Author Topic: awtqo & smitfraud c (Read 2218 times)

guestolo · « **Reply #20 on:** January 02, 2008, 10:05:15 AM »

I'm just on my way to work, we'll fix Internet Explorer later
Can you do the following

Again, delete your version of Combofix and redownload it again to desktop
Double click on it to run it
and follow the prompts
Post it's new log

Then reenable Avast protections, I suggest you also run a full scan with it

I'll check back later

kmichelle1984 · « **Reply #21 on:** January 02, 2008, 11:11:56 AM »

ComboFix 08-01-02.1 - Owner 2008-01-03 10:02:28.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.436 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\7PR49H8X\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\HP\KBD\KBD.EXE
C:\n.bat
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\{38F6A~1
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Temp
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\cEeer12\skAt.log
C:\temp\tn3
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\awtqo.dll.bad
C:\VundoFix Backups\awtqo.exe.bad
C:\VundoFix Backups\hkcmd.exe.bad
C:\VundoFix Backups\hphmon05.exe.bad
C:\VundoFix Backups\hpsysdrv.exe.bad
C:\VundoFix Backups\igfxtray.exe.bad
C:\VundoFix Backups\ljjjkll.dll.bad
C:\VundoFix Backups\msconfig.exe.bad
C:\VundoFix Backups\oqtwa.ini.bad
C:\VundoFix Backups\oqtwa.ini2.bad
C:\VundoFix Backups\ps2.exe.bad
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\aj2
C:\WINDOWS\system32\ardCo18
C:\WINDOWS\system32\ardCo18\ardCo182328.exe
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtqo.exe
C:\WINDOWS\system32\cc9
C:\WINDOWS\system32\components
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\System32\flcss.exe
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\ljjjkll.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plyodmp.dll
C:\WINDOWS\system32\pp1
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\z1
C:\winlogon.exe
C:\x.dat
C:\z.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\core

((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-02 22:14 . 2008-01-02 22:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-02 22:14 . 2008-01-02 22:14 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-02 22:14 . 2008-01-02 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-02 19:39 . 2008-01-01 01:17 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-02 17:41 . 2008-01-02 17:41 <DIR> d-------- C:\Program Files\AOL Search
2008-01-01 15:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 16:59 . 2007-12-30 16:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-29 18:45 . 2007-12-29 18:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-12-29 18:43 . 2008-01-02 17:42 <DIR> d-------- C:\Program Files\AIM6
2007-12-28 23:44 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-28 23:44 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-28 23:44 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-28 23:22 . 2007-12-28 23:22 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-28 18:49 . 2008-01-01 12:16 182 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2007-12-28 17:00 . 2007-12-28 17:00 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-28 16:48 . 2007-12-28 18:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-28 08:19 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-27 23:37 . 2007-12-27 23:37 <DIR> d-------- C:\WINDOWS\provisioning
2007-12-27 23:37 . 2007-12-27 23:37 <DIR> d-------- C:\WINDOWS\peernet
2007-12-27 23:30 . 2007-12-27 23:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-27 23:14 . 2007-12-27 23:14 <DIR> d-------- C:\WINDOWS\EHome
2007-12-25 13:50 . 2007-12-25 13:50 <DIR> d-------- C:\Program Files\Mattel
2007-12-25 13:50 . 2007-12-25 13:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Mattel
2007-12-04 11:23 . 2007-12-04 23:16 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-04 11:23 . 2007-12-04 23:16 88 -r-hs---- C:\WINDOWS\system32\B12A0F95F1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 03:59 --------- d-----w C:\Program Files\Yahoo!
2008-01-03 03:59 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-03 03:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-03 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-03 03:55 --------- d-----w C:\Program Files\Java
2008-01-02 21:59 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-02 21:59 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-01-02 21:59 --------- d-----w C:\Program Files\iTunes
2008-01-02 21:57 --------- d-----w C:\Program Files\QuickTime
2008-01-01 18:15 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 07:17 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
2007-12-30 23:54 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-30 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-28 23:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-28 23:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-28 01:49 5,923,843 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-25 19:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-30 01:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-11-17 02:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-17 02:25 --------- d-----w C:\Program Files\iPod
2007-11-17 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-17 02:23 --------- d-----w C:\Program Files\Apple Software Update
2007-11-17 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-14 20:32 --------- d-----w C:\Program Files\FrostWire
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-12-20 17:15 103,327 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_19_11_24_30_small.dmp.zip
2006-10-30 16:26 98,508 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_28_11_48_20_small.dmp.zip
2006-10-19 03:39 132,534 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_18_12_41_12_small.dmp.zip
.

