
Unstoppable Pop Ups


20 replies to this topic

#1 Tiffany_Graham

Tiffany_Graham

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 20 June 2007 - 06:11 PM

Hello-
I've tried running Ad-Aware and Spybot SD (fully updated), but I can't stop the pop-ups. Stinger has also been run and the pop-ups seem unstoppable. Can anyone assist me with what to do next? Any help would be appreciated. Thank you so much.....
Tiffany


Logfile of HijackThis v1.99.1
Scan saved at 11:48:27 PM, on 6/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\gyjhhlyg.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\dls0523pmw.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\WINDOWS\System32\mwinondt.exe
C:\WINDOWS\jysyivcA.exe
C:\WINDOWS\?ppPatch\?ervices.exe
C:\WINDOWS\DOBE~1\javaw.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.136
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\mwinondt.exe CHD003
O4 - HKLM\..\Run: [jysyivcA] C:\WINDOWS\jysyivcA.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [WinAntiVirus Pro 2007] C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe /min
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\aurfngua.dll",realset
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Qikklh] "C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe"
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\DOBE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Eknxgp] C:\WINDOWS\system32\?asks\??anregw.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Mary\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139293800177
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\gyjhhlyg.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
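As an added example (not part of the thread, and not HijackThis's or BleepingComputer's own code), here is a small Python triage script for HijackThis logs like the one above. It parses the O4, O23 and R1 lines and flags the patterns a helper checks first: paths HijackThis prints with '?' (characters it could not render), executables running from Temp or loose in the Windows root, services with no vendor name, random-looking names in system directories, and an explicit proxy setting. The sample input is a constructed subset of the log posted above; the root-directory allowlist and the randomness heuristic are illustrative assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import ntpath
import re

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus two known-good entries (Synaptics, iPod) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [jysyivcA] C:\WINDOWS\jysyivcA.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\aurfngua.dll",realset
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O4 - HKCU\..\Run: [Eknxgp] C:\WINDOWS\system32\?asks\??anregw.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Mary\Local Settings\Temp\TICHD003.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\gyjhhlyg.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.136
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# O23 lines are "name - owner - command"; an empty owner prints as "name - - command".
# Assumes the command starts with a drive letter, as every O23 line in this log does.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?)\s*-\s*(?P<cmd>[A-Za-z]:\\.*)$")
PROXY_RE = re.compile(r"^R1 - .*,ProxyServer = (?P<proxy>.+)$")
# First drive-letter path ending in an executable extension; handles rundll32 "dll",entry forms.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|scr|com|bat)\b", re.I)

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Illustrative allowlist of binaries that legitimately sit directly in the Windows root.
ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}


def looks_random(stem):
    """Crude heuristic: 8+ letters containing a run of 4+ consonants (y counted as consonant).
    Noisy on its own, so it is only applied to files in system directories."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    return re.search(r"[^aeiou]{4}", stem.lower()) is not None


def assess(kind, name, cmd, owner=None):
    """Return a finding dict for one autostart entry; 'reasons' is empty when nothing stands out."""
    m = PATH_RE.search(cmd)
    path = m.group(0) if m else cmd
    directory, base = ntpath.split(path)
    stem = ntpath.splitext(base)[0]
    low_dir = directory.lower()
    reasons = []
    if "?" in path:
        reasons.append("path contains characters HijackThis could not render (shown as '?')")
    if "\\temp\\" in path.lower():
        reasons.append("runs from a Temp directory")
    if low_dir == r"c:\windows" and base.lower() not in ROOT_ALLOW:
        reasons.append("loose executable directly in the Windows root")
    if low_dir in SYSTEM_DIRS and looks_random(stem):
        reasons.append("random-looking file name in a system directory")
    if owner is not None and owner.strip().lower() in ("", "unknown owner"):
        reasons.append("service has no vendor name")
    return {"kind": kind, "name": name, "path": path, "reasons": reasons}


def triage(log_text):
    """Parse the supported line types and return only the entries with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            entry = assess("O4 Run", m["name"], m["cmd"])
        elif m := STARTUP_RE.match(line):
            entry = assess("O4 Startup", m["name"], m["cmd"])
        elif m := SERVICE_RE.match(line):
            entry = assess("O23 Service", m["name"], m["cmd"], owner=m["owner"])
        elif m := PROXY_RE.match(line):
            entry = {"kind": "R1", "name": "ProxyServer", "path": m["proxy"],
                     "reasons": ["explicit proxy server configured; confirm it is intended"]}
        else:
            continue
        if entry["reasons"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<12} {f['name']:<14} {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample it flags eight of the ten lines and leaves the Synaptics and iPod entries alone; a hit is a prompt to verify the file, not a verdict.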


#2 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:37 AM

Posted 20 June 2007 - 08:00 PM

Welcome to BC :thumbsup:

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt and a fresh HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Microsoft MVP Consumer Security--2007-2010

#3 Tiffany_Graham

Tiffany_Graham
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 20 June 2007 - 09:18 PM

Thank you so much for your help. Here is the next log. Thanks, again!

"Mary" - 2007-06-20 20:54:03 Service Pack 1
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Mary\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ssqno.dll
C:\WINDOWS\system32\bacdd.bak1
C:\WINDOWS\system32\bacdd.bak2
C:\WINDOWS\system32\bacdd.ini
C:\WINDOWS\system32\onqss.ini
C:\WINDOWS\system32\bacdd.bak1
C:\WINDOWS\system32\bacdd.bak2
C:\WINDOWS\system32\bacdd.ini
C:\WINDOWS\system32\ddcab.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1281OinAdmin.exe"
"C:\WINDOWS\retadpu2000219.exe"
"C:\WINDOWS\system32\wnstsicomsv.exe"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\rau001978.exe"
"C:\WINDOWS\dls0523pmw.exe"
"C:\WINDOWS\cs_cache.ini"
"C:\Program Files\outerinfo"
"C:\Temp\tn3"

-- Purity Folders:

C:\WINDOWS\system32\ASKS~1
C:\WINDOWS\PPPATC~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Net Agent


((((((((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 ))))))))))))))))))))))))))))))))))


2007-06-19 21:55 124,436 --a------ C:\WINDOWS\system32\aurfngua.dll
2007-06-19 21:52 122,900 --a------ C:\WINDOWS\system32\gyjhhlyg.exe
2007-06-14 11:59 62,516 --a------ C:\WINDOWS\system32\sjmkrvuk.dll
2007-06-14 11:57 124,436 --a------ C:\WINDOWS\system32\emcvdyjt.dll
2007-06-11 21:51 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-06-11 21:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 21:36 <DIR> d-------- C:\Program Files\Google
2007-06-11 17:08 58,420 --a------ C:\WINDOWS\system32\ddqfhidq.dll
2007-06-11 17:08 2,580 --a------ C:\WINDOWS\system32\snjuunyh.exe
2007-06-11 17:00 <DIR> d--hs---- C:\UWA7P
2007-06-11 16:59 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-11 16:59 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-06-11 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-11 16:56 33,302 --a------ C:\WINDOWS\system32\tuvvsst.dll
2007-06-11 16:53 930 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-11 16:53 46,592 --a------ C:\WINDOWS\jysyivc.exe
2007-06-11 16:53 33,302 --a------ C:\WINDOWS\system32\opnomji.dll
2007-06-11 16:53 261,920 -r-hs---- C:\WINDOWS\jysyivcA.exe
2007-06-11 16:53 192,604 --a------ C:\WINDOWS\system32\mwinondt.exe
2007-06-11 16:53 172,544 --a------ C:\WINDOWS\system32\rlxhrlk.dll
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T4
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T3
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\pog
2007-06-11 16:53 <DIR> d-------- C:\Temp\x2b
2007-06-11 16:53 <DIR> d-------- C:\Temp\0b9
2007-06-10 21:23 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Share-to-Web Upload Folder
2007-06-10 20:47 60,928 --a------ C:\WINDOWS\system32\hpxukdze.dll
2007-06-04 19:51 60,928 --------- C:\WINDOWS\system32\pfkroko.dll
2007-06-03 19:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 19:31 <DIR> d-------- C:\VundoFix Backups
2007-05-20 22:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-20 22:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-20 15:19 <DIR> d-------- C:\WINDOWS\uuqr
2007-05-20 15:19 <DIR> d-------- C:\Program Files\Common Files\uuqr


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 02:37:55 31,622 ----a-w C:\DOCUME~1\Mary\APPLIC~1\wklnhst.dat
2007-06-20 00:09:40 -------- d-----w C:\Program Files\PowerArchiver
2007-05-21 03:36:54 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Lavasoft
2007-05-21 03:22:56 -------- d-----w C:\Program Files\Common Files\AOL
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TWFyeQ\nqIVyk.vbs
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\NtzJ63G.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\MkpjPr5.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\KdfL6BY.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Xwe1Y.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Wjwi.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\RjaA.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Nxgo.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Iih96.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Cjo9gq88.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{029CA12C-89C1-46a7-A3C7-82F2F98635CB}=C:\Program Files\Kontiki\bin\bh304181.dll [2003-04-18 18:01]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 19:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\System32\sjmkrvuk.dll [2007-06-14 11:59]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\System32\opnomji.dll [2007-06-11 16:53]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 03:09]
{EC093B4C-DBAA-A976-D90A-89ADDCE573CF}=C:\WINDOWS\System32\hpxukdze.dll [2007-05-21 08:59]
{fb5e6593-3788-4910-a59e-68603965a85a}=C:\WINDOWS\System32\rlxhrlk.dll [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 07:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 07:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-07 01:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 17:08]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-08 18:52]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 12:42]
"Salestart"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
"WinAntiVirus Pro 2007"="C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Qikklh"="C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe" []
"Rkw"="C:\WINDOWS\?ppPatch\?ervices.exe" []
"Aaou"="C:\WINDOWS\DOBE~1\javaw.exe" [2007-06-11 16:53]
"Eknxgp"="C:\WINDOWS\system32\?asks\??anregw.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\System32\opnomji.dll" [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomji]
opnomji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4S2NSLA3QS#366]
C:\WINDOWS\System32\NtzJ63G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3]
C:\windows\temp\Zq8u0f3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"SBService"=2 (0x2)
"navapsvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Alerter"=3 (0x3)
"BITS"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-16 16:28:34 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-21 02:12:07 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 21:10:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????)??p?????????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-20 21:14:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-20 21:14

--- E O F ---

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:37 AM

Posted 20 June 2007 - 11:34 PM

Please download the attached file named ComboFix-Do.txt and Save it to your Desktop.

Posted Image

Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe


In your next reply, please post a fresh ComboFix log and a fresh HijackThis log.


Do not run on any other computer!!!! The attached file ComboFix-Do.txt is created for this specific computer. Running it on another system could cause it to crash or worse.

Attached Files


Microsoft MVP Consumer Security--2007-2010

#5 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:37 AM

Posted 20 June 2007 - 11:37 PM

Note: when you click on the attached file, a page may open with just text. If so, right-click on the page and choose Save Target As (IE) and Save Page As (Firefox). Let me know. Thanks
Microsoft MVP Consumer Security--2007-2010

#6 Tiffany_Graham

Tiffany_Graham
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 24 June 2007 - 08:52 PM

Sorry for the delay in responding.... Thanks, again for helping me.


"Mary" - 2007-06-24 20:31:00 Service Pack 1
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Mary\"
Command switches used :: ""C:\Documents and Settings\Mary\Desktop\ComboFix_Do.txt""


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ilkmp.bak1
C:\WINDOWS\system32\ilkmp.ini
C:\WINDOWS\system32\ilkmp.bak1
C:\WINDOWS\system32\ilkmp.ini
C:\WINDOWS\system32\pmkli.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\wnstsicomsv.exe"
"C:\Program Files\outerinfo\OiUninstaller.exe"
"C:\Program Files\outerinfo\outerinfo.ico"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\Program Files\outerinfo"

-- Purity Folders:

C:\Program Files\Common Files\SKS~1



((((((((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 ))))))))))))))))))))))))))))))))))


2007-06-21 22:33 124,436 --a------ C:\WINDOWS\system32\bhpgiwod.dll
2007-06-21 22:32 122,900 --a------ C:\WINDOWS\system32\exptvjyw.exe
2007-06-21 22:29 60,928 --a------ C:\WINDOWS\system32\hegvm.dll
2007-06-19 21:55 124,436 --a------ C:\WINDOWS\system32\aurfngua.dll
2007-06-19 21:52 122,900 --a------ C:\WINDOWS\system32\gyjhhlyg.exe
2007-06-14 11:59 62,516 --a------ C:\WINDOWS\system32\sjmkrvuk.dll
2007-06-14 11:57 124,436 --a------ C:\WINDOWS\system32\emcvdyjt.dll
2007-06-11 21:51 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-06-11 21:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 21:36 <DIR> d-------- C:\Program Files\Google
2007-06-11 17:08 58,420 --a------ C:\WINDOWS\system32\ddqfhidq.dll
2007-06-11 17:08 2,580 --a------ C:\WINDOWS\system32\snjuunyh.exe
2007-06-11 17:00 <DIR> d--hs---- C:\UWA7P
2007-06-11 16:59 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-11 16:59 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-06-11 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-11 16:56 33,302 --a------ C:\WINDOWS\system32\tuvvsst.dll
2007-06-11 16:53 930 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-11 16:53 46,592 --a------ C:\WINDOWS\jysyivc.exe
2007-06-11 16:53 33,302 --a------ C:\WINDOWS\system32\opnomji.dll
2007-06-11 16:53 261,920 -r-hs---- C:\WINDOWS\jysyivcA.exe
2007-06-11 16:53 192,604 --a------ C:\WINDOWS\system32\mwinondt.exe
2007-06-11 16:53 172,544 --a------ C:\WINDOWS\system32\rlxhrlk.dll
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T4
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T3
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\pog
2007-06-11 16:53 <DIR> d-------- C:\Temp\x2b
2007-06-11 16:53 <DIR> d-------- C:\Temp\0b9
2007-06-10 21:23 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Share-to-Web Upload Folder
2007-06-04 19:51 60,928 --------- C:\WINDOWS\system32\pfkroko.dll
2007-06-03 19:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 19:31 <DIR> d-------- C:\VundoFix Backups


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 21:37:35 31,696 ----a-w C:\DOCUME~1\Mary\APPLIC~1\wklnhst.dat
2007-06-20 00:09:40 -------- d-----w C:\Program Files\PowerArchiver
2007-06-12 04:17:41 -------- d-----w C:\Program Files\Common Files\uuqr
2007-05-21 03:36:54 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Lavasoft
2007-05-21 03:36:38 -------- d-----w C:\Program Files\Lavasoft
2007-05-21 03:36:02 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 03:22:56 -------- d-----w C:\Program Files\Common Files\AOL
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TWFyeQ\nqIVyk.vbs
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\NtzJ63G.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\MkpjPr5.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\KdfL6BY.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Xwe1Y.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Wjwi.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\RjaA.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Nxgo.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Iih96.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Cjo9gq88.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{029CA12C-89C1-46a7-A3C7-82F2F98635CB}=C:\Program Files\Kontiki\bin\bh304181.dll [2003-04-18 18:01]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 19:39]
{1A6864DC-886B-F1B5-1A16-888DBE2082C5}=C:\WINDOWS\System32\hegvm.dll [2007-06-20 09:49]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\System32\sjmkrvuk.dll [2007-06-14 11:59]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\System32\opnomji.dll [2007-06-11 16:53]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 03:09]
{fb5e6593-3788-4910-a59e-68603965a85a}=C:\WINDOWS\System32\rlxhrlk.dll [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 07:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 07:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-07 01:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 17:08]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-08 18:52]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 12:42]
"Salestart"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
"WinAntiVirus Pro 2007"="C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Qikklh"="C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe" []
"Rkw"="C:\WINDOWS\?ppPatch\?ervices.exe" []
"Aaou"="C:\WINDOWS\DOBE~1\javaw.exe" [2007-06-11 16:53]
"Eknxgp"="C:\WINDOWS\system32\?asks\??anregw.exe" []
"Bisuof"="C:\Program Files\Common Files\??sks\n?tdde.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\System32\opnomji.dll" [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomji]
opnomji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4S2NSLA3QS#366]
C:\WINDOWS\System32\NtzJ63G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3]
C:\windows\temp\Zq8u0f3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"SBService"=2 (0x2)
"navapsvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Alerter"=3 (0x3)
"BITS"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-23 10:48:38 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-25 01:43:24 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 20:43:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????)??p?????????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-24 20:47:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 20:46
C:\ComboFix2.txt ... 2007-06-20 21:14

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 8:48:13 PM, on 6/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\gyjhhlyg.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DOBE~1\javaw.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Documents and Settings\Mary\Desktop\hijack this\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.136
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A6864DC-886B-F1B5-1A16-888DBE2082C5} - C:\WINDOWS\System32\hegvm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\sjmkrvuk.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\System32\opnomji.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {fb5e6593-3788-4910-a59e-68603965a85a} - C:\WINDOWS\System32\rlxhrlk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [WinAntiVirus Pro 2007] C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe /min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Qikklh] "C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe"
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\DOBE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Eknxgp] C:\WINDOWS\system32\?asks\??anregw.exe
O4 - HKCU\..\Run: [Bisuof] "C:\Program Files\Common Files\??sks\n?tdde.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139293800177
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: opnomji - C:\WINDOWS\SYSTEM32\opnomji.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\gyjhhlyg.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#7 sjpritch25

  • Security Colleague
  • 891 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 24 June 2007 - 09:37 PM

The ComboFix log is old ("Mary" - 2007-06-24 20:31:00 Service Pack 1). Were you able to run ComboFix-Do???
Microsoft MVP Consumer Security--2007-2010

#8 Tiffany_Graham
  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2007 - 09:46 PM

That was the log from running ComboFix-Do earlier today.

#9 sjpritch25

  • Security Colleague
  • 891 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 24 June 2007 - 10:07 PM

Did you save the txt file ComboFix-Do.txt and move it into ComboFix.exe? Because the fix didn't work. Please run it again and post the results. Thanks.
Microsoft MVP Consumer Security--2007-2010

#10 Tiffany_Graham
  • Topic Starter
  • Members
  • 10 posts

Posted 25 June 2007 - 12:34 AM

I reran ComboFix:

"Mary" - 2007-06-24 22:32:33 Service Pack 1
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Mary\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 ))))))))))))))))))))))))))))))))))


2007-06-21 22:33 124,436 --a------ C:\WINDOWS\system32\bhpgiwod.dll
2007-06-21 22:32 122,900 --a------ C:\WINDOWS\system32\exptvjyw.exe
2007-06-21 22:29 60,928 --a------ C:\WINDOWS\system32\hegvm.dll
2007-06-19 21:55 124,436 --a------ C:\WINDOWS\system32\aurfngua.dll
2007-06-19 21:52 122,900 --a------ C:\WINDOWS\system32\gyjhhlyg.exe
2007-06-14 11:59 62,516 --a------ C:\WINDOWS\system32\sjmkrvuk.dll
2007-06-14 11:57 124,436 --a------ C:\WINDOWS\system32\emcvdyjt.dll
2007-06-11 21:51 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-06-11 21:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 21:36 <DIR> d-------- C:\Program Files\Google
2007-06-11 17:08 58,420 --a------ C:\WINDOWS\system32\ddqfhidq.dll
2007-06-11 17:08 2,580 --a------ C:\WINDOWS\system32\snjuunyh.exe
2007-06-11 17:00 <DIR> d--hs---- C:\UWA7P
2007-06-11 16:59 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-11 16:59 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-06-11 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-11 16:56 33,302 --a------ C:\WINDOWS\system32\tuvvsst.dll
2007-06-11 16:53 930 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-11 16:53 46,592 --a------ C:\WINDOWS\jysyivc.exe
2007-06-11 16:53 33,302 --a------ C:\WINDOWS\system32\opnomji.dll
2007-06-11 16:53 261,920 -r-hs---- C:\WINDOWS\jysyivcA.exe
2007-06-11 16:53 192,604 --a------ C:\WINDOWS\system32\mwinondt.exe
2007-06-11 16:53 172,544 --a------ C:\WINDOWS\system32\rlxhrlk.dll
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T4
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T3
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\pog
2007-06-11 16:53 <DIR> d-------- C:\Temp\x2b
2007-06-11 16:53 <DIR> d-------- C:\Temp\0b9
2007-06-10 21:23 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Share-to-Web Upload Folder
2007-06-04 19:51 60,928 --------- C:\WINDOWS\system32\pfkroko.dll
2007-06-03 19:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 19:31 <DIR> d-------- C:\VundoFix Backups


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 21:37:35 31,696 ----a-w C:\DOCUME~1\Mary\APPLIC~1\wklnhst.dat
2007-06-20 00:09:40 -------- d-----w C:\Program Files\PowerArchiver
2007-06-12 04:17:41 -------- d-----w C:\Program Files\Common Files\uuqr
2007-05-21 03:36:54 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Lavasoft
2007-05-21 03:36:38 -------- d-----w C:\Program Files\Lavasoft
2007-05-21 03:36:02 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 03:22:56 -------- d-----w C:\Program Files\Common Files\AOL
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TWFyeQ\nqIVyk.vbs
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\NtzJ63G.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\MkpjPr5.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\KdfL6BY.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Xwe1Y.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Wjwi.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\RjaA.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Nxgo.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Iih96.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Cjo9gq88.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{029CA12C-89C1-46a7-A3C7-82F2F98635CB}=C:\Program Files\Kontiki\bin\bh304181.dll [2003-04-18 18:01]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 19:39]
{1A6864DC-886B-F1B5-1A16-888DBE2082C5}=C:\WINDOWS\System32\hegvm.dll [2007-06-20 09:49]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\System32\sjmkrvuk.dll [2007-06-14 11:59]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\System32\opnomji.dll [2007-06-11 16:53]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 03:09]
{fb5e6593-3788-4910-a59e-68603965a85a}=C:\WINDOWS\System32\rlxhrlk.dll [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 07:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 07:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-07 01:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 17:08]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-08 18:52]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 12:42]
"Salestart"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
"WinAntiVirus Pro 2007"="C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Qikklh"="C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe" []
"Rkw"="C:\WINDOWS\?ppPatch\?ervices.exe" []
"Aaou"="C:\WINDOWS\DOBE~1\javaw.exe" [2007-06-11 16:53]
"Eknxgp"="C:\WINDOWS\system32\?asks\??anregw.exe" []
"Bisuof"="C:\Program Files\Common Files\??sks\n?tdde.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\System32\opnomji.dll" [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomji]
opnomji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4S2NSLA3QS#366]
C:\WINDOWS\System32\NtzJ63G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3]
C:\windows\temp\Zq8u0f3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"SBService"=2 (0x2)
"navapsvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Alerter"=3 (0x3)
"BITS"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-23 10:48:38 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-25 03:42:04 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 22:42:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????)??p?????????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-24 22:43:47
C:\ComboFix-quarantined-files.txt ... 2007-06-24 22:43
C:\ComboFix2.txt ... 2007-06-24 20:47
C:\ComboFix3.txt ... 2007-06-20 21:14

--- E O F ---


Then I ran ComboFix with the 'Do it' list:


"Mary" - 2007-06-25 0:20:07 Service Pack 1
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Mary\"
Command switches used :: ""C:\Documents and Settings\Mary\Desktop\ComboFix_Do.txt""


((((((((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 ))))))))))))))))))))))))))))))))))


2007-06-21 22:33 124,436 --a------ C:\WINDOWS\system32\bhpgiwod.dll
2007-06-21 22:32 122,900 --a------ C:\WINDOWS\system32\exptvjyw.exe
2007-06-21 22:29 60,928 --a------ C:\WINDOWS\system32\hegvm.dll
2007-06-19 21:55 124,436 --a------ C:\WINDOWS\system32\aurfngua.dll
2007-06-19 21:52 122,900 --a------ C:\WINDOWS\system32\gyjhhlyg.exe
2007-06-14 11:59 62,516 --a------ C:\WINDOWS\system32\sjmkrvuk.dll
2007-06-14 11:57 124,436 --a------ C:\WINDOWS\system32\emcvdyjt.dll
2007-06-11 21:51 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-06-11 21:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 21:36 <DIR> d-------- C:\Program Files\Google
2007-06-11 17:08 58,420 --a------ C:\WINDOWS\system32\ddqfhidq.dll
2007-06-11 17:08 2,580 --a------ C:\WINDOWS\system32\snjuunyh.exe
2007-06-11 17:00 <DIR> d--hs---- C:\UWA7P
2007-06-11 16:59 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-11 16:59 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-06-11 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-11 16:56 33,302 --a------ C:\WINDOWS\system32\tuvvsst.dll
2007-06-11 16:53 930 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-11 16:53 46,592 --a------ C:\WINDOWS\jysyivc.exe
2007-06-11 16:53 33,302 --a------ C:\WINDOWS\system32\opnomji.dll
2007-06-11 16:53 261,920 -r-hs---- C:\WINDOWS\jysyivcA.exe
2007-06-11 16:53 192,604 --a------ C:\WINDOWS\system32\mwinondt.exe
2007-06-11 16:53 172,544 --a------ C:\WINDOWS\system32\rlxhrlk.dll
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T4
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T3
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-11 16:53 <DIR> d-------- C:\WINDOWS\system32\pog
2007-06-11 16:53 <DIR> d-------- C:\Temp\x2b
2007-06-11 16:53 <DIR> d-------- C:\Temp\0b9
2007-06-10 21:23 <DIR> d-------- C:\DOCUME~1\Mary\APPLIC~1\Share-to-Web Upload Folder
2007-06-04 19:51 60,928 --------- C:\WINDOWS\system32\pfkroko.dll
2007-06-03 19:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 19:31 <DIR> d-------- C:\VundoFix Backups


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 21:37:35 31,696 ----a-w C:\DOCUME~1\Mary\APPLIC~1\wklnhst.dat
2007-06-20 00:09:40 -------- d-----w C:\Program Files\PowerArchiver
2007-06-12 04:17:41 -------- d-----w C:\Program Files\Common Files\uuqr
2007-05-21 03:36:54 -------- d-----w C:\DOCUME~1\Mary\APPLIC~1\Lavasoft
2007-05-21 03:36:38 -------- d-----w C:\Program Files\Lavasoft
2007-05-21 03:36:02 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 03:22:56 -------- d-----w C:\Program Files\Common Files\AOL
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TWFyeQ\nqIVyk.vbs
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\NtzJ63G.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\MkpjPr5.exe
2004-04-19 04:08:19 458,762 --sh--w C:\WINDOWS\system32\KdfL6BY.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Xwe1Y.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Wjwi.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\RjaA.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Nxgo.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Iih96.exe
2004-04-19 04:08:19 233,482 --sh--w C:\WINDOWS\system32\Cjo9gq88.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{029CA12C-89C1-46a7-A3C7-82F2F98635CB}=C:\Program Files\Kontiki\bin\bh304181.dll [2003-04-18 18:01]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 19:39]
{1A6864DC-886B-F1B5-1A16-888DBE2082C5}=C:\WINDOWS\System32\hegvm.dll [2007-06-20 09:49]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\System32\sjmkrvuk.dll [2007-06-14 11:59]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\System32\opnomji.dll [2007-06-11 16:53]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 03:09]
{fb5e6593-3788-4910-a59e-68603965a85a}=C:\WINDOWS\System32\rlxhrlk.dll [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 07:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 07:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-07 01:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 17:08]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-08 18:52]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 12:42]
"Salestart"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
"WinAntiVirus Pro 2007"="C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"Qikklh"="C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe" []
"Rkw"="C:\WINDOWS\?ppPatch\?ervices.exe" []
"Aaou"="C:\WINDOWS\DOBE~1\javaw.exe" [2007-06-11 16:53]
"Eknxgp"="C:\WINDOWS\system32\?asks\??anregw.exe" []
"Bisuof"="C:\Program Files\Common Files\??sks\n?tdde.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\System32\opnomji.dll" [2007-06-11 16:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomji]
opnomji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4S2NSLA3QS#366]
C:\WINDOWS\System32\NtzJ63G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3]
C:\windows\temp\Zq8u0f3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"SBService"=2 (0x2)
"navapsvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Alerter"=3 (0x3)
"BITS"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-23 10:48:38 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-25 05:22:05 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 00:26:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????)??p?????????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-25 0:27:58
C:\ComboFix-quarantined-files.txt ... 2007-06-25 00:27
C:\ComboFix2.txt ... 2007-06-25 00:16
C:\ComboFix3.txt ... 2007-06-24 20:47

--- E O F ---

Then I ran Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 12:29:43 AM, on 6/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\gyjhhlyg.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DOBE~1\javaw.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mary\Desktop\hijack this\HijackThis.exe
C:\Documents and Settings\Mary\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.136
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A6864DC-886B-F1B5-1A16-888DBE2082C5} - C:\WINDOWS\System32\hegvm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\sjmkrvuk.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\System32\opnomji.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {fb5e6593-3788-4910-a59e-68603965a85a} - C:\WINDOWS\System32\rlxhrlk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [WinAntiVirus Pro 2007] C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe /min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Qikklh] "C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe"
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\DOBE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Eknxgp] C:\WINDOWS\system32\?asks\??anregw.exe
O4 - HKCU\..\Run: [Bisuof] "C:\Program Files\Common Files\??sks\n?tdde.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139293800177
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: opnomji - C:\WINDOWS\SYSTEM32\opnomji.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\gyjhhlyg.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
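
The entries the helper singles out for deletion in the next post all share a few visible traits in this HijackThis log: unnamed BHOs and a Winlogon Notify handler backed by DLLs with random lowercase names dropped straight into System32, a service with no vendor string, and Run entries whose paths contain "?" where HijackThis could not render a character (folder and file names mimicking Tasks, AppPatch and services.exe). As an added illustration, not part of this thread or of HijackThis itself, here is a small Python triage script that encodes those traits as rules and runs them over a constructed sample of lines in the same format. The sample lines, the rule names and the `triage` function are my own; treat the output as a shortlist for a human to check, not a verdict.

```python
import re

# Constructed sample in HijackThis 1.99.1 line format, drawn from entries in the log above:
# a mix of legitimate vendor entries and the ones later listed for deletion.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A6864DC-886B-F1B5-1A16-888DBE2082C5} - C:\WINDOWS\System32\hegvm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O20 - Winlogon Notify: opnomji - C:\WINDOWS\SYSTEM32\opnomji.dll
O23 - Service: DomainService - - C:\WINDOWS\System32\gyjhhlyg.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
"""

# One regex per line type we triage; named groups expose the name, owner and path.
# An O23 line with an empty owner reads "name - - path", hence the optional space before the dash.
LINE_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.+)$"),
}

# Heuristic: 5-9 lowercase letters plus a binary extension, sitting directly in %SystemRoot% or System32.
RANDOM_NAME = re.compile(r"^[a-z]{5,9}\.(?:dll|exe|sys)$")
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\windows(?:\\system32)?\\[^\\]+$", re.IGNORECASE)


def looks_random_system_file(path):
    """True when the file has a random-looking name and lives directly in the Windows or System32 folder."""
    basename = path.rsplit("\\", 1)[-1]
    return bool(SYSTEM_DIR.match(path)) and bool(RANDOM_NAME.match(basename))


def triage(log_text):
    """Return one finding per suspicious line: its type, name, executable path and the rules that fired."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in LINE_RE.items():
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            path = d["path"].strip()
            if path.startswith('"'):          # quoted executable followed by arguments
                path = path[1:].split('"', 1)[0]
            reasons = []
            if "?" in path:
                reasons.append("character HijackThis could not render: lookalike folder or file name")
            if kind == "O2" and d["name"] == "(no name)" and looks_random_system_file(path):
                reasons.append("unnamed BHO loading a random-named DLL from the system directory")
            if kind == "O20" and looks_random_system_file(path):
                reasons.append("Winlogon Notify handler backed by a random-named DLL")
            if kind == "O23":
                if not d["owner"].strip():
                    reasons.append("service with no vendor string")
                if looks_random_system_file(path):
                    reasons.append("service binary with a random name in the system directory")
            if reasons:
                findings.append({"kind": kind, "name": d["name"], "path": path, "reasons": reasons})
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:>3} {f['name']:<14} {f['path']}")
        for r in f["reasons"]:
            print("      -", r)
```

Run as-is it flags exactly the four sample lines that were later deleted (hegvm.dll, the "?ppPatch" Run entry, the opnomji Winlogon hook and the DomainService binary) and leaves the Adobe, Spybot, Synaptics and HP entries alone. The random-name rule is deliberately only applied where the entry also lacks a name or vendor, because plenty of legitimate Microsoft files in System32 have short lowercase names.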

#11 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:37 AM

Posted 25 June 2007 - 07:12 AM

Please navigate to Add/Remove Programs in your Control Panel and remove the following:
Windows Core Components


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\aurfngua.dll
C:\WINDOWS\system32\gyjhhlyg.exe
C:\WINDOWS\system32\sjmkrvuk.dll
C:\WINDOWS\system32\emcvdyjt.dll
C:\WINDOWS\system32\ddqfhidq.dll
C:\WINDOWS\system32\snjuunyh.exe
C:\WINDOWS\system32\tuvvsst.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\jysyivc.exe
C:\WINDOWS\system32\opnomji.dll
C:\WINDOWS\jysyivcA.exe
C:\WINDOWS\system32\mwinondt.exe
C:\WINDOWS\system32\rlxhrlk.dll
C:\WINDOWS\system32\hpxukdze.dll
C:\WINDOWS\DOBE~1\javaw.exe
C:\WINDOWS\system32\NtzJ63G.exe
C:\WINDOWS\system32\MkpjPr5.exe
C:\WINDOWS\system32\KdfL6BY.exe
C:\WINDOWS\system32\Xwe1Y.exe
C:\WINDOWS\system32\Wjwi.exe
C:\WINDOWS\system32\RjaA.exe
C:\WINDOWS\system32\Nxgo.exe
C:\WINDOWS\system32\Iih96.exe
C:\WINDOWS\system32\Cjo9gq88.exe
C:\WINDOWS\system32\pfkroko.dll
C:\WINDOWS\TWFyeQ\nqIVyk.vbs
C:\WINDOWS\DOBE~1\javaw.exe

Folders to delete:
C:\UWA7P
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T1QaSQ
C:\WINDOWS\system32\pog
C:\Temp\x2b
C:\Temp\0b9
C:\Program Files\Kontiki

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029CA12C-89C1-46a7-A3C7-82F2F98635CB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A61098D-612B-4EF2-943D-64E920684061}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC093B4C-DBAA-A976-D90A-89ADDCE573CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fb5e6593-3788-4910-a59e-68603965a85a}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomji
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4S2NSLA3QS#366
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3]

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | WinAntiVirus Pro 2007
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Salestart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Qikklh
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Rkw
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Aaou
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Eknxgp
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Bisuof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {8A61098D-612B-4EF2-943D-64E920684061}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


================================

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

In your next reply, please include a fresh Hijackthis log, Avenger log, and Panda Activescan log. Thanks
Microsoft MVP Consumer Security--2007-2010
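
The Avenger log posted later in this thread reports three problems that a static check of the script could have caught before the reboot: a file listed twice under "Files to delete:" (the second pass reports "not found"), a key path ending in a stray "]" carried over from the bracketed ComboFix listing, and every HKEY_CURRENT_USER line under "Registry values to delete:" discarded by the pre-processor as "not a valid registry path". As an added example, not from this thread or from The Avenger's author, here is a Python pre-check for a script in that format. The sample script is constructed to contain those three defects; treating HKEY_CURRENT_USER as unsupported is an assumption generalised from the log rather than documented tool behaviour, and the `validate` and `check_registry_path` names are mine.

```python
import re

# Constructed sample in The Avenger's script format, modelled on the script posted above. It
# deliberately carries the three defects the Avenger log reports later in this thread.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\aurfngua.dll
C:\WINDOWS\DOBE~1\javaw.exe
C:\WINDOWS\DOBE~1\javaw.exe

Folders to delete:
C:\UWA7P

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3]

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Salestart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Qikklh
"""

SECTIONS = ("files to delete:", "folders to delete:", "registry keys to delete:",
            "registry values to delete:", "drivers to unload:")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
# The log in this thread shows the pre-processor discarding every HKEY_CURRENT_USER line while
# accepting HKEY_LOCAL_MACHINE ones; treating that as a general rule is an assumption.
UNSUPPORTED_HIVES = ("HKEY_CURRENT_USER",)
DRIVE_PATH = re.compile(r'^[A-Za-z]:\\[^<>|*?"]+$')


def parse_script(text):
    """Split the script into {section header: [(line number, entry)]}; headers are matched case-insensitively."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTIONS:
            current = line.lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line {lineno}: entry before any section header: {line}")
        else:
            sections[current].append((lineno, line))
    return sections


def check_registry_path(path):
    """Return a problem description for a registry key path, or None if it looks usable."""
    if path.startswith("[") or path.endswith("]"):
        return "stray bracket copied from a [bracketed] ComboFix or .reg listing"
    hive = path.split("\\", 1)[0]
    if hive not in HIVES:
        return f"unknown hive '{hive}'"
    if hive in UNSUPPORTED_HIVES:
        return f"{hive} paths are rejected by the pre-processor"
    return None


def validate(text):
    """Return [(line number, message)] for every entry that would fail or be silently ignored."""
    problems = []
    for section, entries in parse_script(text).items():
        seen = set()
        for lineno, line in entries:
            if line.lower() in seen:
                problems.append((lineno, f"duplicate entry, second deletion will report 'not found': {line}"))
                continue
            seen.add(line.lower())
            if section in ("files to delete:", "folders to delete:"):
                if not DRIVE_PATH.match(line):
                    problems.append((lineno, f"not an absolute drive path: {line}"))
            elif section == "registry keys to delete:":
                msg = check_registry_path(line)
                if msg:
                    problems.append((lineno, f"{msg}: {line}"))
            elif section == "registry values to delete:":
                parts = [p.strip() for p in line.split("|")]
                if len(parts) != 2 or not all(parts):
                    problems.append((lineno, f"value entry must be 'key | value name': {line}"))
                    continue
                msg = check_registry_path(parts[0])
                if msg:
                    problems.append((lineno, f"{msg}: {line}"))
    return problems


if __name__ == "__main__":
    for lineno, msg in validate(SAMPLE_SCRIPT):
        print(f"line {lineno}: {msg}")
```

On the sample it reports the duplicate javaw.exe line, the "Zq8u0f3]" key and the HKEY_CURRENT_USER value, and nothing else. A check like this cannot tell you whether a file actually exists on the machine (the hpxukdze.dll "not found" in the log is that kind of failure), only whether the script is well-formed for the tool that will run it unattended at boot.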

#12 Tiffany_Graham

Tiffany_Graham
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 26 June 2007 - 10:25 PM

Before your instructions in step 1 you mention to remove "windows core components"- is there a certain specific component I'm supposed to remove or is there something that's supposed to be called "windows core components" in the add / remove files? If there is, I don't believe it's installed on my computer....

Please navigate to Add/Remove Programs in your Control Panel and remove the following:
Windows Core Components

1. Please download The Avenger by Swandog46 to your Desktop


#13 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:37 AM

Posted 27 June 2007 - 05:24 PM

Yes, it should be in Add/Remove Programs; if not, then good. You can proceed with the rest of my instructions.
Microsoft MVP Consumer Security--2007-2010

#14 Tiffany_Graham

Tiffany_Graham
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 28 June 2007 - 09:25 PM

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Qikklh


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Rkw


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Aaou


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Eknxgp


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Bisuof


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uqbdcpkk

*******************

Script file located at: \??\C:\WINDOWS\System32\cbjbpjvt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\aurfngua.dll deleted successfully.
File C:\WINDOWS\system32\gyjhhlyg.exe deleted successfully.
File C:\WINDOWS\system32\sjmkrvuk.dll deleted successfully.
File C:\WINDOWS\system32\emcvdyjt.dll deleted successfully.
File C:\WINDOWS\system32\ddqfhidq.dll deleted successfully.
File C:\WINDOWS\system32\snjuunyh.exe deleted successfully.
File C:\WINDOWS\system32\tuvvsst.dll deleted successfully.
File C:\WINDOWS\system32\winpfz32.sys deleted successfully.
File C:\WINDOWS\jysyivc.exe deleted successfully.
File C:\WINDOWS\system32\opnomji.dll deleted successfully.
File C:\WINDOWS\jysyivcA.exe deleted successfully.
File C:\WINDOWS\system32\mwinondt.exe deleted successfully.
File C:\WINDOWS\system32\rlxhrlk.dll deleted successfully.


File C:\WINDOWS\system32\hpxukdze.dll not found!
Deletion of file C:\WINDOWS\system32\hpxukdze.dll failed!

Could not process line:
C:\WINDOWS\system32\hpxukdze.dll
Status: 0xc0000034

File C:\WINDOWS\DOBE~1\javaw.exe deleted successfully.
File C:\WINDOWS\system32\NtzJ63G.exe deleted successfully.
File C:\WINDOWS\system32\MkpjPr5.exe deleted successfully.
File C:\WINDOWS\system32\KdfL6BY.exe deleted successfully.
File C:\WINDOWS\system32\Xwe1Y.exe deleted successfully.
File C:\WINDOWS\system32\Wjwi.exe deleted successfully.
File C:\WINDOWS\system32\RjaA.exe deleted successfully.
File C:\WINDOWS\system32\Nxgo.exe deleted successfully.
File C:\WINDOWS\system32\Iih96.exe deleted successfully.
File C:\WINDOWS\system32\Cjo9gq88.exe deleted successfully.
File C:\WINDOWS\system32\pfkroko.dll deleted successfully.
File C:\WINDOWS\TWFyeQ\nqIVyk.vbs deleted successfully.


File C:\WINDOWS\DOBE~1\javaw.exe not found!
Deletion of file C:\WINDOWS\DOBE~1\javaw.exe failed!

Could not process line:
C:\WINDOWS\DOBE~1\javaw.exe
Status: 0xc0000034

Folder C:\UWA7P deleted successfully.
Folder C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007 deleted successfully.
Folder C:\WINDOWS\system32\TQ0 deleted successfully.
Folder C:\WINDOWS\system32\T7 deleted successfully.
Folder C:\WINDOWS\system32\T6 deleted successfully.
Folder C:\WINDOWS\system32\T4 deleted successfully.
Folder C:\WINDOWS\system32\T3 deleted successfully.
Folder C:\WINDOWS\system32\T1QaSQ deleted successfully.
Folder C:\WINDOWS\system32\pog deleted successfully.
Folder C:\Temp\x2b deleted successfully.
Folder C:\Temp\0b9 deleted successfully.
Folder C:\Program Files\Kontiki deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029CA12C-89C1-46a7-A3C7-82F2F98635CB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A61098D-612B-4EF2-943D-64E920684061} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC093B4C-DBAA-A976-D90A-89ADDCE573CF} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC093B4C-DBAA-A976-D90A-89ADDCE573CF} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fb5e6593-3788-4910-a59e-68603965a85a} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomji deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4S2NSLA3QS#366 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL deleted successfully.


Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3] not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3] failed!
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|WinAntiVirus Pro 2007 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Salestart deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{8A61098D-612B-4EF2-943D-64E920684061} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 9:21:55 PM, on 6/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Documents and Settings\Mary\Desktop\hijack this\HijackThis.exe
C:\Documents and Settings\Mary\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.136
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A6864DC-886B-F1B5-1A16-888DBE2082C5} - C:\WINDOWS\System32\hegvm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Qikklh] "C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe"
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\DOBE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Eknxgp] C:\WINDOWS\system32\?asks\??anregw.exe
O4 - HKCU\..\Run: [Bisuof] "C:\Program Files\Common Files\??sks\n?tdde.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139293800177
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gyjhhlyg.exe (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



I wasn't sure if I was supposed to run panda next. Also, there were some errors when trying to delete the registry keys, specifically the ones that look like jumbles of letters.

Thank you again so much for your help!
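
The Avenger log above reports two "failed!" deletions, each followed by "Status: 0xc0000034". That value is the Windows NTSTATUS code STATUS_OBJECT_NAME_NOT_FOUND: the key was already absent when the script reached it (the "not found!" line just before each failure says the same), so nothing was left behind. The following Python is an added example for this thread, not part of The Avenger or HijackThis: it pairs each "failed!" line with its "Status:" line and separates the harmless "already gone" cases from failures that still need attention. The two registry-key failures in the sample are quoted from the log above; the file failure with 0xc0000022 (STATUS_ACCESS_DENIED) is a constructed line added so that a non-benign case is exercised.

```python
"""Triage of an Avenger log: tell a harmless 'not found' apart from a real failure.

Added example for this thread; it is not part of The Avenger or HijackThis.
"""
import re
from dataclasses import dataclass
from typing import List

# NTSTATUS values Avenger echoes on its "Status:" lines. The four codes and
# their symbolic names are standard Windows values; the selection is ours.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
# "Not found" means the object was already gone when the script ran (for
# example an earlier tool removed it), so no further action is needed.
ALREADY_GONE = {0xC0000034, 0xC000003A}

# Constructed sample: the two registry-key failures are the ones shown in the
# thread's log; the final file failure is invented to show a non-benign case.
SAMPLE_LOG = r"""
Folder C:\WINDOWS\system32\pog deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC093B4C-DBAA-A976-D90A-89ADDCE573CF} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC093B4C-DBAA-A976-D90A-89ADDCE573CF} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3] not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zq8u0f3] failed!
Status: 0xc0000034

Deletion of file C:\Temp\locked.dll failed!
Status: 0xc0000022
"""


@dataclass
class Failure:
    kind: str           # "registry key", "file", ...
    target: str         # the path or key the script tried to delete
    status: int         # NTSTATUS taken from the following "Status:" line
    name: str           # symbolic name if known
    already_gone: bool  # True when the failure only says the object was absent


FAILED_RE = re.compile(
    r"^Deletion of (?P<kind>registry key|registry value|file|folder|driver) "
    r"(?P<target>.+) failed!$"
)
STATUS_RE = re.compile(r"^Status: 0x(?P<code>[0-9A-Fa-f]{8})$")


def parse_failures(log_text: str) -> List[Failure]:
    """Pair each 'failed!' line with the 'Status:' line that follows it."""
    failures: List[Failure] = []
    pending = None  # the most recent 'failed!' match still waiting for a status
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FAILED_RE.match(line)
        if m:
            pending = m
            continue
        s = STATUS_RE.match(line)
        if s and pending is not None:
            code = int(s.group("code"), 16)
            failures.append(Failure(
                kind=pending.group("kind"),
                target=pending.group("target"),
                status=code,
                name=NTSTATUS_NAMES.get(code, "unknown NTSTATUS"),
                already_gone=code in ALREADY_GONE,
            ))
            pending = None
    return failures


def real_failures(log_text: str) -> List[Failure]:
    """Failures that still need attention: anything not explained by 'already gone'."""
    return [f for f in parse_failures(log_text) if not f.already_gone]


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        verdict = "already gone, ignore" if f.already_gone else "NEEDS ATTENTION"
        print(f"{f.kind}: {f.target}\n    0x{f.status:08X} {f.name} -> {verdict}")
```

Run on the sample, the two registry-key failures come back as "already gone" and only the constructed access-denied file failure is reported as needing attention, which is the reading a helper would give the errors in the log above.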

#15 sjpritch25

  • Security Colleague
  • 891 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 29 June 2007 - 05:51 PM

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O2 - BHO: (no name) - {1A6864DC-886B-F1B5-1A16-888DBE2082C5} - C:\WINDOWS\System32\hegvm.dll
O4 - HKCU\..\Run: [Qikklh] "C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe"
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\DOBE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Eknxgp] C:\WINDOWS\system32\?asks\??anregw.exe
O4 - HKCU\..\Run: [Bisuof] "C:\Program Files\Common Files\??sks\n?tdde.exe"

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."


======================================

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\System32\hegvm.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


===============================================


Please perform a scan with Kaspersky Webscan Online Virus Scanner
1. Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
2. Read the Requirements and Privacy statement, then select "Accept".
3. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
4. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
5. When the download is complete it will say ready, click "Next".
6. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
7. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
8. Click "OK".
9. Under "Select a target to scan", click on "My Computer".
10. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!'
Microsoft MVP Consumer Security--2007-2010
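
The entries the helper picked out in step 1 share a few visible tells: a browser helper object registered with "(no name)" and a random-looking DLL in System32, HKCU Run entries whose paths contain "?" (HijackThis prints "?" where a folder or file name holds a character it cannot display, something legitimate installers do not do), and a service whose binary is missing. The following Python is an added example for this thread, not part of HijackThis or the helper's own method: it encodes those tells as heuristics and runs them over lines quoted from the log posted above, with a few legitimate lines (Adobe, Synaptics, iPod, the O16 Windows Update control) included so the rules have something to leave alone. The rules themselves are our own reading of the log and are assumptions; a hit is a reason to look at the file on disk, not proof by itself.

```python
"""Heuristic triage of HijackThis log lines.

Added example for this thread, not part of HijackThis. The rules below are
our own reading of the tells the helper acted on in this log; they are
heuristics, not proof, and every hit should be confirmed against the
actual file on disk before anything is fixed.
"""
import re
from typing import Dict, List, Tuple

# Lines quoted from the HijackThis log posted in the thread; the Adobe,
# Synaptics, iPod and O16 lines are legitimate and are here to be ignored.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A6864DC-886B-F1B5-1A16-888DBE2082C5} - C:\WINDOWS\System32\hegvm.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Qikklh] "C:\Documents and Settings\Mary\Application Data\?asks\w?crtupd.exe"
O4 - HKCU\..\Run: [Rkw] C:\WINDOWS\?ppPatch\?ervices.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gyjhhlyg.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A Windows drive path (letter, colon, backslash) that contains a '?'.
# HijackThis prints '?' where a path holds a character it cannot display;
# real program folders do not, so a '?' inside a Run path is a strong tell.
# Scoping to drive paths keeps the '?' of an O16 download URL from matching.
UNDISPLAYABLE_PATH = re.compile(r'[A-Za-z]:\\[^"]*\?')


def flag_entry(line: str) -> List[str]:
    """Return the reasons (possibly none) that one log line deserves a look."""
    reasons: List[str] = []
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if line.startswith(("O2 -", "O4 -")) and UNDISPLAYABLE_PATH.search(line):
        reasons.append("path contains characters HijackThis could not display")
    if line.startswith("O23 -") and "(file missing)" in line:
        reasons.append("service points at a binary that is no longer on disk")
    if line.startswith("O23 -") and "Unknown owner" in line:
        # Weak on its own: the ATI hotkey service in the same log shows it too.
        reasons.append("service binary carries no publisher information")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line that at least one rule flagged."""
    hits: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = flag_entry(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def count_by_section(hits: List[Tuple[str, List[str]]]) -> Dict[str, int]:
    """Number of flagged lines per HijackThis section prefix (O2, O4, O23, ...)."""
    counts: Dict[str, int] = {}
    for line, _ in hits:
        section = line.split(" ", 1)[0]
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT):
        print(line)
        for r in reasons:
            print("    -", r)
```

On the sample the four flagged lines are exactly the hegvm.dll BHO, the two HKCU Run entries with "?" in their paths, and the DomainService entry; the legitimate vendor entries and the O16 URL are not touched. Keep the "Unknown owner" rule as a tie-breaker rather than a verdict, since hardware vendors' services show it as well.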



