TheTechGuide Forum
General Category => Tech Clinic => Topic started by: GrantHLiu on November 09, 2006, 07:13:13 PM
-
Please help or point the way to some help, I've been infected by some awfully persistent adware. Almost all at once too, I couldn't stop it. No more IE for me.........
I've tried everything I could find and I'm still getting pop-up IE instances that link to various sites (mtv buzz, advertising, news, "you have a problem download this to fix it", etc). This happens almost unfailingly every time a new IE is started up. It's happened when I start Firefox too.
I'm running Windows XP Pro, SP2 with all critical updates. I've also run these countermeasures:
- Ad-Aware, VX2 plugin for Ad-Aware
- Spybot (default clean, immunize, permanent blocking for IE)
- McAfee VirusScan
- CCleaner (default settings and cleaned)
- Look2Me-Destroyer and Kill2Me
- CWShredder
- Windows Defender
- Windows Spyware removal tool
These have all yielded pretty good results, with a ton of Trojans and adware being removed in the process. Pop-up ads are much less now, but some still remain. Most notably, Look2Me and Cool Search have been found and (supposedly) removed.
Another symptom is my McAfee on-access scan is being (has been) messed with and the on-access doesn't auto-start correctly anymore.
Here is my HijackThis log. Thanks in advance for any insight ('Inquira' and 'Software AG' are all safe apps):
Logfile of HijackThis v1.99.1
Scan saved at 2:03:02 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\j2re1.4.2_12\bin\javaw.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://Email Removed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.241.32.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pmxuman.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\CROSOF~1\mmc.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.dollarrevenue.com
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://inquira.webex.com/client/T22L/webex/ieatgpc.cab
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Software AG EventLayer Service (argevtsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argevsrv.exe
O23 - Service: Software AG MILayer Service (argmlsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argmlsrv.exe
O23 - Service: Software AG CSLayer Service (argsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ConverterService - Unknown owner - C:\InQuira_7.2_staging\inquira\src\prep\ext\msofficeprep\.\converterservice.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Inquira-IM-JMS (IM_OpenJMS) - Unknown owner - C:\InQuira_7.2\InfoManager\servicewrapper\bin\wrapper.exe
O23 - Service: Inquira-bayer - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayer-infomanager - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayerrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprint - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev-workbench - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDevrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprintrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Software AG UTX Daemon (ServiceUTXDAEM) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
O23 - Service: Software AG UTX Event Logger (ServiceUTXEL) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Software AG XTS Directory Server (XTSDirSrv) - Software AG - C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
Thanks again for reading,
Grant
-
Can you do the following for me please, then we'll do some fixes.
First>>Please supply an uninstall list from HijackThis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
Afterwards, close HijackThis,
RIGHT CLICK on HijackThis.exe and rename it to
Grant.exe
Run a fresh scan and save the logfile with Grant.exe (HijackThis)
Post the fresh log too please
-
Thanks for the reply.
More symptoms (perhaps caused by adware removal): Active Desktop startup failure sometimes, safe mode won't show desktop (when I run explorer.exe manually, it appears then dies). The adware seems to consistently show this URL too without the *'s (along with others): h*t*t*p:*//*59.148.220.121/apache2-default/cs/1.html
Unfortunately, HijackThis seems to close itself when I try to save an uninstall list, even in safe mode. I can get screenshots to you if that is acceptable. The ones that don't show in the Windows version make me suspicious.......
Here's the startup log instead (hopefully you can make use of this). I'll post another reply for a fresh HijackThis log:
StartupList report, 11/9/2006, 6:41:21 PM
StartupList version: 1.52.2
Started from : C:\HJT\Grant.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\PuTTY\pageant.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Java\j2re1.4.2_12\bin\javaw.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\Grant.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Grant Liu\Start Menu\Programs\Startup]
Microsoft Office Outlook 2003.lnk = ?
Pageant.lnk = C:\Program Files\PuTTY\pageant.exe
Trillian.lnk = C:\Program Files\Trillian\trillian.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,pmxuman.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
Tair = "C:\PROGRA~1\COMMON~1\CROSOF~1\mmc.exe" -vt ndrv
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\awtqn.dll - {992C3C1A-D273-4CEA-8E79-9C14A04F1449}
(no name) - C:\WINDOWS\system32\kwbeqqgg.dll - {F18F04B0-9CF1-4b93-B004-77A288BEE28B}
--------------------------------------------------
Enumerating Task Scheduler jobs:
MP Scheduled Scan.job
--------------------------------------------------
Enumerating Download Program Files:
[LinkedIn ContactFinderControl]
InProcServer32 = C:\WINDOWS\DOWNLO~1\LINKED~1.DLL
CODEBASE = http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[CTAdjust Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\clearadjust.dll
CODEBASE = http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
[GpcContainer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
CODEBASE = https://inquira.webex.com/client/T22L/webex/ieatgpc.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 6,328 bytes
Report generated in 0.062 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
-
Fresh HijackThis log with Grant.exe:
Logfile of HijackThis v1.99.1
Scan saved at 6:40:22 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\PuTTY\pageant.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Java\j2re1.4.2_12\bin\javaw.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\Grant.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://Email Removed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.241.32.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pmxuman.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {992C3C1A-D273-4CEA-8E79-9C14A04F1449} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\kwbeqqgg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\CROSOF~1\mmc.exe" -vt ndrv
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Startup: Pageant.lnk = C:\Program Files\PuTTY\pageant.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://inquira.webex.com/client/T22L/webex/ieatgpc.cab
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Software AG EventLayer Service (argevtsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argevsrv.exe
O23 - Service: Software AG MILayer Service (argmlsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argmlsrv.exe
O23 - Service: Software AG CSLayer Service (argsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ConverterService - Unknown owner - C:\InQuira_7.2_staging\inquira\src\prep\ext\msofficeprep\.\converterservice.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Inquira-IM-JMS (IM_OpenJMS) - Unknown owner - C:\InQuira_7.2\InfoManager\servicewrapper\bin\wrapper.exe
O23 - Service: Inquira-bayer - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayer-infomanager - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayerrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprint - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev-workbench - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDevrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprintrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Software AG UTX Daemon (ServiceUTXDAEM) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
O23 - Service: Software AG UTX Event Logger (ServiceUTXEL) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Software AG XTS Directory Server (XTSDirSrv) - Software AG - C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
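The entries worth reading first in both logs above are the ones that get code loaded at logon rather than on demand: the F2 UserInit value carries a second executable (pmxuman.exe, with no path) after userinit.exe, so it runs at every logon; awtqn.dll is registered both as an O2 BHO (loaded into every IE instance) and as an O20 Winlogon Notify package (loaded into winlogon.exe, which also runs in safe mode); kwbeqqgg.dll is a second random-named BHO in system32; the [Tair] Run entry starts a copy of mmc.exe from a folder under Common Files rather than from system32; and the O15 entry puts *.dollarrevenue.com in IE's Trusted Zone. The script below, an added example for this thread and not part of the original posts or a HijackThis feature, applies those checks to a sample log constructed from the lines quoted above. The allow-list of Winlogon Notify packages, the list of system binary names and the random-name heuristic are this example's own assumptions, not published signatures.

```python
"""Offline triage of HijackThis v1.99 log lines for logon-time persistence.

Added example for this thread: not part of the original posts and not a
HijackThis feature. The allow-list of Winlogon Notify packages, the list of
system binary names and the random-name heuristic are this example's own
assumptions, not published signatures.
"""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section detail")

# Constructed sample: a subset of the entries quoted in the two logs above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.241.32.12:8080
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pmxuman.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {992C3C1A-D273-4CEA-8E79-9C14A04F1449} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\kwbeqqgg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\CROSOF~1\mmc.exe" -vt ndrv
O15 - Trusted Zone: *.dollarrevenue.com
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll
"""

# Assumption: Notify packages present on a stock XP SP2 box or added by common drivers.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent"}
# Assumption: image names that should only ever run from the Windows directory tree.
SYSTEM_BINARIES = {"mmc.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "rundll32.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def looks_random(stem):
    """Heuristic for dropper-style names such as 'awtqn' or 'kwbeqqgg':
    a run of four or more consonants, or fewer than one vowel in five letters."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    runs = re.findall(r"[^aeiouy]+", s) or [""]
    vowel_ratio = sum(c in "aeiouy" for c in s) / len(s)
    return max(len(r) for r in runs) >= 4 or vowel_ratio < 0.2


def _command_exe(cmd):
    """Executable of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # BHO paths first, so the O20 check can spot a DLL registered in both places.
    bho_dlls = {l.rsplit(" - ", 1)[-1].lower() for l in lines if l.startswith("O2 - BHO:")}
    findings = []
    for line in lines:
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Every comma-separated entry runs at logon; only userinit.exe in system32 belongs here.
            for entry in filter(None, map(str.strip, line.split("UserInit=", 1)[1].split(","))):
                if _basename(entry).lower() != "userinit.exe" or _dirname(entry) != r"c:\windows\system32":
                    findings.append(Finding("high", "F2", f"extra Userinit executable {entry!r} runs at every logon"))
        elif line.startswith("O2 - BHO:"):
            path = line.rsplit(" - ", 1)[-1]
            if _dirname(path) == r"c:\windows\system32" and looks_random(_basename(path).rsplit(".", 1)[0]):
                findings.append(Finding("high", "O2", f"random-named BHO in system32: {path}"))
        elif line.startswith("O20 - Winlogon Notify:"):
            name, path = re.match(r"O20 - Winlogon Notify: (\S+) - (.*)", line).groups()
            if name.lower() not in KNOWN_NOTIFY:
                why = "also registered as a BHO" if path.lower() in bho_dlls else "not a known Notify package"
                findings.append(Finding("high", "O20", f"Winlogon Notify {name} ({path}): {why}"))
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - [^:]+: \[([^\]]*)\] (.*)", line)
            if m:
                exe = _command_exe(m.group(2))
                if _basename(exe).lower() in SYSTEM_BINARIES and _dirname(exe) not in SYSTEM_DIRS:
                    findings.append(Finding("high", "O4", f"Run entry [{m.group(1)}] starts {_basename(exe)} from {_dirname(exe)}"))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(Finding("medium", "O15", f"Trusted Zone entry relaxes IE security for {line.split(': ', 1)[1]}"))
        elif line.startswith("R1 - ") and "ProxyServer" in line:
            host = line.split("= ", 1)[1].rsplit(":", 1)[0]
            try:
                private = ipaddress.ip_address(host).is_private
            except ValueError:
                private = False
            note = "private address, plausibly a corporate proxy" if private else "public address, confirm it is expected"
            findings.append(Finding("info" if private else "medium", "R1", f"proxy {host}: {note}"))
        elif line.startswith("R3 - ") and line.endswith("(no file)"):
            findings.append(Finding("low", "R3", "orphaned URLSearchHook, safe to remove"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.detail}")
```

Run against the sample, the script reports pmxuman.exe, awtqn.dll (both as a BHO and as a Notify package), kwbeqqgg.dll, the [Tair] mmc.exe copy and the dollarrevenue.com zone entry as high or medium, and the 10.241.32.12 proxy as informational only because it is a private address. The name heuristic is deliberately crude; SDHelper.dll passes it because it has a normal vowel spacing, but any BHO it flags should still be confirmed by checking the file's publisher and creation date before it is removed.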
-
Can you supply the following since you can't get the uninstall list.
Download and unzip to your desktop InstalledPrograms.zip (http://www.billsway.com/vbspage/vbsfiles/InstalledPrograms.zip)
Double click on InstalledPrograms.vbs
Click OK at the IP prompt and click YES to view the results now
A text file will open, can you copy and paste back here the whole contents
ALLOW this script to run if prompted by Windows Defender and/or AntiVirus
-
As requested, VB script run:
INSTALLED SOFTWARE (178) - LOKI - 11/9/2006 8:22:41 PM
Ad-Aware SE Personal Ver: 1.06
Adobe Reader 7.0.7 Ver: 7.0.7 Installed: 2/22/2006
Advanced Batch Converter
ALPS Touch Pad Driver
Altova XMLSpy 2006 Home Edition Ver: 2006.20 Installed: 3/28/2006
Analytics_7.2 Ver: 1.0.0.0 Installed: Fri Jun 16 09:52:06 PDT 2006
AOL Instant Messenger
Apache HTTP Server 2.0.55 Ver: 2.0.55 Installed: 1/20/2006
ATI - Software Uninstall Utility Ver: 6.14.10.1012
ATI Control Panel Ver: 6.14.10.5154
ATI Display Driver Ver: 8.131.1.2-050706a-025030C-Dell
Broadcom Advanced Control Suite 2 Ver: 7.73.01 Installed: 11/13/2005
Broadcom Advanced Control Suite 2 Ver: 7.73.01 Installed: 11/13/2005
Broadcom ASF Management Applications Ver: 5.09.01 Installed: 11/13/2005
Broadcom ASF Management Applications Ver: 5.09.01 Installed: 11/13/2005
CA AllFusion ERwin Data Modeler r7 Ver: 7.001.1075 Installed: 8/24/2006
Cavaj Java Decompiler
CCleaner (remove only)
CentraOne
Codec Pack - All In 1 6.0.3.0
Dell Printer Software Ver: 1.00.000
EditPlus 2
eRAS Extranet Access Client
FileZilla (remove only)
Google Toolbar for Internet Explorer
HijackThis 1.99.1 Ver: 1.99.1
Hummingbird Exceed V7.0 Ver: 7.0.0.2 Installed: 8/30/2006
Information Manager Ver: 1.0.0.0 Installed: Wed Jun 07 17:11:42 PDT 2006
Intel® PROSet/Wireless Software Ver: 9.00.0000
Internal Network Card Power Management Ver: 1.7.0
Java 2 Runtime Environment, SE v1.4.2_12 Ver: 1.4.2_12 Installed: 9/7/2006
Java 2 SDK, SE v1.4.2_09 Ver: 1.4.2_09 Installed: 1/20/2006
Java 2 SDK, SE v1.4.2_12 Ver: 1.4.2_12 Installed: 9/7/2006
Lavasoft VX2 Cleaner
Macromedia Flash Player 8 Ver: 8
McAfee VirusScan Enterprise Ver: 8.0.0 Installed: 1/25/2006
mCore Ver: 1.19.0000 Installed: 11/13/2005
mDrWiFi Ver: 1.19.0000 Installed: 11/13/2005
mHlpDell Ver: 1.19.0000 Installed: 11/13/2005
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 1/19/2006
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Professional Edition 2003 Ver: 11.0.5614.0 Installed: 1/19/2006
Microsoft Office Visio Professional 2003 Ver: 11.0.4301.6360 Installed: 7/28/2006
Microsoft SQL Server 2000 Ver: 8.00.194 Installed: 1-19-2006
mIWA Ver: 1.19.0000 Installed: 11/13/2005
mIWCA Ver: 1.19.0000 Installed: 11/13/2005
mLogView Ver: 1.19.0000 Installed: 11/13/2005
mMHouse Ver: 1.19.0000 Installed: 11/13/2005
Mozilla Firefox (1.5.0.8) Ver: 1.5.0.8 (en-US)
Mozilla Thunderbird (1.5.0.4) Ver: 1.5.0.4 (en-US)
mPfMgr Ver: 1.19.0000 Installed: 11/13/2005
mPfWiz Ver: 1.19.0000 Installed: 11/13/2005
mProSafe Ver: 9.00.0000 Installed: 11/13/2005
MSN Music Assistant
mSSO Ver: 1.19.0000 Installed: 11/13/2005
mToolkit Ver: 1.19.0000 Installed: 11/13/2005
mWlsSafe Ver: 9.00.0000 Installed: 11/13/2005
mXML Ver: 1.19.0000 Installed: 11/13/2005
mZConfig Ver: 1.19.0000 Installed: 11/13/2005
Nextance Ver: 1.0.0.0 Installed: Tue Jan 31 10:35:26 PST 2006
O2Micro Smartcard Driver Ver: 2.21.0000 Installed: 11/13/2005
O2Micro Smartcard Driver Ver: 2.21.0000 Installed: 11/13/2005
Password Safe
PowerDVD 5.1
ProServSDK Ver: 2.0.0 Installed: 4/11/2006
PuTTY version 0.58 Ver: 0.58
Python 2.4.3 Ver: 2.4.3150 Installed: 4/27/2006
QuickSet Ver: 3.9.4
QuickTime
Security Update for Step By Step Interactive Training (KB898458) Ver: 20050502.101010 Installed: 1/19/2006
Security Update for Windows Media Player (KB911564) Installed: 2/15/2006
Security Update for Windows Media Player 10 (KB917734) Installed: 11/9/2006
Security Update for Windows Media Player 9 (KB911565) Installed: 2/15/2006
Security Update for Windows XP (KB890046) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB893066) Ver: 2 Installed: 1/19/2006
Security Update for Windows XP (KB893756) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB896358) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB896422) Ver: 1
Security Update for Windows XP (KB896423) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB896424) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB896428) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB899587) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB899589) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB899591) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB900725) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB901017) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB901214) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB902400) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB904706) Ver: 2 Installed: 1/20/2006
Security Update for Windows XP (KB905414) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB905749) Ver: 1 Installed: 1/19/2006
Security Update for Windows XP (KB905915) Ver: 1 Installed: 1/20/2006
Security Update for Windows XP (KB908519) Ver: 1 Installed: 1/20/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 2/15/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 1/20/2006
Security Update for Windows XP (KB913446) Ver: 1 Installed: 2/18/2006
Security Update for Windows XP (KB913580) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB914388) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB917422) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB918439) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB918899) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB919007) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB920214) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB920670) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB920683) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB920685) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB921398) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB921883) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB922616) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB922819) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB923191) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB923414) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB924191) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB924496) Ver: 1 Installed: 11/9/2006
Security Update for Windows XP (KB925486) Ver: 1 Installed: 11/9/2006
Skype 2.5 Ver: 2.5
Software AG Base Technology Ver: 4.4.1.6 Installed: 1/20/2006
Software AG Base Technology Ver: 4.4.1.6 Installed: 1/20/2006
Software AG Extended Transport Service Ver: 2.1.1.19 Installed: 1/20/2006
Software AG Extended Transport Service Ver: 2.1.1.27 Installed: 1/20/2006
Software AG Extended Transport Service Ver: 2.1.1.27 Installed: 1/20/2006
Software AG System Management Hub Ver: 3.4.1.6 Installed: 1/20/2006
Software AG System Management Hub Ver: 3.4.1.6 Installed: 1/20/2006
Software AG Tamino XML Server 4.2.1 Ver: 4.2.1.1 Installed: 1/20/2006
Software AG Tamino XML Server 4.2.1 Ver: 4.2.1.1 Installed: 1/20/2006
Software AG Tamino XML Server 4.2.1 Ver: 4.2.1.8 Installed: 1/20/2006
Software AG Tamino XML Server 4.2.1 Ver: 4.2.1.811 Installed: 1/20/2006
Software AG Tamino XML Server 4.2.1 Patch 811 Ver: 4.2.1.811 Installed: 1/20/2006
Software AG Tamino XML Server 4.2.1 Update 8 Ver: 4.2.1.8 Installed: 1/20/2006
Software AG Universal Transaction Platform Ver: 1.2.1.8 Installed: 1/20/2006
Software AG Universal Transaction Platform Ver: 1.2.1.8 Installed: 1/20/2006
Sonic DLA Ver: 4.95 Installed: 11/13/2005
Sonic RecordNow! Plus Ver: 7.3 Installed: 11/13/2005
Sonic Update Manager Ver: 2.9 Installed: 11/13/2005
Spybot - Search & Destroy 1.4 Ver: 1.4
SpywareBlaster v3.5.1 Ver: 3.5.1
Subversion 1.3.0-r17949 Ver: 1.3.0-r17949
Tar-1.13 Binaries (GnuWin32) Ver: 1.13
Toad for Oracle Freeware
Trillian
Update for Windows XP (KB894391) Ver: 1 Installed: 1/19/2006
Update for Windows XP (KB898461) Ver: 1 Installed: 1/19/2006
Update for Windows XP (KB900485) Ver: 2 Installed: 11/9/2006
Update for Windows XP (KB908531) Ver: 2 Installed: 11/9/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 1/20/2006
Update for Windows XP (KB911280) Ver: 2 Installed: 11/9/2006
Update for Windows XP (KB916595) Ver: 1 Installed: 11/9/2006
Update for Windows XP (KB920872) Ver: 1 Installed: 11/9/2006
Update for Windows XP (KB922582) Ver: 1 Installed: 11/9/2006
VMware Workstation Ver: 5.5.0.19175 Installed: 1/24/2006
VPN Client
WebEx
WebFldrs XP Ver: 9.50.7523 Installed: 8/11/2004
Windows Defender Ver: 1.1.1592.0 Installed: 11/8/2006
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB885855 Ver: 20040930.104104
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB887742 Ver: 20041103.095002
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB888310 Ver: 20041027.095746
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB890859 Ver: 1 Installed: 1/19/2006
Windows XP Hotfix - KB890923 Ver: 1 Installed: 11/13/2005
Windows XP Hotfix - KB891781 Ver: 20050110.165439
-
Your version of Sun Java is out of date and should be updated for security reasons
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 (http://java.sun.com/javase/downloads/index.jsp)
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation Multi-language
Save the file to your Desktop.
Don't install it yet
Access your Add/remove programs via Control Panel
Search in the list for all previous installed versions of Java. (J2SE or Java 2 Runtime Environment.... )
They should have the following icon next to it: (http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Select it and click Remove on all of them
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) and save it to desktop
We will need it later
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
We'll need it later
We must disable Windows Defender's realtime protections so they won't interfere with any Fixes we are about to try
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
Please leave these disabled till we are all done here.
Vundofix.exe
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
When that's done
Go ahead and install the latest version of Sun Java from the Installer on your desktop
You can delete the installer afterwards
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post back all the following please
1. Post the log from combofix
2. Post a fresh Hijackthis log
3. Post the log from Vundofix>>C:\Vundofix.txt
-
I saw some sweet Vundo action. Hopefully that did the trick:
***********Hijack this log (fresh with another rename):
Logfile of HijackThis v1.99.1
Scan saved at 9:27:22 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\Hijack_this.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://Email Removed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.241.32.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pmxuman.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {992C3C1A-D273-4CEA-8E79-9C14A04F1449} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\kwbeqqgg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\CROSOF~1\mmc.exe" -vt ndrv
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Startup: Pageant.lnk = C:\Program Files\PuTTY\pageant.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://inquira.webex.com/client/T22L/webex/ieatgpc.cab
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Software AG EventLayer Service (argevtsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argevsrv.exe
O23 - Service: Software AG MILayer Service (argmlsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argmlsrv.exe
O23 - Service: Software AG CSLayer Service (argsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ConverterService - Unknown owner - C:\InQuira_7.2_staging\inquira\src\prep\ext\msofficeprep\.\converterservice.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Inquira-IM-JMS (IM_OpenJMS) - Unknown owner - C:\InQuira_7.2\InfoManager\servicewrapper\bin\wrapper.exe
O23 - Service: Inquira-bayer - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayer-infomanager - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayerrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprint - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev-workbench - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDevrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprintrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Software AG UTX Daemon (ServiceUTXDAEM) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
O23 - Service: Software AG UTX Event Logger (ServiceUTXEL) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Software AG XTS Directory Server (XTSDirSrv) - Software AG - C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
**********Combo fix log
Grant Liu - 06-11-09 21:20:46.98 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Grant Liu\Desktop\Destroy Spyware"
((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Grant Liu\Application Data\Dxcuknwrd.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\wtssvcc.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1\??crosoft
((((((((((((((((((((((((((((((( Files Created from 2006-10-09 to 2006-11-09 ))))))))))))))))))))))))))))))))))
2006-11-09 11:40 60,436 --a------ C:\WINDOWS\system32\kwbeqqgg.dll
2006-11-08 23:09 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-11-08 10:36 60,436 --a------ C:\WINDOWS\system32\irtpncxy.dll
2006-11-08 10:36 110,612 --a------ C:\WINDOWS\system32\warrrojv.exe
2006-11-08 10:16 131,072 --a------ C:\WINDOWS\system32\vqvpd.dll
2006-11-08 10:15 45,056 --a------ C:\mpnaaq7.exe
2006-11-08 10:15 323,072 --a------ C:\165.exe
2006-11-08 10:15 28,672 --a------ C:\WINDOWS\system32hlvi6wkjc.exe
2006-11-08 10:15 28,672 --a------ C:\WINDOWS\system32\pfbo0yj.exe
2006-11-08 10:15 28,672 --a------ C:\WINDOWS\system32\hlvi6wkjc.exe
2006-11-08 10:15 24,576 --a------ C:\WINDOWS\system32ysjaevwx.exe
2006-11-08 10:15 24,576 --a------ C:\WINDOWS\system32\ysjaevwx.exe
2006-11-08 10:15 217,276 --a------ C:\WINDOWS\srviityu.exe
2006-11-08 10:15 20,480 --a------ C:\WINDOWS\stub_mm3.exe
2006-11-08 10:15 0 --a------ C:\WINDOWS\system32nrnqetwbz.exe
2006-11-08 10:14 40,973 ---hs---- C:\WINDOWS\system32\qomklkh.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-09 21:22 -------- d-------- C:\Program Files\Common Files
2006-11-09 21:19 -------- d-------- C:\Program Files\Java
2006-11-09 21:18 -------- d-------- C:\Program Files\Common Files\Java
2006-11-09 21:14 -------- d-------- C:\Program Files\Trillian
2006-11-09 18:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-09 16:47 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-09 14:08 -------- d-------- C:\Program Files\CentraOne
2006-11-08 23:26 -------- d-------- C:\Documents and Settings\Grant Liu\Application Data\çasks
2006-11-08 23:10 -------- d-------- C:\Program Files\Internet Explorer
2006-11-08 23:04 -------- d-------- C:\Program Files\Outlook Express
2006-11-08 23:04 -------- d-------- C:\Program Files\Common Files\System
2006-11-08 22:32 -------- d-------- C:\Program Files\Windows Defender
2006-11-08 22:14 -------- d-------- C:\Program Files\CCleaner
2006-11-08 16:11 -------- d-------- C:\Program Files\Windows NT
2006-11-08 16:04 -------- d-------- C:\Program Files\Messenger
2006-11-08 12:45 -------- d-------- C:\Program Files\Lavasoft
2006-11-08 12:45 -------- d-------- C:\Documents and Settings\Grant Liu\Application Data\Lavasoft
2006-11-08 11:50 -------- d-------- C:\Program Files\Advanced Batch Converter
2006-11-08 10:36 -------- d-------- C:\Program Files\VSAdd-in
2006-11-08 10:27 -------- d-------- C:\Documents and Settings\Grant Liu\Application Data\Skype
2006-11-06 15:27 -------- d-------- C:\Documents and Settings\Grant Liu\Application Data\LinkedIn
2006-10-17 17:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-17 17:03 -------- d-------- C:\Program Files\ATI Technologies
2006-10-17 13:23 -------- d-------- C:\Program Files\Google
2006-10-04 10:44 -------- d-------- C:\Program Files\ReaSoft
2006-09-30 11:11 -------- d-------- C:\Program Files\QuickTime
2006-09-30 11:11 -------- d-------- C:\Program Files\Apoint
2006-09-28 07:58 186954 --a------ C:\WINDOWS\system32\atasnt40.dll
2006-09-25 12:44 -------- d-------- C:\Program Files\EditPlus 2
2006-09-22 16:03 -------- d-------- C:\Program Files\Sprint eRAS
2006-09-21 08:25 -------- d-------- C:\Program Files\eRAS
2006-09-20 10:19 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2006-09-18 15:21 -------- d-------- C:\Documents and Settings\Grant Liu\Application Data\Google
2006-09-15 13:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-15 09:21 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 03:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Tair"="\"C:\\PROGRA~1\\COMMON~1\\CROSOF~1\\mmc.exe\" -vt ndrv"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000000
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="C:\\Program Files\\Windows NT\\meceweqyq.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,b4,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Messenger\\pofozos.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,b4,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: 06-11-09 21:24:50.54
C:\ComboFix.txt ... 06-11-09 21:24
*********Vundo log
VundoFix V6.2.8
Checking Java version...
Scan started at 9:00:04 PM 11/9/2006
Listing files found while scanning....
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\nqtwa.tmp
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtqn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\nqtwa.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\nqtwa.tmp
C:\WINDOWS\system32\nqtwa.tmp Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.8
Checking Java version...
Scan started at 9:15:24 PM 11/9/2006
Listing files found while scanning....
No infected files were found.
-
I'm just on my way to bed
If you could do the following in the meantime please
Download The Avenger.zip (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing Ctrl+C on your keyboard,
=============================================================
files to delete:
C:\WINDOWS\system32\kwbeqqgg.dll
C:\WINDOWS\system32\irtpncxy.dll
C:\WINDOWS\system32\warrrojv.exe
C:\WINDOWS\system32\vqvpd.dll
C:\mpnaaq7.exe
C:\165.exe
C:\WINDOWS\system32hlvi6wkjc.exe
C:\WINDOWS\system32\pfbo0yj.exe
C:\WINDOWS\system32\hlvi6wkjc.exe
C:\WINDOWS\system32ysjaevwx.exe
C:\WINDOWS\system32\ysjaevwx.exe
C:\WINDOWS\srviityu.exe
C:\WINDOWS\stub_mm3.exe
C:\WINDOWS\system32nrnqetwbz.exe
C:\WINDOWS\system32\qomklkh.dll
C:\WINDOWS\uni_e6h.exe
C:\Program Files\Messenger\pofozos.html
C:\Program Files\Windows NT\meceweqyq.html
Folders to delete:
C:\Program Files\VSAdd-in
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now Reboot your computer
Back in Windows
Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")
Can you run CCleaner again with default settings
Afterwards
Do a "System scan only" with Hijackthis and put a check next to these entries:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pmxuman.exe
O2 - BHO: (no name) - {992C3C1A-D273-4CEA-8E79-9C14A04F1449} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\kwbeqqgg.dll
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\CROSOF~1\mmc.exe" -vt ndrv
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer one more time
I would take the time to do the following as a followup
Download>>Install AVG Anti-Spyware 7.5 (http://www.ewido.net/en/download/) from Ewido Networks. Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Select the "Scanner" tab
- Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected
- Click back to the "Scan" tab and then click on Complete System Scan.
- Let this scan complete
- AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot one last time
Come back here and post all the following
I'll look over the logs at first chance
Let me know how things are running
1. Post a fresh hijackthis log
2. Post the report from AVG-Antispyware
3. Post the log from Avenger, found here>>C:\Avenger.txt
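As an added example (my code, not the helper's or any tool from this thread), a small Python triage over the HijackThis line types singled out above: a UserInit value that launches more than userinit.exe, unnamed or orphaned O2 BHOs, and an O4 Run entry starting a Windows system binary from outside C:\WINDOWS. The sample log lines are constructed from this thread's posts; the canonical UserInit path, the known-good BHO allowlist and the system-binary name list are my assumptions for a stock XP box.

```python
"""Triage a HijackThis v1.99.1 log for the entry patterns flagged in this thread."""
import re

# Constructed sample: the four entries the helper asked to fix plus three benign
# entries from the same log, in HijackThis line format (not a real capture file).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pmxuman.exe
O2 - BHO: (no name) - {992C3C1A-D273-4CEA-8E79-9C14A04F1449} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\kwbeqqgg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\CROSOF~1\mmc.exe" -vt ndrv
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

# Assumption: on a stock XP install UserInit should launch only this program.
CANONICAL_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumption: unnamed BHOs that are known good (Spybot's SDHelper from this log).
KNOWN_GOOD_BHO_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}
# Assumption: Windows binaries that should never start from outside C:\WINDOWS.
SYSTEM_BINARY_NAMES = {"mmc.exe", "svchost.exe", "explorer.exe", "winlogon.exe"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")


def command_exe(cmd: str) -> str:
    """Return the executable path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str):
    """Return (section, subject, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Anything after the comma is an extra program run at every logon.
            programs = [p.strip() for p in line.split("UserInit=", 1)[1].split(",")]
            extras = [p for p in programs if p and p.lower() != CANONICAL_USERINIT]
            if extras:
                findings.append(("F2", "UserInit", "extra program(s): " + ", ".join(extras)))
            continue
        m = BHO_RE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)" and m["clsid"] not in KNOWN_GOOD_BHO_CLSIDS:
                reasons.append("unnamed BHO")
            if m["path"].endswith("(file missing)"):
                reasons.append("DLL missing")  # orphaned registration left behind
            if reasons:
                findings.append(("O2", m["clsid"], "; ".join(reasons)))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = command_exe(m["cmd"])
            name = exe.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARY_NAMES and not exe.lower().startswith("c:\\windows\\"):
                findings.append(("O4", m["value"], f"system binary {name} started from {exe}"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section:<3} {subject:<40} {reason}")
```

The SDHelper line shows why an "(no name)" hit alone is only a prompt to check, not a verdict: the allowlist is what keeps a known-good entry out of the findings.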
-
Here are the logs after following your instructions to the word. I'll be using the machine today for some work,
so I'll follow up with how it is running. I'll keep activity to a minimum though, until I hear back from you again,
in case there are remaining infections and they mutate. Thanks!
**********Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\grydkhny
*******************
Script file located at: \??\C:\WINDOWS\oimfcqgr.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\kwbeqqgg.dll deleted successfully.
File C:\WINDOWS\system32\irtpncxy.dll deleted successfully.
File C:\WINDOWS\system32\warrrojv.exe deleted successfully.
File C:\WINDOWS\system32\vqvpd.dll deleted successfully.
File C:\mpnaaq7.exe deleted successfully.
File C:\165.exe deleted successfully.
File C:\WINDOWS\system32hlvi6wkjc.exe deleted successfully.
File C:\WINDOWS\system32\pfbo0yj.exe deleted successfully.
File C:\WINDOWS\system32\hlvi6wkjc.exe deleted successfully.
File C:\WINDOWS\system32ysjaevwx.exe deleted successfully.
File C:\WINDOWS\system32\ysjaevwx.exe deleted successfully.
File C:\WINDOWS\srviityu.exe deleted successfully.
File C:\WINDOWS\stub_mm3.exe deleted successfully.
File C:\WINDOWS\system32nrnqetwbz.exe deleted successfully.
File C:\WINDOWS\system32\qomklkh.dll deleted successfully.
File C:\WINDOWS\uni_e6h.exe deleted successfully.
File C:\Program Files\Messenger\pofozos.html not found!
Deletion of file C:\Program Files\Messenger\pofozos.html failed!
Could not process line:
C:\Program Files\Messenger\pofozos.html
Status: 0xc0000034
File C:\Program Files\Windows NT\meceweqyq.html not found!
Deletion of file C:\Program Files\Windows NT\meceweqyq.html failed!
Could not process line:
C:\Program Files\Windows NT\meceweqyq.html
Status: 0xc0000034
Folder C:\Program Files\VSAdd-in deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
************AVG
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:56:31 AM 11/10/2006
+ Scan result:
C:\avenger\backup.zip/avenger/VSAdd-in/VSAdd-in.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/stub_mm3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/vqvpd.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/hlvi6wkjc.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/system32hlvi6wkjc.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/mpnaaq7.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/irtpncxy.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/kwbeqqgg.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/system32ysjaevwx.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/ysjaevwx.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
::Report end
*********Hijack This
Logfile of HijackThis v1.99.1
Scan saved at 8:58:18 AM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\Hijack__this.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://Email Removed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.241.32.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Startup: Pageant.lnk = C:\Program Files\PuTTY\pageant.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://inquira.webex.com/client/T22L/webex/ieatgpc.cab
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Software AG EventLayer Service (argevtsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argevsrv.exe
O23 - Service: Software AG MILayer Service (argmlsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argmlsrv.exe
O23 - Service: Software AG CSLayer Service (argsrv) - Software AG - C:\Program Files\Software AG\System Management Hub\bin\argsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ConverterService - Unknown owner - C:\InQuira_7.2_staging\inquira\src\prep\ext\msofficeprep\.\converterservice.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Inquira-IM-JMS (IM_OpenJMS) - Unknown owner - C:\InQuira_7.2\InfoManager\servicewrapper\bin\wrapper.exe
O23 - Service: Inquira-bayer - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayer-infomanager - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-bayerrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprint - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDev-workbench - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-SprintDevrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Inquira-sprintrt1 - Unknown owner - C:\InQuira_7.2\bin\win32\inquira.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Software AG UTX Daemon (ServiceUTXDAEM) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxdaem.exe
O23 - Service: Software AG UTX Event Logger (ServiceUTXEL) - Software AG - C:\Program Files\Software AG\Universal Transaction Platform\bin\utxel.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Software AG XTS Directory Server (XTSDirSrv) - Software AG - C:\Program Files\Software AG\Extended Transport Service\xtsdssvc.exe
-
That looks better
If everything is running good
I suggest you do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and click create
When that's done
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the 'More Options' tab
and click Cleanup under System Restore
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
I see you have SpywareBlaster installed
Ensure it is the latest version 3.5.1
and keep it updated
Go back and reenable Windows Defender's realtime protections if still disabled
You can delete the following
InstalledPrograms.zip and Installedprograms.vbs
Also the text file it produced
Vundofix.exe
Combofix.exe
Avenger.zip and Avenger.exe
C:\Avenger.txt
C:\Vundofix.txt
C:\combofix.txt
Folders
C:\avenger
C:\VundoFix Backups
C:\Qoobox
If you don't plan on holding onto Hijackthis
Go ahead and remove it from Add/remove programs
Then delete Hijackthis.exe and the backup folder
NOTE: AVG-Antispyware is fully functional for 30 days
After which time it will become a free limited version
It will still update and remove malware after the trial period
Up to you to keep it or uninstall it
If you do hold onto it
And you have Windows Defender Realtime protections enabled
It should be unnecessary to keep AVG enabled also
Right click the Icon by the clock>>Uncheck "Resident Shield"
"Automatic Updates" and "Start with Windows"
You can manually update
Run a scan every once in awhile
Stay safe
:)
-
You're like some sort of god to me now. My machine is running much cleaner. No pop-ups, though McAfee is being quirky.
Curious to know, how did you glean such quick info from the Hijack this logs. Some looked suspicious to me, but some were a surprise. Is it from experience, after looking at a million logs? Doing my own research and googling didn't help my cause too much. You seemed to pick just the right weapons for the battle too, which was awesome. Curious to know what your thought process was while doing that. I assume it's experience combined with good ol' problem solving and intuition.
Thanks again. You the man.
Grant
-
I've read thousands of logs, you get used to what's good or bad
Some are more difficult than others
I'm curious about what you mean by McAfee being quirky
Can you expand on that, has your subscription expired?
Thank you very much for the donation, it is very appreciated
-
McAfee on-access scan doesn't autostart although I enabled that.
Once I manually enable it, it doesn't show in the task bar until I click "statistics".
-
I don't use McAfee
You appear to have Enterprise 8.0 installed
Have you manually checked for updates from the McAfee site?
Do you need any patches?
http://www.mcafee.com/us/smb/support/index.html