Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop Ups Running Wild! :-( Please Help!


  • Please log in to reply
4 replies to this topic

#1 ToxicLuv07

ToxicLuv07

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 25 June 2007 - 06:55 PM

My pop up blocker is not blocking certain windows that pop up and my computer is running very very slow now. All the windows start with the address of: http://url.cpvfeed.com

Here is my log... Can anyone please help? I'm not sure where to start since my other programs can't detect it! Thanks!!!


Logfile of HijackThis v1.99.1
Scan saved at 7:36:13 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46F1BE74-24E6-4235-B757-C5BB6D4682CF} - C:\Program Files\Common Files\nixy43855.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\btrwjbue.dll (file missing)
O2 - BHO: (no name) - {64ED4F12-B929-4219-AFF8-595B5DEA5C48} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\urqronm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [qyvgctfA] C:\WINDOWS\qyvgctfA.exe
O4 - HKLM\..\Run: [{3F-F4-4A-A5-ZN}] c:\windows\system32\mrdsregl.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinsndt.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ojjkvylh.dll",realset
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinsndt.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O20 - Winlogon Notify: urqronm - urqronm.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qyvgctf.exe (file missing)

BC AdBot (Login to Remove)

 


m

#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:02 PM

Posted 25 June 2007 - 11:15 PM

First, make sure HijackThis is run from its own folder. This will ensure we have back ups made and are kept securely. Backups allow the restoring of fixed entries when necessary.

On the Desktop, right click an empty area, select New > Folder, and name the folder Hijack This. place the HijackThis.exe file in it, and then run the program from its own folder from now on...

~~~~
Please go to: Start > Run, type: control
Press OK
Double-click on: Add/Remove Programs

On the list of Currently Installed Programs, look for and, if found, uninstall the following by selecting the entry and clicking on Remove:
ProfileWatcher

Next, search for and delete the following folder (bold):
C:\Program Files\ProfileWatcher

Restart the computer.

~~~~
Next, go to Start > Run, and type in the following commands one at a time and hit Enter after each line:
sc stop “Windows Overlay Components”
sc delete “Windows Overlay Components”


~~~~
Run HijackThis, Scan
Check box for:

O2 - BHO: (no name) - {46F1BE74-24E6-4235-B757-C5BB6D4682CF} - C:\Program Files\Common Files\nixy43855.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\btrwjbue.dll (file missing)
O2 - BHO: (no name) - {64ED4F12-B929-4219-AFF8-595B5DEA5C48} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\urqronm.dll (file missing)

O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
(This entry is probably gone from the log)

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [qyvgctfA] C:\WINDOWS\qyvgctfA.exe
O4 - HKLM\..\Run: [{3F-F4-4A-A5-ZN}] c:\windows\system32\mrdsregl.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinsndt.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ojjkvylh.dll",realset

O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinsndt.exe

O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O20 - Winlogon Notify: urqronm - urqronm.dll (file missing)

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qyvgctf.exe (file missing)
(This entry is probably gone from the log)

Select: Fix checked

~~~~
Please download ComboFix to the Desktop:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

