Am I Being Hacked?


  • This topic is locked
21 replies to this topic

#1 piano

  • Members
  • 23 posts

Posted 12 July 2007 - 04:44 PM

Hello. Long story short I think I'm being hacked. My homepage keeps getting reset to google.com and other weird stuff keeps happening (hearing mouse clicking sounds etc.)

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:47 PM, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Updater.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A023C00-F24C-40D1-82E5-7A7B31DA31A5} - C:\WINDOWS\System32\deskmo.dll
O2 - BHO: (no name) - {7FCBFDEB-6E91-4E4F-8EDB-8C4DDC7B8A30} - c:\windows\system32\dkgmdkg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT User Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} (DrsDnld Control) - http://www.mathtutor.ac.uk/functions/drs/DrsDnldProj1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: lfweaslx - C:\WINDOWS\SYSTEM32\dkgmdkg.dll
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you very much,
piano
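A triage script for the HijackThis log above, added here as a worked example; it is not code from the thread, from piano, or from HijackThis/Trend Micro. It parses the R/F/O entries and flags the persistence patterns an analyst would look at first in this particular log: an F2 `Shell=` value carrying a second executable besides explorer.exe, an unnamed BHO loading from system32, a Winlogon Notify DLL with a generated-looking name, and Run keys pointing at the drive root or the user's Local Settings folder. The sample lines are constructed from entries in the log above; the `looks_random` heuristic, the path rules and the severity labels are assumptions made for this example, not HijackThis output.

```python
"""Heuristic triage of a HijackThis (HJT) v2 log.

Added example for this thread; not code from the thread or from HijackThis.
The scoring rules below are assumptions chosen for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high" or "review"
    reason: str
    line: str      # the original log line


# Constructed sample built from entries in the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7FCBFDEB-6E91-4E4F-8EDB-8C4DDC7B8A30} - c:\windows\system32\dkgmdkg.dll
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O20 - Winlogon Notify: lfweaslx - C:\WINDOWS\SYSTEM32\dkgmdkg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_RUN = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_SHELL = re.compile(r"^REG:system\.ini: Shell=(?P<shell>.*)$", re.IGNORECASE)

# XP-era paths; a WINNT-style install would need the directory name adjusted.
_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
_ROOT_OR_TEMP = re.compile(r"^(?:[a-z]:)?\\[^\\]+$|\\local settings\\", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Crude check for generated names: no vowels at all, or 4+ consonants in a row."""
    s = stem.lower()
    if not s:
        return False
    return re.search(r"[aeiouy]", s) is None or re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", s) is not None


def stem_of(path: str) -> str:
    """Filename without directory or extension."""
    return path.strip().rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def exe_path(cmd: str) -> str:
    """Pull the program path out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]  # HJT sometimes drops the closing quote
    m = re.match(r"^(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and (s := _SHELL.match(body)):
            # Winlogon's Shell value should be explorer.exe alone; anything else runs at every logon.
            extra = [x for x in s.group("shell").split() if x.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(sec, "high", "extra shell executable at logon: " + " ".join(extra), raw))
        elif sec == "O2" and (b := _BHO.match(body)):
            path = b.group("path").strip()
            if b.group("name") == "(no name)" and _SYSTEM32.match(path):
                findings.append(Finding(sec, "high", "unnamed BHO loading from system32", raw))
            elif looks_random(stem_of(path)):
                findings.append(Finding(sec, "review", "BHO with random-looking filename", raw))
        elif sec == "O4" and (r := _RUN.match(body)):
            path = exe_path(r.group("cmd"))
            if _ROOT_OR_TEMP.search(path):
                findings.append(Finding(sec, "review", "autorun from drive root or Local Settings: " + path, raw))
        elif sec == "O20" and (n := _NOTIFY.match(body)):
            # Notify DLLs load into winlogon.exe; a generated name here is a strong Trojan/rootkit signal.
            sev = "high" if looks_random(stem_of(n.group("path"))) or looks_random(n.group("name")) else "review"
            findings.append(Finding(sec, sev, "Winlogon Notify DLL", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

Run on the sample, the script reports five entries: the F2 shell (high), the unnamed system32 BHO (high), the two odd Run targets (review) and the Winlogon Notify DLL (high), while the Adobe BHO, the Spybot SDHelper BHO and the quoted ZoneAlarm Run key pass silently. The rules are deliberately narrow; a real triage still checks each flagged file's signature, size and creation time before deciding it is malicious.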


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 15 July 2007 - 07:08 PM

Hello piano,


Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 piano
  • Topic Starter

Posted 16 July 2007 - 09:13 AM

Contents of haxlog.txt:

HAXFIX logfile - by Marckie

version 4.47
Mon 07/16/2007 2:54:02.48

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services




When I ran the scan it said it found 3 hidden files (or something like that). Should I have noted what those were?

Also, just in case, here is a fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:23 AM, on 7/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4431CAC6-78A1-4A68-A35C-C61CFDBDE15D} - c:\windows\system32\bawaxuma.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A023C00-F24C-40D1-82E5-7A7B31DA31A5} - C:\WINDOWS\System32\deskmo.dll
O2 - BHO: (no name) - {7FCBFDEB-6E91-4E4F-8EDB-8C4DDC7B8A30} - c:\windows\system32\dkgmdkg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - .DEFAULT User Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} (DrsDnld Control) - http://www.mathtutor.ac.uk/functions/drs/DrsDnldProj1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184370748875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: lfweaslx - C:\WINDOWS\SYSTEM32\dkgmdkg.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4295 bytes




Google is still being reset as my homepage and I'm getting a nasty recurring popup soon after I open Internet Explorer.

Thanks,
piano

#4 SifuMike

    malware expert

  • Staff Emeritus

Posted 16 July 2007 - 11:02 AM

Hi piano,

When I ran the scan it said it found 3 hidden files (or something like that). Should I have noted what those were?

Yes, that may be helpful.
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile.


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Edited by SifuMike, 16 July 2007 - 11:09 AM.


#5 piano
  • Topic Starter

Posted 16 July 2007 - 01:50 PM

haxfix.txt:

HAXFIX logfile - by Marckie

version 4.47
Mon 07/16/2007 13:32:45.06

--- Auto Haxdoorfix ---


searching for files:

no infections found


--- Goldunfix ---


searching for files:
vmmdiag32.exe


checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

not needed


searching for services

not needed


searching for safeboot services

not needed


searching for files

vmmdiag32.exe exists
deleting vmmdiag32.exe
vmmdiag32.exe has been deleted


checking for other files

No other files found


checking for a3d files

no a3d files found


--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 13:35:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\Program Files\Audible\Admin\atm.log
C:\Program Files\Audible\Admin\playlist.ap

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3



Finished




log.txt from ComboFix:

"Owner" - 2007-07-16 14:23:17 - ComboFix 07-07-14.6 - Service Pack 1 NTFS

/wow section - STAGE #6I

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))




* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\36110103225.exe
C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk
C:\m.exe
C:\p.exe
C:\q.exe
C:\WINDOWS\system32\dkgmdkg.dll
C:\WINDOWS\system32\dkgmdkg.dll.bak
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\hflt_ipf.sys
C:\WINDOWS\system32\drivers\vxooflht.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GXKT78
-------\LEGACY_HFLT_IPF
-------\LEGACY_IPRIP
-------\LEGACY_SZQMMKEP
-------\LEGACY_TXZLXKMZ
-------\Iprip
-------\RpcApi
-------\szqmmkep
-------\txzlxkmz


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-16 14:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 00:21 96,256 --a------ C:\WINDOWS\system32\evntagnt.dll
2007-07-16 00:21 84,992 --a------ C:\WINDOWS\system32\evntwin.exe
2007-07-16 00:21 8,192 --a------ C:\WINDOWS\system32\snmptrap.exe
2007-07-16 00:21 5,120 --a------ C:\WINDOWS\system32\snmpmib.dll
2007-07-16 00:21 35,328 --a------ C:\WINDOWS\system32\hostmib.dll
2007-07-16 00:21 33,280 --a------ C:\WINDOWS\system32\iprip.dll
2007-07-16 00:21 29,696 --a------ C:\WINDOWS\system32\snmp.exe
2007-07-16 00:21 29,184 --a------ C:\WINDOWS\system32\lmmib2.dll
2007-07-16 00:21 22,528 --a------ C:\WINDOWS\system32\evntcmd.exe
2007-07-16 00:21 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-07-15 23:23 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-07-15 23:23 9,006 --a------ C:\clean.bat
2007-07-15 23:23 86,528 --a------ C:\WINDOWS\system32\catchme.exe
2007-07-15 23:23 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-07-15 23:23 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-07-15 23:15 167,936 --a------ C:\WINDOWS\system32\drivers\Gxkt78.sys
2007-07-15 11:54 <DIR> d-------- C:\WINDOWS\system32\1024
2007-07-15 11:53 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-13 23:01 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-07-13 19:50 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-13 14:45 62,464 --a------ C:\WINDOWS\system32\bawaxuma.dll
2007-07-12 17:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 12:14 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-07-12 12:09 93,696 --a------ C:\WINDOWS\system32\onzfavcr.dll
2007-07-12 12:09 751,616 --a------ C:\WINDOWS\system32\shljrlob.dll
2007-07-12 12:09 41,472 --a------ C:\WINDOWS\system32\lyejtbbr.dll
2007-07-12 12:09 122,880 --a------ C:\WINDOWS\system32\tgorzvpd.dll
2007-07-12 12:09 121,856 --a------ C:\WINDOWS\system32\tgorzvpd(6).dll
2007-07-12 12:09 121,856 --a------ C:\WINDOWS\system32\tgorzvpd(4).dll
2007-07-12 12:09 121,344 --a------ C:\WINDOWS\system32\tgorzvpd(5).dll
2007-07-12 12:09 121,344 --a------ C:\WINDOWS\system32\tgorzvpd(3).dll
2007-07-12 12:03 165,376 --a------ C:\WINDOWS\system32\drivers\Rjf29.sys
2007-07-12 12:02 85,134 --a------ C:\WINDOWS\system32\deskmo.dll
2007-07-01 18:32 <DIR> d-------- C:\Program Files\iTunes
2007-06-25 16:08 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-16 17:32:03 -------- d-----w C:\Program Files\Chessmaster 4000
2007-07-16 13:56:18 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-16 13:56:13 -------- d-----w C:\Program Files\Plaxo
2007-07-16 04:23:49 -------- d-----w C:\Program Files\Common Files\Real
2007-07-16 04:23:13 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Real
2007-07-16 04:07:14 -------- d-----w C:\Program Files\eMule
2007-07-15 15:55:08 -------- d-----w C:\Program Files\Messenger
2007-07-15 15:54:05 -------- d-----w C:\Program Files\Google
2007-07-13 23:52:29 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-02 13:05:22 -------- d-----w C:\Program Files\Palm
2007-07-01 22:33:12 -------- d-----w C:\Program Files\iPod
2007-06-25 20:21:57 -------- d-----w C:\Program Files\QuickTime
2007-05-28 16:44:19 -------- d-----w C:\Program Files\Quicken
2007-04-23 19:16:24 88,424 ----a-w C:\WINDOWS\hpoins06.dat
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2006-09-12 23:24:50 37,512 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2005-08-22 22:40:37 212,849 ----a-w C:\Program Files\hijackthis.zip
2005-08-20 02:40:30 6,224,992 ----a-w C:\Program Files\TrojanHunter.exe
2005-08-19 00:32:05 7,739,192 ----a-w C:\Program Files\DivXPlay.exe
2005-08-18 23:19:38 217,329 ----a-w C:\Program Files\gspot221.exe
2005-08-18 16:40:20 12,754,672 ----a-w C:\Program Files\MP10Setup.exe
2005-08-18 03:40:50 6,860,424 ----a-w C:\Program Files\MicrosoftAntiSpywareInstall.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\cvchost.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\dl.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\dllhelp.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\dlm.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\image.dll
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\msstasks.exe
2004-09-07 23:03:28 0 -csh--r C:\WINDOWS\mssys.com
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\mstaskss.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\ntldr.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\reg33.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\rocky.exe
2004-09-07 23:03:34 0 -csh--r C:\WINDOWS\seksdialer.exe
2003-08-01 16:21:26 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\system\system.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\system\wmscrop.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\system32\jac.dll
2004-09-07 23:03:34 0 -csh--r C:\WINDOWS\system32\mcc.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\system32\msxslab.dll
2004-09-07 23:03:34 0 -csh--r C:\WINDOWS\system32\system32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 21:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4431CAC6-78A1-4A68-A35C-C61CFDBDE15D}]
2007-07-13 14:45 62464 --a------ c:\windows\system32\bawaxuma.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A023C00-F24C-40D1-82E5-7A7B31DA31A5}]
2002-08-29 08:00 85134 --a------ C:\WINDOWS\System32\deskmo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FCBFDEB-6E91-4E4F-8EDB-8C4DDC7B8A30}]
c:\windows\system32\dkgmdkg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 08:21]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll --a------ 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
-

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KYE_UDSI]
"C:\Program Files\USB Storage RW\udsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
"C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"


Contents of the 'Scheduled Tasks' folder
2007-07-08 22:24:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-07-17 01:51:00 C:\WINDOWS\tasks\easy Internet sign-up.job
2007-07-16 03:46:00 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#Deskjet#3420.job
2007-07-16 18:32:03 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-Dustin).job
2007-07-16 18:32:03 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-John).job
2007-07-16 18:34:00 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-Owner).job
2007-07-16 18:32:03 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-Stephanie).job
2007-07-14 00:04:01 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-07-15 17:11:57 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 14:32:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-16 14:35:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 14:35

--- E O F ---




Fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:05 PM, on 7/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4431CAC6-78A1-4A68-A35C-C61CFDBDE15D} - c:\windows\system32\bawaxuma.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A023C00-F24C-40D1-82E5-7A7B31DA31A5} - C:\WINDOWS\System32\deskmo.dll
O2 - BHO: (no name) - {7FCBFDEB-6E91-4E4F-8EDB-8C4DDC7B8A30} - c:\windows\system32\dkgmdkg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - .DEFAULT User Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} (DrsDnld Control) - http://www.mathtutor.ac.uk/functions/drs/DrsDnldProj1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184370748875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4320 bytes




I hope I didn't forget anything!
piano

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 July 2007 - 03:06 PM

Hello piano,

Looks much better, but we still have some items to delete.

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player




Download CCleaner and install it (the default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {4431CAC6-78A1-4A68-A35C-C61CFDBDE15D} - c:\windows\system32\bawaxuma.dll
O2 - BHO: (no name) - {5A023C00-F24C-40D1-82E5-7A7B31DA31A5} - C:\WINDOWS\System32\deskmo.dll
O2 - BHO: (no name) - {7FCBFDEB-6E91-4E4F-8EDB-8C4DDC7B8A30} - c:\windows\system32\dkgmdkg.dll



Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Using Windows Explorer, delete the following files/folders (do not be concerned if they do not exist):

c:\windows\system32\bawaxuma.dll <==file
C:\Program Files\Viewpoint\ <==folder




*******************************************


You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

We need to do some virus scans at VirusTotal. http://www.virustotal.com/en/indexf.html
I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

To do the scans manually, go to the next site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:

C:\WINDOWS\system32\onzfavcr.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:


C:\WINDOWS\system32\shljrlob.dll
C:\WINDOWS\system32\lyejtbbr.dll
C:\WINDOWS\system32\tgorzvpd.dll
C:\WINDOWS\system32\tgorzvpd(6).dll
C:\WINDOWS\system32\tgorzvpd(4).dll
C:\WINDOWS\system32\tgorzvpd(5).dll
C:\WINDOWS\system32\tgorzvpd(3).dll
C:\WINDOWS\system32\drivers\Rjf29.sys


Once scanned, copy and paste the results also in your next reply.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot your computer, post the VirusTotal results and a new HijackThis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
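The post above tells the reader which O2 entries to fix but not how they were picked. The script below is an added example, not part of SifuMike's post and not a tool used in this thread; it applies the same signals to the O2 (Browser Helper Object) lines of the HijackThis log posted earlier: a BHO registered with no display name, a DLL sitting directly in system32, a random-looking lowercase filename of the kind the ConHook downloader family (named by VirusTotal later in this thread) uses, and a "(file missing)" orphan whose CLSID should still be fixed. The sample lines are copied from the log above. The allowlist of two CLSIDs (Adobe's link helper and Spybot's SDHelper, the two entries left alone above) and the two-signal threshold are assumptions standing in for a real baseline.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the O2 (Browser Helper Object) lines from the HijackThis
# log posted above, reproduced here so the script runs offline.
SAMPLE_O2_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4431CAC6-78A1-4A68-A35C-C61CFDBDE15D} - c:\windows\system32\bawaxuma.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A023C00-F24C-40D1-82E5-7A7B31DA31A5} - C:\WINDOWS\System32\deskmo.dll
O2 - BHO: (no name) - {7FCBFDEB-6E91-4E4F-8EDB-8C4DDC7B8A30} - c:\windows\system32\dkgmdkg.dll (file missing)
"""

# Assumption: a baseline of CLSIDs the analyst has already vetted. Here it is the
# two entries left alone above (Adobe's link helper, Spybot's SDHelper); in practice
# it comes from your own clean-machine inventory, not from a forum post.
KNOWN_GOOD_CLSIDS = {
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3",
    "53707962-6F74-2D53-2644-206D7942484F",
}
SUSPICIOUS_THRESHOLD = 2   # assumption: two independent signals before we call it

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

def parse_o2(line: str) -> Optional[Dict[str, object]]:
    """Split one HijackThis O2 line into name, CLSID, DLL path and orphan flag."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid").upper(),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }

def score_bho(entry: Dict[str, object]) -> Tuple[int, List[str]]:
    """Count the signals that made these entries stand out in the thread."""
    if entry["clsid"] in KNOWN_GOOD_CLSIDS:
        return 0, ["CLSID on baseline allowlist"]
    path = str(entry["path"]).lower().replace("/", "\\")
    stem = ntpath.splitext(ntpath.basename(path))[0]   # ntpath: Windows paths on any host
    reasons: List[str] = []
    if entry["name"] == "(no name)":
        reasons.append("registered without a display name")
    if "\\system32\\" in path:
        reasons.append("DLL dropped straight into system32, not under Program Files")
    if re.fullmatch(r"[a-z]{6,8}", stem):
        reasons.append("random lowercase 6-8 letter filename (ConHook-style naming)")
    if entry["missing"]:
        reasons.append("orphaned entry: DLL gone but CLSID still registered, fix it anyway")
    return len(reasons), reasons

def triage(log_text: str) -> List[Dict[str, object]]:
    """Score every O2 line in a HijackThis log; non-O2 lines are ignored."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        score, reasons = score_bho(entry)
        entry.update(score=score, reasons=reasons,
                     verdict="suspicious" if score >= SUSPICIOUS_THRESHOLD else "ok")
        results.append(entry)
    return results

def suspicious_paths(log_text: str) -> List[str]:
    """The paths you would hand to the 'fix' list or a file mover."""
    return [str(e["path"]) for e in triage(log_text) if e["verdict"] == "suspicious"]

if __name__ == "__main__":
    for e in triage(SAMPLE_O2_LINES):
        print(f"{e['verdict']:<10} {e['clsid']}  {e['path']}")
        for r in e["reasons"]:
            print(f"             - {r}")
```

Run against the sample it flags exactly the three DLLs SifuMike asked to fix (bawaxuma, deskmo and the missing dkgmdkg) and leaves the Adobe and Spybot helpers alone. Note that "(no name)" on its own is not enough, as SDHelper shows; it is the combination with a system32 drop and a throwaway filename that matters, and an allowlist keyed on CLSID rather than on path survives the random renaming these families do.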

#7 piano

piano
  • Topic Starter

  • Members
  • 23 posts

Posted 16 July 2007 - 10:55 PM

Virus Total:

onzfavcr.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.16 no virus found
DrWeb 4.33 2007.07.16 Trojan.Sentinel
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 93696 bytes
MD5: d61ff4328bd55aac17fa249bbc88bf6b
SHA1: b9d61da6b6530fcf9f27859d571ed48a83a0dca9
packers: MORPHINE, UPX, BINARYRES, MORPHINE




shljrlob.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 Generic5.GHL
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.16 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 no virus found
Kaspersky 4.0.2.24 2007.07.17 Trojan.Win32.Delf.acu
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 751616 bytes
MD5: 205f823fecab62afd323ba113092ab72
SHA1: 5e836f6dca9ba03abf0e59f71e3fa078328d27b3
packers: MORPHINE, UPX, UPX, UPX, UPX




lyejtbbr.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 Generic5.GHI
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.16 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 W32/CrazyCrunch-based!Maximus
Ikarus T3.1.1.8 2007.07.16 Trojan.Win32.Delf.zj
Kaspersky 4.0.2.24 2007.07.17 Trojan.Win32.Delf.zj
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 Hacktool.Proxy
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 41472 bytes
MD5: f5342d70a3d729d67096f82cb255a7ce
SHA1: 3100d88798009520820a890bfede87d67cfce103
packers: MORPHINE, UPX




tgorzvpd.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.16 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 122880 bytes
MD5: 40e87b3b983457cd241c06e3448e2095
SHA1: bb5c7dd312358d09042f7623a4314332794104d7
packers: MORPHINE, UPX




tgorzvpd(6).dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 Obfustat.AIP
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.16 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 121856 bytes
MD5: 39b339f2dd0c95ee169384513bcebf1f
SHA1: 4296020ad994c40dd3a5c0e57c3893477d6cce46
packers: MORPHINE, UPX




tgorzvpd(4).dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 Obfustat.AIP
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 121856 bytes
MD5: 39b339f2dd0c95ee169384513bcebf1f
SHA1: 4296020ad994c40dd3a5c0e57c3893477d6cce46
packers: MORPHINE, UPX




tgorzvpd(5).dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 Suspicious Trojan/Worm
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 no virus found
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 121344 bytes
MD5: 5932c6f07efe70fef9b5aaecd1b02504
SHA1: ff9360e23d3dc826bf2d412c764ab456cbf3b575
packers: MORPHINE, UPX




tgorzvpd(3).dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 Suspicious Trojan/Worm
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.16 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 no virus found
Panda 9.0.0.4 2007.07.16 Suspicious file
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 Trojan.Dldr.ConHook.Gen

Additional information
File size: 121344 bytes
MD5: 5932c6f07efe70fef9b5aaecd1b02504
SHA1: ff9360e23d3dc826bf2d412c764ab456cbf3b575
packers: MORPHINE, UPX




drivers/Rjf29.sys

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.16 no virus found
AntiVir 7.4.0.42 2007.07.16 no virus found
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 Win32:Agent-FTK
AVG 7.5.0.476 2007.07.16 BackDoor.Generic7.PAU
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.16 no virus found
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3788 2007.07.16 no virus found
Ewido 4.0 2007.07.16 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.17 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.16 Rootkit.Win32.Agent.ea
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2401 2007.07.17 a variant of Win32/Rootkit.Agent.NBN
Norman 5.80.02 2007.07.16 no virus found
Panda 9.0.0.4 2007.07.16 no virus found
Sophos 4.19.0 2007.07.16 Troj/RKAgen-Fam
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 no virus found

Additional information
File size: 165376 bytes
MD5: 2c3a15762cf408d2e330b1db969a65ee
SHA1: 308a7d372681d0ebf70558cbd85ac4369615fe7c




Fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:34 PM, on 7/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - .DEFAULT User Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} (DrsDnld Control) - http://www.mathtutor.ac.uk/functions/drs/DrsDnldProj1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184370748875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3939 bytes





Umm...I haven't seen that popup in a while. I really hope it's gone. And my homepage has been staying and not resetting to google. Time will tell.

Thanks,
piano
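The results above are nine blocks of the plain-text layout VirusTotal used in 2007, and two things in them are easy to miss when reading by eye: tgorzvpd(6).dll and tgorzvpd(4).dll report the same MD5 and SHA1, as do tgorzvpd(3).dll and tgorzvpd(5).dll, so they are copies of one binary; and the driver Rjf29.sys is flagged by only a handful of engines, several of them as a rootkit. The script below is an added example, not part of piano's post and not something VirusTotal ships; it parses that layout, counts hits per file, and groups submissions by SHA1 so each distinct binary is handled once. The sample is constructed from three of the blocks above, cut down to four engines each, with names, hashes and verdicts copied from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the plain-text layout VirusTotal used in 2007, cut down to
# four engines per file; names, hashes and verdicts are copied from the post above.
SAMPLE_VT_TEXT = """
tgorzvpd(6).dll
Antivirus Version Last Update Result
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
AVG 7.5.0.476 2007.07.16 Obfustat.AIP
Kaspersky 4.0.2.24 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Aditional information
File size: 121856 bytes
MD5: 39b339f2dd0c95ee169384513bcebf1f
SHA1: 4296020ad994c40dd3a5c0e57c3893477d6cce46
packers: MORPHINE, UPX

tgorzvpd(4).dll
Antivirus Version Last Update Result
AntiVir 7.4.0.42 2007.07.16 TR/Dldr.ConHook.Gen
AVG 7.5.0.476 2007.07.16 Obfustat.AIP
Kaspersky 4.0.2.24 2007.07.17 no virus found
Norman 5.80.02 2007.07.16 W32/BHO.QG
Aditional information
File size: 121856 bytes
MD5: 39b339f2dd0c95ee169384513bcebf1f
SHA1: 4296020ad994c40dd3a5c0e57c3893477d6cce46
packers: MORPHINE, UPX

drivers/Rjf29.sys
Antivirus Version Last Update Result
Avast 4.7.997.0 2007.07.16 Win32:Agent-FTK
AVG 7.5.0.476 2007.07.16 BackDoor.Generic7.PAU
Ikarus T3.1.1.8 2007.07.16 Rootkit.Win32.Agent.ea
Kaspersky 4.0.2.24 2007.07.17 no virus found
Aditional information
File size: 165376 bytes
MD5: 2c3a15762cf408d2e330b1db969a65ee
SHA1: 308a7d372681d0ebf70558cbd85ac4369615fe7c
"""

@dataclass
class FileReport:
    name: str
    size: int = 0
    md5: str = ""
    sha1: str = ""
    packers: List[str] = field(default_factory=list)
    results: Dict[str, str] = field(default_factory=dict)   # engine -> verdict

    def detections(self) -> Dict[str, str]:
        """Engines that flagged the file; the clean verdict is literal text."""
        return {e: v for e, v in self.results.items() if v != "no virus found"}

FILENAME_RE = re.compile(r"^\S+\.(dll|sys|exe)$", re.IGNORECASE)
ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")  # engine ver date verdict

def parse_vt_report(text: str) -> List[FileReport]:
    """Turn the pasted text into one FileReport per submitted file."""
    reports: List[FileReport] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILENAME_RE.match(line):          # a bare filename starts a new block
            reports.append(FileReport(name=line))
            continue
        if not reports:
            continue
        cur = reports[-1]
        if line.startswith("File size:"):
            cur.size = int(line.split()[2])
        elif line.startswith("MD5:"):
            cur.md5 = line.split()[1].lower()
        elif line.startswith("SHA1:"):
            cur.sha1 = line.split()[1].lower()
        elif line.startswith("packers:"):
            cur.packers = [p.strip() for p in line[len("packers:"):].split(",")]
        else:
            m = ENGINE_RE.match(line)        # header and "Aditional information" fall through
            if m:
                cur.results[m.group(1)] = m.group(4)
    return reports

def unique_samples(reports: List[FileReport]) -> Dict[str, List[str]]:
    """Group submissions by SHA1: files with the same hash are one binary."""
    groups: Dict[str, List[str]] = {}
    for r in reports:
        groups.setdefault(r.sha1, []).append(r.name)
    return groups

def summarize(text: str) -> List[str]:
    reports = parse_vt_report(text)
    out = [f"{r.name}: {len(r.detections())}/{len(r.results)} engines, "
           f"packers={', '.join(r.packers) or 'none'}" for r in reports]
    for sha1, names in unique_samples(reports).items():
        if len(names) > 1:
            out.append(f"same binary {sha1[:12]}...: {' == '.join(names)}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_VT_TEXT)))
```

The hit count is deliberately reported as a fraction of the engines present rather than as a verdict: a packed (MORPHINE/UPX) DLL in system32 that only a few engines name is still the same file the thread treats as malicious, and the rootkit driver scores lowest of all. Grouping by hash also tells you which of the numbered copies you can skip resubmitting.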

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 July 2007 - 11:16 PM

Hello piano,

Looks like I hit 100% on the bad files.

Run this file through the VirusTotal scanner and post the results:
C:\WINDOWS\system32\deskmo.dll

*************************

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\onzfavcr.dll
    C:\WINDOWS\system32\shljrlob.dll
    C:\WINDOWS\system32\lyejtbbr.dll
    C:\WINDOWS\system32\tgorzvpd.dll
    C:\WINDOWS\system32\tgorzvpd(6).dll
    C:\WINDOWS\system32\tgorzvpd(4).dll
    C:\WINDOWS\system32\tgorzvpd(5).dll
    C:\WINDOWS\system32\tgorzvpd(3).dll
    C:\WINDOWS\system32\drivers\Rjf29.sys


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*************************

Download and Save Blacklight Beta (graphical user interface version) to your desktop.

Double-click fsbl.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.

Don't choose rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe".

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers). Copy and paste this log in your next reply.

Edited by SifuMike, 16 July 2007 - 11:31 PM.


#9 piano

piano
  • Topic Starter

  • Members
  • 23 posts

Posted 17 July 2007 - 11:50 AM

When I went to browse to the file "deskmo.dll" it didn't exist. I hope I didn't overlook something.

Here are the results of OTMoveIt:

DllUnregisterServer procedure not found in C:\WINDOWS\system32\onzfavcr.dll
C:\WINDOWS\system32\onzfavcr.dll NOT unregistered.
C:\WINDOWS\system32\onzfavcr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\shljrlob.dll
C:\WINDOWS\system32\shljrlob.dll NOT unregistered.
C:\WINDOWS\system32\shljrlob.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lyejtbbr.dll
C:\WINDOWS\system32\lyejtbbr.dll NOT unregistered.
C:\WINDOWS\system32\lyejtbbr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tgorzvpd.dll
C:\WINDOWS\system32\tgorzvpd.dll NOT unregistered.
C:\WINDOWS\system32\tgorzvpd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tgorzvpd(6).dll
C:\WINDOWS\system32\tgorzvpd(6).dll NOT unregistered.
C:\WINDOWS\system32\tgorzvpd(6).dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tgorzvpd(4).dll
C:\WINDOWS\system32\tgorzvpd(4).dll NOT unregistered.
C:\WINDOWS\system32\tgorzvpd(4).dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tgorzvpd(5).dll
C:\WINDOWS\system32\tgorzvpd(5).dll NOT unregistered.
C:\WINDOWS\system32\tgorzvpd(5).dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tgorzvpd(3).dll
C:\WINDOWS\system32\tgorzvpd(3).dll NOT unregistered.
C:\WINDOWS\system32\tgorzvpd(3).dll moved successfully.
C:\WINDOWS\system32\drivers\Rjf29.sys moved successfully.

Created on 07/17/2007 12:24:22




Here are the contents of fsbl-20070717162835.log:

07/17/07 12:28:35 [Info]: BlackLight Engine 1.0.64 initialized
07/17/07 12:28:35 [Info]: OS: 5.1 build 2600 (Service Pack 1)
07/17/07 12:28:35 [Note]: 7019 4
07/17/07 12:28:35 [Note]: 7005 0
07/17/07 12:28:41 [Note]: 7006 0
07/17/07 12:28:41 [Note]: 7011 18976
07/17/07 12:28:42 [Note]: 7026 0
07/17/07 12:28:42 [Note]: 7026 0
07/17/07 12:28:48 [Note]: FSRAW library version 1.7.1022
07/17/07 12:44:50 [Note]: 2000 1012
07/17/07 12:47:52 [Note]: 7007 0

It said something like there were no hidden files found.

Thanks,
piano

#10 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 July 2007 - 12:13 PM

Hi Piano,

Blacklight looks clean, and OTMoveIt moved everything successfully. :thumbsup:

Please run ComboFix again and post the ComboFix log. I think we got all the bad files, but want to make sure.

How is the computer working? :flowers:

#11 piano
  • Topic Starter
  • Members
  • 23 posts

Posted 17 July 2007 - 12:33 PM

Hello,

I ran ComboFix again. Here is the log:

"Owner" - 2007-07-17 13:18:33 - ComboFix 07-07-14.6 - Service Pack 1 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-17 06:30 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-17 06:30 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-16 21:45 <DIR> d-------- C:\Program Files\CCleaner
2007-07-16 14:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 00:21 96,256 --a------ C:\WINDOWS\system32\evntagnt.dll
2007-07-16 00:21 84,992 --a------ C:\WINDOWS\system32\evntwin.exe
2007-07-16 00:21 8,192 --a------ C:\WINDOWS\system32\snmptrap.exe
2007-07-16 00:21 5,120 --a------ C:\WINDOWS\system32\snmpmib.dll
2007-07-16 00:21 35,328 --a------ C:\WINDOWS\system32\hostmib.dll
2007-07-16 00:21 33,280 --a------ C:\WINDOWS\system32\iprip.dll
2007-07-16 00:21 29,696 --a------ C:\WINDOWS\system32\snmp.exe
2007-07-16 00:21 29,184 --a------ C:\WINDOWS\system32\lmmib2.dll
2007-07-16 00:21 22,528 --a------ C:\WINDOWS\system32\evntcmd.exe
2007-07-16 00:21 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-07-15 23:23 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-07-15 23:23 9,006 --a------ C:\clean.bat
2007-07-15 23:23 86,528 --a------ C:\WINDOWS\system32\catchme.exe
2007-07-15 23:23 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-07-15 23:23 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-07-15 23:15 167,936 --a------ C:\WINDOWS\system32\drivers\Gxkt78.sys
2007-07-15 11:54 <DIR> d-------- C:\WINDOWS\system32\1024
2007-07-15 11:53 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-13 23:01 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-07-13 19:54 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-07-13 19:54 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-07-13 19:50 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-12 17:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 12:14 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-07-01 18:32 <DIR> d-------- C:\Program Files\iTunes
2007-06-25 16:08 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 03:22:50 -------- d-----w C:\Program Files\ewido anti-malware
2007-07-16 17:32:03 -------- d-----w C:\Program Files\Chessmaster 4000
2007-07-16 13:56:18 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-16 13:56:13 -------- d-----w C:\Program Files\Plaxo
2007-07-16 04:23:49 -------- d-----w C:\Program Files\Common Files\Real
2007-07-16 04:23:13 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Real
2007-07-16 04:07:14 -------- d-----w C:\Program Files\eMule
2007-07-15 15:55:08 -------- d-----w C:\Program Files\Messenger
2007-07-15 15:54:05 -------- d-----w C:\Program Files\Google
2007-07-13 23:52:29 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-02 13:05:22 -------- d-----w C:\Program Files\Palm
2007-07-01 22:33:12 -------- d-----w C:\Program Files\iPod
2007-06-25 20:21:57 -------- d-----w C:\Program Files\QuickTime
2007-05-28 16:44:19 -------- d-----w C:\Program Files\Quicken
2007-04-23 19:16:24 88,424 ----a-w C:\WINDOWS\hpoins06.dat
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2006-09-12 23:24:50 37,512 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2005-08-22 22:40:37 212,849 ----a-w C:\Program Files\hijackthis.zip
2005-08-20 02:40:30 6,224,992 ----a-w C:\Program Files\TrojanHunter.exe
2005-08-19 00:32:05 7,739,192 ----a-w C:\Program Files\DivXPlay.exe
2005-08-18 23:19:38 217,329 ----a-w C:\Program Files\gspot221.exe
2005-08-18 16:40:20 12,754,672 ----a-w C:\Program Files\MP10Setup.exe
2005-08-18 03:40:50 6,860,424 ----a-w C:\Program Files\MicrosoftAntiSpywareInstall.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\cvchost.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\dl.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\dllhelp.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\dlm.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\image.dll
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\msstasks.exe
2004-09-07 23:03:28 0 -csh--r C:\WINDOWS\mssys.com
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\mstaskss.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\ntldr.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\reg33.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\rocky.exe
2004-09-07 23:03:34 0 -csh--r C:\WINDOWS\seksdialer.exe
2003-08-01 16:21:26 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\system\system.exe
2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\system\wmscrop.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\system32\jac.dll
2004-09-07 23:03:34 0 -csh--r C:\WINDOWS\system32\mcc.exe
2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\system32\msxslab.dll
2004-09-07 23:03:34 0 -csh--r C:\WINDOWS\system32\system32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 21:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 08:21]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll --a------ 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
-

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KYE_UDSI]
"C:\Program Files\USB Storage RW\udsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
"C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"


Contents of the 'Scheduled Tasks' folder
2007-07-08 22:24:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-07-17 01:51:00 C:\WINDOWS\tasks\easy Internet sign-up.job
2007-07-17 03:46:00 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#Deskjet#3420.job
2007-07-17 17:22:00 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-Dustin).job
2007-07-17 16:01:46 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-John).job
2007-07-17 17:24:00 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-Owner).job
2007-07-17 16:01:46 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-SZ6X6SEFXO-Stephanie).job
2007-07-14 00:04:01 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-07-17 05:11:16 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-17 13:25:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-17 13:26:21
C:\ComboFix-quarantined-files.txt ... 2007-07-17 13:25
C:\ComboFix2.txt ... 2007-07-16 14:35

--- E O F ---




Why did it delete my shortcut to Internet Explorer on my desktop? I did get it back (by right clicking and send to -> desktop (shortcut)) I'm just curious as to why it deleted it.

My computer is running really fast and smoothly. Thank you! Sometimes when I keep the computer on overnight or for a while I have to restart it to get the internet to work (it reads "cannot find server"). How can I change this?

Also, my homepage has been staying and not resetting and there have been no more popups.

Thanks,
piano

Edited by piano, 17 July 2007 - 12:37 PM.


#12 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 July 2007 - 12:59 PM

Hi Piano,


Why did it delete my shortcut to Internet Explorer on my desktop? I did get it back (by right clicking and send to -> desktop (shortcut)) I'm just curious as to why it deleted it.


I don't know why, but I will ask the program's author and get back to you. :thumbsup:



I see about 20 very old files (from 2004) on your computer that I think are bad.

Rather than run VirusTotal on all twenty of them (which takes quite a while), let's see if BitDefender Online Scanner will remove them.
That will save us some time and effort.



You will need to use Internet Explorer for this scan.

Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

Edited by SifuMike, 17 July 2007 - 01:00 PM.

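A way to pull those old entries out of the Find3M report mechanically, as an added example (not ComboFix's code and not from this thread): it flags zero-byte files marked hidden and system that carry a code extension, then groups them by write date so a cluster dropped on one day stands out. The sample lines are copied from the ComboFix log above plus one ordinary entry; vendor stubs such as the HPCD.sys line surface too, which is why the output is a review list rather than a delete list.

```python
"""Triage a ComboFix 'Find3M Report' for zero-byte hidden/system binaries.

Added example, not part of the thread and not ComboFix's own code. Sample
lines are copied from the log posted above (plus one ordinary entry); the
attribute column is read by letter (d, s, h, r), not by position.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "date time size attrs path")

# <date> <time> <size, or -------- for directories> <7-char attributes> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S{7}) (.+)$")

# Extensions Windows treats as executable code
CODE_EXTENSIONS = (".exe", ".dll", ".com", ".sys", ".scr")

SAMPLE_LOG = "\n".join([
    r"2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe",
    r"2007-07-16 17:32:03 -------- d-----w C:\Program Files\Chessmaster 4000",
    r"2004-09-07 23:03:30 0 -csh--r C:\WINDOWS\cvchost.exe",
    r"2004-09-07 23:03:31 0 -csh--r C:\WINDOWS\image.dll",
    r"2004-09-07 23:03:28 0 -csh--r C:\WINDOWS\mssys.com",
    r"2003-08-01 16:21:26 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys",
    r"2006-09-12 23:24:50 37,512 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT",
])


def parse_find3m(text):
    """Parse report lines into Entry tuples; banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size_bytes = None if size.startswith("-") else int(size.replace(",", ""))
        entries.append(Entry(date, time, size_bytes, attrs, path))
    return entries


def suspicious_binaries(entries):
    """Zero-byte files flagged hidden+system with a code extension.

    Gutted droppers and placeholder stubs look like this, but so do some
    vendor recovery files (HPCD.sys above), so treat the result as a review list.
    """
    hits = []
    for e in entries:
        if e.size is None or "d" in e.attrs:
            continue  # directory entry
        hidden_system = "h" in e.attrs and "s" in e.attrs
        if e.size == 0 and hidden_system and e.path.lower().endswith(CODE_EXTENSIONS):
            hits.append(e.path)
    return hits


def group_by_date(entries, paths):
    """Group flagged paths by write date: files dropped by one installer share
    a date (and near-identical times), which is what makes a cluster stand out."""
    wanted = set(paths)
    groups = {}
    for e in entries:
        if e.path in wanted:
            groups.setdefault(e.date, []).append(e.path)
    return groups


if __name__ == "__main__":
    parsed = parse_find3m(SAMPLE_LOG)
    for date, paths in sorted(group_by_date(parsed, suspicious_binaries(parsed)).items()):
        print(date, len(paths), "zero-byte hidden/system binaries")
        for p in paths:
            print("   ", p)
```

Because the extension list covers .dll and .com as well as .exe, the zero-byte image.dll and mssys.com entries that share the 2004 date in the report are caught alongside the executables.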

#13 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 July 2007 - 02:36 PM

tip of the hat to sUBs for this

C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk is not a valid shortcut.

The original/legit IE shortcut is not an LNK file. Malware has been known to delete the original & replace it with a dupe which in actuality is a shortcut to an infected webpage which will load tons of malware onto the machine.

To restore the original IE shortcut, go to Control Panel > Display > Desktop >Customize Desktop
Under the General tab, ensure "Internet Explorer" is ticked & then click OK to exit



Let's dig deeper on those old files.

Open notepad and copy/paste the text in the quotebox below into it:


@echo off
REM Search the Windows folder for *.exe files and write the matches to log.txt;
REM with these switches the listing it produced in this thread is zero-byte files only
vfind -tf -s0 %systemroot%\*.exe >log.txt
REM Show the results, then remove the log and this batch file itself (%0)
notepad log.txt
del log.txt
del %0



Save this as find.bat. Choose "Save type as - All Files".
It should look like this: Posted Image
Double click on find.bat & allow it to run

Post back to tell me what it says
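A defender-side check for the dupe pattern described in this post, as an added example (not code from the thread or from sUBs): it parses a .lnk far enough to read its target path and arguments, and flags a file named "internet explorer.lnk" whose arguments hand the browser a URL. The sample shortcut is constructed in-line so the script runs offline, and the URL in it is a placeholder, not a real indicator.

```python
"""Inspect a Windows Shell Link (.lnk) for the 'fake IE icon' pattern.

Added example, not code from this thread. Layout follows MS-SHLLINK:
fixed 0x4C-byte header, optional IDList and LinkInfo, then string fields.
The sample shortcut below is constructed in-line so this runs offline.
"""
import struct

# LinkFlags bits in the ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields in the order the format stores them
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk: header plus RelativePath and Arguments.

    No IDList or LinkInfo is written; that is enough for the parser below.
    """
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII",
        flags, 0,        # LinkFlags, FileAttributes
        0, 0, 0,         # Creation/Access/Write time (unset)
        0, 0, 1,         # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0)      # HotKey, Reserved1..3

    def string_data(s):  # CountCharacters (uint16) followed by UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Return the string fields of a .lnk as a dict; IDList/LinkInfo are skipped."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + items
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def is_spoofed_ie_shortcut(filename, fields):
    """The real desktop IE icon is a shell namespace item, not a .lnk; a .lnk
    carrying that name whose arguments pass the browser a URL is the dupe pattern."""
    poses_as_ie = filename.lower() == "internet explorer.lnk"
    args = fields.get("arguments", "").lower()
    opens_url = any(s in args for s in ("http://", "https://", "file://"))
    return poses_as_ie and opens_url


# Constructed sample; the URL is a placeholder, not a real indicator
SAMPLE_LNK = build_lnk(r"..\..\..\Program Files\Internet Explorer\iexplore.exe",
                       "http://landing.example.invalid/")

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print(fields)
    print("spoofed" if is_spoofed_ie_shortcut("internet explorer.lnk", fields) else "ok")
```

A real sweep reads each *.lnk on the desktop with open(path, "rb") and passes the bytes to parse_lnk; a plain shortcut to iexplore.exe with no arguments is not flagged.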

#14 piano
  • Topic Starter
  • Members
  • 23 posts

Posted 18 July 2007 - 12:43 AM

Here is the BitDefender Scan Report:

BitDefender Online Scanner

Scan report generated at: Wed, Jul 18, 2007 - 01:17:37
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics
  Time: 01:49:23
  Files: 367612
  Folders: 10909
  Boot Sectors: 3
  Archives: 19574
  Packed Files: 20152

Results
  Identified Viruses: 8
  Infected Files: 15
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 15

Engines Info
  Virus Definitions: 672631
  Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 6
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Default User\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.PurityScan.K

C:\Documents and Settings\Default User\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Deleted

C:\Documents and Settings\Default User\Application Data\rawh\ctxad-203.0000=>(NSIS o)
Update failed

C:\Documents and Settings\Dustin.YOUR-SZ6X6SEFXO\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.PurityScan.K

C:\Documents and Settings\Dustin.YOUR-SZ6X6SEFXO\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Deleted

C:\Documents and Settings\Dustin.YOUR-SZ6X6SEFXO\Application Data\rawh\ctxad-203.0000=>(NSIS o)
Update failed

C:\Documents and Settings\Dustin.YOUR-SZ6X6SEFXO.000\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.PurityScan.K

C:\Documents and Settings\Dustin.YOUR-SZ6X6SEFXO.000\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Deleted

C:\Documents and Settings\Dustin.YOUR-SZ6X6SEFXO.000\Application Data\rawh\ctxad-203.0000=>(NSIS o)
Update failed

C:\Documents and Settings\John.YOUR-SZ6X6SEFXO\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.PurityScan.K

C:\Documents and Settings\John.YOUR-SZ6X6SEFXO\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Deleted

C:\Documents and Settings\John.YOUR-SZ6X6SEFXO\Application Data\rawh\ctxad-203.0000=>(NSIS o)
Update failed

C:\Documents and Settings\Owner\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.PurityScan.K

C:\Documents and Settings\Owner\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Deleted

C:\Documents and Settings\Owner\Application Data\rawh\ctxad-203.0000=>(NSIS o)
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>BlackBox.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>BlackBox.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>BlackBox.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>VerifierBug.class
Infected with: Java.Trojan.Exploit.Bytverify.C

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>VerifierBug.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>VerifierBug.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>Dummy.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>Dummy.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>Dummy.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>Beyond.class
Infected with: Java.Trojan.Exploit.Bytverify.C

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>Beyond.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)=>Beyond.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\07883B8D.jar
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\77E27E72.chm=>(Quarantine-2)=>/main.htm=>(JAVASCRIPT 1)
Infected with: Generic.XPL.ADODB.DF7276EA

C:\Program Files\Norton AntiVirus\Quarantine\77E27E72.chm=>(Quarantine-2)=>/main.htm=>(JAVASCRIPT 1)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\77E27E72.chm=>(Quarantine-2)=>/main.htm=>(JAVASCRIPT 1)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\77E27E72.chm=>(Quarantine-2)=>/main.htm
Updated

C:\Program Files\Norton AntiVirus\Quarantine\77E27E72.chm=>(Quarantine-2)
Update failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018623.dll
Infected with: Trojan.Clicker.Agent.AC

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018623.dll
Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018624.exe
Infected with: Trojan.Downloader.APG

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018624.exe
Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018624.exe
Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018625.sys
Infected with: Trojan.Rootkit.GEF

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018625.sys
Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP95\A0018625.sys
Deleted

C:\WINDOWS\system32\Cache\setup.exe=>(NSIS o)=>zlib_nsis0005
Infected with: Trojan.Downloader.Adload.A

C:\WINDOWS\system32\Cache\setup.exe=>(NSIS o)=>zlib_nsis0005
Disinfection failed

C:\WINDOWS\system32\Cache\setup.exe=>(NSIS o)=>zlib_nsis0005
Deleted

C:\WINDOWS\system32\Cache\setup.exe=>(NSIS o)
Update failed

C:\WINDOWS\system32\config\systemprofile\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.PurityScan.K

C:\WINDOWS\system32\config\systemprofile\Application Data\rawh\ctxad-203.0000=>(NSIS o)=>zlib_nsis0001
Deleted

C:\WINDOWS\system32\config\systemprofile\Application Data\rawh\ctxad-203.0000=>(NSIS o)
Update failed




Sorry this log isn't formatted well. I didn't know how to copy/paste it and preserve the formatting.




Here is the .txt file find.bat produced:

C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dllhelp.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system32\mcc.exe




Also, my toolbar has been changed. I might have caused this when I clicked on some ms-dos file/program when the program files were not hidden (I have since hidden them again). After I clicked on this thing a message came up saying something about a windows component (I really should have noted exactly what it said). I figured the message would keep coming up but it hasn't. The only evidence is that my toolbar is a different color and style. It's not a drastic problem. I'm not worried about my toolbar, I'm worried about my machine. When I go into toolbar->appearance and theme I no longer see how to reselect the toolbar I had before.

Thank you so much for all of your attention!!!
piano

Edited by piano, 18 July 2007 - 12:48 AM.


#15 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 July 2007 - 01:31 AM

Hi Piano,

Sorry this log isn't formatted well. I didn't know how to copy/paste it and preserve the formatting.

That is the way it always looks, so don't worry about it. As long as I can read it, then it is fine. :thumbsup:


We will get rid of all those files.

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\cvchost.exe
    C:\WINDOWS\dl.exe
    C:\WINDOWS\dllhelp.exe
    C:\WINDOWS\dlm.exe
    C:\WINDOWS\msstasks.exe
    C:\WINDOWS\mstaskss.exe
    C:\WINDOWS\ntldr.exe
    C:\WINDOWS\reg33.exe
    C:\WINDOWS\rocky.exe
    C:\WINDOWS\seksdialer.exe
    C:\WINDOWS\system\system.exe
    C:\WINDOWS\system\wmscrop.exe
    C:\WINDOWS\system32\mcc.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