((((((((((((((((((((((((((((( snapshot@2008-01-02_16.06.00.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-30 00:43:58 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
+ 2008-01-02 23:40:32 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-01-03 04:07:25 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2007-12-18 13:27 111968 --a------ C:\Program Files\AOL Search\AOLSearch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2008-01-01 15:14 32768]
"Yahoo! Pager"="1" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-01 15:15 1318912]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2008-01-01 15:15 1261384]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 13:04 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-01-01 15:14 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-01 15:14 221184]
"VTTimer"="VTTimer.exe" []
"LTMSG"="LTMSG.exe" [2003-07-14 19:52 40960 C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2008-01-01 15:14 135168]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-01 15:14 968696]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-01 15:14 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-01 15:14 40048]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-05-10 12:08 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BarbieGirlsTray]
2007-12-30 02:10 24576 --a------ C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-08-21 05:23 49152 --a------ c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
2003-07-14 13:30 98304 --a------ C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-30 02:10 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2007-12-30 23:01 380928 --a------ C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 03:50 155648 --------- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 03:50 155648 --------- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2008-01-01 15:01 57344 --a------ C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2001-12-20 10:00]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 13:56]
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-02-08 04:16]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 14:49:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 10:06:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 10:07:47
ComboFix-quarantined-files.txt 2008-01-03 16:07:30
.
2007-12-30 19:00:27 --- E O F ---

guestolo · « **Reply #22 on:** January 02, 2008, 11:50:53 AM »

If Avast hasn't rid you of a few file
We should get rid of them
A couple of them are probably what caused most of your problems
Possible crack files infected for software

==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]

Double click on fix.reg
Allow to add/merge to the registry at the prompt

Download [color=\"blue\"]ATF Cleaner[/color]

Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
[color=\"green\"]NOTE : If you would like to keep your saved passwords, please click No at the prompt.[/color]

If you use Opera browser, do this also:

Click Opera at the top and choose Select All from the list.
Click the Empty Selected button.
[color=\"green\"]NOTE : If you would like to keep your saved passwords, please click No at the prompt.[/color]

Click Exit on the Main menu to close the program.

Download [color=\"blue\"]OTMoveIt[/color] by OldTimer:

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================

C:\WINDOWS\system32\vbzip10.dll
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\Documents and Settings\Owner\Shared\photoshop cs3\setup.exe
C:\Documents and Settings\Owner\Shared\Adobe Photoshop CS3 10.0 Extended Keygen\f.exe
C:\Documents and Settings\Owner\Shared\Adobe Photoshop CS3 10.0 Extended Keygen\Crack.exe
C:\Documents and Settings\All Users\Application Data\Viewpoint

======================================================
Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
Click the red "[color=\"red\"]MoveIt![/color]" button.
Close OTMoveIt.

[color=\"red\"]Note[/color]: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

NOTE: If you are not asked to reboot, can you reboot manually anyways

Back in Windows
Post one last fresh hijackthis log

Also, let me know what problems your having with Internet Explorer
Is it that it just can't connect to the Internet, or it won't startup at all?

kmichelle1984 · « **Reply #23 on:** January 02, 2008, 04:14:58 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:19 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://download2.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161232436812
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6985 bytes

I just clicked on the Internet Explorer icon and it worked now.

guestolo · « **Reply #24 on:** January 02, 2008, 04:18:50 PM »

I'm sorry, I totally forgot about asking for the log from OTMoveit
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Post that log please

kmichelle1984 · « **Reply #25 on:** January 02, 2008, 04:29:53 PM »

