Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Maleware Problems


  • This topic is locked This topic is locked
36 replies to this topic

#1 IowaGuy

IowaGuy

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 11 May 2007 - 06:59 PM

All I know for sure is I am infected and of course all the spyware and anti-virus software wont remove it. It originally started when I clicked on this message in a MSN IM message. Even though I knew better than to click it, I did, I guess because I have nude photos of me on some websites, and thought maybe they actually found one! So any way, their scam worked! It don't seem to be to bad - just an occasional pop-up from time to time that never shows a website. Also I don't have a name for what ever I have. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:00 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Heidemann\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\kgouotec.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Thanks, Rob

BC AdBot (Login to Remove)

 


#2 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:54 PM

Posted 12 May 2007 - 12:36 AM

Hello IowaGuy! Welcome to Bleepingcomputer forums :thumbsup:

Let's get you clean up.

Step #1

We Have to move Hijackthis to it's own folder because In it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later

Click START>My Computer >right click Local Disk (usually (C:) for most people)>Explore.
Right click an open area in the main panel.
Select New > Folder.
Type in HJT & press Enter

Now We have Created C:\HJT\ folder. Put your HijackThis.exe there.

Step #2

Please download Combofix to your desktop.
  • Double click on Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

In your next reply please Post Combofix.txt & Hijackthis Logfile.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others. Posted Image
Posted Image Posted Image

#3 IowaGuy

IowaGuy
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 12 May 2007 - 09:26 AM

Howdy 0 here are the logs you requested:

"Rob Heidemann" - 2007-05-12 9:06:38 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Rob Heidemann\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fbinvins.dll
C:\WINDOWS\system32\genpewri.dll
C:\WINDOWS\system32\kgouotec.dll
C:\WINDOWS\system32\xtockfix.dll
C:\WINDOWS\system32\xxyaxwu.dll
C:\WINDOWS\system32\cetouogk.ini
C:\WINDOWS\system32\wvusttr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\{34F33~1
C:\Program Files\Common Files\{54F33~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1\DOBE~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1\s?stem32
C:\qoobox\purity\C\Program Files\STEM32~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-12 08:53 <DIR> d-------- C:\HJT
2007-05-05 13:32 <DIR> d-------- C:\Program Files\Executive Software
2007-05-05 11:58 <DIR> d-------- C:\Program Files\IObit
2007-05-05 11:32 <DIR> d-------- C:\Program Files\CCleaner
2007-05-05 11:17 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12 <DIR> d-------- C:\Program Files\InterMute
2007-05-04 21:24 1,500,767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24 1,397,965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-04-23 21:20 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\.Philips
2007-04-21 18:04 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\Viewpoint
2007-04-18 21:39 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\X10 Commander
2007-04-17 19:39 <DIR> d-------- C:\Program Files\Skype


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 14:13:24 132,660 ----a-w C:\WINDOWS\system32\pcehfjwb.dll
2007-05-05 16:41:31 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-04 03:41:34 -------- d-----w C:\Program Files\MSN Messenger
2007-05-02 01:38:07 -------- d-----w C:\Program Files\Rhapsody
2007-05-01 02:54:52 -------- d-----w C:\Program Files\mIRC
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 00:10:07 -------- d-----w C:\Program Files\Philips
2007-04-16 11:24:34 -------- d-----w C:\Program Files\Lx_cats
2007-04-13 02:32:57 -------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 22:15:05 -------- d-----w C:\Program Files\Common Files\i4j_jres
2007-04-09 21:59:56 286,720 ------w C:\WINDOWS\Setup1.exe
2007-04-09 21:59:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-04 01:21:00 -------- d-----w C:\Program Files\ID3man
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-14 16:51:50 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{40F095AF-D288-48EE-9AE7-FB59E8BB7078}"="C:\WINDOWS\system32\sstqq.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\pcehfjwb.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 09:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 9:15:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-12 09:18


Logfile of HijackThis v1.99.1
Scan saved at 9:20:48 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pcehfjwb.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#4 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:54 PM

Posted 12 May 2007 - 09:57 AM

Good Work :thumbsup:

We still have work to do.

