Continuous Popups And Bother


  • This topic is locked
14 replies to this topic

#1 hatto (Members, 38 posts)

Posted 06 June 2007 - 05:28 AM

I sort of know what to do, but I still need an expert to tell me what is going so wrong:

Logfile of HijackThis v1.99.1
Scan saved at 8:22:51 PM, on 6/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://redirect.zonelabs.com/redirect/rout...;dest=whats_new
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {8071E65A-3F56-4426-8372-8667CD213057} - C:\WINDOWS\system32\qomjhfg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C2B5FD89-2603-4313-B7E3-58F5BF0CC8FF} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\dykrshjd.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\lpuleaqc.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Dale\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: qomjhfg - C:\WINDOWS\SYSTEM32\qomjhfg.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 06 June 2007 - 10:17 PM

Hello hatto,

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following, if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN

or anything similar with Oin in it.

Reboot when done! Really important!



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Edited by SifuMike, 06 June 2007 - 10:27 PM.

#3 hatto (Topic Starter, Members, 38 posts)

Posted 08 June 2007 - 02:46 AM

I couldn't find any Oin-related programs, so I used VundoFix as you told me:

Logfile of HijackThis v1.99.1
Scan saved at 5:39:28 PM, on 8/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://redirect.zonelabs.com/redirect/rout...;dest=whats_new
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E00CB7A-2274-470E-8638-7369D67F9484} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\hsikjwie.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\lpuleaqc.dll",realset
O4 - HKLM\..\Run: [j5251831] rundll32 C:\WINDOWS\system32\j5251831.dll sook
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Dale\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

thank you

#4 SifuMike

malware expert, Staff Emeritus

Posted 08 June 2007 - 10:32 AM

Hi hatto,

You forgot to post the contents of C:\vundofix.txt

Edited by SifuMike, 08 June 2007 - 10:33 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 hatto

Topic Starter

Posted 08 June 2007 - 07:49 PM

sorry:


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 4:42:02 PM 8/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\byxutsp.dll
C:\WINDOWS\system32\byxxvsr.dll
C:\WINDOWS\system32\cqaelupl.ini
C:\WINDOWS\system32\dykrshjd.dll
C:\WINDOWS\system32\kwnrhckx.dll
C:\WINDOWS\system32\lpuleaqc.dll
C:\WINDOWS\system32\oblfrtbx.ini
C:\WINDOWS\system32\qomjhfg.dll
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\taiuukxh.dll
C:\WINDOWS\system32\xbtrflbo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxutsp.dll
C:\WINDOWS\system32\byxutsp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxxvsr.dll
C:\WINDOWS\system32\byxxvsr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cqaelupl.ini
C:\WINDOWS\system32\cqaelupl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dykrshjd.dll
C:\WINDOWS\system32\dykrshjd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kwnrhckx.dll
C:\WINDOWS\system32\kwnrhckx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lpuleaqc.dll
C:\WINDOWS\system32\lpuleaqc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oblfrtbx.ini
C:\WINDOWS\system32\oblfrtbx.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomjhfg.dll
C:\WINDOWS\system32\qomjhfg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\ssqpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\taiuukxh.dll
C:\WINDOWS\system32\taiuukxh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbtrflbo.dll
C:\WINDOWS\system32\xbtrflbo.dll Has been deleted!

Performing Repairs to the registry.
Done!

#6 SifuMike

malware expert, Staff Emeritus

Posted 08 June 2007 - 09:06 PM

Hello hatto,

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {1E00CB7A-2274-470E-8638-7369D67F9484} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\hsikjwie.dll
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\lpuleaqc.dll",realset
O4 - HKLM\..\Run: [j5251831] rundll32 C:\WINDOWS\system32\j5251831.dll sook
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll


These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
(Description: Subscription reminder to unlock unlimited use for SoftThinks CD Creator CD/DVD rewriting software, usually supplied with HP PCs as a pre-installed package. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\RealMedia\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\hsikjwie.dll <==file
C:\WINDOWS\system32\lpuleaqc.dll <==file
C:\WINDOWS\system32\j5251831.dll <==file
C:\WINDOWS\SYSTEM32\winmfu32.dll <==file
C:\Windows\ALCMTR.EXE <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix  log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton AntiVirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking:
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


Post a new Hijackthis log, and the ComboFix log.
 

Edited by SifuMike, 08 June 2007 - 09:08 PM.

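As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python triage script that parses the O2, O4 and O20 entry formats SifuMike worked from above and flags the same patterns: a hook whose file is already gone, an unnamed BHO or rundll32-launched DLL with a generated-looking name in system32 (the Vundo pattern seen in the VundoFix output), and a Winlogon Notify package outside the expected set. The allow-lists and the random-name rule are assumptions of this example, not rules HijackThis itself applies.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Line shapes as they appear in a HijackThis v1.99 log.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[CL][UM])\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# First argument handed to rundll32, with or without surrounding quotes.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)', re.IGNORECASE)
# Five to eight lowercase letters/digits: the generated names this family drops (assumption).
RANDOM_STEM_RE = re.compile(r"^[a-z0-9]{5,8}$")

# Assumed allow-lists for an XP SP2 box; extend them from your own clean baseline.
KNOWN_NOTIFY = {"wgalogon"}
KNOWN_SYSTEM32 = {"ctfmon", "nvcpl", "nwiz"}

SECTIONS = (("O2", BHO_RE), ("O4", RUN_RE), ("O20", NOTIFY_RE))


@dataclass
class Finding:
    entry: str    # the original log line
    module: str   # file name the entry loads
    reason: str   # why it was flagged


def parse_line(line):
    """Return (section, fields) for an O2/O4/O20 line, or None for anything else."""
    text = line.strip()
    for section, rx in SECTIONS:
        m = rx.match(text)
        if m:
            return section, m.groupdict()
    return None


def module_name(path):
    """Lower-case file name at the end of a possibly quoted or annotated path."""
    p = path.strip().strip('"').lower().replace("(file missing)", "").strip().strip('"')
    return p.rsplit("\\", 1)[-1]


def random_system32_module(path):
    """True if path names a .dll/.exe in system32 whose stem looks generated."""
    if "\\system32\\" not in path.lower():
        return False
    stem, _, ext = module_name(path).rpartition(".")
    return ext in ("dll", "exe") and bool(RANDOM_STEM_RE.match(stem)) and stem not in KNOWN_SYSTEM32


def triage(lines):
    """Parse each log line and return the entries that deserve a closer look."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, f = parsed
        entry = line.strip()
        if section in ("O2", "O20") and "(file missing)" in f["path"]:
            findings.append(Finding(entry, module_name(f["path"]), "hook points at a file that is already gone"))
        elif section == "O2" and f["name"] == "(no name)" and random_system32_module(f["path"]):
            findings.append(Finding(entry, module_name(f["path"]), "unnamed BHO loading a random-named DLL from system32"))
        elif section == "O4":
            m = RUNDLL_RE.search(f["cmd"])
            if m and random_system32_module(m.group("dll")):
                findings.append(Finding(entry, module_name(m.group("dll")), "rundll32 autostart of a random-named system32 DLL"))
        elif section == "O20" and f["name"].lower() not in KNOWN_NOTIFY:
            findings.append(Finding(entry, module_name(f["path"]), "Winlogon Notify package outside the expected set"))
    return findings


def flagged_modules(lines):
    """File names of every flagged entry, in log order."""
    return [fnd.module for fnd in triage(lines)]


# Constructed sample: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {1E00CB7A-2274-470E-8638-7369D67F9484} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\hsikjwie.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\lpuleaqc.dll",realset
O4 - HKLM\..\Run: [j5251831] rundll32 C:\WINDOWS\system32\j5251831.dll sook
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
"""

if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG.splitlines()):
        print(f"{fnd.module:14} {fnd.reason}\n    {fnd.entry}")
```

Entries launched by a bare name such as `[Alcmtr] ALCMTR.EXE` carry no path, so a rule like this cannot judge them; those still need a manual lookup, as the helper did.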

#7 hatto

hatto
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Your Mum
  • Local time:10:37 PM

Posted 14 June 2007 - 02:35 AM

Thank you for your detailed instructions.


ComboFix 07-06-13.3 - C:\Documents and Settings\Brendan\Desktop\ComboFix.exe
"Brendan" - 2007-06-14 16:52:02 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\vsadd-in
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\kdwkl.exe
C:\WINDOWS\system32\klikalka.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))


2007-06-14 17:14 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-06-14 16:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 16:29 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-06-14 12:28 <DIR> d-------- C:\Program Files\CCleaner
2007-06-08 16:25 2,580 --a------ C:\WINDOWS\system32\tjqmiwrx.exe
2007-06-07 13:15 55,316 --a------ C:\WINDOWS\system32\wqnopsvn.dll
2007-06-07 00:01 14,868 --a------ C:\WINDOWS\system32\cfrjvrcu.exe
2007-06-05 21:20 <DIR> d-------- C:\DOCUME~1\Rama\APPLIC~1\Lavasoft
2007-06-05 15:48 2,580 --a------ C:\WINDOWS\system32\vslcoeot.exe
2007-06-04 23:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-04 19:30 2,580 --a------ C:\WINDOWS\system32\owmoqpay.exe
2007-06-03 19:00 2,580 --a------ C:\WINDOWS\system32\ioxklnow.exe
2007-06-03 12:37 2,580 --a------ C:\WINDOWS\system32\needwoau.exe
2007-06-02 10:59 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-02 10:54 <DIR> d-------- C:\DOCUME~1\Brendan\.housecall6.6
2007-05-26 18:21 92,672 --a------ C:\WINDOWS\system32\KillBox.exe
2007-05-24 19:37 <DIR> d-------- C:\Program Files\RealMedia
2007-05-24 19:37 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2007-05-24 19:37 <DIR> d-------- C:\Program Files\DScaler5
2007-05-24 19:37 <DIR> d-------- C:\Program Files\CD Audio Reader Filter
2007-05-24 19:36 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-05-24 19:36 <DIR> d-------- C:\Program Files\SHOUTcast Source
2007-05-24 19:36 <DIR> d-------- C:\Program Files\Haali
2007-05-24 19:36 <DIR> d-------- C:\Program Files\ffdshow
2007-05-24 19:36 <DIR> d-------- C:\Program Files\DS-MP3 Source
2007-05-24 19:35 <DIR> d-------- C:\Program Files\DirectVobSub
2007-05-24 19:34 <DIR> d-------- C:\Program Files\Zoom Player
2007-05-21 21:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-21 21:45 <DIR> d-------- C:\Program Files\MSBuild
2007-05-21 21:42 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-21 21:42 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-21 21:41 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-21 19:25 <DIR> d-------- C:\!Submit
2007-05-20 13:54 <DIR> d-------- C:\Program Files\GD MSN Plugin
2007-05-20 12:43 <DIR> d-------- C:\Program Files\LaceLevel2GDS
2007-05-20 12:01 <DIR> d-------- C:\Program Files\Sound Energy
2007-05-20 11:52 <DIR> d-------- C:\Program Files\otron.net
2007-05-20 11:51 <DIR> d-------- C:\Program Files\Airbear Software
2007-05-19 10:54 <DIR> d-------- C:\Program Files\DC++
2007-05-18 18:41 <DIR> d-------- C:\VundoFix Backups
2007-05-18 18:27 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-18 18:27 <DIR> d-------- C:\Program Files\Winamp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 02:23:14 -------- d-----w C:\DOCUME~1\Brendan\APPLIC~1\Azureus
2007-06-07 08:03:08 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-07 07:40:46 -------- d-----w C:\Program Files\iTunes
2007-06-07 07:40:17 -------- d-----w C:\Program Files\iPod
2007-06-07 07:38:39 -------- d-----w C:\Program Files\QuickTime
2007-06-01 12:22:47 -------- d-----w C:\Program Files\Symantec
2007-06-01 12:22:46 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-01 12:22:46 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-30 06:41:21 252 ----a-w C:\DOCUME~1\Brendan\APPLIC~1\wklnhst.dat
2007-05-27 01:50:12 -------- d-----w C:\Program Files\LimeWire
2007-05-27 01:24:36 -------- d-----w C:\Program Files\MSN Games
2007-05-24 10:27:37 -------- d-----w C:\Program Files\MediaMonkey
2007-05-20 00:07:52 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-19 23:32:26 -------- d-----w C:\Program Files\Google
2007-05-18 23:59:02 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-01 07:12:15 -------- d-----w C:\Program Files\Common Files\SWF Studio
2007-05-01 06:43:55 -------- d-----w C:\Program Files\Peter
2007-04-29 01:12:01 -------- d-----w C:\Program Files\Trippy's best
2007-04-27 06:48:30 -------- d-----w C:\DOCUME~1\Brendan\APPLIC~1\Alive Games
2007-04-20 07:21:01 -------- d-----w C:\Program Files\7-Zip
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-15 00:28:41 -------- d-----w C:\Program Files\Maxis
2007-03-30 07:15:02 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-03-28 08:51:54 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 08:51:52 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-22 20:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-22 20:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 10:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-18 06:32:41 1,289 ----a-w C:\WINDOWS\mozver.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-03-23 22:21]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 19:33]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2007-05-23 12:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 07:05 C:\WINDOWS\system32\ftutil2.dll]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 07:15]
"nwiz"="nwiz.exe" [2006-06-21 03:06 C:\WINDOWS\system32\nwiz.exe]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 02:05]
"PCDrProfiler"="" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 15:34]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 10:40]
"DeviceDiscovery"="C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 19:56]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 11:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-03-23 22:21]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-20 09:34]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 09:56 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"TkBellExe"="C:\Program Files\RealMedia\Update_OB\realsched.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-21 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" []
"FlashMute"="C:\Program Files\FlashMute\FlashMute.exe" [2006-03-12 05:49]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 10:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Setup.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-11 09:04:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-14 07:27:08 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-08 10:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Brendan.job
2007-06-13 06:55:59 C:\WINDOWS\tasks\User_Feed_Synchronization-{0CE98986-11D0-4B0E-8EEF-F7F50B27A50D}.job
2006-11-24 04:20:55 C:\WINDOWS\tasks\Warranty Reminder 11 month.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 17:24:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-14 17:28:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-14 17:28

--- E O F ---





and the HijackThis log:



Logfile of HijackThis v1.99.1
Scan saved at 5:34:40 PM, on 14/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://redirect.zonelabs.com/redirect/rout...;dest=whats_new
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Dale\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thank you.

#8 SifuMike (malware expert, Staff Emeritus)

Posted 14 June 2007 - 10:35 AM

Hello hatto,

You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to the next site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:

C:\WINDOWS\system32\sfsync02.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:
C:\WINDOWS\system32\ff_vfw.dll
C:\WINDOWS\system32\tjqmiwrx.exe
C:\WINDOWS\system32\wqnopsvn.dll
C:\WINDOWS\system32\cfrjvrcu.exe
C:\WINDOWS\system32\vslcoeot.exe
C:\WINDOWS\system32\owmoqpay.exe
C:\WINDOWS\system32\ioxklnow.exe
C:\WINDOWS\system32\needwoau.exe



Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 hatto (Topic Starter)

Posted 17 June 2007 - 01:56 AM

hope you don't mind the length of this post:




Complete scanning result of "ff_vfw.dll", received in VirusTotal at 06.15.2007, 09:19:05 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.15.2007 no virus found
AntiVir 7.4.0.32 06.15.2007 no virus found
Authentium 4.93.8 06.15.2007 no virus found
Avast 4.7.997.0 06.14.2007 no virus found
AVG 7.5.0.467 06.14.2007 no virus found
BitDefender 7.2 06.15.2007 no virus found
CAT-QuickHeal 9.00 06.14.2007 no virus found
ClamAV devel-20070416 06.15.2007 no virus found
DrWeb 4.33 06.14.2007 no virus found
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3720 06.15.2007 no virus found
Ewido 4.0 06.14.2007 no virus found
FileAdvisor 1 06.15.2007 Not analyzed yet
Fortinet 2.85.0.0 06.15.2007 no virus found
F-Prot 4.3.2.48 06.14.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 no virus found
Ikarus T3.1.1.8 06.15.2007 no virus found
Kaspersky 4.0.2.24 06.15.2007 no virus found
McAfee 5053 06.14.2007 no virus found
Microsoft 1.2503 06.14.2007 no virus found
NOD32v2 2330 06.15.2007 no virus found
Norman 5.80.02 06.14.2007 no virus found
Panda 9.0.0.4 06.15.2007 no virus found
Prevx1 V2 06.15.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.14.2007 no virus found
Symantec 10 06.15.2007 no virus found
TheHacker 6.1.6.133 06.15.2007 no virus found
VBA32 3.12.0.2 06.14.2007 no virus found
VirusBuster 4.3.23:9 06.14.2007 no virus found
Webwasher-Gateway 6.0.1 06.15.2007 no virus found






Complete scanning result of "tjqmiwrx.exe", received in VirusTotal at 06.15.2007, 09:31:53 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.15.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.15.2007 TR/Agent.anr.1
Authentium 4.93.8 06.15.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.14.2007 Win32:Agent-HZS
AVG 7.5.0.467 06.14.2007 Generic4.SLZ
BitDefender 7.2 06.15.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.14.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.15.2007 Trojan.Agent-4537
DrWeb 4.33 06.15.2007 no virus found
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3720 06.15.2007 no virus found
Ewido 4.0 06.14.2007 Trojan.Agent.anr
FileAdvisor 1 06.15.2007 no virus found
Fortinet 2.85.0.0 06.15.2007 no virus found
F-Prot 4.3.2.48 06.14.2007 W32/Malware!7e40
F-Secure 6.70.13030.0 06.15.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.15.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.15.2007 Trojan.Win32.Agent.anr
McAfee 5053 06.14.2007 AllowCookie
Microsoft 1.2503 06.14.2007 no virus found
NOD32v2 2330 06.15.2007 Win32/Agent.ANR
Norman 5.80.02 06.14.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.15.2007 Trj/Lowzones.TP
Prevx1 V2 06.15.2007 Covert.Sys.Exec
Sophos 4.18.0 06.12.2007 Troj/SetCook-A
Sunbelt 2.2.907.0 06.14.2007 no virus found
Symantec 10 06.15.2007 Trojan.LowZones
TheHacker 6.1.6.133 06.15.2007 Trojan/Agent.anr
VBA32 3.12.0.2 06.14.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.14.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.15.2007 Trojan.Agent.anr.1





Complete scanning result of "wqnopsvn.dll", received in VirusTotal at 06.17.2007, 05:18:32 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 no virus found
AntiVir 7.4.0.32 06.16.2007 TR/BHO.O.5
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.16.2007 no virus found
AVG 7.5.0.467 06.16.2007 Generic4.XZM
BitDefender 7.2 06.17.2007 Trojan.BHO.BP
CAT-QuickHeal 9.00 06.16.2007 Trojan.BHO.o
ClamAV devel-20070416 06.16.2007 Trojan.BHO-67
DrWeb 4.33 06.16.2007 Trojan.Juan
eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 Trojan.BHO.o
FileAdvisor 1 06.17.2007 no virus found
Fortinet 2.85.0.0 06.17.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 Trojan.Win32.BHO.o
Ikarus T3.1.1.8 06.16.2007 Trojan.Win32.BHO.o
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.BHO.o
McAfee 5054 06.15.2007 Generic.dx
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 Win32/BHO.G
Norman 5.80.02 06.15.2007 W32/BHO.dam
Panda 9.0.0.4 06.16.2007 Spyware/Vundo
Prevx1 V2 06.17.2007 no virus found
Sophos 4.18.0 06.12.2007 Troj/BHO-CE
Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious
Symantec 10 06.17.2007 Trojan.Metajuan
TheHacker 6.1.6.133 06.15.2007 Trojan/BHO.o
VBA32 3.12.0.2 06.15.2007 Trojan.Win32.BHO.o
VirusBuster 4.3.23:9 06.16.2007 Trojan.BHO.GR
Webwasher-Gateway 6.0.1 06.16.2007 Trojan.BHO.O.5

Aditional Information
File size: 55316 bytes
MD5: 513d3f04267402b3d313f00c992871ee
SHA1: 2991e49dc71385984442b818f5c076109ac34d7a
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.







Complete scanning result of "cfrjvrcu.exe", received in VirusTotal at 06.17.2007, 05:24:33 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Downloader.14868
AntiVir 7.4.0.32 06.16.2007 TR/Click.Small.MW
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.16.2007 Win32:Zlob-ZL
AVG 7.5.0.467 06.16.2007 Clicker.GGA
BitDefender 7.2 06.17.2007 Trojan.Clicker.Small.YB
CAT-QuickHeal 9.00 06.16.2007 TrojanClicker.Small.cf
ClamAV devel-20070416 06.16.2007 no virus found
DrWeb 4.33 06.16.2007 Trojan.Click.2485
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 Hijacker.Small.mw
FileAdvisor 1 06.17.2007 no virus found
Fortinet 2.85.0.0 06.17.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 Trojan-Clicker.Win32.Small.mw
Ikarus T3.1.1.8 06.16.2007 Trojan-Clicker.Small.YB
Kaspersky 4.0.2.24 06.17.2007 Trojan-Clicker.Win32.Small.mw
McAfee 5054 06.15.2007 Generic AdClicker.b.dll
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 no virus found
Norman 5.80.02 06.15.2007 W32/Smalltroj.BHVO
Panda 9.0.0.4 06.16.2007 Trj/Clicker.ACO
Prevx1 V2 06.17.2007 no virus found
Sophos 4.18.0 06.12.2007 Troj/Small-EJD
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.17.2007 Downloader.MisleadApp
TheHacker 6.1.6.133 06.15.2007 Trojan/Clicker.Small.mw
VBA32 3.12.0.2 06.15.2007 Trojan.Click.2480
VirusBuster 4.3.23:9 06.16.2007 Trojan.CL.Small.UCK
Webwasher-Gateway 6.0.1 06.16.2007 Trojan.Click.Small.MW

Aditional Information
File size: 14868 bytes
MD5: a05097b7f541c47c0111caaafe6af28e
SHA1: bfb18eb9cc39cb350b6e3c6447703c4df9c42752
packers: BINARYRES






Complete scanning result of "vslcoeot.exe", received in VirusTotal at 06.17.2007, 05:40:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.16.2007 TR/Agent.anr.1
Authentium 4.93.8 06.16.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.16.2007 Win32:Agent-HZS
AVG 7.5.0.467 06.16.2007 Generic4.SLZ
BitDefender 7.2 06.17.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.16.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.16.2007 Trojan.Agent-4537
DrWeb 4.33 06.16.2007 no virus found
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 Trojan.Agent.anr
FileAdvisor 1 06.17.2007 no virus found
Fortinet 2.85.0.0 06.17.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 W32/Malware!7e40
F-Secure 6.70.13030.0 06.15.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.16.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Agent.anr
McAfee 5054 06.15.2007 AllowCookie
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 Win32/Agent.ANR
Norman 5.80.02 06.15.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.16.2007 Trj/Lowzones.TP
Prevx1 V2 06.17.2007 Covert.Sys.Exec
Sophos 4.18.0 06.12.2007 Troj/SetCook-A
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.17.2007 Trojan.LowZones
TheHacker 6.1.6.133 06.15.2007 Trojan/Agent.anr
VBA32 3.12.0.2 06.15.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.16.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.16.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: aeb938e281fb01fb8494e07ddddd7f98
SHA1: 29a36d9bfd0e465d3507eab111be84d6b2d0c46e
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500



Complete scanning result of "owmoqpay.exe", received in VirusTotal at 06.17.2007, 07:11:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.16.2007 TR/Agent.anr.1
Authentium 4.93.8 06.16.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.16.2007 Win32:Agent-HZS
AVG 7.5.0.467 06.16.2007 Generic4.SLZ
BitDefender 7.2 06.17.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.16.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.16.2007 Trojan.Agent-4537
DrWeb 4.33 06.16.2007 no virus found
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 Trojan.Agent.anr
FileAdvisor 1 06.17.2007 no virus found
Fortinet 2.85.0.0 06.17.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 W32/Malware!7e40
F-Secure 6.70.13030.0 06.15.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.17.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Agent.anr
McAfee 5054 06.15.2007 AllowCookie
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 Win32/Agent.ANR
Norman 5.80.02 06.15.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.16.2007 Trj/Lowzones.TP
Prevx1 V2 06.17.2007 Covert.Sys.Exec
Sophos 4.18.0 06.12.2007 Troj/SetCook-A
Sunbelt 2.2.907.0 06.16.2007 no virus found
TheHacker 6.1.6.133 06.15.2007 Trojan/Agent.anr
VBA32 3.12.0.2 06.15.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.16.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.16.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: aeb938e281fb01fb8494e07ddddd7f98
SHA1: 29a36d9bfd0e465d3507eab111be84d6b2d0c46e
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500






Complete scanning result of "ioxklnow.exe", received in VirusTotal at 06.17.2007, 08:21:01 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.16.2007 TR/Agent.anr.1
Authentium 4.93.8 06.16.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.16.2007 Win32:Agent-HZS
AVG 7.5.0.467 06.16.2007 Generic4.SLZ
BitDefender 7.2 06.17.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.16.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.16.2007 Trojan.Agent-4537
DrWeb 4.33 06.16.2007 no virus found
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 Trojan.Agent.anr
FileAdvisor 1 06.17.2007 no virus found
Fortinet 2.85.0.0 06.17.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 W32/Malware!7e40
F-Secure 6.70.13030.0 06.15.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.17.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Agent.anr
McAfee 5054 06.15.2007 AllowCookie
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 Win32/Agent.ANR
Norman 5.80.02 06.15.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.16.2007 Trj/Lowzones.TP
Prevx1 V2 06.17.2007 Covert.Sys.Exec
Sophos 4.18.0 06.12.2007 Troj/SetCook-A
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.17.2007 Trojan.LowZones
TheHacker 6.1.6.133 06.15.2007 Trojan/Agent.anr
VBA32 3.12.0.2 06.15.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.16.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.16.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: aeb938e281fb01fb8494e07ddddd7f98
SHA1: 29a36d9bfd0e465d3507eab111be84d6b2d0c46e
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500





Complete scanning result of "needwoau.exe", received in VirusTotal at 06.17.2007, 08:26:43 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.32 06.16.2007 TR/Agent.anr.1
Authentium 4.93.8 06.16.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.16.2007 Win32:Agent-HZS
AVG 7.5.0.467 06.16.2007 Generic4.SLZ
BitDefender 7.2 06.17.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.16.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.16.2007 Trojan.Agent-4537
DrWeb 4.33 06.16.2007 no virus found
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.16.2007 Trojan.Agent.anr
FileAdvisor 1 06.17.2007 no virus found
Fortinet 2.85.0.0 06.17.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 W32/Malware!7e40
F-Secure 6.70.13030.0 06.15.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.17.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Agent.anr
McAfee 5054 06.15.2007 AllowCookie
Microsoft 1.2607 06.16.2007 no virus found
NOD32v2 2334 06.15.2007 Win32/Agent.ANR
Norman 5.80.02 06.15.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.16.2007 Trj/Lowzones.TP
Prevx1 V2 06.17.2007 Covert.Sys.Exec
Sophos 4.18.0 06.12.2007 Troj/SetCook-A
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.17.2007 Trojan.LowZones
TheHacker 6.1.6.133 06.15.2007 Trojan/Agent.anr
VBA32 3.12.0.2 06.15.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.16.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.16.2007 Trojan.Agent.anr.1

Aditional Information
File size: 2580 bytes
MD5: aeb938e281fb01fb8494e07ddddd7f98
SHA1: 29a36d9bfd0e465d3507eab111be84d6b2d0c46e
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500





C:\WINDOWS\system32\sfsync02.dll contains 0 bytes, so it threw up an error when I tried to send it. It says it was deleted by ComboFix.

Thank you for your ongoing support.
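
The VirusTotal reports above are plain text dumps, and the useful facts are easy to miss by eye: how many engines flagged each file, and that several of the random-named .exe files carry the same MD5 and are therefore one sample written under several names. The Python below is an added example, not from the thread or from VirusTotal. Its SAMPLE_REPORTS is a constructed excerpt of the reports posted here (a few engines per file; the file names and hashes are the ones shown on the page), and the parser works on the full posted reports as well.

```python
import re
from collections import defaultdict

# Constructed excerpt of the VirusTotal text reports posted in this thread
# (a subset of engines per file; hashes as shown on the page).
SAMPLE_REPORTS = """\
Complete scanning result of "ff_vfw.dll", received in VirusTotal at 06.15.2007, 09:19:05 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.15.2007 no virus found
Kaspersky 4.0.2.24 06.15.2007 no virus found
FileAdvisor 1 06.15.2007 Not analyzed yet
Webwasher-Gateway 6.0.1 06.15.2007 no virus found

Complete scanning result of "vslcoeot.exe", received in VirusTotal at 06.17.2007, 05:40:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Agent.2560.G
Authentium 4.93.8 06.16.2007 is a security risk or a "backdoor" program
DrWeb 4.33 06.16.2007 no virus found
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Agent.anr
Symantec 10 06.17.2007 Trojan.LowZones

Aditional Information
File size: 2580 bytes
MD5: aeb938e281fb01fb8494e07ddddd7f98
SHA1: 29a36d9bfd0e465d3507eab111be84d6b2d0c46e

Complete scanning result of "owmoqpay.exe", received in VirusTotal at 06.17.2007, 07:11:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 Win-Trojan/Agent.2560.G
Kaspersky 4.0.2.24 06.17.2007 Trojan.Win32.Agent.anr
Sunbelt 2.2.907.0 06.16.2007 no virus found

Aditional Information
File size: 2580 bytes
MD5: aeb938e281fb01fb8494e07ddddd7f98
SHA1: 29a36d9bfd0e465d3507eab111be84d6b2d0c46e
"""

HEADER_RE = re.compile(r'^Complete scanning result of "([^"]+)"')
# engine, version, update date (MM.DD.YYYY), then the free-text result
ENGINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d\d\.\d\d\.\d{4})\s+(.+)$')
HASH_RE = re.compile(r'^(MD5|SHA1):\s*([0-9a-fA-F]+)$')
CLEAN = {"no virus found"}
UNSCANNED = {"Not analyzed yet"}   # engine did not look, so not counted


def parse_reports(text):
    """Return {file name: {"hits": [(engine, verdict)], "scanned": n, "md5": ..., "sha1": ...}}."""
    reports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"file": m.group(1), "hits": [], "scanned": 0, "md5": None, "sha1": None}
            reports[m.group(1)] = current
            continue
        if current is None:
            continue
        m = HASH_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        m = ENGINE_RE.match(line)
        if m:
            engine, _version, _update, result = m.groups()
            if result in UNSCANNED:
                continue
            current["scanned"] += 1
            if result not in CLEAN:
                current["hits"].append((engine, result))
    return reports


def detection_ratio(report):
    """(flagging engines, engines that actually scanned the file)."""
    return len(report["hits"]), report["scanned"]


def group_by_md5(reports):
    """Files that share an MD5 are one sample under several names."""
    groups = defaultdict(list)
    for name, r in reports.items():
        if r["md5"]:
            groups[r["md5"]].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def summarize(text):
    reports = parse_reports(text)
    lines = []
    for name, r in reports.items():
        hits, total = detection_ratio(r)
        lines.append(f"{name}: {hits}/{total} engines ({'clean' if hits == 0 else 'flagged'})")
    for md5, names in group_by_md5(reports).items():
        lines.append(f"same MD5 {md5}: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORTS)))
```

Engines that report "Not analyzed yet" are left out of the denominator so a file is not made to look cleaner than it is; on the full post, the same grouping puts vslcoeot.exe, owmoqpay.exe, ioxklnow.exe and needwoau.exe under the one MD5 shown in their "Aditional Information" blocks.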

#10 SifuMike (malware expert, Staff Emeritus)

Posted 17 June 2007 - 10:28 AM

Hello hatto,

Download Pocket Killbox

http://www.atribune.org/downloads/KillBox.exe

Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next part in the code box (but not the word code):

C:\WINDOWS\system32\sfsync02.dll
C:\WINDOWS\system32\tjqmiwrx.exe
C:\WINDOWS\system32\wqnopsvn.dll
C:\WINDOWS\system32\cfrjvrcu.exe
C:\WINDOWS\system32\vslcoeot.exe
C:\WINDOWS\system32\owmoqpay.exe
C:\WINDOWS\system32\ioxklnow.exe
C:\WINDOWS\system32\needwoau.exe

Open 'file' in the killbox menu on top and choose Paste from clipboard

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.
If you don't get that message, then reboot manually.

Then run ComboFix and post the ComboFix log.

Edited by SifuMike, 17 June 2007 - 10:29 AM.


#11 hatto (Topic Starter)

Posted 17 June 2007 - 09:15 PM

ComboFix 07-06-13.3 - C:\Documents and Settings\Brendan\Desktop\antiviral\ComboFix.exe
"Brendan" - 2007-06-18 12:02:46 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


2007-06-14 16:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 12:28 <DIR> d-------- C:\Program Files\CCleaner
2007-06-05 21:20 <DIR> d-------- C:\DOCUME~1\Rama\APPLIC~1\Lavasoft
2007-06-04 23:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 10:59 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-02 10:54 <DIR> d-------- C:\DOCUME~1\Brendan\.housecall6.6
2007-05-26 18:21 92,672 --a------ C:\WINDOWS\system32\KillBox.exe
2007-05-24 19:37 <DIR> d-------- C:\Program Files\RealMedia
2007-05-24 19:37 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2007-05-24 19:37 <DIR> d-------- C:\Program Files\DScaler5
2007-05-24 19:37 <DIR> d-------- C:\Program Files\CD Audio Reader Filter
2007-05-24 19:36 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-05-24 19:36 <DIR> d-------- C:\Program Files\SHOUTcast Source
2007-05-24 19:36 <DIR> d-------- C:\Program Files\Haali
2007-05-24 19:36 <DIR> d-------- C:\Program Files\ffdshow
2007-05-24 19:36 <DIR> d-------- C:\Program Files\DS-MP3 Source
2007-05-24 19:35 <DIR> d-------- C:\Program Files\DirectVobSub
2007-05-24 19:34 <DIR> d-------- C:\Program Files\Zoom Player
2007-05-21 21:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-21 21:45 <DIR> d-------- C:\Program Files\MSBuild
2007-05-21 21:42 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-21 21:42 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-21 21:41 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-21 19:25 <DIR> d-------- C:\!Submit
2007-05-20 13:54 <DIR> d-------- C:\Program Files\GD MSN Plugin
2007-05-20 12:43 <DIR> d-------- C:\Program Files\LaceLevel2GDS
2007-05-20 12:01 <DIR> d-------- C:\Program Files\Sound Energy
2007-05-20 11:52 <DIR> d-------- C:\Program Files\otron.net
2007-05-20 11:51 <DIR> d-------- C:\Program Files\Airbear Software
2007-05-19 10:54 <DIR> d-------- C:\Program Files\DC++
2007-05-18 18:41 <DIR> d-------- C:\VundoFix Backups
2007-05-18 18:27 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-18 18:27 <DIR> d-------- C:\Program Files\Winamp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 02:09:49 -------- d-----w C:\DOCUME~1\Brendan\APPLIC~1\Azureus
2007-06-15 06:49:27 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-07 07:40:46 -------- d-----w C:\Program Files\iTunes
2007-06-07 07:40:17 -------- d-----w C:\Program Files\iPod
2007-06-07 07:38:39 -------- d-----w C:\Program Files\QuickTime
2007-06-01 12:22:47 -------- d-----w C:\Program Files\Symantec
2007-06-01 12:22:46 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-01 12:22:46 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-30 06:41:21 252 ----a-w C:\DOCUME~1\Brendan\APPLIC~1\wklnhst.dat
2007-05-27 01:50:12 -------- d-----w C:\Program Files\LimeWire
2007-05-27 01:24:36 -------- d-----w C:\Program Files\MSN Games
2007-05-24 10:27:37 -------- d-----w C:\Program Files\MediaMonkey
2007-05-20 00:07:52 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-19 23:32:26 -------- d-----w C:\Program Files\Google
2007-05-18 23:59:02 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-01 07:12:15 -------- d-----w C:\Program Files\Common Files\SWF Studio
2007-05-01 06:43:55 -------- d-----w C:\Program Files\Peter
2007-04-29 01:12:01 -------- d-----w C:\Program Files\Trippy's best
2007-04-27 06:48:30 -------- d-----w C:\DOCUME~1\Brendan\APPLIC~1\Alive Games
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 07:21:01 -------- d-----w C:\Program Files\7-Zip
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-30 07:15:02 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-03-28 08:51:54 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 08:51:52 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-22 20:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-22 20:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 10:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-18 06:32:41 1,289 ----a-w C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-03-23 22:21]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 19:33]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2007-05-23 12:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 07:05 C:\WINDOWS\system32\ftutil2.dll]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 07:15]
"nwiz"="nwiz.exe" [2006-06-21 03:06 C:\WINDOWS\system32\nwiz.exe]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 02:05]
"PCDrProfiler"="" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 15:34]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 10:40]
"DeviceDiscovery"="C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 19:56]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 11:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-03-23 22:21]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-20 09:34]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 09:56 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"TkBellExe"="C:\Program Files\RealMedia\Update_OB\realsched.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" []
"FlashMute"="C:\Program Files\FlashMute\FlashMute.exe" [2006-03-12 05:49]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 10:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Setup.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-11 09:04:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-18 00:17:02 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-08 10:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Brendan.job
2007-06-18 02:10:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{0CE98986-11D0-4B0E-8EEF-F7F50B27A50D}.job
2006-11-24 04:20:55 C:\WINDOWS\tasks\Warranty Reminder 11 month.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 12:09:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-18 12:11:30
C:\ComboFix-quarantined-files.txt ... 2007-06-18 12:11
C:\ComboFix2.txt ... 2007-06-14 17:28

--- E O F ---

#12 SifuMike (malware expert, Staff Emeritus)

Posted 17 June 2007 - 10:39 PM

Hello hatto,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Please read and follow How did I get infected?, With steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.

#13 hatto (Topic Starter)

Posted 22 June 2007 - 07:12 PM

Thank you very much for your assistance through my heinous troubles. I'll try to repay you in another life sometime.

#14 SifuMike (malware expert, Staff Emeritus)

Posted 22 June 2007 - 08:58 PM

You're very welcome. I hope your computer continues to run smoothly. :thumbsup:

#15 SifuMike (malware expert, Staff Emeritus)

Posted 29 June 2007 - 05:46 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