DllUnregisterServer procedure not found in C:\WINDOWS\system32\vbzip10.dll C:\WINDOWS\system32\vbzip10.dll NOT unregistered. C:\WINDOWS\system32\vbzip10.dll moved successfully. DllUnregisterServer procedure not found in C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll NOT unregistered. C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll moved successfully. File/Folder C:\Documents and Settings\Owner\Shared\photoshop cs3\setup.exe not found. C:\Documents and Settings\Owner\Shared\Adobe Photoshop CS3 10.0 Extended Keygen\f.exe moved successfully. File/Folder C:\Documents and Settings\Owner\Shared\Adobe Photoshop CS3 10.0 Extended Keygen\Crack.exe not found. C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win moved successfully. C:\Documents and Settings\All Users\Application Data\Viewpoint moved successfully. Created on 01/03/2008 14:59:12 

Is it ok to download Java?

guestolo · « **Reply #26 on:** January 02, 2008, 04:53:50 PM »

Thanks for all the logs

If everything is running better, I suggest that you do the following
Older System Restore points are infected
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Select>>Create a New restore point
Give it a name, any name,
eg... Michelle
and click Create
Windows will prompt when it was created successfully

When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

Go ahead and delete the RenV.exe and it's logs from desktop

Go to START>>RUN>>Copy then paste the next command below in bold
Then hit OK

combofix /u

This will uninstall combofix and it's components

Take note of these entries in your Hijackthis log
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Your choice, but optionally, you can run a Scan Only with Hijackthis and fix checked the above 4 entries
It could help with System startup time and save resources
Take note of their related functionalities
Reader_sl.exe

Quote

Speeds up the time it takes to load the Adobe_Reader application. Your choice, but not required for Adobe Reader to function properly

dumprep 0 -u

Quote

Used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out

Adobe Gamma Loader.exe

Quote

Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it. In my case I can verify this as Photoshop loads fine

OSA9.EXE

Quote

Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it but it usually isn't required - Note: if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.

======================================
OTMoveit.exe

Please double-click OTMoveIt.exe to run it.
Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Don't change anything in this list
Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Don't mouseclick during the wait as you may cause the tool to stall
Select Yes to reboot Now

NOTE: This procedure will also delete OTMoveit.exe from desktop and other tools we used for cleaning

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster 3.5.1 by JavaCool

After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Also, after every update with Spybot 1.4
Ensure to use the Immunize feature
Simply click Immunize>>OK>>Immunize again at the top green cross
You should do that now

You may choose to hold onto ATF-Cleaner to help cleaning temp files, etc
Your choice, it you decide to remove it just manually delete it

Hope that helps

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
After you do the above, just let me know if everything is alright and I'll lock this topic
Oh, and could you go to
START>>RUN>>type in msconfig
Hit OK
Does the System Configuration Utiility open properly?

kmichelle1984 · « **Reply #27 on:** January 02, 2008, 05:24:25 PM »

Completed all the steps - computer is running great. The msconfig system configuration opened up fine.
THANK YOU SO MUCH!!!!!!!!

guestolo · « **Reply #28 on:** January 02, 2008, 05:33:24 PM »

[quote name=\'kmichelle1984\' post=\'417483\' date=\'Jan 2 2008, 03:24 PM\']Completed all the steps - computer is running great. The msconfig system configuration opened up fine.
THANK YOU SO MUCH!!!!!!!![/quote]

Your welcome, ~~I'll lock this topic as your problems are resolved~~
Take Care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #29 on:** January 02, 2008, 05:36:52 PM »

I don't know where my mind is
I forgot to have you update Java
You can get the installer from here,
I like to use the OFFLINE installer, your choice
But allow it connection thru firewall when installing

http://www.java.com/en/download/manual.jsp

kmichelle1984 · « **Reply #30 on:** January 02, 2008, 05:56:37 PM »

I've got it updated -
thanks again!

guestolo · « **Reply #31 on:** January 02, 2008, 06:01:36 PM »

Good work, this time I will lock this topic

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: awtqo & smitfraud c (Read 2218 times)

guestolo

awtqo & smitfraud c

kmichelle1984

awtqo & smitfraud c

guestolo

awtqo & smitfraud c

kmichelle1984

awtqo & smitfraud c

guestolo

awtqo & smitfraud c

kmichelle1984

awtqo & smitfraud c

guestolo

awtqo & smitfraud c

kmichelle1984

awtqo & smitfraud c

guestolo

awtqo & smitfraud c

guestolo

awtqo & smitfraud c

kmichelle1984

awtqo & smitfraud c

guestolo

awtqo & smitfraud c