Idk Whats Wrong But Maybe This'll Help.


This topic is locked
4 replies to this topic

#1 xolacieox

xolacieox

  • Members
  • 2 posts

Posted 02 June 2007 - 03:21 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:17:36 PM, on 6/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\CustomXML\CustomXML.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ECURIT~1\regedit.exe
C:\Documents and Settings\spenca\Application Data\??mantec\r?ndll.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
D:\Program Files\Morpheus\Morpheus.exe
C:\Documents and Settings\spenca\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [CustomXML] C:\Program Files\CustomXML\CustomXML.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\System32\dildlhlm.dll",realset
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [qkmm] C:\PROGRA~1\COMMON~1\qkmm\qkmmm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Cnpt] "C:\PROGRA~1\ECURIT~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Orltxl] "C:\Documents and Settings\spenca\Application Data\??mantec\r?ndll.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3BlbmNh\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 June 2007 - 04:12 PM

Hello xolacieox,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh HijackThis log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 02 June 2007 - 04:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 xolacieox

xolacieox
  • Topic Starter

  • Members
  • 2 posts

Posted 02 June 2007 - 05:26 PM

ComboFix 07-05.27.BV - Running from: "C:\PROGRA~1\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\djfqkvet.dll
C:\WINDOWS\system32\uvswrlil.dll
C:\WINDOWS\system32\wkjbdnvg.dll
C:\WINDOWS\system32\khfdcaw.dll
C:\WINDOWS\system32\jikkj.bak1
C:\WINDOWS\system32\jikkj.bak2
C:\WINDOWS\system32\jikkj.ini
C:\WINDOWS\system32\jikkj.tmp
C:\WINDOWS\system32\jikkj.bak1
C:\WINDOWS\system32\jikkj.bak2
C:\WINDOWS\system32\jikkj.ini
C:\WINDOWS\system32\jkkij.dll
C:\WINDOWS\system32\jkkkiig.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1275OinAdmin.exe"
"C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe"
"C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
"C:\WINDOWS\system32\atmtd.dll"
"C:\WINDOWS\system32\atmtd.dll._"
"C:\WINDOWS\uninstall_nmon.vbs"
"C:\WINDOWS\retadpu11.exe"
"C:\DOCUME~1\spenca\APPLIC~1\Install.dat"
"C:\DOCUME~1\spenca\APPLIC~1.\searchtoolbarcorp\Toolbar Vision\PageHistory.txt"
"C:\DOCUME~1\spenca\APPLIC~1.\searchtoolbarcorp\Toolbar Vision\WebHistory.txt"
"C:\Program Files\outerinfo\OiUninstaller.exe"
"C:\Program Files\outerinfo\outerinfo.ico"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\Program Files\outlook\outlook.exe.ren"
"C:\Program Files\outlook\p.zip"
"C:\Program Files\outlook\v.tmp"
"C:\WINDOWS\system32\wsnpoem\audio.dll"
"C:\WINDOWS\system32\wsnpoem\video.dll"
"C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\domains.txt"
"C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\log.txt"
"C:\DOCUME~1\spenca\APPLIC~1.\install.dat"
"C:\WINDOWS\system32\bszip.dll"
"C:\WINDOWS\system32\cmd.com"
"C:\WINDOWS\system32\netstat.com"
"C:\WINDOWS\system32\ping.com"
"C:\WINDOWS\system32\regedit.com"
"C:\WINDOWS\system32\taskkill.com"
"C:\WINDOWS\system32\tasklist.com"
"C:\WINDOWS\system32\tracert.com"
"C:\WINDOWS\system32\tsuninst.exe"
"C:\WINDOWS\system32\wcpcc.exe"
"C:\onoes.exe"
"C:\WINDOWS\b122.exe"
"C:\DOCUME~1\spenca\APPLIC~1.\searchtoolbarcorp"
"C:\Program Files\inetget2"
"C:\Program Files\ipwindows"
"C:\Program Files\network monitor"
"C:\Program Files\outerinfo"
"C:\Program Files\outlook"
"C:\Program Files\winupdates"
"C:\WINDOWS\system32\components"
"C:\WINDOWS\system32\wsnpoem"
"C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon"
"C:\Program Files\Common Files\{309C6~1"
"C:\Program Files\Common Files\{809C6~1"

