Solved: Virus, on my taskbar?

JamesJD125 · 04-Apr-2008, 01:40 PM #1

I think i have a virus on my taskbar. it keeps dissappearing and basically refreshing the desktop. Also when i close Limewire it keeps on coming back. it also starts at start-up??

cybertech · 05-Apr-2008, 03:31 PM #2

You should remove Limewire and post a hijackthis log in the Malware removal forum.

JamesJD125 · 05-Apr-2008, 03:34 PM #3

I've Removed limewire. i've kinda sorted it out. what happens is when i log onto Windows about 4 mins later my taskbar and icons go so all i do is do task manager and type in Explorer and it brings it back.
i just need to find a way of making it stay there when i turn on my computer.

cybertech · 05-Apr-2008, 05:33 PM #4

Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

JamesJD125 · 05-Apr-2008, 06:19 PM #5

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:51 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\CCleaner\ccleaner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iesearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5783 bytes

cybertech · 05-Apr-2008, 06:57 PM #6

You have obviously disabled things with msconfig.

Run HijackThis and click Open the Misc Tools section
Click Open Uninstall Manager, Save list and save the log to your Desktop.
A list of programs will open in Notepad. Post the contents of the log here in your next reply.

JamesJD125 · 05-Apr-2008, 07:14 PM #7

yea when i click Save List it closes HijackThis? what should i do? (useless little me)

cybertech · 06-Apr-2008, 01:22 PM #8

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Close any open browsers.
If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file

If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.

JamesJD125 · 06-Apr-2008, 01:43 PM #9

it's an attachment

cybertech · 06-Apr-2008, 03:18 PM **#10**

Did you edit your hosts file?

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\rqRHbAPH.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> rqRHbAPH -> %SystemRoot%\system32\rqRHbAPH.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {100EB1FD-D03E-47FD-81F3-EE91287F9465} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {2E30D9FE-F1F2-4BF9-BF2A-910F0F04BF79} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {66A2BBFC-1836-4A60-8AD6-A5A0DBA5ABF4} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {B15B9C53-61AD-48C3-B52E-6D6A81B2AE48} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddcDtsSM.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {EBD257DD-26B0-4B52-BFAD-3F99A10A61FF} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {F5C4AB27-3DB0-445E-B3CF-1F5C5FCB44F3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {C5428486-50A0-4a02-9D20-520B59A9F9B2}:{C9CCBB35-D123-4a31-AFFC-9B2933132116} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [ShopperReports - Compare product prices]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{C5428486-50A0-4a02-9D20-520B59A9F9B2} [HKEY_LOCAL_MACHINE] -> [ShopperReports - Compare product prices]
YN -> CmdMapping\\{C5428486-50A0-4a02-9D20-520B59A9F9B3} [HKEY_LOCAL_MACHINE] -> [ShopperReports - Compare travel rates]
[Files/Folders - Created Within 30 days]
NY -> aqVreo18 -> %SystemRoot%\System32\aqVreo18
NY -> ce2 -> %SystemRoot%\System32\ce2
NY -> ddcDtsSM.dll -> %SystemRoot%\System32\ddcDtsSM.dll
NY -> HPqqrBeg.ini -> %SystemRoot%\System32\HPqqrBeg.ini
NY -> MSstDcdd.ini -> %SystemRoot%\System32\MSstDcdd.ini
NY -> MSstDcdd.ini2 -> %SystemRoot%\System32\MSstDcdd.ini2
NY -> NoYcdfii.ini -> %SystemRoot%\System32\NoYcdfii.ini
NY -> NoYcdfii.ini2 -> %SystemRoot%\System32\NoYcdfii.ini2
NY -> QpXayccf.ini -> %SystemRoot%\System32\QpXayccf.ini
NY -> QpXayccf.ini2 -> %SystemRoot%\System32\QpXayccf.ini2
NY -> rqRHbAPH.dll -> %SystemRoot%\System32\rqRHbAPH.dll
NY -> TEKSDJjl.ini -> %SystemRoot%\System32\TEKSDJjl.ini
NY -> tuvSmMFX.dll -> %SystemRoot%\System32\tuvSmMFX.dll
NY -> XFMmSvut.ini -> %SystemRoot%\System32\XFMmSvut.ini
NY -> XFMmSvut.ini2 -> %SystemRoot%\System32\XFMmSvut.ini2
NY -> YFfMlUtv.ini -> %SystemRoot%\System32\YFfMlUtv.ini
NY -> SmFtZXMgRG9ubmVsbHk -> %SystemRoot%\SmFtZXMgRG9ubmVsbHk
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp
NY -> nui -> %SystemRoot%\System32\nui
NY -> nui4 -> %SystemRoot%\System32\nui4
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

