
My Hijackthis Log


12 replies to this topic

#1 WAVERAVE72
Posted 05 July 2007 - 12:11 PM

I keep getting pop-ups, because I had Windows Anti Spyware, which I know now is a virus itself. By myself, I was able to get rid of the majority of the pop-ups, but I still am getting 4 or 5, and my computer is starting up ridiculously slow. I don't know if it's still Windows Anti Virus, or another virus itself. Sorry if I posted this in the wrong section :thumbsup:. Can someone help find out why I am still getting pop-ups?

Logfile of HijackThis v1.99.1
Scan saved at 10:09:15 AM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\TEJVU0QgTEJVU0Q\command.exe
C:\WINNT\system32\vrqopopu.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\plbkfuaA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\plbkfua.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\alg.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\??pPatch\??oolsv.exe
C:\DOCUME~1\Owner\APPLIC~1\ICROSO~1\netdde.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINNT\poolsv.exe"
O4 - HKLM\..\Run: [plbkfuaA] C:\WINNT\plbkfuaA.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\cpsjjwup.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\APPLIC~1\ICROSO~1\netdde.exe" -vt yazb
O4 - Startup: Registration-Pinnacle Expression.lnk = C:\Program Files\Pinnacle\Pinnacle Expression\EReg\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TEJVU0QgTEJVU0Q\command.exe
O23 - Service: DomainService - - C:\WINNT\system32\vrqopopu.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\plbkfua.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

Edited by WAVERAVE72, 06 July 2007 - 01:06 AM.



#2 miekiemoes

  • Malware Response Team

Posted 05 July 2007 - 12:55 PM

Hello,

First of all, you didn't unzip/extract HijackThis, and it's still in the temp folder.
So I strongly advise you to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder it can be accidentally deleted.
How to make a permanent folder:

Click My Computer, then C:\ and then Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.


I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Also uninstall the following programs if present:
  • Network Monitor
  • Oin
  • Outerinfo
  • Yazzle by Oin
  • YazzleActiveX By OIN
  • Purityscan by Oin
  • MediaTickets by OIN
  • Snowballwars by Oin
  • Cowabanga by OIN
  • or anything similar with Oin in it.


Reboot when done! Really important!

Also, I see you still have a really outdated version of AntiVir present, and I am pretty sure it hasn't been able to update anymore for at least a year. So I recommend you uninstall AntiVir and install Avira instead (which is the updated version of AntiVir): http://www.free-av.com/
Please make sure you uninstalled AntiVir first and rebooted BEFORE you install the Avira version.

Then, after you have installed Avira, let it perform a full scan and let it remove everything it finds.
Then reboot once again.
After the reboot, rescan with HijackThis and post the log in your next reply. Then we'll start from there.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 WAVERAVE72

  • Topic Starter

Posted 06 July 2007 - 01:06 AM

EDIT:

Sorry, I posted that I had Windows Anti Virus.

I meant Windows Anti Spyware.

#4 miekiemoes

  • Malware Response Team

Posted 06 July 2007 - 01:54 AM

Hi,

Whatever antispyware you have, it didn't make a difference, because some older infections are still present as well, which every antispyware and antivirus should catch.

So please perform my instructions above and then post a new HijackThis log afterwards.

#5 WAVERAVE72

  • Topic Starter

Posted 08 July 2007 - 02:38 AM

Thanks for all your help, I appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 12:37:49 AM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\system32\vrqopopu.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINNT\plbkfuaA.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\plbkfua.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINNT\poolsv.exe"
O4 - HKLM\..\Run: [plbkfuaA] C:\WINNT\plbkfuaA.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\rfhuselh.dll",realset
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Registration-Pinnacle Expression.lnk = C:\Program Files\Pinnacle\Pinnacle Expression\EReg\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TEJVU0QgTEJVU0Q\command.exe (file missing)
O23 - Service: DomainService - - C:\WINNT\system32\vrqopopu.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\plbkfua.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

#6 miekiemoes

  • Malware Response Team

Posted 08 July 2007 - 03:40 AM

Hi,

Perform my instructions in the right order, please.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [poolsv] "C:\WINNT\poolsv.exe"
O4 - HKLM\..\Run: [plbkfuaA] C:\WINNT\plbkfuaA.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\rfhuselh.dll",realset
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TEJVU0QgTEJVU0Q\command.exe (file missing)
O23 - Service: DomainService - - C:\WINNT\system32\vrqopopu.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\plbkfua.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download ComboFix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#7 WAVERAVE72

  • Topic Starter

Posted 12 July 2007 - 12:36 AM

Now, I'm not getting pop-ups! Yay! But my comp is still slow starting up...

I really appreciate your help.



ComboFix log:


"Owner" - 2007-07-11 22:14:01 - ComboFix 07-07-12.3 - Service Pack 2

/wow section - STAGE #8

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\ddcyv.dll
C:\WINNT\system32\lvwngcdp.dll
C:\WINNT\system32\opnonnn.dll
C:\WINNT\system32\rfhuselh.dll
C:\WINNT\system32\urqpqrr.dll
C:\WINNT\system32\ixixyrfm.exe
C:\WINNT\system32\aieogmny.exe
C:\WINNT\system32\chfvrqqf.exe
C:\WINNT\system32\ybadd.bak1
C:\WINNT\system32\ybadd.bak2
C:\WINNT\system32\ybadd.ini
C:\WINNT\system32\vycdd.ini
C:\WINNT\system32\pdcgnwvl.ini
C:\WINNT\system32\hlesuhfr.ini
C:\WINNT\system32\ybadd.bak1
C:\WINNT\system32\ybadd.bak2
C:\WINNT\system32\ybadd.ini
C:\WINNT\system32\ybadd.tmp
C:\WINNT\system32\ddaby.dll
C:\WINNT\system32\cbxutus.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Messenger\poveh83122.dll
C:\Program Files\Windows NT\wuoqyprig.html
C:\WINNT\retadpu1000106.exe
C:\WINNT\retadpu77.exe
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\WINNT\system32\iiiffyup.exe
C:\WINNT\system32\vrqopopu.exe
C:\WINNT\system32\xybdels.dll
C:\WINNT\TEJVU0QgTEJVU0Q\asappsrv.dll
C:\WINNT\uninstall_nmon.vbs


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\cmdService
-------\DomainService
-------\Net Agent
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))


2007-07-11 22:12 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-11 22:07 66,580 --a------ C:\WINNT\system32\ejuowufo.dll
2007-07-11 22:04 66,068 --a------ C:\WINNT\system32\qlyxocli.exe
2007-07-08 00:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-07-07 23:47 <DIR> d-------- C:\Program Files\Hijack This
2007-07-07 23:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-07 23:34 50,708 --a------ C:\WINNT\system32\sxjdtugu.exe
2007-07-07 23:32 50,708 --a------ C:\WINNT\system32\dcftpblb.exe
2007-07-07 23:32 <DIR> d-------- C:\WINNT\system32\??mbols
2007-07-04 23:07 <DIR> d--hs---- C:\WINNT\TEJVU0QgTEJVU0Q
2007-07-04 23:07 <DIR> d-------- C:\Program Files\Network Monitor
2007-07-04 23:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-06-30 08:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-30 08:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-30 08:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 08:22 6,144 --a------ C:\WINNT\system32\stera.exe
2007-06-30 08:22 18,432 --a------ C:\WINNT\system32\drivers\ApiMon.sys
2007-06-30 08:21 <DIR> d-------- C:\Program Files\poolsv
2007-06-30 08:17 <DIR> d-------- C:\Program Files\svhost
2007-06-29 23:22 <DIR> d-------- C:\Program Files\InetGet2
2007-06-29 23:20 89,088 --a------ C:\WINNT\system32\atl71.dll
2007-06-29 23:20 79,872 --a------ C:\WINNT\system32\drivers\FOPN.sys
2007-06-29 23:20 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-06-29 23:20 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2007-06-29 23:20 1,060,864 --a------ C:\WINNT\system32\mfc71.dll
2007-06-29 23:20 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-29 23:20 <DIR> d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-06-29 23:19 46,592 --a------ C:\WINNT\plbkfua.exe
2007-06-29 23:19 34,816 --a------ C:\WINNT\rau001978.exe
2007-06-29 23:19 1,061,920 -r-hs---- C:\WINNT\plbkfuaA.exe
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X9
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X5
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X4
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X3
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X2
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X1
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\win
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\o09PrEz
2007-06-29 23:19 <DIR> d-------- C:\Temp\iee
2007-06-29 23:19 <DIR> d-------- C:\Temp\0b9
2007-06-29 23:19 <DIR> d-------- C:\Temp
2007-06-29 23:18 38,400 --a------ C:\WINNT\svhost.exe
2007-06-29 23:14 36,352 --a------ C:\WINNT\poolsv.exe
2007-06-12 04:12 99,855 --a------ C:\WINNT\b122.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 05:20:14 -------- d-----w C:\Program Files\Windows NT
2007-07-12 05:20:14 -------- d-----w C:\Program Files\Messenger
2007-07-08 06:55:33 -------- d-----w C:\Program Files\Viewpoint
2007-06-05 01:56:07 -------- d-----w C:\Program Files\iTunes
2007-06-05 01:55:54 -------- d-----w C:\Program Files\iPod
2007-06-05 01:52:41 -------- d-----w C:\Program Files\QuickTime
2007-06-04 22:18:48 9,344 ----a-w C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINNT\system32\drivers\AWRTPD.sys
2007-06-03 17:39:59 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\U3
2007-05-16 15:12:02 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINNT\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2006-12-07 03:42:31 43,160 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-08-27 20:19:18 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2005-07-29 23:24:26 472 --sha-r C:\WINNT\TEJVU0QgTEJVU0Q\nHLpoXk0nHLpoXk.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2005-11-22 13:46 399352 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F53B7DA0-071B-456C-0593-2C89821F7410}]
C:\Program Files\Windows NT\sahubom647.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-26 17:21 C:\WINNT\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-25 13:49]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-25 13:47]
"Gateway Ink Monitor"="C:\Program Files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 20:33]
"AdaptecDirectCD"="c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 16:04]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\wuoqyprig.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-05 01:49:01 C:\WINNT\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 22:27:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-11 22:28:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-11 22:28

--- E O F ---



HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:35:24 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {F53B7DA0-071B-456C-0593-2C89821F7410} - C:\Program Files\Windows NT\sahubom647.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Registration-Pinnacle Expression.lnk = C:\Program Files\Pinnacle\Pinnacle Expression\EReg\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 12 July 2007 - 12:53 AM

Hello,

Perform next steps in the right order...

First of all, * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\Windows NT\wuoqyprig.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

Then,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINNT\system32\ejuowufo.dll
C:\WINNT\system32\qlyxocli.exe
C:\WINNT\system32\sxjdtugu.exe
C:\WINNT\system32\dcftpblb.exe
C:\WINNT\system32\drivers\FOPN.sys
C:\WINNT\svhost.exe
C:\WINNT\poolsv.exe
C:\WINNT\b122.exe
C:\WINNT\plbkfua.exe
C:\WINNT\rau001978.exe
C:\WINNT\plbkfuaA.exe
C:\WINNT\system32\stera.exe
C:\WINNT\system32\drivers\ApiMon.sys

Folder::
C:\WINNT\TEJVU0QgTEJVU0Q
C:\Program Files\Network Monitor
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\Program Files\poolsv
C:\Program Files\svhost
C:\Program Files\InetGet2
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\WINNT\system32\X9
C:\WINNT\system32\X5
C:\WINNT\system32\X4
C:\WINNT\system32\X3
C:\WINNT\system32\X2
C:\WINNT\system32\X1
C:\WINNT\system32\win
C:\WINNT\system32\o09PrEz
C:\Temp

Driver::
FOPN
ApiMon

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F53B7DA0-071B-456C-0593-2C89821F7410}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 WAVERAVE72 (Topic Starter, Members, 6 posts)

Posted 12 July 2007 - 01:30 AM

ComboFix:

"Owner" - 2007-07-11 22:14:01 - ComboFix 07-07-12.3 - Service Pack 2

/wow section - STAGE #8

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\ddcyv.dll
C:\WINNT\system32\lvwngcdp.dll
C:\WINNT\system32\opnonnn.dll
C:\WINNT\system32\rfhuselh.dll
C:\WINNT\system32\urqpqrr.dll
C:\WINNT\system32\ixixyrfm.exe
C:\WINNT\system32\aieogmny.exe
C:\WINNT\system32\chfvrqqf.exe
C:\WINNT\system32\ybadd.bak1
C:\WINNT\system32\ybadd.bak2
C:\WINNT\system32\ybadd.ini
C:\WINNT\system32\vycdd.ini
C:\WINNT\system32\pdcgnwvl.ini
C:\WINNT\system32\hlesuhfr.ini
C:\WINNT\system32\ybadd.bak1
C:\WINNT\system32\ybadd.bak2
C:\WINNT\system32\ybadd.ini
C:\WINNT\system32\ybadd.tmp
C:\WINNT\system32\ddaby.dll
C:\WINNT\system32\cbxutus.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Messenger\poveh83122.dll
C:\Program Files\Windows NT\wuoqyprig.html
C:\WINNT\retadpu1000106.exe
C:\WINNT\retadpu77.exe
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\WINNT\system32\iiiffyup.exe
C:\WINNT\system32\vrqopopu.exe
C:\WINNT\system32\xybdels.dll
C:\WINNT\TEJVU0QgTEJVU0Q\asappsrv.dll
C:\WINNT\uninstall_nmon.vbs


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\cmdService
-------\DomainService
-------\Net Agent
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))


2007-07-11 22:12 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-11 22:07 66,580 --a------ C:\WINNT\system32\ejuowufo.dll
2007-07-11 22:04 66,068 --a------ C:\WINNT\system32\qlyxocli.exe
2007-07-08 00:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-07-07 23:47 <DIR> d-------- C:\Program Files\Hijack This
2007-07-07 23:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-07 23:34 50,708 --a------ C:\WINNT\system32\sxjdtugu.exe
2007-07-07 23:32 50,708 --a------ C:\WINNT\system32\dcftpblb.exe
2007-07-07 23:32 <DIR> d-------- C:\WINNT\system32\??mbols
2007-07-04 23:07 <DIR> d--hs---- C:\WINNT\TEJVU0QgTEJVU0Q
2007-07-04 23:07 <DIR> d-------- C:\Program Files\Network Monitor
2007-07-04 23:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-06-30 08:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-30 08:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-30 08:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 08:22 6,144 --a------ C:\WINNT\system32\stera.exe
2007-06-30 08:22 18,432 --a------ C:\WINNT\system32\drivers\ApiMon.sys
2007-06-30 08:21 <DIR> d-------- C:\Program Files\poolsv
2007-06-30 08:17 <DIR> d-------- C:\Program Files\svhost
2007-06-29 23:22 <DIR> d-------- C:\Program Files\InetGet2
2007-06-29 23:20 89,088 --a------ C:\WINNT\system32\atl71.dll
2007-06-29 23:20 79,872 --a------ C:\WINNT\system32\drivers\FOPN.sys
2007-06-29 23:20 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-06-29 23:20 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2007-06-29 23:20 1,060,864 --a------ C:\WINNT\system32\mfc71.dll
2007-06-29 23:20 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-29 23:20 <DIR> d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-06-29 23:19 46,592 --a------ C:\WINNT\plbkfua.exe
2007-06-29 23:19 34,816 --a------ C:\WINNT\rau001978.exe
2007-06-29 23:19 1,061,920 -r-hs---- C:\WINNT\plbkfuaA.exe
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X9
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X5
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X4
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X3
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X2
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X1
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\win
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\o09PrEz
2007-06-29 23:19 <DIR> d-------- C:\Temp\iee
2007-06-29 23:19 <DIR> d-------- C:\Temp\0b9
2007-06-29 23:19 <DIR> d-------- C:\Temp
2007-06-29 23:18 38,400 --a------ C:\WINNT\svhost.exe
2007-06-29 23:14 36,352 --a------ C:\WINNT\poolsv.exe
2007-06-12 04:12 99,855 --a------ C:\WINNT\b122.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 05:20:14 -------- d-----w C:\Program Files\Windows NT
2007-07-12 05:20:14 -------- d-----w C:\Program Files\Messenger
2007-07-08 06:55:33 -------- d-----w C:\Program Files\Viewpoint
2007-06-05 01:56:07 -------- d-----w C:\Program Files\iTunes
2007-06-05 01:55:54 -------- d-----w C:\Program Files\iPod
2007-06-05 01:52:41 -------- d-----w C:\Program Files\QuickTime
2007-06-04 22:18:48 9,344 ----a-w C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINNT\system32\drivers\AWRTPD.sys
2007-06-03 17:39:59 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\U3
2007-05-16 15:12:02 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINNT\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2006-12-07 03:42:31 43,160 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-08-27 20:19:18 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2005-07-29 23:24:26 472 --sha-r C:\WINNT\TEJVU0QgTEJVU0Q\nHLpoXk0nHLpoXk.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2005-11-22 13:46 399352 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F53B7DA0-071B-456C-0593-2C89821F7410}]
C:\Program Files\Windows NT\sahubom647.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-26 17:21 C:\WINNT\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-25 13:49]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-25 13:47]
"Gateway Ink Monitor"="C:\Program Files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 20:33]
"AdaptecDirectCD"="c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 16:04]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\wuoqyprig.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-05 01:49:01 C:\WINNT\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 22:27:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-11 22:28:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-11 22:28

--- E O F ---


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:51 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Registration-Pinnacle Expression.lnk = C:\Program Files\Pinnacle\Pinnacle Expression\EReg\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
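The two HijackThis logs in this thread differ in exactly one entry: the unnamed O2 BHO pointing at C:\Program Files\Windows NT\sahubom647.dll (file missing) is in the log from post #7 and gone from the log in post #9. Comparing the before and after logs by hand is tedious, so here is an added Python example (written for this page, not code from HijackThis, ComboFix or the helper) that parses HijackThis v1.99.1 entry lines, diffs two logs, and lists BHO/toolbar entries whose DLL HijackThis reports as missing. The embedded sample logs are a constructed subset of the lines posted above.

```python
import re

# Constructed subset of the HijackThis log from post #7 (scan saved 10:35:24 PM, 7/11/2007).
BEFORE_LOG = r"""O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: 0 - {F53B7DA0-071B-456C-0593-2C89821F7410} - C:\Program Files\Windows NT\sahubom647.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
"""

# Constructed subset of the log from post #9 (scan saved 11:29:51 PM), taken after
# the CFScript run: the unnamed BHO no longer appears.
AFTER_LOG = r"""O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - ". The header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# A CLSID in braces: 32 hex digits and 4 hyphens.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Return [(section, body)] for each entry line; everything else is skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_hjt(before_text, after_text):
    """Return (removed, added): entries only in the old log, entries only in the new one."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


def flag_missing_files(text, sections=("O2", "O3")):
    """List BHO (O2) and toolbar (O3) entries whose DLL HijackThis marks '(file missing)'.

    A registered browser extension whose file is gone is a leftover loading
    point worth cleaning; the O9 xpnetdiag entries also say '(file missing)'
    but are ordinary Windows XP entries, so they are excluded by default.
    """
    flagged = []
    for section, body in parse_hjt(text):
        if section in sections and body.endswith("(file missing)"):
            m = CLSID_RE.search(body)
            flagged.append({
                "section": section,
                "clsid": m.group(0) if m else None,
                "entry": body,
            })
    return flagged


if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE_LOG, AFTER_LOG)
    print("Entries gone after cleanup:")
    for section, body in removed:
        print(f"  {section} - {body}")
    print("New entries:", added or "none")
    for f in flag_missing_files(BEFORE_LOG):
        print("Missing-file BHO before cleanup:", f["clsid"])
```

Running the block prints the single removed O2 entry and reports no new loading points, which is the check a helper does between the log at the start of a thread and the one after a fix. The diff works on the full logs too, because the "Running processes" block and the header lines never match ENTRY_RE.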

#10 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 12 July 2007 - 06:16 AM

Hi,

The above Combofix log is the same one as you posted previously. I can't do anything with that log.
Please post the C:\Combofix.txt as requested. Don't post combofix2.txt, combofix3.txt, etc., because those are older logs; most probably you have been posting Combofix2.txt here.

#11 WAVERAVE72 (Topic Starter, Members, 6 posts)

Posted 12 July 2007 - 11:27 AM

My computer is no longer starting up slowly. Anyways, here (Sorry).

"Owner" - 2007-07-11 23:17:24 - ComboFix 07-07-12.3 - Service Pack 2

Command switches used :: C:\Documents and Settings\Owner\My Documents\CFScript.txt

/wow section - STAGE #8

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\fopn


((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))


2007-07-11 22:12 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-11 22:07 66,580 --a------ C:\WINNT\system32\ejuowufo.dll
2007-07-11 22:04 66,068 --a------ C:\WINNT\system32\qlyxocli.exe
2007-07-08 00:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-07-07 23:47 <DIR> d-------- C:\Program Files\Hijack This
2007-07-07 23:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-07 23:34 50,708 --a------ C:\WINNT\system32\sxjdtugu.exe
2007-07-07 23:32 50,708 --a------ C:\WINNT\system32\dcftpblb.exe
2007-07-07 23:32 <DIR> d-------- C:\WINNT\system32\??mbols
2007-07-04 23:07 <DIR> d--hs---- C:\WINNT\TEJVU0QgTEJVU0Q
2007-07-04 23:07 <DIR> d-------- C:\Program Files\Network Monitor
2007-07-04 23:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-06-30 08:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-30 08:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-30 08:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 08:22 6,144 --a------ C:\WINNT\system32\stera.exe
2007-06-30 08:22 18,432 --a------ C:\WINNT\system32\drivers\ApiMon.sys
2007-06-30 08:17 <DIR> d-------- C:\Program Files\svhost
2007-06-29 23:22 <DIR> d-------- C:\Program Files\InetGet2
2007-06-29 23:20 89,088 --a------ C:\WINNT\system32\atl71.dll
2007-06-29 23:20 79,872 --a------ C:\WINNT\system32\drivers\FOPN.sys
2007-06-29 23:20 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-06-29 23:20 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2007-06-29 23:20 1,060,864 --a------ C:\WINNT\system32\mfc71.dll
2007-06-29 23:20 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-29 23:20 <DIR> d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-06-29 23:19 46,592 --a------ C:\WINNT\plbkfua.exe
2007-06-29 23:19 34,816 --a------ C:\WINNT\rau001978.exe
2007-06-29 23:19 1,061,920 -r-hs---- C:\WINNT\plbkfuaA.exe
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X9
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X5
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X4
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X3
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X2
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\X1
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\win
2007-06-29 23:19 <DIR> d-------- C:\WINNT\system32\o09PrEz
2007-06-29 23:19 <DIR> d-------- C:\Temp\iee
2007-06-29 23:19 <DIR> d-------- C:\Temp\0b9
2007-06-29 23:19 <DIR> d-------- C:\Temp
2007-06-29 23:18 38,400 --a------ C:\WINNT\svhost.exe
2007-06-29 23:14 36,352 --a------ C:\WINNT\poolsv.exe
2007-06-12 04:12 99,855 --a------ C:\WINNT\b122.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 05:20:14 -------- d-----w C:\Program Files\Windows NT
2007-07-12 05:20:14 -------- d-----w C:\Program Files\Messenger
2007-07-08 06:55:33 -------- d-----w C:\Program Files\Viewpoint
2007-06-05 01:56:07 -------- d-----w C:\Program Files\iTunes
2007-06-05 01:55:54 -------- d-----w C:\Program Files\iPod
2007-06-05 01:52:41 -------- d-----w C:\Program Files\QuickTime
2007-06-04 22:18:48 9,344 ----a-w C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINNT\system32\drivers\AWRTPD.sys
2007-06-03 17:39:59 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\U3
2007-05-16 15:12:02 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINNT\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2006-12-07 03:42:31 43,160 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-08-27 20:19:18 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2005-07-29 23:24:26 472 --sha-r C:\WINNT\TEJVU0QgTEJVU0Q\nHLpoXk0nHLpoXk.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2005-11-22 13:46 399352 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-26 17:21 C:\WINNT\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-25 13:49]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-25 13:47]
"Gateway Ink Monitor"="C:\Program Files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 20:33]
"AdaptecDirectCD"="c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 16:04]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-05 01:49:01 C:\WINNT\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 23:23:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-11 23:25:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-11 23:25
C:\ComboFix2.txt ... 2007-07-11 22:28

--- E O F ---
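The log excerpt above mixes a file listing (timestamp, size, attribute string, path) with the registry "Reg Loading Points" dump. A helper that parses those two formats and applies the checks an analyst does by eye is added here as an illustration; it is not part of the thread, not ComboFix's own code, and its heuristics (a hidden-plus-system script file is worth a look; a Run value with no recorded file details or a command that is not an absolute path needs manual verification) are the editor's assumptions, not rules ComboFix applies. The sample log below is constructed from lines that appear in this thread.

```python
"""Audit a ComboFix-style log excerpt for autostart and hidden-file findings.

Added example, not from the thread or from ComboFix.  The heuristics are
assumptions made for illustration:
  * a file carrying both the hidden (h) and system (s) attributes and a
    script extension is flagged, since user-level scripts rarely need those;
  * a Run-key value whose bracketed file details are empty, or whose command
    is not an absolute path, is flagged for manual verification.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modeled on the log excerpt in this thread; the paths are
# copied from it and the layout is ComboFix's, nothing else is added.
SAMPLE_LOG = r'''
2003-08-27 20:19:18 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2005-07-29 23:24:26 472 --sha-r C:\WINNT\TEJVU0QgTEJVU0Q\nHLpoXk0nHLpoXk.vbs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-26 17:21 C:\WINNT\AGRSMMSG.exe]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]
'''

# One file-listing line: timestamp, size with thousands separators,
# seven-character attribute string, then the path.
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+([\d,]+)\s+([a-z-]{7})\s+(\S.*)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# One Run value: "name"="command" [file details]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(.*)\]$')
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta")


@dataclass
class FileEntry:
    stamp: str
    size: int
    attrs: str
    path: str


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    details: str


def parse_log(text: str) -> Tuple[List[FileEntry], List[RunEntry]]:
    """Split the excerpt into file-listing entries and Run-key values."""
    files: List[FileEntry] = []
    runs: List[RunEntry] = []
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(m[1], int(m[2].replace(",", "")), m[3], m[4]))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m[1]          # values that follow belong to this key
            continue
        m = RUN_RE.match(line)
        if m and key:
            runs.append(RunEntry(key, m[1], m[2], m[3].strip()))
    return files, runs


def is_absolute(command: str) -> bool:
    """True if the command starts with a (possibly quoted) drive letter."""
    return re.match(r'^"?[A-Za-z]:\\', command) is not None


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    files, runs = parse_log(text)
    for f in files:
        hidden_system = "h" in f.attrs and "s" in f.attrs
        if hidden_system and f.path.lower().endswith(SCRIPT_EXT):
            findings.append((f.path, "hidden+system script file"))
    for r in runs:
        item = f"{r.key}\\{r.name}"
        if not r.details:
            findings.append((item, "no file details recorded"))
        elif not is_absolute(r.command):
            findings.append((item, "command is not an absolute path"))
    return findings


if __name__ == "__main__":
    for item, reason in audit(SAMPLE_LOG):
        print(f"{reason:32} {item}")
```

Against the constructed sample this reports the hidden .vbs under C:\WINNT, the AGRSMMSG value (resolved through the search path rather than a full path) and the msnmsgr value (no file details in the log). None of those is a verdict; the point is to turn a long log into a short list to check by hand, which is what the helper in this thread was doing.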

#12 miekiemoes (Malware Response Team)

Posted 12 July 2007 - 11:48 AM

I guess you did something wrong here. Did you create the CFScript exactly as I described? Because it didn't delete anything except for the drivers.
I assume you used Notepad? Because you may not use any other text editor instead of Notepad.

Anyway, delete the Combofix present on your desktop and redownload it from here: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Don't run ComboFix; instead, recreate the CFScript and drag it into ComboFix.exe.
Then normally it should reboot afterwards.
After the reboot, post the contents of C:\ComboFix.txt in your next reply.

Edited by miekiemoes, 12 July 2007 - 11:49 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 miekiemoes (Malware Response Team)

Posted 21 July 2007 - 03:00 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.