Step #1

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #2

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Step #3

In your Next reply please post:

C:\Vundofix.txt
C:\Deckard\System Scanner\Main.txt
C:\Deckard\System Scanner\Extra.txt
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others. Posted Image
Posted Image Posted Image

#5 IowaGuy

IowaGuy
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 12 May 2007 - 10:32 AM

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:05:44 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll



Logfile of HijackThis v1.99.1
Scan saved at 10:27:22 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pcehfjwb.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-12 at 10:13:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-12 15:13:57 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:14:52 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\Rob Heidemann.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40F095AF-D288-48EE-9AE7-FB59E8BB7078} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pcehfjwb.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 IFP800 (iriver Internet Audio Player IFP-800) - c:\windows\system32\drivers\ifp800.sys <Not Verified; iRiver, Inc.; IFP-100>
R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R1 BS_I2cIo - c:\windows\system32\drivers\bs_i2cio.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>

S3 BCORETH5 (BCORETH5 NDIS Protocol Driver) - c:\windows\system32\bcoreth5.sys <Not Verified; BridgeCo AG, Switzerland; BridgeCo RawEther Driver>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 giveio - c:\windows\system32\giveio.sys
S3 pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 ZZZMPR5 (ZZZMPR5 NDIS Protocol Driver) - c:\windows\system32\zzzmpr5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>
S3 x10nets (X10 Device Network Service) - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 09:13:22 132660 --a------ C:\WINDOWS\system32\pcehfjwb.dll
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 21:24:34 1500767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24:22 1397965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23:57 284244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-05-03 21:23:56 284244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{40F095AF-D288-48EE-9AE7-FB59E8BB7078} C:\WINDOWS\system32\sstqq.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\pcehfjwb.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1200ba9d-2f9e-11db-81aa-806d6172696f}]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 10:15:55 ---------



Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 3.20GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 702.42 MiB / 288.56 MiB
Pagefile Memory (total/avail): 1721.13 MiB / 1342.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1972.68 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 37.27 GiB total, 21.38 GiB free.
D: is Fixed (NTFS) - 93.16 GiB total, 26.1 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is CDROM (UDF)
H: is CDROM (UDF)
I: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1001 [VPS 000739-3] v4.7.1001 (ALWIL Software)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob Heidemann\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HEIDEMAN-C1D0D8
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob Heidemann
LOGONSERVER=\\HEIDEMAN-C1D0D8
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRA~1\MOZILL~1;C:\PROGRA~1\MOZILL~1;C:\Program Files\Mozilla Firefox;C:\Program Files\Outlook Express;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
USERDOMAIN=HEIDEMAN-C1D0D8
USERNAME=Rob Heidemann
USERPROFILE=C:\Documents and Settings\Rob Heidemann
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob Heidemann (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
ATI Multimedia Center 8.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{42BC25C4-E224-45FB-8CEF-162D2EEC5A34} /l1033
ATI Remote Wonder 1.4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{41331E03-97D4-421E-BBD1-0A914CFE19BC} /l1033
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\Setup.exe" -l0x9 -SYSTEM
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Stylus Photo R260 User's Guide --> C:\Program Files\epson\guide\spr260_e\uninstall.exe
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\Documents and Settings\Rob Heidemann\Desktop\HijackThis.exe /uninstall
ID3man5.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ID3man\ID3man.isu"
IObit SmartDefrag Beta 2.1 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
iriver Music Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{072D2077-9E22-4F7F-B817-A92CA6CCC843}\Setup.exe" -l0x9 anything
iRiver Updater --> \uninst.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark 3100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBRUN5C.EXE -dLexmark 3100 Series
Lexmark 810 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBSUNST.EXE -NOLICENSE
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Picture It! Photo 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe F:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
MySpaceIM --> MsiExec.exe /I{FE242C4A-4AF0-4E9F-ABFF-92CA3CEE8761}
Nero 7 Ultra Edition --> MsiExec.exe /I{FC98FBE9-E931-494C-8717-497185371033}
Philips Media Manager 3.3.12.0004 --> C:\Program Files\Philips\Media Manager\uninstall.exe
Philips Wireless Music Receiver Utility --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Philips\Wireless Music Receiver\ST6UNST.LOG"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody Player Engine --> MsiExec.exe /I{6A136B9A-1895-436F-83F8-30D9C68BB6EA}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SSC Service Utility v4.20 --> "C:\Program Files\SSC Service Utility\unins000.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\VIA\UChromeP\s3minset.exe /u C:\PROGRA~1\VIA\UChromeP\UChromeP.uns
Wal-Mart Music Downloads Store --> MsiExec.exe /I{A6A13E30-656F-4876-9B03-FBD4D712BB40}
WarpSpeeder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EB4EAD4A-8A80-43A5-8B23-78A2F6B26298}\setup.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 10:15:55 ---------

