TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Chris24 on May 12, 2008, 08:08:17 PM

Title: trojan infected..pls help, HijackThis log
Post by: Chris24 on May 12, 2008, 08:08:17 PM
Hi All,
My laptop got infected yesterday and it's slowing my machine and opening different pop-ups.
Please help.

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:01:52 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.pctools.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


 
Please help................   :-(
Post by: guestolo on May 12, 2008, 08:40:04 PM
Can you do the following, please?

You have a few spyware tools running; we need to disable their protections so they won't interfere with any fixes we try.

Windows Defender
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck "Turn on real-time protection (recommended)".
After you uncheck this, click on the Save button and close Windows Defender.

Spyware Doctor
To deactivate Spyware Doctor's OnGuard Tools:

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".


Afterwards, I would like you to try another scanner, please.
Download Malwarebytes' Anti-Malware from here (http://www.besttechie.net/tools/mbam-setup.exe) or here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html).
Save the installer to your desktop.

Double-click mbam-setup.exe to install the application.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

After you have posted that report from Malwarebytes,
please do the following:

Download this file - ComboFix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) - and save it ONLY to your desktop.
Temporarily disable your AntiVirus software also, so it won't interfere with this next tool.
Physically disconnect the Internet cable from your computer.

Double-click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt.
I'll need to see this log later.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When ComboFix is done, re-enable your AntiVirus, then connect back to the Internet.
If you don't get a connection, simply reboot the computer.
Post the log from ComboFix in a separate reply, please.
Post by: Chris24 on May 12, 2008, 10:54:38 PM
Thank you very much.

Following is the MBAM log

Malwarebytes' Anti-Malware 1.12
Database version: 744

Scan type: Full Scan (C:\|)
Objects scanned: 192149
Time elapsed: 1 hour(s), 14 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayxvWMg.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab374ace-4320-4727-8cba-55bba8958486} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ab374ace-4320-4727-8cba-55bba8958486} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxvwmg (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM348c2f85 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdcbqi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdcbqi  -> Delete on reboot.

Folders Infected:
C:\Program Files\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din3 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\IQBcdccf.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\IQBcdccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rukgknlr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlnkgkur.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temp\wavvsnet.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temporary Internet Files\Content.IE5\B7HF7T8W\wavvsnet[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\TTC.dll (Adware.WebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.7.4\wbuninst.exe.vir (Adware.WebBuying) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.7.4\webbuying.exe.vir (Adware.WebBuying) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir (Adware.Softomate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087480.exe (Adware.Winpop) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087481.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087482.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din3\PI-setup03x.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hNF\srkawe3.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ndb2\BD-2bin.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdTMP\bvre32.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\Program Files\winvi\Uninst.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ktkuqcrk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxvWMg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\Click to Find and Fix Errors.url (Rogue.Link) -> Quarantined and deleted successfully.
Post by: Chris24 on May 12, 2008, 10:56:52 PM
Hi,
Following is the combofix log:
ComboFix 08-05-12.1 - VAMSHI ATMAKUR 2008-05-12 22:28:36.1 - NTFSx86
Running from: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\ComboFix.exe
 * Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acsegbhk.ini
C:\WINDOWS\system32\cbeeg.tmp2
C:\WINDOWS\system32\cyinxphn.ini
C:\WINDOWS\system32\IQBcdccf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\win
C:\WINDOWS\zxbowokA.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


(((((((((((((((((((((((((   Files Created from 2008-04-13 to 2008-05-13  )))))))))))))))))))))))))))))))
.

2008-05-12 21:05 . 2008-05-12 21:05 114,688 --a------ C:\WINDOWS\system32\hijnffgr.dll
2008-05-12 21:05 . 2008-05-12 22:41 474 ---hs---- C:\WINDOWS\system32\rgffnjih.ini
2008-05-12 21:02 . 2008-05-12 21:02 132,608 --a------ C:\WINDOWS\system32\vwnbyduq.dll
2008-05-12 21:02 . 2008-05-12 21:02 2,048 --a------ C:\WINDOWS\system32\mbempmqt.exe
2008-05-12 20:59 . 2008-05-12 22:20 124,416 --------- C:\WINDOWS\system32\ktkuqcrk.dll
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 20:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 20:55 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-11 21:22 . 2008-05-12 20:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 16:10 . 2008-05-11 16:10 2,048 --a------ C:\WINDOWS\system32\kstbripf.exe
2008-05-11 16:08 . 2008-05-11 16:08 125,440 --a------ C:\WINDOWS\system32\iorvuhgh.dll
2008-05-11 16:08 . 2008-05-12 20:59 109,807 --a------ C:\WINDOWS\BM348c2f85.xml
2008-05-11 16:04 . 2008-05-12 22:20 372,224 --------- C:\WINDOWS\system32\fccdcBQI.dll
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\vdTMP
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\Ndb2
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\hNF
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\WINDOWS\system32\2033b
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\Temp\maxsv15
2008-05-11 15:57 . 2008-05-12 22:20 52,736 --------- C:\WINDOWS\system32\yayxvWMg.dll
2008-05-04 09:52 . 2008-05-04 09:53 <DIR> d-------- C:\Program Files\SopCast

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 23:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 21:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-11 21:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-11 21:34 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-07 13:29 47,344 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\GDIPFONTCACHEV1.DAT
2006-01-08 17:03 560 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\ViewerApp.dat
2004-08-21 14:51 21,447 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Favorites.zip
2004-07-31 16:23 0 --sh--r C:\Program Files\q330994.exe
2004-07-23 01:45 1,160,964 ----a-w C:\Documents and Settings\Guest\wrar34b2.exe
2004-07-23 01:44 9,228,986 ----a-w C:\Documents and Settings\Guest\vlc-0.7.2-win32.exe
2004-07-23 01:41 3,292,584 ----a-w C:\Documents and Settings\Guest\DivXPlayerInstaller.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\cvchost.exe
2004-06-28 09:02 2,926 --sha-w C:\WINDOWS\egcng.dat
2004-07-03 03:37 2,926 --sha-w C:\WINDOWS\givip.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msstasks.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mssys.com
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mstaskss.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msxmidi.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\ntldr.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\rocky.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\seksdialer.exe
2004-07-04 04:47 2,926 --sha-w C:\WINDOWS\vjrkb.dat
2004-06-21 09:24 2,926 --sha-w C:\WINDOWS\vsdbk.dat
2004-07-03 22:27 2,926 --sha-w C:\WINDOWS\worst.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\system.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\wmscrop.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.dll
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.exe
2004-07-10 03:00 2,926 --sha-w C:\WINDOWS\system32\dntwj.dat
2004-07-07 21:08 2,926 --sha-w C:\WINDOWS\system32\hahhu.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\jac.dll
2004-07-10 00:28 2,926 --sha-w C:\WINDOWS\system32\lmzri.dat
2004-06-27 23:19 2,926 --sha-w C:\WINDOWS\system32\lqvef.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\msxslab.dll
2004-07-13 10:44 2,926 --sha-w C:\WINDOWS\system32\qjeuv.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20AFE46C-B5B2-46FB-820B-75AB0066558A}]
   C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8709e651-514d-424f-ac80-b4de631f6762}]
2008-05-12 21:02 132608 --a------ C:\WINDOWS\system32\vwnbyduq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d905490f-7eef-48be-8bc5-1ce778714bac}]
   C:\WINDOWS\system32\ypuigup.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f611b61e-b4c8-471d-932b-8466e2bb9f75}]
   C:\WINDOWS\System32\cdfesk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"uninstal"="regsvr32 /u /s image.dll" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00 335872]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23 90112]
"MMTray"="" []
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 20:23 868352]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-02-05 18:26 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-02-05 18:26 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 20:49 397312]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-23 10:39 180269]
"37bf1c19"="C:\WINDOWS\system32\hijnffgr.dll" [2008-05-12 21:05 114688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2004-07-24 11:10:43 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdfesk]
cdfesk.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 17:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 12:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 14:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-22 05:05]
R3 WedgeTransport;IPSec Adapter;C:\WINDOWS\system32\DRIVERS\VIPSecMP.sys [2004-03-09 18:20]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 16:00]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\VAMSHI~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 P1001VID;Creative WebCam (WDM);C:\WINDOWS\system32\DRIVERS\P1001Vid.sys [2002-06-03 21:38]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-02-09 15:50]
S4 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
S4 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
S4 OracleServiceVAMSHI;OracleServiceVAMSHI;c:\oracle\ora92\bin\ORACLE.EXE VAMSHI []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 03:42:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-07-23 23:08:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:41:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\hijnffgr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Yahoo!\Antivirus\iSafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-12 22:51:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-13 03:50:40
ComboFix2.txt  2007-06-18 01:16:17

Pre-Run: 23,515,140,096 bytes free
Post-Run: 24,015,654,912 bytes free

213 --- E O F --- 2008-05-09 02:59:52
Post by: guestolo on May 13, 2008, 08:56:22 AM
Can you do the following for me, please?
Temporarily disable your AntiVirus software.

Please run a free online scan with the ESET Online Scanner (http://www.eset.eu/online-scanner).
Note: You will need to use Internet Explorer for this scan.
Post by: Chris24 on May 13, 2008, 11:16:20 PM
Sorry for the delay.
Following is the eset log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3096 (20080513)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=17ab7f944722ff4daae1e8ba992eeea1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-05-14 04:15:41
# local_time=2008-05-13 11:15:41 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1076803
# found=11
# scan_time=10096
C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.33375 probably a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2007-06-17_201249.35.zip Win32/Rootkit.Agent.EQ trojan (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2007-06-17_201249.35.zip »ZIP »core.sys Win32/Rootkit.Agent.EQ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\zxbowokA.exe.vir probably a variant of Win32/TrojanDownloader.VB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\dwncfpac.dll.vir Win32/Adware.Virtumonde.KI application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\geebc.dll.bad Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\pmnnoon.dll.bad Win32/TrojanDownloader.ConHook.NAI trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\browser.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\kstbripf.exe Win32/PrivacySet.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mbempmqt.exe Win32/PrivacySet.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\bkEur01\bkEur011065.exe a variant of Win32/TrojanDownloader.VB.AW trojan (unable to clean - deleted) 00000000000000000000000000000000


Please advise.
Post by: guestolo on May 14, 2008, 07:07:56 AM
Delete your copy of ComboFix, please.
Then re-download a fresh copy from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).
Again, ONLY save it to your desktop.

==Open Notepad
Copy ALL the text below, from File:: through C:\Temp, and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.
File::
C:\WINDOWS\system32\hijnffgr.dll
C:\WINDOWS\system32\rgffnjih.ini
C:\WINDOWS\system32\vwnbyduq.dll
C:\WINDOWS\system32\mbempmqt.exe
C:\WINDOWS\system32\ktkuqcrk.dll
C:\WINDOWS\system32\iorvuhgh.dll
C:\WINDOWS\BM348c2f85.xml
C:\WINDOWS\system32\fccdcBQI.dll
C:\WINDOWS\system32\yayxvWMg.dll
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\egcng.dat
C:\WINDOWS\givip.dat
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\vjrkb.dat
C:\WINDOWS\vsdbk.dat
C:\WINDOWS\worst.dat
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.exe
C:\WINDOWS\system32\dntwj.dat
C:\WINDOWS\system32\hahhu.dat
C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\lmzri.dat
C:\WINDOWS\system32\lqvef.dat
C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\system32\qjeuv.dat
Folder::
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\Ndb2
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\2033b
C:\Temp\maxsv15
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdfesk]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20AFE46C-B5B2-46FB-820B-75AB0066558A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8709e651-514d-424f-ac80-b4de631f6762}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d905490f-7eef-48be-8bc5-1ce778714bac}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f611b61e-b4c8-471d-932b-8466e2bb9f75}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uninstal"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=-
"TkBellExe"=-
"37bf1c19"=-
DirLook::
C:\Temp
Save this as a text file on your desktop
name it:
CFScript

Temporarily disable your AntiVirus software again
 
(http://i184.photobucket.com/albums/x99/guestolo/CFScript.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts

Do not mouse-click ComboFix's window while it is running. That may cause it to stall
Take notice: ComboFix may prompt that the computer needs to reboot, don't interrupt it
Allow it to

When finished, it shall produce a log for you with the name C:\ComboFix.txt
I'll need to see that log

NOTE:
# Combofix will disconnect your machine from the Internet as soon as it starts
# Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
# If there is no internet connection after running ComboFix, then restart your computer to restore your connection.

Post back all the following:

1. Post the log from ComboFix
2. Update and post a Hijackthis log

Delete your copy of HijackThis
Download the HijackThis installer from HERE (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe)
For an alternate download location, you can try HERE (http://fileforum.betanews.com/detail/HijackThis/1071179190/1)
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum
Title: trojan infected..pls help, HyjackThis log
Post by: Chris24 on May 14, 2008, 07:00:23 PM
ComboFix log is as follows:
ComboFix 08-05-12.1 - VAMSHI ATMAKUR 2008-05-14 18:24:29.2 - NTFSx86
Running from: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\VundoFix Backups
C:\VundoFix Backups\cbeeg.bak1.bad
C:\VundoFix Backups\cbeeg.bak2.bad
C:\VundoFix Backups\cbeeg.ini.bad
C:\VundoFix Backups\cbeeg.ini2.bad
C:\VundoFix Backups\cbeeg.tmp.bad
C:\WINDOWS\system32\2033b
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\Ndb2
C:\WINDOWS\system32\rgffnjih.ini
C:\WINDOWS\system32\vdTMP

.
(((((((((((((((((((((((((   Files Created from 2008-04-14 to 2008-05-14  )))))))))))))))))))))))))))))))
.

2008-05-14 18:16 . 2008-05-14 18:16 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-13 20:24 . 2008-05-13 23:15 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-12 21:05 . 2008-05-12 21:05 114,688 --a------ C:\WINDOWS\system32\hijnffgr.dll
2008-05-12 21:02 . 2008-05-12 21:02 132,608 --a------ C:\WINDOWS\system32\vwnbyduq.dll
2008-05-12 20:59 . 2008-05-12 22:20 124,416 --------- C:\WINDOWS\system32\ktkuqcrk.dll
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 20:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 20:55 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-11 21:22 . 2008-05-12 20:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 16:08 . 2008-05-11 16:08 125,440 --a------ C:\WINDOWS\system32\iorvuhgh.dll
2008-05-11 16:08 . 2008-05-12 20:59 109,807 --a------ C:\WINDOWS\BM348c2f85.xml
2008-05-11 16:04 . 2008-05-12 22:20 372,224 --------- C:\WINDOWS\system32\fccdcBQI.dll
2008-05-11 15:57 . 2008-05-12 22:20 52,736 --------- C:\WINDOWS\system32\yayxvWMg.dll
2008-05-04 09:52 . 2008-05-04 09:53 <DIR> d-------- C:\Program Files\SopCast

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 23:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 21:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-11 21:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-11 21:34 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-07 13:29 47,344 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\GDIPFONTCACHEV1.DAT
2006-01-08 17:03 560 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\ViewerApp.dat
2004-08-21 14:51 21,447 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Favorites.zip
2004-07-31 16:23 0 --sh--r C:\Program Files\q330994.exe
2004-07-23 01:45 1,160,964 ----a-w C:\Documents and Settings\Guest\wrar34b2.exe
2004-07-23 01:44 9,228,986 ----a-w C:\Documents and Settings\Guest\vlc-0.7.2-win32.exe
2004-07-23 01:41 3,292,584 ----a-w C:\Documents and Settings\Guest\DivXPlayerInstaller.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\cvchost.exe
2004-06-28 09:02 2,926 --sha-w C:\WINDOWS\egcng.dat
2004-07-03 03:37 2,926 --sha-w C:\WINDOWS\givip.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msstasks.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mssys.com
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mstaskss.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msxmidi.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\ntldr.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\rocky.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\seksdialer.exe
2004-07-04 04:47 2,926 --sha-w C:\WINDOWS\vjrkb.dat
2004-06-21 09:24 2,926 --sha-w C:\WINDOWS\vsdbk.dat
2004-07-03 22:27 2,926 --sha-w C:\WINDOWS\worst.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\system.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\wmscrop.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.dll
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.exe
2004-07-10 03:00 2,926 --sha-w C:\WINDOWS\system32\dntwj.dat
2004-07-07 21:08 2,926 --sha-w C:\WINDOWS\system32\hahhu.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\jac.dll
2004-07-10 00:28 2,926 --sha-w C:\WINDOWS\system32\lmzri.dat
2004-06-27 23:19 2,926 --sha-w C:\WINDOWS\system32\lqvef.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\msxslab.dll
2004-07-13 10:44 2,926 --sha-w C:\WINDOWS\system32\qjeuv.dat
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----

2008-05-11 15:57 1858 --a------ C:\Temp\maxsv15\rLCubd.log
2006-01-22 16:02 18179 --a------ C:\Temp\fftrace.log
2005-12-15 21:05 851 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-12-15-2005-20-02-54.log
2005-11-07 21:54 879 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-11-07-2005-20-52-01.log
2005-10-18 20:42 1562 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-10-18-2005-20-39-35.log
2005-08-20 12:13 1618 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-08-20-2005-12-10-27.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-41.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-39.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-16.log
2005-05-01 18:08 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-05-59.log
2005-05-01 18:06 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-03-20.log
2005-05-01 17:52 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-17-49-17.log
2003-11-18 09:31 69101 --------- C:\Temp\ETH1.jpg
2003-11-18 09:26 112 --------- C:\Temp\QuickStartGuide.html


(((((((((((((((((((((((((((((   snapshot@2008-05-12_22.50.06.34 (snapshot@2008-05-12_22.50.06.34)   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 03:39:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 23:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-06 18:17:40 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00 335872]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23 90112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 20:23 868352]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-02-05 18:26 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-02-05 18:26 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 20:49 397312]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2004-07-24 11:10:43 18432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 17:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 12:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 14:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-22 05:05]
R3 WedgeTransport;IPSec Adapter;C:\WINDOWS\system32\DRIVERS\VIPSecMP.sys [2004-03-09 18:20]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 16:00]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\VAMSHI~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 P1001VID;Creative WebCam (WDM);C:\WINDOWS\system32\DRIVERS\P1001Vid.sys [2002-06-03 21:38]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-02-09 15:50]
S4 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
S4 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
S4 OracleServiceVAMSHI;OracleServiceVAMSHI;c:\oracle\ora92\bin\ORACLE.EXE VAMSHI []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 23:15:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-07-23 23:08:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 18:31:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-05-14 18:41:07
ComboFix-quarantined-files.txt  2008-05-14 23:40:53
ComboFix2.txt  2008-05-13 03:51:14
ComboFix3.txt  2007-06-18 01:16:17

Pre-Run: 23,959,216,128 bytes free
Post-Run: 23,951,253,504 bytes free

203 --- E O F --- 2008-05-09 02:59:52
Title: trojan infected..pls help, HyjackThis log
Post by: Chris24 on May 14, 2008, 07:01:35 PM
Following is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:40 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157908995765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9199 bytes


Please advise.
Title: trojan infected..pls help, HyjackThis log
Post by: guestolo on May 14, 2008, 11:08:50 PM
Doesn't look like all files/folders were removed
Can you do the following please

download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

OTMoveIt would have created a log at this location:
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-- indicates date/time of log

Please post that log
In addition, run a fresh hijackthis log and post it and let me know how things are running please
Title: trojan infected..pls help, HyjackThis log
Post by: Chris24 on May 15, 2008, 09:43:25 PM
Here is the OTMoveIt log:
C:\Program Files\q330994.exe moved successfully.
C:\WINDOWS\cvchost.exe moved successfully.
C:\WINDOWS\egcng.dat moved successfully.
C:\WINDOWS\givip.dat moved successfully.
C:\WINDOWS\msstasks.exe moved successfully.
C:\WINDOWS\mssys.com moved successfully.
C:\WINDOWS\mstaskss.exe moved successfully.
C:\WINDOWS\msxmidi.exe moved successfully.
C:\WINDOWS\ntldr.exe moved successfully.
C:\WINDOWS\rocky.exe moved successfully.
C:\WINDOWS\seksdialer.exe moved successfully.
C:\WINDOWS\vjrkb.dat moved successfully.
C:\WINDOWS\vsdbk.dat moved successfully.
C:\WINDOWS\worst.dat moved successfully.
C:\WINDOWS\system\system.exe moved successfully.
C:\WINDOWS\system\wmscrop.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.dll NOT unregistered.
C:\WINDOWS\system32\d2kpax.dll moved successfully.
C:\WINDOWS\system32\d2kpax.exe moved successfully.
C:\WINDOWS\system32\dntwj.dat moved successfully.
C:\WINDOWS\system32\hahhu.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\jac.dll NOT unregistered.
C:\WINDOWS\system32\jac.dll moved successfully.
C:\WINDOWS\system32\lmzri.dat moved successfully.
C:\WINDOWS\system32\lqvef.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\system32\msxslab.dll NOT unregistered.
C:\WINDOWS\system32\msxslab.dll moved successfully.
C:\WINDOWS\system32\qjeuv.dat moved successfully.
C:\Temp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hijnffgr.dll
C:\WINDOWS\system32\hijnffgr.dll NOT unregistered.
C:\WINDOWS\system32\hijnffgr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vwnbyduq.dll
C:\WINDOWS\system32\vwnbyduq.dll NOT unregistered.
C:\WINDOWS\system32\vwnbyduq.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ktkuqcrk.dll
C:\WINDOWS\system32\ktkuqcrk.dll NOT unregistered.
C:\WINDOWS\system32\ktkuqcrk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iorvuhgh.dll
C:\WINDOWS\system32\iorvuhgh.dll NOT unregistered.
C:\WINDOWS\system32\iorvuhgh.dll moved successfully.
C:\WINDOWS\BM348c2f85.xml moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\fccdcBQI.dll
C:\WINDOWS\system32\fccdcBQI.dll NOT unregistered.
C:\WINDOWS\system32\fccdcBQI.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\yayxvWMg.dll
C:\WINDOWS\system32\yayxvWMg.dll NOT unregistered.
C:\WINDOWS\system32\yayxvWMg.dll moved successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05152008_214624
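guestolo's remark that not all files and folders were removed comes from comparing three artifacts: the CFScript says what ComboFix was asked to delete, the ComboFix log's "Other Deletions" section says what it actually deleted, and the OTMoveIt log says what was moved afterwards. The following is an added example, not code from this thread nor from ComboFix or OTMoveIt, that performs that reconciliation in Python over abridged copies of the thread's own CFScript and logs; the abridgement is the only constructed part.

```python
"""Reconcile a ComboFix CFScript against the ComboFix and OTMoveIt logs.

Added example (not from the thread, ComboFix or OTMoveIt).  The sample
text below is abridged from the CFScript and logs posted in the thread.
"""
import re

# Abridged CFScript: "Name::" headers, one path or registry line per entry.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\hijnffgr.dll
C:\WINDOWS\system32\rgffnjih.ini
C:\WINDOWS\system32\vwnbyduq.dll
C:\WINDOWS\cvchost.exe
Folder::
C:\WINDOWS\system32\vdTMP
C:\Temp\maxsv15
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdfesk]
DirLook::
C:\Temp
"""

# Abridged ComboFix log; only the "Other Deletions" section is consulted.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\VundoFix Backups
C:\VundoFix Backups\cbeeg.bak1.bad
C:\WINDOWS\system32\rgffnjih.ini
C:\WINDOWS\system32\vdTMP

.
(((((((((((((((((((((((((   Files Created from 2008-04-14 to 2008-05-14  )))))))))))))))))))))))))))))))
.
2008-05-12 21:05 . 2008-05-12 21:05 114,688 --a------ C:\WINDOWS\system32\hijnffgr.dll
"""

# Abridged OTMoveIt log.
OTMOVEIT_LOG = r"""
C:\WINDOWS\cvchost.exe moved successfully.
C:\Temp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hijnffgr.dll
C:\WINDOWS\system32\hijnffgr.dll NOT unregistered.
C:\WINDOWS\system32\hijnffgr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vwnbyduq.dll
C:\WINDOWS\system32\vwnbyduq.dll NOT unregistered.
C:\WINDOWS\system32\vwnbyduq.dll moved successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
MOVED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) moved successfully\.$")
NOT_UNREG_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) NOT unregistered\.$")


def norm(path):
    """NTFS paths are case-insensitive, so compare them lower-cased."""
    return path.strip().rstrip("\\").lower()


def parse_cfscript(text):
    """Return {section: [entries]} for a CFScript."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def combofix_deletions(log):
    """Normalised paths listed under ComboFix's 'Other Deletions' banner."""
    deleted, inside = set(), False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("((("):          # every section banner starts like this
            inside = "Other Deletions" in line
        elif inside and PATH_RE.match(line):
            deleted.add(norm(line))
    return deleted


def otmoveit_results(log):
    """(moved, not_unregistered) normalised path sets from an OTMoveIt log."""
    moved, not_unregistered = set(), set()
    for raw in log.splitlines():
        line = raw.strip()
        m = MOVED_RE.match(line)
        if m:
            moved.add(norm(m.group("path")))
        m = NOT_UNREG_RE.match(line)
        if m:
            not_unregistered.add(norm(m.group("path")))
    return moved, not_unregistered


def covered(path, removed):
    """True if the path itself, or one of its parent folders, is in `removed`."""
    p = norm(path)
    return any(p == r or p.startswith(r + "\\") for r in removed)


def still_present_after_combofix(cfscript, combofix_log):
    """File:: and Folder:: entries that ComboFix did not report as deleted."""
    sections = parse_cfscript(cfscript)
    requested = sections.get("File", []) + sections.get("Folder", [])
    return [p for p in requested if not covered(p, combofix_deletions(combofix_log))]


def unresolved_after_otmoveit(leftovers, otmoveit_log):
    """Leftovers that OTMoveIt did not report as moved, directly or via a parent."""
    moved, _ = otmoveit_results(otmoveit_log)
    return [p for p in leftovers if not covered(p, moved)]


if __name__ == "__main__":
    left = still_present_after_combofix(CFSCRIPT, COMBOFIX_LOG)
    print("Not removed by ComboFix:", *left, sep="\n  ")
    print("Still unresolved after OTMoveIt:", unresolved_after_otmoveit(left, OTMOVEIT_LOG))
    print("DLLs moved but not unregistered:", sorted(otmoveit_results(OTMOVEIT_LOG)[1]))
```

Two design points: paths are compared case-insensitively because NTFS is, and an entry counts as removed when a parent folder of it was removed, which is why `C:\Temp\maxsv15\rLCubd.log` needs no separate line. The "NOT unregistered" set is worth reporting separately: those DLLs are gone from disk, but any COM or Winlogon registration that pointed at them is still something to look for in the next HijackThis log.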
Title: trojan infected..pls help, HyjackThis log
Post by: Chris24 on May 15, 2008, 09:44:39 PM
Following is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:37 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YUM\yum.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-3943393980-1111375530-1268058753-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Malathi')
O4 - HKUS\S-1-5-21-3943393980-1111375530-1268058753-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Malathi')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157908995765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9631 bytes


Please advise.
Thank you very much for helping me out.
Title: trojan infected..pls help, HyjackThis log
Post by: guestolo on May 15, 2008, 10:28:03 PM
Looks good

How's everything running now?

Did you manually add these entries to your Trusted Sites in IE?
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
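An added example, not part of the thread or of HijackThis itself: a small Python parser for the HijackThis log format posted above. It groups entries by section code and pulls out the O15 Trusted Zone hosts and any R1 ProxyOverride value, which is the manual confirmation the reply above asks for. The sample log lines are constructed from entries in the posted log.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99.1 line format (taken from
# entries in the log posted above; not a complete log).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\\Program Files\\Yahoo!\\Antivirus\\ISafe.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O15, ...),
# a spaced hyphen, then the entry body.
ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")


def parse_hjt(text):
    """Group HijackThis entries by their section code."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def trusted_zone_hosts(sections):
    """Hosts from O15 entries, i.e. sites added to IE's Trusted Zone.
    The scheme is stripped so 'http://yahoo.sbc.com' yields 'yahoo.sbc.com'."""
    hosts = []
    for entry in sections.get("O15", []):
        if entry.startswith("Trusted Zone: "):
            host = entry[len("Trusted Zone: "):]
            hosts.append(re.sub(r"^https?://", "", host).rstrip("/"))
    return hosts


def review_items(sections):
    """Items a helper would ask the poster to confirm: each Trusted Zone host
    (did you add it yourself?) and any R1 ProxyOverride setting."""
    items = [("O15", f"confirm you added {h} to Trusted Sites")
             for h in trusted_zone_hosts(sections)]
    items += [("R1", e) for e in sections.get("R1", []) if "ProxyOverride" in e]
    return items
```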
Title: trojan infected..pls help, HyjackThis log
Post by: Chris24 on May 16, 2008, 10:32:30 PM
Yes I had added those entries.

Thank you very much for your help. It looks fine now.

As a small token of my appreciation, I have made a small payment to your paypal account.

Thank you once again.
Also, can you pls advise me on some software that I can install so I don't get into this mess again.

I have stopped logging in using my admin account unless it's required.
Title: trojan infected..pls help, HyjackThis log
Post by: guestolo on May 17, 2008, 05:56:18 PM
Thank you very much for the donation

You can open Malwarebyte's Antimalware and remove all entries from the Quarantine section
Your choice to Uninstall Malwarebyte's Antimalware from Add and Remove Programs
or hold onto it, your option

Go to START>>RUN>>Copy and paste the next bold entry

ComboFix /u
Hit OK
This will uninstall ComboFix and its components

OTMoveit2.exe
NOTE: This procedure will also delete OTMoveit.exe from desktop

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)   After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection

Take a look at miekiemoes' site with other ideas on How to prevent Malware: http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Stay safe :)
Title: trojan infected..pls help, HyjackThis log
Post by: guestolo on July 06, 2008, 08:02:08 PM
I'll lock this topic as your problems appear resolved
Take care