Problems; Pop-ups, Programs Closing Automatically


  • This topic is locked
22 replies to this topic

#1 SchueyFan

SchueyFan

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 15 June 2007 - 11:34 PM

I have had some growing problems over the last few weeks. I think it could have something to do with something called smgr.exe.

Anyway, here is my HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 2:31:57 PM, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
R3 - URLSearchHook: (no name) - {BDD5E4C6-0B55-0EF5-23F0-0D45710A2DE3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Gadgetbar Toolbar - {ad8088d4-219c-40db-b16a-5e53261bed3d} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [{7CFAE340-0BB8-1033-1212-03030725003d}] "C:\Program Files\Common Files\{7CFAE340-0BB8-1033-1212-03030725003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\kveergxw.dll",setvm
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ruhhcngb.dll",realset
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gaihofnm] C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Application Data\s?stem\scanregw.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra 'Tools' menuitem: &Popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161483010468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161482993843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2542663-1FC3-4B45-A177-2F0BDF7F9DD1}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7FDB2A7-FE25-4B26-B04C-048C6CF6EE8D}: NameServer = 10.0.0.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Any help would be greatly appreciated.


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:49 PM

Posted 16 June 2007 - 12:55 AM

Hello,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make to your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.


Please uninstall Microsoft AntiSpyware, because this is a really outdated version. It is Windows Defender now...

Then, * Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SchueyFan

SchueyFan
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 16 June 2007 - 06:25 AM

Hello,
This is the only combofix.txt file I can find (C:\Combo Fix):
---
ComboFix 07-06-13.3 - C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\My Documents\Software\ComboFix.exe
"Edward" - 2007-06-16 20:38:11 - Service Pack 2 NTFS
---

Here is a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:23, on 2007-06-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Popup Preventer\popup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
R3 - URLSearchHook: (no name) - {BDD5E4C6-0B55-0EF5-23F0-0D45710A2DE3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Gadgetbar Toolbar - {ad8088d4-219c-40db-b16a-5e53261bed3d} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [{7CFAE340-0BB8-1033-1212-03030725003d}] "C:\Program Files\Common Files\{7CFAE340-0BB8-1033-1212-03030725003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\tlfbsugg.dll",realset
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gaihofnm] C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Application Data\s?stem\scanregw.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra 'Tools' menuitem: &Popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161483010468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161482993843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2542663-1FC3-4B45-A177-2F0BDF7F9DD1}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7FDB2A7-FE25-4B26-B04C-048C6CF6EE8D}: NameServer = 10.0.0.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
---

Also, I tried to find any trace of Microsoft AntiSpyware, but I couldn't find any - I thought I de-installed that ages ago...

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:49 PM

Posted 16 June 2007 - 06:40 AM

Hi,

Perform the next steps in the right order.

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {BDD5E4C6-0B55-0EF5-23F0-0D45710A2DE3} - (no file)
O3 - Toolbar: Gadgetbar Toolbar - {ad8088d4-219c-40db-b16a-5e53261bed3d} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [{7CFAE340-0BB8-1033-1212-03030725003d}] "C:\Program Files\Common Files\{7CFAE340-0BB8-1033-1212-03030725003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\tlfbsugg.dll",realset
O4 - HKCU\..\Run: [Gaihofnm] C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Application Data\s?stem\scanregw.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Download Deckard System Scanner to your Desktop.
  • Close all applications and windows.
  • Double-click on dds.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - main.txt
  • A folder (C:\Deckard\System Scanner) will also open which contains the main.txt and an extra.txt.
  • Copy and paste the contents of main.txt in your next reply (do not post the extra.txt - only post this when asked) together with a new HijackThis log and the contents of C:\vundofix.txt.

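As an added triage example (not a BleepingComputer, HijackThis or VundoFix tool, and not part of this thread), the script below parses the kinds of HijackThis entries the helper listed for removal and flags the patterns that made them stand out: rundll32 loading a randomly named DLL from system32, a bare filename such as smgr.exe with no path, an executable sitting directly in C:\WINDOWS\, a path containing a character HijackThis could not render (the "s?stem" folder), orphaned "(no file)" entries, about:blank search settings and the O6 restrictions policy. The sample log lines are copied from the logs posted above; the heuristics and all function names are my own assumptions and produce a shortlist for a human reviewer, not a verdict.

```python
"""Triage helper for HijackThis logs: flag the entry patterns seen in this thread.

Added example, not a BleepingComputer or HijackThis tool. The heuristics are
deliberately narrow (the Vundo-style entries from this thread) and are a triage
aid, not a verdict.
"""
import re

# Constructed sample: entries copied from the HijackThis logs posted above, plus
# three known-good entries (ccApp, NVIEW, ctfmon.exe) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {BDD5E4C6-0B55-0EF5-23F0-0D45710A2DE3} - (no file)
O3 - Toolbar: Gadgetbar Toolbar - {ad8088d4-219c-40db-b16a-5e53261bed3d} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\kveergxw.dll",setvm
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ruhhcngb.dll",realset
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Gaihofnm] C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Application Data\s?stem\scanregw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r'^[a-z]{7,8}\.dll$')   # kveergxw.dll, ruhhcngb.dll, tlfbsugg.dll
WINROOT_EXE_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.IGNORECASE)


def first_token(command):
    """Return the executable part of a Run value ("quoted path" or first word)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def basename(path):
    return path.rsplit('\\', 1)[-1]


def check_o4(command):
    """Reasons an O4 Run entry looks like the ones the helper asked to remove."""
    reasons = []
    # 1. HijackThis prints '?' for characters it cannot render; "s?stem" under
    #    Application Data is a lookalike of the real "system" folder.
    if '?' in command or any(ord(c) > 126 for c in command):
        reasons.append('unprintable/lookalike character in path')
    # 2. rundll32 loading a DLL with a random 7-8 letter name out of system32
    #    (the Vundo pattern; the DLL name changed between the two logs above).
    m = RUNDLL_RE.match(command.strip())
    if m and RANDOM_DLL_RE.match(basename(m.group(1)).lower()):
        reasons.append('rundll32 loads randomly named DLL %s' % basename(m.group(1)))
    exe = first_token(command)
    # 3. A bare filename is resolved through the search path: the log cannot
    #    tell you which smgr.exe on disk actually runs.
    if '\\' not in exe and exe.lower() != 'rundll32.exe':
        reasons.append('bare filename, location unknown')
    # 4. Executables dropped directly into C:\WINDOWS\ rather than system32 or
    #    Program Files (avp.exe here); legitimate products rarely install there.
    if WINROOT_EXE_RE.match(exe):
        reasons.append('executable directly in Windows root')
    return reasons


def flag_entries(log_text):
    """Return [(entry name or key, [reasons])] for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            reasons = check_o4(command)
            if reasons:
                findings.append((name, reasons))
            continue
        if line.endswith('(no file)'):
            key = line.split(' - ')[1] if ' - ' in line else line
            findings.append((key, ['orphaned entry, target file missing']))
        elif line.startswith(('R0', 'R1')) and line.endswith('= about:blank'):
            key = line.split(',')[1].split(' =')[0]
            findings.append((key, ['search/start page reset to about:blank']))
        elif line.startswith('O6') and line.endswith('present'):
            findings.append(('IE Restrictions policy',
                             ['Internet Explorer restrictions policy present']))
    return findings


if __name__ == '__main__':
    for name, reasons in flag_entries(SAMPLE_LOG):
        print('%-28s %s' % (name, '; '.join(reasons)))
```

Running the block prints the nine entries from the sample that match, with the reason for each, and stays silent on ccApp, NVIEW and ctfmon.exe.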

#5 SchueyFan

SchueyFan
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 16 June 2007 - 09:30 PM

OK, done:

VundoFix:
---

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:05:03 PM 23/07/2006

Listing files found while scanning....

C:\windows\system32\byxxwvs.dll
C:\windows\system32\cbxuvtt.dll
C:\windows\system32\cbxvsrs.dll
C:\windows\system32\ddcbyww.dll
C:\windows\system32\ddcddef.dll
C:\windows\system32\efcbaba.dll
C:\windows\system32\efcbcbc.dll
C:\windows\system32\fccbbyx.dll
C:\windows\system32\hggggda.dll
C:\windows\system32\iifcbba.dll
C:\windows\system32\jkkhggh.dll
C:\windows\system32\jkkijif.dll
C:\windows\system32\ljjkjji.dll
C:\windows\system32\mljhhif.dll
C:\windows\system32\mljihfc.dll
C:\windows\system32\nnnmnkj.dll
C:\windows\system32\qomnopn.dll
C:\windows\system32\rqrqnkk.dll
C:\windows\system32\ssqqnll.dll
C:\windows\system32\tuvvutt.dll
C:\windows\system32\urqolif.dll
C:\windows\system32\urqrsrp.dll
C:\windows\system32\vturppq.dll
C:\windows\system32\yayvvuu.dll
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\byxxwvs.dll
C:\windows\system32\byxxwvs.dll Has been deleted!

Attempting to delete C:\windows\system32\cbxuvtt.dll
C:\windows\system32\cbxuvtt.dll Has been deleted!

Attempting to delete C:\windows\system32\cbxvsrs.dll
C:\windows\system32\cbxvsrs.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcbyww.dll
C:\windows\system32\ddcbyww.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcddef.dll
C:\windows\system32\ddcddef.dll Has been deleted!

Attempting to delete C:\windows\system32\efcbaba.dll
C:\windows\system32\efcbaba.dll Has been deleted!

Attempting to delete C:\windows\system32\efcbcbc.dll
C:\windows\system32\efcbcbc.dll Has been deleted!

Attempting to delete C:\windows\system32\fccbbyx.dll
C:\windows\system32\fccbbyx.dll Could not be deleted.

Attempting to delete C:\windows\system32\hggggda.dll
C:\windows\system32\hggggda.dll Has been deleted!

Attempting to delete C:\windows\system32\iifcbba.dll
C:\windows\system32\iifcbba.dll Has been deleted!

Attempting to delete C:\windows\system32\jkkhggh.dll
C:\windows\system32\jkkhggh.dll Has been deleted!

Attempting to delete C:\windows\system32\jkkijif.dll
C:\windows\system32\jkkijif.dll Has been deleted!

Attempting to delete C:\windows\system32\ljjkjji.dll
C:\windows\system32\ljjkjji.dll Has been deleted!

Attempting to delete C:\windows\system32\mljhhif.dll
C:\windows\system32\mljhhif.dll Has been deleted!

Attempting to delete C:\windows\system32\mljihfc.dll
C:\windows\system32\mljihfc.dll Has been deleted!

Attempting to delete C:\windows\system32\nnnmnkj.dll
C:\windows\system32\nnnmnkj.dll Has been deleted!

Attempting to delete C:\windows\system32\qomnopn.dll
C:\windows\system32\qomnopn.dll Has been deleted!

Attempting to delete C:\windows\system32\rqrqnkk.dll
C:\windows\system32\rqrqnkk.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqqnll.dll
C:\windows\system32\ssqqnll.dll Has been deleted!

Attempting to delete C:\windows\system32\tuvvutt.dll
C:\windows\system32\tuvvutt.dll Has been deleted!

Attempting to delete C:\windows\system32\urqolif.dll
C:\windows\system32\urqolif.dll Has been deleted!

Attempting to delete C:\windows\system32\urqrsrp.dll
C:\windows\system32\urqrsrp.dll Has been deleted!

Attempting to delete C:\windows\system32\vturppq.dll
C:\windows\system32\vturppq.dll Has been deleted!

Attempting to delete C:\windows\system32\yayvvuu.dll
C:\windows\system32\yayvvuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:20:04 PM 23/07/2006

Listing files found while scanning....

C:\windows\system32\fccbbyx.dll
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\fccbbyx.dll
C:\windows\system32\fccbbyx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Scan started at 9:41:02 PM 23/07/2006

Listing files found while scanning....

C:\WINDOWS\system32\Drivers\DP.sys

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Scan started at 10:03:19 AM 19/11/2006

Listing files found while scanning....


VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 5:47:03 PM 16/12/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.4

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 10:23:19 PM 16/06/2007

Listing files found while scanning....

No infected files were found.

---

DSS;
---
Deckard's System Scanner v20070611.50
Run by Edward on 2007-06-17 at 12:22:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
63: 2007-06-17 02:22:45 UTC - RP622 - Deckard's System Scanner Restore Point
62: 2007-06-16 10:38:04 UTC - RP621 - Windows Defender Checkpoint
61: 2007-06-16 03:10:54 UTC - RP620 - Windows Defender Checkpoint
60: 2007-06-15 11:52:47 UTC - RP619 - Installed Sygate Personal Firewall
59: 2007-06-15 08:34:12 UTC - RP618 - Windows Defender Checkpoint


-- First Restore Point --
1: 2007-05-12 12:24:51 UTC - RP560 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Edward.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:24:17 PM, on 17/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Popup Preventer\popup.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Desktop\dss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HIJACK~1\Edward.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - (no file)
O2 - BHO: (no name) - {05A57232-D46A-4CDB-90C2-AE4765A77617} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\awtuspo.dll
O2 - BHO: (no name) - {36C0DB12-6184-3B20-A548-66E33B94FEE1} - (no file)
O2 - BHO: (no name) - {3F0E769D-CC1B-4180-86F9-0B269296F141} - (no file)
O2 - BHO: (no name) - {4E8D4748-7B0E-4EBA-9494-9A045113935B} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\vwcldbqb.dll
O2 - BHO: (no name) - {5ED6E46C-EE12-43FD-943E-19FA700E1A6D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {98112280-03AE-4E81-B7D2-35EBD60592FB} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B42C3D6E-DEF8-8D09-D10F-82ADDF9329B1} - C:\WINDOWS\system32\frnp.dll
O2 - BHO: (no name) - {BA585145-E9DD-E67B-F79D-EBFBFA6475E3} - (no file)
O2 - BHO: (no name) - {D7497EE8-B62E-4A78-8F77-A67FA7BD281F} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra 'Tools' menuitem: &Popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161483010468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161482993843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2542663-1FC3-4B45-A177-2F0BDF7F9DD1}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7FDB2A7-FE25-4B26-B04C-048C6CF6EE8D}: NameServer = 10.0.0.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtuspo - C:\WINDOWS\SYSTEM32\awtuspo.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfeccd - C:\WINDOWS\
O20 - Winlogon Notify: ssqpolm - C:\WINDOWS\
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070617-122215-122 O3 - Toolbar: Gadgetbar Toolbar - {ad8088d4-219c-40db-b16a-5e53261bed3d} - (no file)
backup-20070617-122215-337 O4 - HKCU\..\Run: [Gaihofnm] C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Application Data\s?stem\scanregw.exe
backup-20070617-122215-536 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20070617-122215-726 R3 - URLSearchHook: (no name) - {BDD5E4C6-0B55-0EF5-23F0-0D45710A2DE3} - (no file)
backup-20070617-122215-936 O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
backup-20070617-122215-947 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-06-17 12:14:23 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-05-25 03:23:00 452 --a------ C:\WINDOWS\Tasks\WebReg 20060926032352.job
2007-05-22 18:32:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-04-21 03:00:00 364 --a------ C:\WINDOWS\Tasks\XoftSpySE.job
2006-11-26 19:31:00 272 --a------ C:\WINDOWS\Tasks\Easy Internet Sign-up.job
2006-09-28 23:22:40 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2005-07-16 12:02:00 410 --ah----- C:\WINDOWS\Tasks\{A273CEA5-7A92-4670-8EB9-F5C5BD9ECEE4}_YOUR-7U2NFIGQ42_Edward.job


-- Files created between 2007-05-17 and 2007-06-17 -----------------------------

2007-06-16 21:48:14 129132 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-16 21:43:12 56832 --a------ C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
2007-06-16 21:05:16 124436 --a------ C:\WINDOWS\system32\tlfbsugg.dll
2007-06-16 20:51:35 0 --a------ C:\WINDOWS\system32\sfsync03.dll
2007-06-16 20:51:34 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-06-16 20:39:27 93696 --a------ C:\WINDOWS\system32\drvgug.dll
2007-06-16 20:17:31 125972 --a------ C:\WINDOWS\system32\oowafbqm.dll
2007-06-15 21:53:33 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-06-15 21:53:27 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-06-15 21:52:55 0 d-------- C:\Program Files\Sygate
2007-06-15 21:51:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-15 20:09:22 0 d-------- C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\.housecall6.6
2007-06-14 22:50:03 62516 --a------ C:\WINDOWS\system32\vwcldbqb.dll
2007-06-14 22:13:37 62516 --a------ C:\WINDOWS\system32\islkixfc.dll
2007-06-14 21:42:07 62516 --a------ C:\WINDOWS\system32\vuunlbtk.dll
2007-06-14 21:41:54 93696 --a------ C:\WINDOWS\system32\drvjuw.dll
2007-06-14 19:14:59 62516 --a------ C:\WINDOWS\system32\vxamajfs.dll
2007-06-11 13:27:40 897720 ---hs---- C:\WINDOWS\system32\prqss.ini2
2007-06-08 01:00:58 28160 --a------ C:\WINDOWS\system32\sysmon32.exe <Not Verified; NoName Corp.; NNC module>
2007-06-07 22:49:50 0 d-------- C:\Program Files\lo2k Tools
2007-06-07 21:24:08 55316 --a------ C:\WINDOWS\system32\xwgfkowo.dll
2007-06-07 21:00:52 60928 --a------ C:\WINDOWS\system32\frnp.dll
2007-06-06 06:24:16 10752 --a------ C:\WINDOWS\system32\j9201033.dll
2007-06-06 06:24:14 14868 --a------ C:\WINDOWS\system32\aluavxwy.exe
2007-05-28 10:16:34 28160 --a------ C:\WINDOWS\system32\winsys64.exe <Not Verified; NoName Corp.; NNC module>
2007-05-25 23:14:23 98304 --a------ C:\WINDOWS\system32CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-05-25 00:43:51 0 d-a------ C:\TexResizer User Guide_files
2007-05-23 21:02:18 10240 --a------ C:\WINDOWS\system32\klikalka.exe <Not Verified; NoName Corp.; NNC module>
2007-05-17 17:35:30 3837952 --a------ C:\Documents and Settings\Lizzy.YOUR-7U2NFIGQ42.000\ntuser.dat
2007-05-17 17:35:29 4194304 --a------ C:\Documents and Settings\Helen.YOUR-7U2NFIGQ42.000\ntuser.dat
2007-05-17 16:46:20 40183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe


-- Find3M Report ---------------------------------------------------------------

2007-06-16 15:18:58 0 d-------- C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Application Data\AdobeUM
2007-06-15 22:40:27 0 d-------- C:\Program Files\GTR2
2007-06-09 19:05:05 402976 --ah----- C:\viewport.dll <Not Verified; Pegasus Software, LLC.; >
2007-06-08 18:55:33 0 d-------- C:\Program Files\Java
2007-06-04 01:15:00 0 d-------- C:\Program Files\ZaZ Gp4 Tools
2007-05-30 23:28:02 0 d-------- C:\Program Files\iTunes
2007-05-30 23:27:42 0 d-------- C:\Program Files\iPod
2007-05-30 23:21:57 0 d-------- C:\Program Files\QuickTime
2007-05-30 22:43:32 0 d-------- C:\Program Files\Apple Software Update
2007-05-27 09:49:05 2 --a------ C:\WINDOWS\system32\wnscpiit32.exe
2007-05-18 23:36:18 0 d-------- C:\Program Files\GIMP-2.0
2007-05-18 17:25:33 0 d-------- C:\Program Files\TrackMania
2007-05-14 20:31:12 262708 -----n--- C:\WINDOWS\system32\ssqrp.dll
2007-05-14 15:59:56 680220 ---hs---- C:\WINDOWS\system32\qtutv.bak1
2007-05-14 15:59:23 680819 ---hs---- C:\WINDOWS\system32\qtutv.bak2
2007-05-13 20:21:01 680041 ---hs---- C:\WINDOWS\system32\hhkmp.ini2
2007-05-13 19:25:01 676355 ---hs---- C:\WINDOWS\system32\hhkmp.bak1
2007-05-13 19:24:48 677192 ---hs---- C:\WINDOWS\system32\hhkmp.bak2
2007-05-13 15:23:21 0 d-------- C:\Program Files\Infogrames
2007-05-12 19:57:11 0 d-------- C:\Program Files\Xvid
2007-05-12 19:57:10 0 d-------- C:\Program Files\DivX
2007-05-12 19:57:08 0 d-------- C:\Program Files\F1Career
2007-05-12 19:30:20 0 d-------- C:\Program Files\Paint.NET
2007-04-26 23:09:28 63488 --a------ C:\WINDOWS\system32\vawthdg.dll
2007-04-26 23:09:28 86528 --a------ C:\WINDOWS\system32\ouuyyvf.dll
2007-04-17 22:43:01 0 d-------- C:\Program Files\Google
2007-04-17 01:19:23 0 d-------- C:\Program Files\Common Files\xing shared
2007-04-17 01:19:00 0 d-------- C:\Program Files\Common Files\Real
2007-04-17 01:04:45 0 d-------- C:\Program Files\Picasa2
2007-03-28 18:35:43 489253 ---hs---- C:\WINDOWS\system32\yybeg.ini2
2007-03-28 17:56:38 620791 ---hs---- C:\WINDOWS\system32\yybeg.bak2
2007-03-27 20:40:02 26730 -----n--- C:\WINDOWS\system32\awtuspo.dll
2007-03-24 18:45:08 7160678 --a------ C:\WINDOWS\system32\AUSTRALIAN GP 2007.scr
2007-03-23 22:06:19 470665 ---hs---- C:\WINDOWS\system32\yybeg.bak1
2007-03-19 23:50:42 81408 --a------ C:\WINDOWS\system32\qhkfneh.dll


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
{05A57232-D46A-4CDB-90C2-AE4765A77617} C:\WINDOWS\system32\ssqrp.dll
{182B90A3-F372-438A-800C-6814B4DE417B} C:\WINDOWS\system32\awtuspo.dll
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} C:\WINDOWS\system32\vwcldbqb.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{B42C3D6E-DEF8-8D09-D10F-82ADDF9329B1} C:\WINDOWS\system32\frnp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"_SetRes"="c:\\hp\\bin\\cloaker c:\\hp\\bin\\res.bat"
"IcoSet"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\IcoSet\\adjust.bat seticon"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"regcmdcons"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\cmdcons.cmd"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"szarkrmf.exe"="C:\\Documents and Settings\\All Users\\Application Data\\szarkrmf.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"Fraps"="C:\\FRAPS\\FRAPS.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Start WingMan Profiler"="\"C:\\Program Files\\Logitech\\Profiler\\lwemon.exe\" /noui"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{182B90A3-F372-438A-800C-6814B4DE417B}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuspo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfeccd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpolm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480


-- End of Deckard's System Scanner: finished at 2007-06-17 at 12:25:40 ---------

---

HijackThis;
---
Logfile of HijackThis v1.99.1
Scan saved at 12:27:06 PM, on 17/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Popup Preventer\popup.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra 'Tools' menuitem: &Popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161483010468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161482993843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2542663-1FC3-4B45-A177-2F0BDF7F9DD1}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7FDB2A7-FE25-4B26-B04C-048C6CF6EE8D}: NameServer = 10.0.0.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#6 miekiemoes

miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 16 June 2007 - 11:15 PM

Hello,

What a mess. Is your Norton up to date? Because I am a bit surprised it didn't flag/delete a lot of malware-related files...

Let's use Vundofix for the stubborn files and another tool for the other files.
We're going to delete the starforce protection as well, since it's not needed.
It's really important you follow my instructions in the right order...!

Also, the Vundofix instructions are a bit modified, so make sure you read and perform them properly...
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, right-click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\system32\ssqrp.dll
  • Copy and paste next in the second field: C:\WINDOWS\system32\awtuspo.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste the following list into that window:

    c:\windows\system32\drivers\sfdrv01.sys
    c:\windows\system32\drivers\sfhlp02.sys
    c:\windows\system32\drivers\sfvfs02.sys
    C:\WINDOWS\system32\scchk32.exe
    C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
    C:\WINDOWS\system32\tlfbsugg.dll
    C:\WINDOWS\system32\sfsync03.dll
    C:\WINDOWS\system32\sfsync02.dll
    C:\WINDOWS\system32\drvgug.dll
    C:\WINDOWS\system32\oowafbqm.dll
    C:\WINDOWS\system32\vwcldbqb.dll
    C:\WINDOWS\system32\islkixfc.dll
    C:\WINDOWS\system32\vuunlbtk.dll
    C:\WINDOWS\system32\drvjuw.dll
    C:\WINDOWS\system32\vxamajfs.dll
    C:\WINDOWS\system32\prqss.ini2
    C:\WINDOWS\system32\sysmon32.exe
    C:\WINDOWS\system32\xwgfkowo.dll
    C:\WINDOWS\system32\frnp.dll
    C:\WINDOWS\system32\j9201033.dll
    C:\WINDOWS\system32\aluavxwy.exe
    C:\WINDOWS\system32\winsys64.exe
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    C:\WINDOWS\system32\wnscpiit32.exe
    C:\WINDOWS\system32\qtutv.bak1
    C:\WINDOWS\system32\qtutv.bak2
    C:\WINDOWS\system32\hhkmp.ini2
    C:\WINDOWS\system32\hhkmp.bak1
    C:\WINDOWS\system32\hhkmp.bak2
    C:\WINDOWS\system32\vawthdg.dll
    C:\WINDOWS\system32\ouuyyvf.dll
    C:\WINDOWS\system32\yybeg.ini2
    C:\WINDOWS\system32\yybeg.bak2
    C:\WINDOWS\system32\yybeg.bak1
    C:\WINDOWS\system32\qhkfneh.dll
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\awtuspo.dll
    C:\WINDOWS\system32\vwcldbqb.dll
    C:\WINDOWS\system32\frnp.dll



  • Then click the red Moveit! button below.
  • Close OTMoveIt
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. It will then reboot your computer.
Even if OTMoveIt didn't ask to reboot your computer, reboot anyway, since moved files may still be in use.

Then, after reboot,

Go to Start > Run and copy and paste each of the following commands into the field, pressing Enter after each one:

sc delete sfdrv01

sc delete sfhlp02

sc delete sfvfs02

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - (no file)
O2 - BHO: (no name) - {05A57232-D46A-4CDB-90C2-AE4765A77617} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\awtuspo.dll
O2 - BHO: (no name) - {36C0DB12-6184-3B20-A548-66E33B94FEE1} - (no file)
O2 - BHO: (no name) - {3F0E769D-CC1B-4180-86F9-0B269296F141} - (no file)
O2 - BHO: (no name) - {4E8D4748-7B0E-4EBA-9494-9A045113935B} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\vwcldbqb.dll
O2 - BHO: (no name) - {5ED6E46C-EE12-43FD-943E-19FA700E1A6D} - (no file)
O2 - BHO: (no name) - {98112280-03AE-4E81-B7D2-35EBD60592FB} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B42C3D6E-DEF8-8D09-D10F-82ADDF9329B1} - C:\WINDOWS\system32\frnp.dll
O2 - BHO: (no name) - {BA585145-E9DD-E67B-F79D-EBFBFA6475E3} - (no file)
O2 - BHO: (no name) - {D7497EE8-B62E-4A78-8F77-A67FA7BD281F} - (no file)
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O20 - Winlogon Notify: awtuspo - C:\WINDOWS\SYSTEM32\awtuspo.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfeccd - C:\WINDOWS\
O20 - Winlogon Notify: ssqpolm - C:\WINDOWS\
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{182B90A3-F372-438A-800C-6814B4DE417B}"=-

Save this as fix.reg, choosing to save as type *All Files, and place it on your desktop.
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Rescan with Deckard's System scanner and post the log in your next reply together with the new log from Vundofix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
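The removal list in the post above was assembled by reading the HijackThis O2/O4/O20 entries by hand, and the DSS log posted later in this thread shows the same dropper still at work (several 124436-byte DLLs with random names created minutes apart in system32). The script below is an added example for this thread, not code from HijackThis, DSS, VundoFix or OTMoveIt: it applies the same triage rules mechanically to a few lines copied from the logs in this thread (constructed sample input), flags the entries the helper singled out, and groups the DSS "Files created" lines by size to surface repeated same-size drops. The Winlogon Notify allowlist is an assumption, and every rule flags an entry for review rather than declaring it malicious.

```python
"""Triage helper for HijackThis and DSS log lines (added example, not a thread tool)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: HijackThis lines copied from the logs in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\awtuspo.dll
O2 - BHO: (no name) - {36C0DB12-6184-3B20-A548-66E33B94FEE1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\saxknvso.dll",realset
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
"""

# Constructed sample: DSS "Files created" lines copied from the log in this thread.
DSS_SAMPLE = r"""
2007-06-19 01:33:17 124436 --a------ C:\WINDOWS\system32\saxknvso.dll
2007-06-19 01:32:41 76412 --a------ C:\WINDOWS\system32\ybltvage.dll
2007-06-19 01:29:55 124436 --a------ C:\WINDOWS\system32\vdetkgxc.dll
2007-06-19 01:27:07 124436 --a------ C:\WINDOWS\system32\oouqholx.dll
2007-06-19 01:22:40 124436 -----n--- C:\WINDOWS\system32\scaalcmf.dll
2007-06-19 01:19:09 892411 ---hs---- C:\WINDOWS\system32\prqss.ini2
2007-06-17 12:48:42 0 d-------- C:\WINDOWS\system32\mevqvvvb
2007-06-15 21:53:33 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
"""

# Assumption: Winlogon Notify DLLs expected on an XP box of this era. Vundo registers
# its random-named DLLs here, so anything not on this list gets reviewed.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "wlnotify.dll", "crypt32.dll", "cscdll.dll",
                     "sclgntfy.dll", "wgalogon.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
DSS_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
                    r"(?P<attr>\S+) (?P<path>.*?)(?: <(?P<verify>[^>]*)>)?$")


def triage_hjt(log_text):
    """Return (reason, line) pairs for HijackThis entries that deserve a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if (m := O2_RE.match(line)):
            if m["path"] == "(no file)":
                findings.append(("orphaned BHO registration (no file)", line))
            elif m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
                # Legitimate BHOs carry a name; Vundo's do not and live in system32.
                findings.append(("unnamed BHO loading from system32", line))
        elif (m := O4_RE.match(line)):
            cmd = m["cmd"].lower()
            if "\\all users\\application data\\" in cmd:
                findings.append(("Run entry launching from All Users\\Application Data", line))
            elif cmd.startswith("rundll32") and "\\system32\\" in cmd:
                findings.append(("Run entry loading a system32 DLL via rundll32", line))
        elif (m := O20_RE.match(line)):
            path = m["path"]
            base = path.rstrip("\\").rsplit("\\", 1)[-1].lower()
            if "(file missing)" in path or path.endswith("\\"):
                findings.append(("Winlogon Notify entry with no backing DLL", line))
            elif base not in KNOWN_NOTIFY_DLLS:
                findings.append(("Winlogon Notify DLL not on the allowlist", line))
    return findings


def repeated_drops(dss_text, min_count=3):
    """Group DSS 'Files created' entries by byte size and return, for every size seen
    at least min_count times, the (timestamp, path) list sorted by time. A burst of
    same-size, random-named files is the signature of a dropper re-creating its payload."""
    by_size = defaultdict(list)
    for line in (l.strip() for l in dss_text.splitlines()):
        m = DSS_RE.match(line)
        if not m or m["attr"].startswith("d"):      # skip directories
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        by_size[int(m["size"])].append((ts, m["path"]))
    return {size: sorted(entries) for size, entries in by_size.items()
            if len(entries) >= min_count}


if __name__ == "__main__":
    for reason, line in triage_hjt(HJT_SAMPLE):
        print(f"[{reason}] {line}")
    for size, entries in repeated_drops(DSS_SAMPLE).items():
        span = (entries[-1][0] - entries[0][0]).total_seconds()
        print(f"{len(entries)} files of {size} bytes created within {span:.0f} s:")
        for ts, path in entries:
            print(f"  {ts:%H:%M:%S}  {path}")
```

Run against the full logs, the first function reproduces most of the HijackThis fix list in the post above, and the second reports four 124436-byte DLLs created within about ten minutes of the DSS run, which is why the helper asks for fresh logs after every step rather than trusting one clean VundoFix pass.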

#7 SchueyFan

SchueyFan
  • Topic Starter
  • Members
  • 18 posts

Posted 17 June 2007 - 12:41 AM

Hello,

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


VundoFix was meant to start at reboot, but didn't show up - what should I do?

Yes, my Norton is a few years out of date - is it worth buying a new one?

#8 miekiemoes

miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 17 June 2007 - 06:34 AM

Hi,

yes, my Norton is a few years out of date - is it worth buying a new one?

Why are you keeping an antivirus which has been outdated for a couple of years? It won't protect you at all. You should have replaced it with a free alternative. Look in my signature below under Antivirus for the ones I recommend. For example, Avira is a free antivirus which is great in detection.

Anyway, if Vundofix didn't restart at reboot, just proceed with my next instructions. We'll see afterwards what's still present or not...

#9 SchueyFan

SchueyFan
  • Topic Starter
  • Members
  • 18 posts

Posted 18 June 2007 - 10:40 AM

OK, here are the files...

Vundo Fix
---
VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:05:03 PM 23/07/2006

Listing files found while scanning....

C:\windows\system32\byxxwvs.dll
C:\windows\system32\cbxuvtt.dll
C:\windows\system32\cbxvsrs.dll
C:\windows\system32\ddcbyww.dll
C:\windows\system32\ddcddef.dll
C:\windows\system32\efcbaba.dll
C:\windows\system32\efcbcbc.dll
C:\windows\system32\fccbbyx.dll
C:\windows\system32\hggggda.dll
C:\windows\system32\iifcbba.dll
C:\windows\system32\jkkhggh.dll
C:\windows\system32\jkkijif.dll
C:\windows\system32\ljjkjji.dll
C:\windows\system32\mljhhif.dll
C:\windows\system32\mljihfc.dll
C:\windows\system32\nnnmnkj.dll
C:\windows\system32\qomnopn.dll
C:\windows\system32\rqrqnkk.dll
C:\windows\system32\ssqqnll.dll
C:\windows\system32\tuvvutt.dll
C:\windows\system32\urqolif.dll
C:\windows\system32\urqrsrp.dll
C:\windows\system32\vturppq.dll
C:\windows\system32\yayvvuu.dll
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\byxxwvs.dll
C:\windows\system32\byxxwvs.dll Has been deleted!

Attempting to delete C:\windows\system32\cbxuvtt.dll
C:\windows\system32\cbxuvtt.dll Has been deleted!

Attempting to delete C:\windows\system32\cbxvsrs.dll
C:\windows\system32\cbxvsrs.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcbyww.dll
C:\windows\system32\ddcbyww.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcddef.dll
C:\windows\system32\ddcddef.dll Has been deleted!

Attempting to delete C:\windows\system32\efcbaba.dll
C:\windows\system32\efcbaba.dll Has been deleted!

Attempting to delete C:\windows\system32\efcbcbc.dll
C:\windows\system32\efcbcbc.dll Has been deleted!

Attempting to delete C:\windows\system32\fccbbyx.dll
C:\windows\system32\fccbbyx.dll Could not be deleted.

Attempting to delete C:\windows\system32\hggggda.dll
C:\windows\system32\hggggda.dll Has been deleted!

Attempting to delete C:\windows\system32\iifcbba.dll
C:\windows\system32\iifcbba.dll Has been deleted!

Attempting to delete C:\windows\system32\jkkhggh.dll
C:\windows\system32\jkkhggh.dll Has been deleted!

Attempting to delete C:\windows\system32\jkkijif.dll
C:\windows\system32\jkkijif.dll Has been deleted!

Attempting to delete C:\windows\system32\ljjkjji.dll
C:\windows\system32\ljjkjji.dll Has been deleted!

Attempting to delete C:\windows\system32\mljhhif.dll
C:\windows\system32\mljhhif.dll Has been deleted!

Attempting to delete C:\windows\system32\mljihfc.dll
C:\windows\system32\mljihfc.dll Has been deleted!

Attempting to delete C:\windows\system32\nnnmnkj.dll
C:\windows\system32\nnnmnkj.dll Has been deleted!

Attempting to delete C:\windows\system32\qomnopn.dll
C:\windows\system32\qomnopn.dll Has been deleted!

Attempting to delete C:\windows\system32\rqrqnkk.dll
C:\windows\system32\rqrqnkk.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqqnll.dll
C:\windows\system32\ssqqnll.dll Has been deleted!

Attempting to delete C:\windows\system32\tuvvutt.dll
C:\windows\system32\tuvvutt.dll Has been deleted!

Attempting to delete C:\windows\system32\urqolif.dll
C:\windows\system32\urqolif.dll Has been deleted!

Attempting to delete C:\windows\system32\urqrsrp.dll
C:\windows\system32\urqrsrp.dll Has been deleted!

Attempting to delete C:\windows\system32\vturppq.dll
C:\windows\system32\vturppq.dll Has been deleted!

Attempting to delete C:\windows\system32\yayvvuu.dll
C:\windows\system32\yayvvuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:20:04 PM 23/07/2006

Listing files found while scanning....

C:\windows\system32\fccbbyx.dll
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\fccbbyx.dll
C:\windows\system32\fccbbyx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Scan started at 9:41:02 PM 23/07/2006

Listing files found while scanning....

C:\WINDOWS\system32\Drivers\DP.sys

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Scan started at 10:03:19 AM 19/11/2006

Listing files found while scanning....


VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 5:47:03 PM 16/12/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.4

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 10:23:19 PM 16/06/2007

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.4

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 2:57:38 PM 17/06/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process winlogon.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\awtuspo.dll
C:\WINDOWS\system32\awtuspo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\awtuspo.dll
C:\WINDOWS\system32\awtuspo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

The process smss.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process winlogon.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\awtuspo.dll
C:\WINDOWS\system32\awtuspo.dll Could not be deleted.

Performing Repairs to the registry.
Done!
---

DSS
---
Deckard's System Scanner v20070611.50
Run by Edward on 2007-06-19 at 01:33:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Edward.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:33:42 AM, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Virus Checking-Removal\dss.exe
C:\PROGRA~1\HIJACK~1\Edward.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {036671E1-826E-4A07-8FC4-CC72F271E0E3} - C:\WINDOWS\system32\oowafbqm.dll (file missing)
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - (no file)
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\awtuspo.dll
O2 - BHO: (no name) - {36C0DB12-6184-3B20-A548-66E33B94FEE1} - (no file)
O2 - BHO: (no name) - {37BB46A5-5770-4C18-A98D-DF6A60C56741} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: (no name) - {3F0E769D-CC1B-4180-86F9-0B269296F141} - (no file)
O2 - BHO: (no name) - {4E8D4748-7B0E-4EBA-9494-9A045113935B} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\vwcldbqb.dll (file missing)
O2 - BHO: (no name) - {5ED6E46C-EE12-43FD-943E-19FA700E1A6D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {98112280-03AE-4E81-B7D2-35EBD60592FB} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B42C3D6E-DEF8-8D09-D10F-82ADDF9329B1} - (no file)
O2 - BHO: (no name) - {BA585145-E9DD-E67B-F79D-EBFBFA6475E3} - (no file)
O2 - BHO: (no name) - {D7497EE8-B62E-4A78-8F77-A67FA7BD281F} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\saxknvso.dll",realset
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra 'Tools' menuitem: &Popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161483010468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161482993843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2542663-1FC3-4B45-A177-2F0BDF7F9DD1}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7FDB2A7-FE25-4B26-B04C-048C6CF6EE8D}: NameServer = 10.0.0.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtuspo - C:\WINDOWS\SYSTEM32\awtuspo.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfeccd - C:\WINDOWS\
O20 - Winlogon Notify: ssqpolm - C:\WINDOWS\
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


-- Files created between 2007-05-19 and 2007-06-19 -----------------------------

2007-06-19 01:33:17 124436 --a------ C:\WINDOWS\system32\saxknvso.dll
2007-06-19 01:32:41 76412 --a------ C:\WINDOWS\system32\ybltvage.dll
2007-06-19 01:29:55 124436 --a------ C:\WINDOWS\system32\vdetkgxc.dll
2007-06-19 01:27:07 124436 --a------ C:\WINDOWS\system32\oouqholx.dll
2007-06-19 01:22:40 124436 -----n--- C:\WINDOWS\system32\scaalcmf.dll
2007-06-19 01:19:09 892411 ---hs---- C:\WINDOWS\system32\prqss.ini2
2007-06-19 01:05:36 124436 -----n--- C:\WINDOWS\system32\fpnlxkjp.dll
2007-06-18 23:28:25 124436 --a------ C:\WINDOWS\system32\lgpbaxny.dll
2007-06-17 21:08:14 124436 --a------ C:\WINDOWS\system32\pflutpce.dll
2007-06-17 21:05:31 903163 ---hs---- C:\WINDOWS\system32\prqss.bak2
2007-06-17 12:48:42 0 d-------- C:\WINDOWS\system32\mevqvvvb
2007-06-15 21:53:33 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-06-15 21:53:27 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-06-15 21:52:55 0 d-------- C:\Program Files\Sygate
2007-06-15 21:51:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-15 20:09:22 0 d-------- C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\.housecall6.6
2007-06-07 22:49:50 0 d-------- C:\Program Files\lo2k Tools
2007-05-25 23:14:23 98304 --a------ C:\WINDOWS\system32CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-05-25 00:43:51 0 d-a------ C:\TexResizer User Guide_files
2007-05-23 21:02:18 10240 --a------ C:\WINDOWS\system32\klikalka.exe <Not Verified; NoName Corp.; NNC module>


-- Find3M Report ---------------------------------------------------------------

2007-06-17 14:02:06 0 d-------- C:\Program Files\ZaZ Gp4 Tools
2007-06-16 15:18:58 0 d-------- C:\Documents and Settings\Edward.YOUR-7U2NFIGQ42.000\Application Data\AdobeUM
2007-06-15 22:40:27 0 d-------- C:\Program Files\GTR2
2007-06-09 19:05:05 402976 --ah----- C:\viewport.dll <Not Verified; Pegasus Software, LLC.; >
2007-06-08 18:55:33 0 d-------- C:\Program Files\Java
2007-05-30 23:28:02 0 d-------- C:\Program Files\iTunes
2007-05-30 23:27:42 0 d-------- C:\Program Files\iPod
2007-05-30 23:21:57 0 d-------- C:\Program Files\QuickTime
2007-05-30 22:43:32 0 d-------- C:\Program Files\Apple Software Update
2007-05-18 23:36:18 0 d-------- C:\Program Files\GIMP-2.0
2007-05-18 17:25:33 0 d-------- C:\Program Files\TrackMania
2007-05-14 20:31:12 262708 -----n--- C:\WINDOWS\system32\ssqrp.dll
2007-05-13 15:23:21 0 d-------- C:\Program Files\Infogrames
2007-05-12 19:57:11 0 d-------- C:\Program Files\Xvid
2007-05-12 19:57:10 0 d-------- C:\Program Files\DivX
2007-05-12 19:57:08 0 d-------- C:\Program Files\F1Career
2007-05-12 19:30:20 0 d-------- C:\Program Files\Paint.NET
2007-03-27 20:40:02 26730 -----n--- C:\WINDOWS\system32\awtuspo.dll
2007-03-24 18:45:08 7160678 --a------ C:\WINDOWS\system32\AUSTRALIAN GP 2007.scr


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
{036671E1-826E-4A07-8FC4-CC72F271E0E3} C:\WINDOWS\system32\oowafbqm.dll [x]
{182B90A3-F372-438A-800C-6814B4DE417B} C:\WINDOWS\system32\awtuspo.dll
{37BB46A5-5770-4C18-A98D-DF6A60C56741} C:\WINDOWS\system32\ssqrp.dll
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} C:\WINDOWS\system32\vwcldbqb.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"_SetRes"="c:\\hp\\bin\\cloaker c:\\hp\\bin\\res.bat"
"IcoSet"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\IcoSet\\adjust.bat seticon"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"regcmdcons"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\cmdcons.cmd"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SC2"="C:\\WINDOWS\\system32\\scchk32.exe"
"GPLv3"="rundll32.exe \"C:\\WINDOWS\\system32\\saxknvso.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"Fraps"="C:\\FRAPS\\FRAPS.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Start WingMan Profiler"="\"C:\\Program Files\\Logitech\\Profiler\\lwemon.exe\" /noui"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{182B90A3-F372-438A-800C-6814B4DE417B}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuspo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfeccd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpolm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480


-- End of Deckard's System Scanner: finished at 2007-06-19 at 01:34:28 ---------
---

Hope it helps.

#10 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 June 2007 - 11:25 AM

It looks like we are running around in circles here; this system is so infected...

Please disconnect from the internet as soon as you get my next instructions, because as long as this terribly infected machine is still connected, it will download more and more malware again, and in that case it can take a very long time to solve this...

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy the text in the quote box below and paste it into the View/edit script window:

    Files to delete:
    C:\WINDOWS\system32\saxknvso.dll
    C:\WINDOWS\system32\ybltvage.dll
    C:\WINDOWS\system32\vdetkgxc.dll
    C:\WINDOWS\system32\oouqholx.dll
    C:\WINDOWS\system32\scaalcmf.dll
    C:\WINDOWS\system32\prqss.ini2
    C:\WINDOWS\system32\fpnlxkjp.dll
    C:\WINDOWS\system32\lgpbaxny.dll
    C:\WINDOWS\system32\pflutpce.dll
    C:\WINDOWS\system32\prqss.bak2
    C:\WINDOWS\system32\klikalka.exe
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\awtuspo.dll
    C:\WINDOWS\system32\scchk32.exe

    Folders to Delete:
    C:\WINDOWS\system32\mevqvvvb

    registry keys to delete:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{036671E1-826E-4A07-8FC4-CC72F271E0E3}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0549E6CB-9985-42F6-8FD6-4EC017E6AAE1}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C0DB12-6184-3B20-A548-66E33B94FEE1}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37BB46A5-5770-4C18-A98D-DF6A60C56741}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3F0E769D-CC1B-4180-86F9-0B269296F141}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E8D4748-7B0E-4EBA-9494-9A045113935B}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ED6E46C-EE12-43FD-943E-19FA700E1A6D}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98112280-03AE-4E81-B7D2-35EBD60592FB}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B42C3D6E-DEF8-8D09-D10F-82ADDF9329B1}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA585145-E9DD-E67B-F79D-EBFBFA6475E3}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7497EE8-B62E-4A78-8F77-A67FA7BD281F}
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtuspo
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\gebyy
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\khfeccd
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpolm
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32

    registry values to delete:
    HKLM\software\microsoft\windows\currentversion\run | SC2
    HKLM\software\microsoft\windows\currentversion\run | GPLv3
    HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {182B90A3-F372-438A-800C-6814B4DE417B}


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, briefly open a black command window on your desktop, this is normal.
  • After the restart, create a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of avenger.txt into your reply, along with a fresh HJT log, by using Add/Reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
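
The script above is the result of a triage pass over the HijackThis and Deckard logs: Winlogon Notify handlers whose DLL is missing or never resolved, a "(no name)" BHO pointing into system32, and a Run value that loads a system32 DLL through rundll32.exe. The Python below is an added illustration of that pass; it is not part of miekiemoes's post and not part of The Avenger. It runs the same checks over a handful of lines copied from this thread's logs and renders the hits in the section format Avenger reads. Two things are assumptions for the example: the allowlist of known-good Notify handlers (only igfxcui, Intel's graphics notify handler, is listed) and the O4 GPLv3 line, which is reconstructed in HijackThis format from the registry dump in the Deckard log. Anything it flags is a candidate for a person to confirm, not an automatic delete.

```python
import re

# Constructed sample: lines copied from the HijackThis logs in this thread. The
# GPLv3 line is reconstructed in HijackThis O4 format from the registry dump
# ("GPLv3"="rundll32.exe \"C:\\WINDOWS\\system32\\saxknvso.dll\",realset").
SAMPLE_HJT = [
    "O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn4\\yt.dll",
    "O2 - BHO: (no name) - {1D5C8A9E-9015-4F07-9D41-1B6B0D49619F} - C:\\WINDOWS\\system32\\ssqrp.dll (file missing)",
    "O4 - HKLM\\..\\Run: [ccApp] \"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"",
    "O4 - HKLM\\..\\Run: [GPLv3] rundll32.exe \"C:\\WINDOWS\\system32\\saxknvso.dll\",realset",
    "O4 - HKCU\\..\\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook",
    "O20 - Winlogon Notify: awtuspo - C:\\WINDOWS\\SYSTEM32\\awtuspo.dll",
    "O20 - Winlogon Notify: gebyy - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll",
    "O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)",
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# A drive-qualified path ending in .dll/.exe; non-greedy so trailing text such
# as "(file missing)" or ",realset" is left out of the match.
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe))', re.I)
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?\b', re.I)

SYSTEM32 = "c:\\windows\\system32\\"
# Assumption for this example: Winlogon Notify handlers accepted as legitimate.
# igfxcui is Intel's graphics-driver notify handler; extend for your own builds.
KNOWN_NOTIFY = {"igfxcui"}

# Key prefixes written exactly as The Avenger script in this thread spells them.
NOTIFY_KEY = "HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
BHO_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
RUN_KEYS = {
    "HKLM": "HKLM\\software\\microsoft\\windows\\currentversion\\run",
    "HKCU": "HKCU\\software\\microsoft\\windows\\currentversion\\run",
}


def _modules(text):
    return MODULE_RE.findall(text)


def _in_system32(path):
    return path is not None and path.lower().startswith(SYSTEM32)


def triage(lines):
    """Flag suspicious O2/O4/O20 lines and collect Avenger deletion targets."""
    findings = {"files": [], "keys": [], "values": [], "reasons": []}

    def add_file(path, missing):
        # Only schedule files HijackThis could actually see on disk.
        if _in_system32(path) and not missing and path not in findings["files"]:
            findings["files"].append(path)

    for raw in lines:
        line = raw.strip()
        missing = line.endswith("(file missing)")
        if m := NOTIFY_RE.match(line):
            name, mods = m["name"], _modules(m["path"])
            mod = mods[0] if mods else None
            # Winlogon Notify DLLs load into winlogon.exe (SYSTEM) at every
            # logon, so anything missing, unresolved or unknown is flagged.
            if missing or mod is None or (_in_system32(mod) and name.lower() not in KNOWN_NOTIFY):
                why = "file missing" if missing else "unresolved path" if mod is None else "unknown notify DLL"
                findings["keys"].append(NOTIFY_KEY + name)
                findings["reasons"].append(f"O20 {name}: {why}")
                add_file(mod, missing)
        elif m := BHO_RE.match(line):
            mods = _modules(m["path"])
            mod = mods[0] if mods else None
            # A nameless BHO, or one whose DLL is already gone, is the pattern
            # seen with ssqrp.dll in this thread.
            if m["name"] == "(no name)" or missing:
                why = "file missing" if missing else "nameless BHO"
                findings["keys"].append(BHO_KEY + m["clsid"])
                findings["reasons"].append(f"O2 {m['clsid']}: {why}")
                add_file(mod, missing)
        elif m := RUN_RE.match(line):
            cmd = m["cmd"]
            dlls = [p for p in _modules(cmd) if p.lower().endswith(".dll")]
            # A Run value that has rundll32 load a DLL by full path out of
            # system32 is how the GPLv3 entry launched saxknvso.dll; vendor
            # DLLs (nview.dll here) are loaded by bare name or from their own
            # program directory.
            if RUNDLL_RE.match(cmd) and dlls and _in_system32(dlls[0]):
                findings["values"].append(f"{RUN_KEYS[m['hive']]} | {m['name']}")
                findings["reasons"].append(f"O4 {m['name']}: rundll32 loads {dlls[0]}")
                add_file(dlls[0], missing)
    return findings


def build_avenger_script(findings):
    """Render findings in the section layout The Avenger accepts."""
    sections = (
        ("Files to delete:", findings["files"]),
        ("registry keys to delete:", findings["keys"]),
        ("registry values to delete:", findings["values"]),
    )
    blocks = ["\n".join([header, *items]) for header, items in sections if items]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_HJT)
    for reason in result["reasons"]:
        print("flagged:", reason)
    print()
    print(build_avenger_script(result))
```

Read the "flagged:" reasons before pasting anything into Avenger: the Notify allowlist is name-based and brittle, and the script deliberately leaves out files HijackThis reports as missing, since Avenger can only fail on those (the log in the next post shows what that failure looks like). The reason random-named Notify handlers are treated as hostile by default is that they execute inside winlogon.exe with SYSTEM rights at every logon, which is also why the dropped DLLs kept coming back until all of them were removed in one pass.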

#11 SchueyFan

  • Topic Starter

  • Members
  • 18 posts

Posted 19 June 2007 - 03:52 AM

Avenger
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ambcdclk

*******************

Script file located at: \??\C:\Program Files\agh^qtuh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\saxknvso.dll deleted successfully.


File C:\WINDOWS\system32\ybltvage.dll not found!
Deletion of file C:\WINDOWS\system32\ybltvage.dll failed!

Could not process line:
C:\WINDOWS\system32\ybltvage.dll
Status: 0xc0000034

File C:\WINDOWS\system32\vdetkgxc.dll deleted successfully.
File C:\WINDOWS\system32\oouqholx.dll deleted successfully.


File C:\WINDOWS\system32\scaalcmf.dll not found!
Deletion of file C:\WINDOWS\system32\scaalcmf.dll failed!

Could not process line:
C:\WINDOWS\system32\scaalcmf.dll
Status: 0xc0000034

File C:\WINDOWS\system32\prqss.ini2 deleted successfully.
File C:\WINDOWS\system32\fpnlxkjp.dll deleted successfully.
File C:\WINDOWS\system32\lgpbaxny.dll deleted successfully.
File C:\WINDOWS\system32\pflutpce.dll deleted successfully.
File C:\WINDOWS\system32\prqss.bak2 deleted successfully.
File C:\WINDOWS\system32\klikalka.exe deleted successfully.
File C:\WINDOWS\system32\ssqrp.dll deleted successfully.
File C:\WINDOWS\system32\awtuspo.dll deleted successfully.


File C:\WINDOWS\system32\scchk32.exe not found!
Deletion of file C:\WINDOWS\system32\scchk32.exe failed!

Could not process line:
C:\WINDOWS\system32\scchk32.exe
Status: 0xc0000034

Folder C:\WINDOWS\system32\mevqvvvb deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{036671E1-826E-4A07-8FC4-CC72F271E0E3} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C0DB12-6184-3B20-A548-66E33B94FEE1} deleted successfully.


Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37BB46A5-5770-4C18-A98D-DF6A60C56741} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37BB46A5-5770-4C18-A98D-DF6A60C56741} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3F0E769D-CC1B-4180-86F9-0B269296F141} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E8D4748-7B0E-4EBA-9494-9A045113935B} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ED6E46C-EE12-43FD-943E-19FA700E1A6D} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98112280-03AE-4E81-B7D2-35EBD60592FB} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B42C3D6E-DEF8-8D09-D10F-82ADDF9329B1} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA585145-E9DD-E67B-F79D-EBFBFA6475E3} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7497EE8-B62E-4A78-8F77-A67FA7BD281F} deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtuspo deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\gebyy deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\khfeccd deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpolm deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqo deleted successfully.
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\winexz32 deleted successfully.
Registry value HKLM\software\microsoft\windows\currentversion\run|SC2 deleted successfully.
Registry value HKLM\software\microsoft\windows\currentversion\run|GPLv3 deleted successfully.
Registry value HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{182B90A3-F372-438A-800C-6814B4DE417B} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

---
HijackThis
---
Logfile of HijackThis v1.99.1
Scan saved at 6:49:48 PM, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {1D5C8A9E-9015-4F07-9D41-1B6B0D49619F} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra 'Tools' menuitem: &Popup - {B17DB9D4-F9F1-4566-B46B-87503D771F75} - C:\Program Files\Popup Preventer\Popup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161483010468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161482993843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2542663-1FC3-4B45-A177-2F0BDF7F9DD1}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7FDB2A7-FE25-4B26-B04C-048C6CF6EE8D}: NameServer = 10.0.0.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
---

Also, the problems that I mentioned at the start seem to be getting better slowly, so it looks like something is working.

Edited by SchueyFan, 19 June 2007 - 04:24 AM.


#12 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 June 2007 - 06:38 AM

Hi,

That worked..

Check and fix the next leftover in HijackThis:

O2 - BHO: (no name) - {1D5C8A9E-9015-4F07-9D41-1B6B0D49619F} - C:\WINDOWS\system32\ssqrp.dll (file missing)

Then try ComboFix and post the log in your next reply. This is to make sure no new files were downloaded again while you were infected.
If ComboFix still won't run, use Deckard's System Scanner again as you did previously...

#13 SchueyFan

  • Topic Starter

  • Members
  • 18 posts

Posted 20 June 2007 - 04:31 AM

Here you go...

ComboFix 07-06-18.2 - C:\Virus Checking-Removal\ComboFix.exe
"Edward" - 2007-06-20 18:57:22 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dsxmoman.dll
C:\WINDOWS\system32\echlcmtx.dll
C:\WINDOWS\system32\fehurevd.dll
C:\WINDOWS\system32\ieqidkpm.dll
C:\WINDOWS\system32\rlpbmppp.dll
C:\WINDOWS\system32\sgvoxpay.dll
C:\WINDOWS\system32\uapoabvp.dll
C:\WINDOWS\system32\uvptbrop.dll
C:\WINDOWS\system32\namomxsd.ini
C:\WINDOWS\system32\xtmclhce.ini
C:\WINDOWS\system32\dveruhef.ini
C:\WINDOWS\system32\mpkdiqei.ini
C:\WINDOWS\system32\pppmbplr.ini
C:\WINDOWS\system32\yapxovgs.ini
C:\WINDOWS\system32\pvbaopau.ini
C:\WINDOWS\system32\porbtpvu.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-19 19:38 399,872 --a------ C:\TexResizer 2.4.exe
2007-06-19 02:27 264,192 --a------ C:\cmagic4.exe
2007-06-17 12:22 <DIR> d-------- C:\Deckard
2007-06-16 20:36 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 21:53 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-06-15 21:53 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-06-15 21:53 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-06-15 21:53 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-06-15 21:53 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-06-15 21:53 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-06-15 21:53 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-06-15 21:52 <DIR> d-------- C:\Program Files\Sygate
2007-06-15 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-15 20:09 <DIR> d-------- C:\DOCUME~1\EDWARD~1.000\.housecall6.6
2007-06-07 22:49 <DIR> d-------- C:\Program Files\lo2k Tools
2007-05-25 23:14 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-05-25 22:44 1,131,008 --a------ C:\GP4 Builder 1.06.1.exe
2007-05-25 00:43 <DIR> d-a------ C:\TexResizer User Guide_files


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 04:02:06 -------- d-----w C:\Program Files\ZaZ Gp4 Tools
2007-06-16 05:18:58 -------- d-----w C:\DOCUME~1\EDWARD~1.000\APPLIC~1\AdobeUM
2007-06-15 12:40:27 -------- d-----w C:\Program Files\GTR2
2007-06-09 09:05:05 402,976 ---ha-w C:\viewport.dll
2007-05-30 13:28:02 -------- d-----w C:\Program Files\iTunes
2007-05-30 13:27:42 -------- d-----w C:\Program Files\iPod
2007-05-30 13:21:57 -------- d-----w C:\Program Files\QuickTime
2007-05-30 12:43:32 -------- d-----w C:\Program Files\Apple Software Update
2007-05-18 13:36:18 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-18 07:25:33 -------- d-----w C:\Program Files\TrackMania
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 05:23:21 -------- d-----w C:\Program Files\Infogrames
2007-05-12 12:38:42 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-12 09:57:11 -------- d-----w C:\Program Files\Xvid
2007-05-12 09:57:10 -------- d-----w C:\Program Files\DivX
2007-05-12 09:57:08 -------- d-----w C:\Program Files\F1Career
2007-05-12 09:30:20 -------- d-----w C:\Program Files\Paint.NET
2007-05-12 08:16:34 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-24 08:45:08 7,160,678 ----a-w C:\WINDOWS\system32\AUSTRALIAN GP 2007.scr
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\cmd.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\netstat.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\ping.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\taskkill.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tasklist.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tracert.com


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-06-06 08:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 14:23]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 15:01]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45]
"_SetRes"="c:\hp\bin\cloaker c:\hp\bin\res.bat" []
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-09 22:11]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 01:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll,nViewLoadHook" []
"Fraps"="C:\FRAPS\FRAPS.EXE" [2005-12-03 21:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-05-19 16:42]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\RpcSs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-05-22 08:32:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-11-26 09:31:00 C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 09:17:12 C:\WINDOWS\tasks\MP Scheduled Scan.job
2006-09-28 13:22:40 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-18 17:23:00 C:\WINDOWS\tasks\WebReg 20060926032352.job
2007-06-18 17:00:00 C:\WINDOWS\tasks\XoftSpySE.job
2005-07-16 02:02:00 C:\WINDOWS\tasks\{A273CEA5-7A92-4670-8EB9-F5C5BD9ECEE4}_YOUR-7U2NFIGQ42_Edward.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 19:17:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-20 19:19:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-20 19:19
C:\ComboFix2.txt ... 2007-06-16 22:21

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dsxmoman.dll
C:\WINDOWS\system32\echlcmtx.dll
C:\WINDOWS\system32\fehurevd.dll
C:\WINDOWS\system32\ieqidkpm.dll
C:\WINDOWS\system32\rlpbmppp.dll
C:\WINDOWS\system32\sgvoxpay.dll
C:\WINDOWS\system32\uapoabvp.dll
C:\WINDOWS\system32\uvptbrop.dll
C:\WINDOWS\system32\namomxsd.ini
C:\WINDOWS\system32\xtmclhce.ini
C:\WINDOWS\system32\dveruhef.ini
C:\WINDOWS\system32\mpkdiqei.ini
C:\WINDOWS\system32\pppmbplr.ini
C:\WINDOWS\system32\yapxovgs.ini
C:\WINDOWS\system32\pvbaopau.ini
C:\WINDOWS\system32\porbtpvu.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-15 20:09 <DIR> d-------- C:\DOCUME~1\EDWARD~1.000\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 04:02:06 -------- d-----w C:\Program Files\ZaZ Gp4 Tools
2007-06-16 05:18:58 -------- d-----w C:\DOCUME~1\EDWARD~1.000\APPLIC~1\AdobeUM
2007-06-15 12:40:27 -------- d-----w C:\Program Files\GTR2
2007-06-09 09:05:05 402,976 ---ha-w C:\viewport.dll
2007-05-30 13:28:02 -------- d-----w C:\Program Files\iTunes
2007-05-30 13:27:42 -------- d-----w C:\Program Files\iPod
2007-05-30 13:21:57 -------- d-----w C:\Program Files\QuickTime
2007-05-30 12:43:32 -------- d-----w C:\Program Files\Apple Software Update
2007-05-18 13:36:18 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-18 07:25:33 -------- d-----w C:\Program Files\TrackMania
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 05:23:21 -------- d-----w C:\Program Files\Infogrames
2007-05-12 12:38:42 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-12 09:57:11 -------- d-----w C:\Program Files\Xvid
2007-05-12 09:57:10 -------- d-----w C:\Program Files\DivX
2007-05-12 09:57:08 -------- d-----w C:\Program Files\F1Career
2007-05-12 09:30:20 -------- d-----w C:\Program Files\Paint.NET
2007-05-12 08:16:34 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-24 08:45:08 7,160,678 ----a-w C:\WINDOWS\system32\AUSTRALIAN GP 2007.scr
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\cmd.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\netstat.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\ping.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\taskkill.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tasklist.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tracert.com


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-06-06 08:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 14:23]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 15:01]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45]
"_SetRes"="c:\hp\bin\cloaker c:\hp\bin\res.bat" []
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-09 22:11]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 01:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll,nViewLoadHook" []
"Fraps"="C:\FRAPS\FRAPS.EXE" [2005-12-03 21:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-05-19 16:42]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\RpcSs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-05-22 08:32:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-11-26 09:31:00 C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 09:17:12 C:\WINDOWS\tasks\MP Scheduled Scan.job
2006-09-28 13:22:40 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-18 17:23:00 C:\WINDOWS\tasks\WebReg 20060926032352.job
2007-06-18 17:00:00 C:\WINDOWS\tasks\XoftSpySE.job
2005-07-16 02:02:00 C:\WINDOWS\tasks\{A273CEA5-7A92-4670-8EB9-F5C5BD9ECEE4}_YOUR-7U2NFIGQ42_Edward.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 19:21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-20 19:22:30 - machine was rebooted

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dsxmoman.dll
C:\WINDOWS\system32\echlcmtx.dll
C:\WINDOWS\system32\fehurevd.dll
C:\WINDOWS\system32\ieqidkpm.dll
C:\WINDOWS\system32\rlpbmppp.dll
C:\WINDOWS\system32\sgvoxpay.dll
C:\WINDOWS\system32\uapoabvp.dll
C:\WINDOWS\system32\uvptbrop.dll
C:\WINDOWS\system32\namomxsd.ini
C:\WINDOWS\system32\xtmclhce.ini
C:\WINDOWS\system32\dveruhef.ini
C:\WINDOWS\system32\mpkdiqei.ini
C:\WINDOWS\system32\pppmbplr.ini
C:\WINDOWS\system32\yapxovgs.ini
C:\WINDOWS\system32\pvbaopau.ini
C:\WINDOWS\system32\porbtpvu.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-15 20:09 <DIR> d-------- C:\DOCUME~1\EDWARD~1.000\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 04:02:06 -------- d-----w C:\Program Files\ZaZ Gp4 Tools
2007-06-16 05:18:58 -------- d-----w C:\DOCUME~1\EDWARD~1.000\APPLIC~1\AdobeUM
2007-06-15 12:40:27 -------- d-----w C:\Program Files\GTR2
2007-06-09 09:05:05 402,976 ---ha-w C:\viewport.dll
2007-05-30 13:28:02 -------- d-----w C:\Program Files\iTunes
2007-05-30 13:27:42 -------- d-----w C:\Program Files\iPod
2007-05-30 13:21:57 -------- d-----w C:\Program Files\QuickTime
2007-05-30 12:43:32 -------- d-----w C:\Program Files\Apple Software Update
2007-05-18 13:36:18 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-18 07:25:33 -------- d-----w C:\Program Files\TrackMania
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 05:23:21 -------- d-----w C:\Program Files\Infogrames
2007-05-12 12:38:42 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-12 09:57:11 -------- d-----w C:\Program Files\Xvid
2007-05-12 09:57:10 -------- d-----w C:\Program Files\DivX
2007-05-12 09:57:08 -------- d-----w C:\Program Files\F1Career
2007-05-12 09:30:20 -------- d-----w C:\Program Files\Paint.NET
2007-05-12 08:16:34 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-24 08:45:08 7,160,678 ----a-w C:\WINDOWS\system32\AUSTRALIAN GP 2007.scr
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\cmd.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\netstat.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\ping.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\taskkill.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tasklist.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tracert.com


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-06-06 08:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 14:23]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 15:01]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45]
"_SetRes"="c:\hp\bin\cloaker c:\hp\bin\res.bat" []
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-09 22:11]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 01:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll,nViewLoadHook" []
"Fraps"="C:\FRAPS\FRAPS.EXE" [2005-12-03 21:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-05-19 16:42]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\RpcSs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-05-22 08:32:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-11-26 09:31:00 C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 09:17:12 C:\WINDOWS\tasks\MP Scheduled Scan.job
2006-09-28 13:22:40 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-18 17:23:00 C:\WINDOWS\tasks\WebReg 20060926032352.job
2007-06-18 17:00:00 C:\WINDOWS\tasks\XoftSpySE.job
2005-07-16 02:02:00 C:\WINDOWS\tasks\{A273CEA5-7A92-4670-8EB9-F5C5BD9ECEE4}_YOUR-7U2NFIGQ42_Edward.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 19:23:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-20 19:23:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-20 19:23

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dsxmoman.dll
C:\WINDOWS\system32\echlcmtx.dll
C:\WINDOWS\system32\fehurevd.dll
C:\WINDOWS\system32\ieqidkpm.dll
C:\WINDOWS\system32\rlpbmppp.dll
C:\WINDOWS\system32\sgvoxpay.dll
C:\WINDOWS\system32\uapoabvp.dll
C:\WINDOWS\system32\uvptbrop.dll
C:\WINDOWS\system32\namomxsd.ini
C:\WINDOWS\system32\xtmclhce.ini
C:\WINDOWS\system32\dveruhef.ini
C:\WINDOWS\system32\mpkdiqei.ini
C:\WINDOWS\system32\pppmbplr.ini
C:\WINDOWS\system32\yapxovgs.ini
C:\WINDOWS\system32\pvbaopau.ini
C:\WINDOWS\system32\porbtpvu.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-20 18:57 64 --a------ C:\ComboFix.bat
2007-06-15 20:09 <DIR> d-------- C:\DOCUME~1\EDWARD~1.000\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 04:02:06 -------- d-----w C:\Program Files\ZaZ Gp4 Tools
2007-06-16 05:18:58 -------- d-----w C:\DOCUME~1\EDWARD~1.000\APPLIC~1\AdobeUM
2007-06-15 12:40:27 -------- d-----w C:\Program Files\GTR2
2007-06-09 09:05:05 402,976 ---ha-w C:\viewport.dll
2007-05-30 13:28:02 -------- d-----w C:\Program Files\iTunes
2007-05-30 13:27:42 -------- d-----w C:\Program Files\iPod
2007-05-30 13:21:57 -------- d-----w C:\Program Files\QuickTime
2007-05-30 12:43:32 -------- d-----w C:\Program Files\Apple Software Update
2007-05-18 13:36:18 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-18 07:25:33 -------- d-----w C:\Program Files\TrackMania
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 05:23:21 -------- d-----w C:\Program Files\Infogrames
2007-05-12 12:38:42 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-12 09:57:11 -------- d-----w C:\Program Files\Xvid
2007-05-12 09:57:10 -------- d-----w C:\Program Files\DivX
2007-05-12 09:57:08 -------- d-----w C:\Program Files\F1Career
2007-05-12 09:30:20 -------- d-----w C:\Program Files\Paint.NET
2007-05-12 08:16:34 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-24 08:45:08 7,160,678 ----a-w C:\WINDOWS\system32\AUSTRALIAN GP 2007.scr
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\cmd.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\netstat.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\ping.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\taskkill.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tasklist.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tracert.com


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-06-06 08:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 14:23]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 15:01]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45]
"_SetRes"="c:\hp\bin\cloaker c:\hp\bin\res.bat" []
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 14:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-09 22:11]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 01:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll,nViewLoadHook" []
"Fraps"="C:\FRAPS\FRAPS.EXE" [2005-12-03 21:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-05-19 16:42]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\RpcSs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-05-22 08:32:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-11-26 09:31:00 C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 09:17:12 C:\WINDOWS\tasks\MP Scheduled Scan.job
2006-09-28 13:22:40 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-18 17:23:00 C:\WINDOWS\tasks\WebReg 20060926032352.job
2007-06-18 17:00:00 C:\WINDOWS\tasks\XoftSpySE.job
2005-07-16 02:02:00 C:\WINDOWS\tasks\{A273CEA5-7A92-4670-8EB9-F5C5BD9ECEE4}_YOUR-7U2NFIGQ42_Edward.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 19:27:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-20 19:28:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-20 19:28

--- E O F ---

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:49 PM

Posted 20 June 2007 - 06:53 AM

Hi,

I see the following two files were dropped yesterday on your C:\

C:\TexResizer 2.4.exe
C:\cmagic4.exe

Did you download them? They don't look like installers for programs anyway, since the file sizes are too small... which makes me think they are one of those malware installers that you can find on crack sites and other illegal sites. They pretend to be installers for programs, but actually they are self-extracting packages that install malware.

Don't delete them yet; I want to be sure what they are, so do the following:

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the following file:
C:\TexResizer 2.4.exe

Select it and click OK.
Then click the Send File button below.

Do the same for the following file:

C:\cmagic4.exe

Then open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
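As an added example (not code from the thread or from ComboFix), a Python script that reads a ComboFix log for the two findings this post acts on, the zero-byte hidden .com stubs in system32 and the SafeBoot key flagged for repair, and renders the same File::/Registry:: script; the sample log is a constructed excerpt of the one posted above, and the table of SafeBoot default values is an assumption that carries only the RpcSs value used here.

```python
"""Triage a ComboFix report: zero-byte .com stubs shadowing system32 tools,
SafeBoot keys flagged for repair, and the CFScript that addresses both.
Added example (not ComboFix's code); SAMPLE_LOG is a constructed excerpt."""
import re

# Constructed excerpt of the log posted above: Find3M lines + SafeBoot notice.
SAMPLE_LOG = r"""
2007-03-24 08:45:08 7,160,678 ----a-w C:\WINDOWS\system32\AUSTRALIAN GP 2007.scr
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\cmd.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\netstat.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\ping.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\taskkill.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tasklist.com
2007-02-25 02:48:02 0 --sh--w C:\WINDOWS\system32\tracert.com

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\RpcSs
"""

# Find3M line: date, time, size ("--------" for a directory), a 7-character
# attribute string such as --sh--w, then the path (which may contain spaces).
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) ([-a-z]{7}) (.+)$")
SAFEBOOT_NOTICE = "SafeBoot registry key needs repairs"
SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
# Default values the Registry:: section restores.  Assumption: only the RpcSs
# value used in the thread is listed; other keys get a placeholder, not a guess.
SAFEBOOT_DEFAULTS = {r"SafeBoot\Minimal\RpcSs": "Service"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_find3m(log: str) -> list[dict]:
    """One record per Find3M-format line; size is None for directories."""
    records = []
    for line in log.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            date, time_, size, attrs, path = m.groups()
            records.append({"date": date, "time": time_, "attrs": attrs, "path": path,
                            "size": None if size.startswith("-") else int(size.replace(",", ""))})
    return records


def shadowing_com_files(records: list[dict]) -> list[str]:
    """Zero-byte hidden+system .com files in system32.

    ".COM" precedes ".EXE" in the default PATHEXT, so a 0-byte cmd.com beside
    the real cmd.exe is what runs when a user types "cmd": the tool silently
    does nothing.  ComboFix marks such files --sh--w (system, hidden), size 0.
    """
    hits = []
    for r in records:
        p = r["path"].lower()
        if (p.startswith(SYSTEM32) and p.endswith(".com") and r["size"] == 0
                and "s" in r["attrs"] and "h" in r["attrs"]):
            hits.append(r["path"])
    return hits


def safeboot_repairs(log: str) -> list[str]:
    """Keys listed as ~~\\... under the SafeBoot repair notice, deduplicated."""
    keys, in_block = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith(SAFEBOOT_NOTICE):
            in_block = True
        elif in_block and line.startswith("~~\\"):
            if line[3:] not in keys:
                keys.append(line[3:])
        else:
            in_block = False
    return keys


def build_cfscript(files: list[str], keys: list[str]) -> str:
    """Render the File:: / Registry:: script in the layout used in the thread."""
    out = []
    if files:
        out += ["File::", *files, ""]
    if keys:
        out.append("Registry::")
        for key in keys:
            out.append(f"[{SAFEBOOT_ROOT}\\{key}]")
            default = SAFEBOOT_DEFAULTS.get(key)
            out.append(f'@="{default}"' if default else '@="<VERIFY DEFAULT VALUE>"')
    return "\n".join(out) + "\n"


def triage(log: str) -> tuple[list[str], list[str], str]:
    """Run both checks over a ComboFix log and return (files, keys, cfscript)."""
    files = shadowing_com_files(parse_find3m(log))
    keys = safeboot_repairs(log)
    return files, keys, build_cfscript(files, keys)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)[2])
```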

#15 SchueyFan

SchueyFan
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 20 June 2007 - 08:33 AM

These (TexResizer, cmagic) are editors I use for a PC game. I trust the people who have made them, and I have used them for a few years without problems. I already had them in another folder, but over one of the last few days I moved them to the C:\ folder.

Should I still do the instructions?