I will review the information when it comes back in.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

c:\windows\system32\ddcdtssm.dll
c:\windows\system32\hpqqrbeg.ini
c:\windows\system32\msstdcdd.ini
c:\windows\system32\msstdcdd.ini2
c:\windows\system32\noycdfii.ini
c:\windows\system32\noycdfii.ini2
c:\windows\system32\qpxayccf.ini
c:\windows\system32\qpxayccf.ini2
c:\windows\system32\rqrhbaph.dll
c:\windows\system32\rqrhbaph.dll 
c:\windows\system32\teksdjjl.ini
c:\windows\system32\tuvsmmfx.dll
c:\windows\system32\xfmmsvut.ini
c:\windows\system32\xfmmsvut.ini2
c:\windows\system32\yffmlutv.ini
c:\windows\smftzxmgrg9ubmvsbhk
c:\windows\system32\aqvreo18
c:\windows\system32\ce2
c:\windows\system32\nui
c:\windows\system32\nui4

Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

JamesJD125 · 06-Apr-2008, 05:30 PM **#11**

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks\\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRHbAPH.dll
C:\WINDOWS\system32\rqRHbAPH.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rqRHbAPH.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqRHbAPH\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRHbAPH.dll
C:\WINDOWS\system32\rqRHbAPH.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rqRHbAPH.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{100EB1FD-D03E-47FD-81F3-EE91287F9465}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{2E30D9FE-F1F2-4BF9-BF2A-910F0F04BF79}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E30D9FE-F1F2-4BF9-BF2A-910F0F04BF79}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{66A2BBFC-1836-4A60-8AD6-A5A0DBA5ABF4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66A2BBFC-1836-4A60-8AD6-A5A0DBA5ABF4}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{B15B9C53-61AD-48C3-B52E-6D6A81B2AE48}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B15B9C53-61AD-48C3-B52E-6D6A81B2AE48}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{EBD257DD-26B0-4B52-BFAD-3F99A10A61FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBD257DD-26B0-4B52-BFAD-3F99A10A61FF}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{F5C4AB27-3DB0-445E-B3CF-1F5C5FCB44F3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5C4AB27-3DB0-445E-B3CF-1F5C5FCB44F3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C5428486-50A0-4a02-9D20-520B59A9F9B2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5428486-50A0-4a02-9D20-520B59A9F9B2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9CCBB35-D123-4a31-AFFC-9B2933132116}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{C5428486-50A0-4a02-9D20-520B59A9F9B2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5428486-50A0-4a02-9D20-520B59A9F9B2}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{C5428486-50A0-4a02-9D20-520B59A9F9B3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5428486-50A0-4a02-9D20-520B59A9F9B3}\ not found.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\aqVreo18 folder moved successfully.
C:\WINDOWS\System32\ce2 folder moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ddcDtsSM.dll
C:\WINDOWS\System32\ddcDtsSM.dll NOT unregistered.
C:\WINDOWS\System32\ddcDtsSM.dll moved successfully.
C:\WINDOWS\System32\HPqqrBeg.ini moved successfully.
C:\WINDOWS\System32\MSstDcdd.ini moved successfully.
File C:\WINDOWS\System32\MSstDcdd.ini2 not found!
C:\WINDOWS\System32\NoYcdfii.ini moved successfully.
C:\WINDOWS\System32\NoYcdfii.ini2 moved successfully.
C:\WINDOWS\System32\QpXayccf.ini moved successfully.
C:\WINDOWS\System32\QpXayccf.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\rqRHbAPH.dll
C:\WINDOWS\System32\rqRHbAPH.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\rqRHbAPH.dll scheduled to be moved on reboot.
C:\WINDOWS\System32\TEKSDJjl.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tuvSmMFX.dll
C:\WINDOWS\System32\tuvSmMFX.dll NOT unregistered.
C:\WINDOWS\System32\tuvSmMFX.dll moved successfully.
C:\WINDOWS\System32\XFMmSvut.ini moved successfully.
C:\WINDOWS\System32\XFMmSvut.ini2 moved successfully.
C:\WINDOWS\System32\YFfMlUtv.ini moved successfully.
C:\WINDOWS\SmFtZXMgRG9ubmVsbHk folder moved successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\System32\nui folder moved successfully.
C:\WINDOWS\System32\nui4 folder moved successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF6DA2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF6DB1.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF8C68.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF8D03.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\ZGVVOT5Q\1748191375[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\ZGVVOT5Q\ADSAdClient31[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2a8.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.9.0 fix logfile created on 04062008_212811

cybertech · 06-Apr-2008, 05:45 PM **#12**

Please visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

JamesJD125 · 06-Apr-2008, 06:15 PM **#13**

ComboFix 08-04-06.1 - Compaq_Owner 2008-04-06 22:02:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1027 [GMT 1:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - system32: deleted 532 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport
C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Compaq_Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Compaq_Owner\lsass.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\HPqqrBeg.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\PVFOoUvw.ini
C:\WINDOWS\system32\PVFOoUvw.ini2
C:\WINDOWS\system32\rqRHbAPH.dll
C:\WINDOWS\system32\wvUoOFVP.dll
C:\WINDOWS\system32\YFfMlUtv.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR
-------\Service_NwSapAgent