-- Purity Folders:

C:\WINDOWS\system32\FNTS~1
C:\WINDOWS\SMBOLS~1
C:\Program Files\SMBOLS~1
C:\Program Files\ECURIT~1
C:\DOCUME~1\spenca\APPLIC~1\PPATCH~1
C:\DOCUME~1\spenca\APPLIC~1\CURITY~1
C:\DOCUME~1\spenca\APPLIC~1\MANTEC~1
C:\DOCUME~1\spenca\APPLIC~1\PPATCH~2
C:\DOCUME~1\spenca\MYDOCU~1\WNSXS~1
C:\DOCUME~1\spenca\MYDOCU~1\PPPATC~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))))))))))))))))))


2007-06-02 15:04 50,740 --a------ C:\WINDOWS\system32\gjcchjag.dll
2007-06-02 11:59 2,580 --a------ C:\WINDOWS\system32\egaecjdp.exe
2007-06-02 04:55 60,928 --a------ C:\WINDOWS\system32\asaev.dll
2007-06-01 15:24 2,580 --a------ C:\WINDOWS\system32\syybnbec.exe
2007-06-01 15:24 131,124 --a------ C:\WINDOWS\system32\dildlhlm.dll
2007-05-30 20:16 <DIR> d-------- C:\Downloads
2007-05-28 07:44 122,343 --a------ C:\WINDOWS\system32\iiijj.dll
2007-05-27 13:08 <DIR> d-------- C:\!KillBox
2007-05-27 01:16 2 --a------ C:\WINDOWS\system32\wcpicomsv32.exe
2007-05-25 21:42 <DIR> d-------- C:\DOCUME~1\spenca\APPLIC~1\Snapfish
2007-05-24 01:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Yahoo!
2007-05-23 12:39 77,824 --a------ C:\WINDOWS\system32\FLKill.exe
2007-05-23 12:39 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2007-05-23 12:39 110,592 --a------ C:\WINDOWS\system32\suppdll.dll
2007-05-21 13:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AOL OCP
2007-05-21 13:43 <DIR> d-------- C:\Program Files\AIM6
2007-05-12 01:01 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 21:37:43 -------- d-----w C:\DOCUME~1\spenca\APPLIC~1\Morpheus
2007-06-01 17:11:14 -------- d-----w C:\DOCUME~1\spenca\APPLIC~1\Yahoo!
2007-05-26 04:42:26 4,466 ----a-w C:\WINDOWS\mozver.dat
2007-05-24 08:46:06 -------- d-----w C:\Program Files\Yahoo!
2007-05-22 06:56:44 1,056 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-21 20:47:13 -------- d-----w C:\Program Files\Viewpoint
2007-05-14 22:28:28 -------- d-----w C:\Program Files\MSN Messenger
2007-05-08 04:37:09 -------- d-----w C:\Program Files\Y!mLite
2007-05-05 23:45:05 -------- d-----w C:\Program Files\Common Files\qkmm
2007-04-30 04:00:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-30 03:51:04 -------- d-----w C:\Program Files\CustomXML
2007-04-30 01:17:44 -------- d-----w C:\DOCUME~1\spenca\APPLIC~1\?dobe
2007-04-28 01:28:00 -------- d-----w C:\Program Files\Common Files\?asks
2007-04-12 22:42:17 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-04-03 17:17:38 -------- d-----w C:\Program Files\Common Files\Corel
2007-04-03 17:17:27 -------- d-----w C:\DOCUME~1\spenca\APPLIC~1\Corel
2007-04-03 17:15:20 -------- d-----w C:\Program Files\Corel
2007-03-26 06:54:44 37,081 ----a-w C:\WINDOWS\system32\lsasss.exe.ren
2007-03-22 10:06:26 30,608 ----a-w C:\WINDOWS\system32\msoeaccz.dat
2007-03-22 10:06:26 10,478 ----a-w C:\WINDOWS\system32\netlxgon.dat
2007-03-22 10:06:26 0 -c--a-w C:\WINDOWS\system32\umaxscin.dat
2007-03-22 10:06:26 0 -c--a-w C:\WINDOWS\system32\imgutimn.dat
2007-03-22 06:11:46 27,233 ----a-w C:\WINDOWS\system32\ddcyv.exe
2007-03-22 05:55:39 8,504 ----a-w C:\WINDOWS\system32\pmnmnmk.dll
2007-03-22 05:51:36 0 -c--a-w C:\WINDOWS\system32\wshexjd.dat
2007-03-22 05:51:36 0 -c--a-w C:\WINDOWS\system32\mstvisvf.dat
2007-03-17 11:02:13 1,354 ----a-w C:\WINDOWS\system32\kbdsv.dat
2007-03-17 11:01:11 0 -c--a-w C:\WINDOWS\system32\rasmcnsh.dat
2007-03-16 08:53:47 3,108 ----a-w C:\WINDOWS\qvikkav.exe
2007-03-04 23:33:18 2,614 ----a-w C:\WINDOWS\unins000.dat
2007-03-04 23:33:13 641,021 ----a-w C:\WINDOWS\unins000.exe
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\c3BlbmNh\wa15vAh1.vbs