A log, combofix.txt is produced.

~~~~
Next, download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Reboot to Safe Mode :
-When the machine starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
in Safe Mode, launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the following in your reply:
The ComboFix.txt
The AVG AS report
A new HijackThis log

Old duck...


#3 ToxicLuv07

ToxicLuv07
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 26 June 2007 - 03:14 PM

Here are the log files: (The AVG AS did not produve a report it said "NO REPORT FOUND". It did find over 170 things to delete though!)

Hijack This...

Logfile of HijackThis v1.99.1
Scan saved at 3:58:47 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


COMBOFIX log:


ComboFix 07-06-18.2 - C:\Documents and Settings\Compaq_Owner\My Documents\ComboFix.exe
"Compaq_Owner" - 2007-06-26 10:08:22 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ojjkvylh.dll
C:\WINDOWS\system32\hlyvkjjo.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\COMPAQ~1\APPLIC~1\Install.dat
C:\Program Files\winupdate
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\offun.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 10:03 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 21:00 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-25 20:57 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-06-25 18:57 <DIR> d-------- C:\Program Files\Bazooka Scanner
2007-06-25 18:56 <DIR> d-------- C:\Program Files\Opera
2007-06-21 12:50 <DIR> d-------- C:\Program Files\ExtractNow
2007-06-21 12:39 <DIR> d-------- C:\Program Files\VoiceMX
2007-06-18 18:36 21,056 --a------ C:\WINDOWS\system32\MS6Md4ck.exe
2007-06-18 10:03 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\PC Tools
2007-06-18 10:00 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-06-18 10:00 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-06-18 10:00 15,872 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-06-18 10:00 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-06-18 10:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-06-18 09:33 1,051,920 -r-hs---- C:\WINDOWS\qyvgctfA.exe
2007-06-18 09:31 617,619 --a------ C:\temp\aZ001.exe
2007-06-18 09:30 <DIR> d-------- C:\temp\iee
2007-06-09 12:24 <DIR> d-------- C:\Program Files\MySpace
2007-06-05 09:24 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\vlc
2007-06-05 09:19 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-03 23:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SRS Labs
2007-06-03 23:51 47,360 -ra------ C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2007-06-03 23:51 46,592 -ra------ C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2007-06-03 23:51 39,552 -ra------ C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2007-06-03 23:51 37,248 -ra------ C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2007-06-03 23:51 32,000 -ra------ C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 00:02:12 -------- d-----w C:\Program Files\EZT_Partner
2007-06-22 00:02:53 28,937 ----a-w C:\dae6.dat
2007-06-18 21:27:05 -------- d-----w C:\Program Files\TBONBin
2007-06-18 21:20:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 20:58:42 -------- d-----w C:\Program Files\LimeWire
2007-06-13 14:51:29 -------- d-----w C:\Program Files\Ulead Systems
2007-06-09 00:35:31 -------- d-----w C:\Program Files\InterActual
2007-05-24 23:01:24 -------- d-----w C:\Program Files\Digital Audio Editor
2007-05-23 19:08:26 -------- d-----w C:\Program Files\EZT
2007-04-30 19:12:48 -------- d-----w C:\Program Files\Reallusion
2007-04-30 19:01:25 -------- d-----w C:\Program Files\Morpheus Photo Morpher
2007-04-30 18:28:21 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Morpheus Software
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-14 11:50]
{BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2004-08-30 14:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2007-01-30 00:39]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-30 00:39]
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2007-01-30 00:39]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2007-01-30 00:39]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2007-01-30 00:39]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2007-01-30 00:39]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-30 00:39]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-30 00:39]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 03:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-06-18 10:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 11:50]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 15:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe


Contents of the 'Scheduled Tasks' folder
2007-06-26 04:00:30 C:\WINDOWS\tasks\At1.job
2007-06-26 13:00:10 C:\WINDOWS\tasks\At10.job
2007-06-26 14:00:30 C:\WINDOWS\tasks\At11.job
2007-06-25 15:00:30 C:\WINDOWS\tasks\At12.job
2007-06-25 16:00:30 C:\WINDOWS\tasks\At13.job
2007-06-25 17:00:30 C:\WINDOWS\tasks\At14.job
2007-06-25 18:00:30 C:\WINDOWS\tasks\At15.job
2007-06-25 19:00:30 C:\WINDOWS\tasks\At16.job
2007-06-25 20:00:30 C:\WINDOWS\tasks\At17.job
2007-06-25 21:00:30 C:\WINDOWS\tasks\At18.job
2007-06-25 22:00:30 C:\WINDOWS\tasks\At19.job
2007-06-26 05:00:30 C:\WINDOWS\tasks\At2.job
2007-06-25 23:01:27 C:\WINDOWS\tasks\At20.job
2007-06-26 00:00:33 C:\WINDOWS\tasks\At21.job
2007-06-26 01:01:03 C:\WINDOWS\tasks\At22.job
2007-06-26 02:00:31 C:\WINDOWS\tasks\At23.job
2007-06-26 03:00:31 C:\WINDOWS\tasks\At24.job
2007-06-26 06:00:30 C:\WINDOWS\tasks\At3.job
2007-06-26 07:00:30 C:\WINDOWS\tasks\At4.job
2007-06-26 08:00:30 C:\WINDOWS\tasks\At5.job