#6 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:54 PM

Posted 12 May 2007 - 10:41 AM

Please Re-Scan using Vundofix and post the results in your next reply.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others. Posted Image
Posted Image Posted Image

#7 IowaGuy

IowaGuy
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 12 May 2007 - 11:36 AM

You guys are fast responders! Here ya go:


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:05:44 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 11:23:26 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

#8 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:54 PM

Posted 12 May 2007 - 12:10 PM

Run ComboFix again using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\combofix.exe" /v qqtss.bak1 qqtss.bak2 sstqq.dll

When finished, it shall produce a log for you, which will again be named C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Now, Re-scan using Dss.exe.

Next Please Post:

C:\ComboFix.txt
C:\Deckard\System Scanner\Main.txt
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others. Posted Image
Posted Image Posted Image

#9 IowaGuy

IowaGuy
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 12 May 2007 - 12:24 PM

"Rob Heidemann" - 2007-05-12 12:13:43 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Rob Heidemann\Desktop\"
Command switches used :: "/v qqtss.bak1 qqtss.bak2 sstqq.dll"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pcehfjwb.dll
C:\WINDOWS\system32\bwjfhecp.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1\DOBE~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1\s?stem32
C:\qoobox\purity\C\Program Files\STEM32~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-12 10:13 <DIR> d-------- C:\Deckard
2007-05-12 10:05 <DIR> d-------- C:\VundoFix Backups
2007-05-12 09:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-12 08:53 <DIR> d-------- C:\HJT
2007-05-05 13:32 <DIR> d-------- C:\Program Files\Executive Software
2007-05-05 11:58 <DIR> d-------- C:\Program Files\IObit
2007-05-05 11:32 <DIR> d-------- C:\Program Files\CCleaner
2007-05-05 11:17 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12 <DIR> d-------- C:\Program Files\InterMute
2007-05-04 21:24 1,500,767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24 1,397,965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-04-23 21:20 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\.Philips
2007-04-21 18:04 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\Viewpoint
2007-04-18 21:39 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\X10 Commander
2007-04-17 19:39 <DIR> d-------- C:\Program Files\Skype


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 16:41:31 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-04 03:41:34 -------- d-----w C:\Program Files\MSN Messenger
2007-05-02 01:38:07 -------- d-----w C:\Program Files\Rhapsody
2007-05-01 02:54:52 -------- d-----w C:\Program Files\mIRC
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 00:10:07 -------- d-----w C:\Program Files\Philips
2007-04-16 11:24:34 -------- d-----w C:\Program Files\Lx_cats
2007-04-13 02:32:57 -------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 22:15:05 -------- d-----w C:\Program Files\Common Files\i4j_jres
2007-04-09 21:59:56 286,720 ------w C:\WINDOWS\Setup1.exe
2007-04-09 21:59:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-04 01:21:00 -------- d-----w C:\Program Files\ID3man
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-14 16:51:50 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{40F095AF-D288-48EE-9AE7-FB59E8BB7078}"="C:\WINDOWS\system32\sstqq.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1200ba9d-2f9e-11db-81aa-806d6172696f}]
Shell\AutoRun\command E:\Setup.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 12:18:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 12:18:27
C:\ComboFix-quarantined-files.txt ... 2007-05-12 12:18
C:\ComboFix2.txt ... 2007-05-12 09:15



Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-12 at 12:19:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:19:32 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40F095AF-D288-48EE-9AE7-FB59E8BB7078} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 21:24:34 1500767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24:22 1397965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23:57 284244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-05-03 21:23:56 284244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{40F095AF-D288-48EE-9AE7-FB59E8BB7078} C:\WINDOWS\system32\sstqq.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1200ba9d-2f9e-11db-81aa-806d6172696f}]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 12:20:17 ---------

#10 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:54 PM

Posted 12 May 2007 - 01:41 PM

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step #1

Please download the OTMoveIt.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\qqtss.bak2
    C:\WINDOWS\system32\qqtss.bak1
    C:\WINDOWS\system32\ddabc.dll
    C:\WINDOWS\system32\sstqq.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #2

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please open HiJackThis and scan. Check the boxes next to all the entries listed below

O2 - BHO: (no name) - {40F095AF-D288-48EE-9AE7-FB59E8BB7078} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint

Step #3

Go to Start » Run » type in: regedit » OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to File » Export
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{40F095AF-D288-48EE-9AE7-FB59E8BB7078}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq]

Save this as fix.reg Choose to save as all files and place it on your desktop.

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Step #4

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Step #5

Now, Re-scan using Deckard's System scanner.

In your next reply please post:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt

Also Add Doctor Web Results.

Let me know how thins are running now :thumbsup:

Edited by Rahina Rescue, 12 May 2007 - 01:42 PM.

[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others. Posted Image
Posted Image Posted Image

#11 IowaGuy

IowaGuy
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 12 May 2007 - 11:58 PM

Ok I did all your steps, but the files you wanted me to fix did not show up in HiJackThis. Also the file i was to delete was not showing up in Windows Explorer.
Here is the Doctor Web results:
sstqq.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.60;Incurable.Moved.;
fbinvins.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Incurable.Moved.;
genpewri.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Incurable.Moved.;
kgouotec.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
pcehfjwb.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
wvusttr.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xtockfix.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xxyaxwu.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0000017.dll;C:\System Volume Information\_restore{AAFE2685-98FA-4B34-A8D9-2924C0C3826E}\RP1;Trojan.Virtumod;Deleted.;
ab_02.exe;C:\WINDOWS;Trojan.DownLoader.17379;Deleted.;
sstqq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
ddabc.dll;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.Virtumod;Deleted.;


HERE IS THE DSS LOGS, BUT IT DIDNT APPEAR TO MAKE A NEW EXTRA.TXT

Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-12 at 23:50:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:50:40 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4EDA0FEC-458C-497E-8FB8-720CD64A464E} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 21:25:51 132660 --a------ C:\WINDOWS\system32\eboinupw.dll
2007-05-12 21:25:47 49204 --a------ C:\WINDOWS\system32\rgjaaklt.dll
2007-05-12 21:25:46 1504926 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:23:56 284244 -----n--- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{4EDA0FEC-458C-497E-8FB8-720CD64A464E} C:\WINDOWS\system32\sstqq.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{E2EE5C44-C66D-499d-BEAE-A2A79189A63A} C:\WINDOWS\system32\rgjaaklt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\eboinupw.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 23:51:24 ---------





Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 3.20GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 702.42 MiB / 288.56 MiB
Pagefile Memory (total/avail): 1721.13 MiB / 1342.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1972.68 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 37.27 GiB total, 21.38 GiB free.
D: is Fixed (NTFS) - 93.16 GiB total, 26.1 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is CDROM (UDF)
H: is CDROM (UDF)
I: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1001 [VPS 000739-3] v4.7.1001 (ALWIL Software)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob Heidemann\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HEIDEMAN-C1D0D8
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob Heidemann
LOGONSERVER=\\HEIDEMAN-C1D0D8
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRA~1\MOZILL~1;C:\PROGRA~1\MOZILL~1;C:\Program Files\Mozilla Firefox;C:\Program Files\Outlook Express;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
USERDOMAIN=HEIDEMAN-C1D0D8
USERNAME=Rob Heidemann
USERPROFILE=C:\Documents and Settings\Rob Heidemann
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob Heidemann (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
ATI Multimedia Center 8.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{42BC25C4-E224-45FB-8CEF-162D2EEC5A34} /l1033
ATI Remote Wonder 1.4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{41331E03-97D4-421E-BBD1-0A914CFE19BC} /l1033
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\Setup.exe" -l0x9 -SYSTEM
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Stylus Photo R260 User's Guide --> C:\Program Files\epson\guide\spr260_e\uninstall.exe
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\Documents and Settings\Rob Heidemann\Desktop\HijackThis.exe /uninstall
ID3man5.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ID3man\ID3man.isu"
IObit SmartDefrag Beta 2.1 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
iriver Music Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{072D2077-9E22-4F7F-B817-A92CA6CCC843}\Setup.exe" -l0x9 anything
iRiver Updater --> \uninst.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark 3100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBRUN5C.EXE -dLexmark 3100 Series
Lexmark 810 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBSUNST.EXE -NOLICENSE
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Picture It! Photo 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe F:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
MySpaceIM --> MsiExec.exe /I{FE242C4A-4AF0-4E9F-ABFF-92CA3CEE8761}
Nero 7 Ultra Edition --> MsiExec.exe /I{FC98FBE9-E931-494C-8717-497185371033}
Philips Media Manager 3.3.12.0004 --> C:\Program Files\Philips\Media Manager\uninstall.exe
Philips Wireless Music Receiver Utility --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Philips\Wireless Music Receiver\ST6UNST.LOG"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody Player Engine --> MsiExec.exe /I{6A136B9A-1895-436F-83F8-30D9C68BB6EA}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SSC Service Utility v4.20 --> "C:\Program Files\SSC Service Utility\unins000.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\VIA\UChromeP\s3minset.exe /u C:\PROGRA~1\VIA\UChromeP\UChromeP.uns
Wal-Mart Music Downloads Store --> MsiExec.exe /I{A6A13E30-656F-4876-9B03-FBD4D712BB40}
WarpSpeeder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EB4EAD4A-8A80-43A5-8B23-78A2F6B26298}\setup.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 10:15:55 ---------

#12 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:54 PM

Posted 13 May 2007 - 03:35 AM

Thank you, Could you please post Fresh Reports from Deckards system Scanner.

Report's are located here:

C:\Deckard\System Scanner\Main.txt
C:\Deckard\System Scanner\Extra.txt
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others. Posted Image
Posted Image Posted Image

#13 IowaGuy

IowaGuy
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 13 May 2007 - 08:40 AM

For some reason I cant get it to make a new Extra.txt. It only makes Main.txt.

Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-13 at 08:33:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:33:41 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D494C649-BCA9-487E-97F5-157174AF87F8} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-13 and 2007-05-13 -----------------------------

2007-05-12 21:25:51 132660 --a------ C:\WINDOWS\system32\eboinupw.dll
2007-05-12 21:25:47 49204 --a------ C:\WINDOWS\system32\rgjaaklt.dll
2007-05-12 21:25:46 1504926 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:23:56 284244 -----n--- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{D494C649-BCA9-487E-97F5-157174AF87F8} C:\WINDOWS\system32\sstqq.dll
{E2EE5C44-C66D-499d-BEAE-A2A79189A63A} C:\WINDOWS\system32\rgjaaklt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\eboinupw.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-13 at 08:34:24 ---------

#14 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:54 PM

Posted 13 May 2007 - 10:06 AM

  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 4 entries below into the top 2 boxes:

    C:\WINDOWS\System32\rgjaaklt.dll
    C:\WINDOWS\system32\tlkaajgr.*

    C:\WINDOWS\SYSTEM32\sstqq.dll
    C:\WINDOWS\SYSTEM32\qqtss.*

  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, from normal mode.

[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others. Posted Image
Posted Image Posted Image

#15 IowaGuy

IowaGuy
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa
  • Local time:05:54 AM

Posted 13 May 2007 - 10:31 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:26:46 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D494C649-BCA9-487E-97F5-157174AF87F8} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)





VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:05:44 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 11:23:26 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:11:22 AM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\rgjaaklt.dll
C:\WINDOWS\System32\rgjaaklt.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sstqq.dll
C:\WINDOWS\SYSTEM32\sstqq.dll Has been deleted!

Performing Repairs to the registry.
Done!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users