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 14:39]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]
{E6541B4C-F18F-DD50-D97B-F9ADD9E624E5}=C:\WINDOWS\System32\asaev.dll [2007-05-21 06:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2007-03-25 23:54]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" []
"CustomXML"="C:\Program Files\CustomXML\CustomXML.exe" [2007-03-25 23:54]
"MessengerPlus3"="D:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-05-27 14:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2007-03-25 23:54]
"MessengerPlus3"="D:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-05-27 14:53]
"qkmm"="C:\PROGRA~1\COMMON~1\qkmm\qkmmm.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34]
"Cnpt"="C:\PROGRA~1\ECURIT~1\regedit.exe" []
"Orltxl"="C:\Documents and Settings\spenca\Application Data\??mantec\r?ndll.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^svchost.exe]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\svchost.exe
backup=C:\WINDOWS\pss\svchost.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^spenca^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\spenca\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7c1bf5af.exe]
C:\WINDOWS\System32\7c1bf5af.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner 2006 Free]
"C:\Program Files\DriveCleaner 2006 Free\UDC2006.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1142893477\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Manolito]
C:\Program Files\Manolito\Manolito.exe SILENT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareQuake.com]
C:\Program Files\SpywareQuake.com\Spyware-Quake.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]
C:\Program Files\winupdates\winupdates.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XeroxScannerDaemon]
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-02 11:00:00 C:\WINDOWS\tasks\Scheduled scanning task.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-02 15:10:28
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-06-02 15:18:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-02 15:17

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 3:22:43 PM, on 6/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\CustomXML\CustomXML.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\taskmgr.exe
D:\Program Files\Morpheus\Morpheus.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\spenca\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E6541B4C-F18F-DD50-D97B-F9ADD9E624E5} - C:\WINDOWS\System32\asaev.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [CustomXML] C:\Program Files\CustomXML\CustomXML.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [qkmm] C:\PROGRA~1\COMMON~1\qkmm\qkmmm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Cnpt] "C:\PROGRA~1\ECURIT~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Orltxl] "C:\Documents and Settings\spenca\Application Data\??mantec\r?ndll.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 June 2007 - 07:26 PM

Hello xolacieox,

Are you receiving help anywhere else? I see a tool that is only used by malware removal sites in your log.


Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download only one of the following (free)

Avast or
AntiVir or
AVG antivirus


Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

********************

Download SUPERantispyware
  • Load SUPERantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log to this thread along with a fresh Hijackthis log
  • Run ComboFix again and post a fresh ComboFix log

Edited by SifuMike, 02 June 2007 - 07:33 PM.


#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 June 2007 - 01:23 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.