2007-06-26 09:00:30 C:\WINDOWS\tasks\At6.job
2007-06-26 10:00:30 C:\WINDOWS\tasks\At7.job
2007-06-25 11:00:30 C:\WINDOWS\tasks\At8.job
2007-06-26 12:00:31 C:\WINDOWS\tasks\At9.job
2007-06-16 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job
2005-05-14 23:54:39 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 10:22:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-26 10:25:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-26 10:24

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ojjkvylh.dll
C:\WINDOWS\system32\hlyvkjjo.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\COMPAQ~1\APPLIC~1\Install.dat
C:\Program Files\winupdate
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\offun.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 10:36 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 19:39:43 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-26 19:39:42 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-26 15:00:04 -------- d-----w C:\Program Files\NCH Swift Sound
2007-06-26 00:02:12 -------- d-----w C:\Program Files\EZT_Partner
2007-06-22 00:02:53 28,937 ----a-w C:\dae6.dat
2007-06-18 21:20:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 20:58:42 -------- d-----w C:\Program Files\LimeWire
2007-06-13 14:51:29 -------- d-----w C:\Program Files\Ulead Systems
2007-06-09 00:35:31 -------- d-----w C:\Program Files\InterActual
2007-05-24 23:01:24 -------- d-----w C:\Program Files\Digital Audio Editor
2007-05-23 19:08:26 -------- d-----w C:\Program Files\EZT
2007-04-30 19:12:48 -------- d-----w C:\Program Files\Reallusion
2007-04-30 19:01:25 -------- d-----w C:\Program Files\Morpheus Photo Morpher
2007-04-30 18:28:21 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Morpheus Software
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2004-08-30 14:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" []
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" []
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" []
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 03:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-06-18 10:02]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 11:50]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 15:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-06-26 04:00:30 C:\WINDOWS\tasks\At1.job
2007-06-26 13:00:10 C:\WINDOWS\tasks\At10.job
2007-06-26 14:00:30 C:\WINDOWS\tasks\At11.job
2007-06-25 15:00:30 C:\WINDOWS\tasks\At12.job
2007-06-25 16:00:30 C:\WINDOWS\tasks\At13.job
2007-06-25 17:00:30 C:\WINDOWS\tasks\At14.job
2007-06-25 18:00:30 C:\WINDOWS\tasks\At15.job
2007-06-25 19:00:30 C:\WINDOWS\tasks\At16.job
2007-06-26 20:01:24 C:\WINDOWS\tasks\At17.job
2007-06-25 21:00:30 C:\WINDOWS\tasks\At18.job
2007-06-25 22:00:30 C:\WINDOWS\tasks\At19.job
2007-06-26 05:00:30 C:\WINDOWS\tasks\At2.job
2007-06-25 23:01:27 C:\WINDOWS\tasks\At20.job
2007-06-26 00:00:33 C:\WINDOWS\tasks\At21.job
2007-06-26 01:01:03 C:\WINDOWS\tasks\At22.job
2007-06-26 02:00:31 C:\WINDOWS\tasks\At23.job
2007-06-26 03:00:31 C:\WINDOWS\tasks\At24.job
2007-06-26 06:00:30 C:\WINDOWS\tasks\At3.job
2007-06-26 07:00:30 C:\WINDOWS\tasks\At4.job
2007-06-26 08:00:30 C:\WINDOWS\tasks\At5.job
2007-06-26 09:00:30 C:\WINDOWS\tasks\At6.job
2007-06-26 10:00:30 C:\WINDOWS\tasks\At7.job
2007-06-25 11:00:30 C:\WINDOWS\tasks\At8.job
2007-06-26 12:00:31 C:\WINDOWS\tasks\At9.job
2007-06-16 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job
2005-05-14 23:54:39 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 16:02:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 16:03:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-26 16:03

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ojjkvylh.dll
C:\WINDOWS\system32\hlyvkjjo.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\COMPAQ~1\APPLIC~1\Install.dat
C:\Program Files\winupdate
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\offun.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 19:39:43 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-26 19:39:42 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-26 15:00:04 -------- d-----w C:\Program Files\NCH Swift Sound
2007-06-26 00:02:12 -------- d-----w C:\Program Files\EZT_Partner
2007-06-22 00:02:53 28,937 ----a-w C:\dae6.dat
2007-06-18 21:20:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 20:58:42 -------- d-----w C:\Program Files\LimeWire
2007-06-13 14:51:29 -------- d-----w C:\Program Files\Ulead Systems
2007-06-09 00:35:31 -------- d-----w C:\Program Files\InterActual
2007-05-24 23:01:24 -------- d-----w C:\Program Files\Digital Audio Editor
2007-05-23 19:08:26 -------- d-----w C:\Program Files\EZT
2007-04-30 19:12:48 -------- d-----w C:\Program Files\Reallusion
2007-04-30 19:01:25 -------- d-----w C:\Program Files\Morpheus Photo Morpher
2007-04-30 18:28:21 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Morpheus Software
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


THANKS!!!!

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:02 PM

Posted 26 June 2007 - 11:00 PM

We need to find out what alll these Scheduled Tasks Atxx.job are launching.

Please download SilentRunners:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the Desktop and double-click on SilentRunners.vbs


If an alert about scripting appears from your anti-virus, choose to allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.

Provide the content of the SilentRunners log in your reply.

Old duck...


#5 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:02 PM

Posted 29 June 2007 - 05:34 PM

How is it going?

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users