((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 21:36 . 2008-04-06 21:36 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-04-06 21:36 . 2008-04-06 21:36 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-04-06 21:32 . 2008-04-06 21:32 <DIR> d----c--- C:\_OTMoveIt
2008-04-06 16:08 . 2008-04-06 16:20 1,286 --a--c--- C:\WINDOWS\system32\tmp.reg
2008-04-06 14:22 . 2008-04-06 14:22 <DIR> d----c--- C:\Program Files\CleanMyPC
2008-04-05 22:17 . 2008-04-05 22:17 <DIR> d----c--- C:\Program Files\Trend Micro
2008-04-05 20:10 . 2008-04-05 20:11 <DIR> d----c--- C:\Program Files\iTunes
2008-04-05 20:10 . 2008-04-05 20:10 <DIR> d----c--- C:\Program Files\iPod
2008-04-05 20:08 . 2008-04-05 20:08 <DIR> d----c--- C:\Program Files\Bonjour
2008-04-05 20:05 . 2008-04-05 20:07 <DIR> d----c--- C:\Program Files\QuickTime
2008-04-05 16:52 . 2008-04-05 17:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Mapi Meta Book Bits
2008-04-05 16:51 . 2008-04-05 17:06 <DIR> d----c--- C:\Program Files\BitDownload
2008-04-05 16:42 . 2008-04-06 21:23 <DIR> d----c--- C:\Program Files\Incomplete
2008-04-05 16:42 . 2008-04-06 19:19 <DIR> d----c--- C:\Program Files\Downloaded Music
2008-04-05 16:41 . 2008-04-05 16:41 <DIR> d----c--- C:\Documents and Settings\Compaq_Owner\Incomplete
2008-04-05 16:40 . 2008-04-06 21:23 <DIR> d----c--- C:\Documents and Settings\Compaq_Owner\Application Data\FrostWire
2008-04-05 16:39 . 2007-09-24 23:31 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl
2008-04-05 16:38 . 2008-04-05 16:39 <DIR> d----c--- C:\Program Files\Java
2008-04-05 16:38 . 2008-04-05 16:38 <DIR> d----c--- C:\Program Files\Common Files\Java
2008-04-05 16:36 . 2008-04-05 16:40 <DIR> d----c--- C:\Program Files\FrostWire
2008-04-05 15:51 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-04-05 15:51 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-04-05 15:51 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-04-05 15:51 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-04-05 15:51 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-04-05 15:51 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-04-05 15:51 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-04-05 15:51 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-04-05 15:51 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-04-05 15:49 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-04-05 15:48 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-04-05 15:47 . 2004-08-04 05:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-04-05 15:46 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-04-05 15:45 . 2004-08-04 05:00 143,422 --a--c--- C:\WINDOWS\system32\dllcache\softkey.dll
2008-04-05 15:44 . 2004-08-03 22:41 404,990 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-04-05 15:43 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-04-05 15:42 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-04-05 15:41 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-04-05 15:40 . 2004-08-04 05:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-04-05 15:39 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-04-05 15:38 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
2008-04-05 15:37 . 2004-08-04 05:00 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-04-05 15:36 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-05 15:35 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-04-05 15:34 . 2004-08-04 05:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-04-05 15:33 . 2004-08-04 05:00 811,064 --a--c--- C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-04-05 15:32 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-05 15:31 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-04-05 15:30 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-04-05 15:29 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-04-05 15:28 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-04-05 15:27 . 2001-08-17 22:36 256,512 --a--c--- C:\WINDOWS\system32\dllcache\devcon32.dll
2008-04-05 15:26 . 2004-08-04 05:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-04-05 15:25 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-04-05 15:24 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-04-05 15:23 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-04-05 11:22 . 2008-04-05 11:22 <DIR> d----c--- C:\Program Files\AVG
2008-04-05 11:22 . 2008-04-05 11:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-04 21:51 . 2008-04-04 21:51 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-04-04 15:07 . 2008-04-04 15:07 147,456 --a--c--- C:\WINDOWS\system32\vbzip10.dll
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a--c--- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a--c--- C:\WINDOWS\system32\QuickTime.qts
2008-03-24 01:08 . 2008-03-24 01:08 <DIR> d----c--- C:\Kontiki
2008-03-23 15:01 . 2008-03-23 15:29 <DIR> d----c--- C:\Program Files\EA GAMES
2008-03-23 15:01 . 2004-08-18 09:34 442,368 -ra--c--- C:\WINDOWS\system32\vp6vfw.dll
2008-03-22 12:55 . 2008-03-22 12:55 7 --a--c--- C:\WINDOWS\system32\ANIWZCSUSERNAME{971A6D86-CD27-4807-9AF4-31F1FE219E29}
2008-03-21 23:10 . 2008-03-21 23:11 <DIR> d----c--- C:\Program Files\GoPets Ltd
2008-03-18 17:03 . 2008-03-18 17:03 <DIR> d----c--- C:\Documents and Settings\Compaq_Owner\Application Data\HPQ
2008-03-15 17:52 . 2008-03-15 17:52 <DIR> d----c--- C:\Program Files\Common Files\Adobe
2008-03-07 23:45 . 2008-03-07 23:45 <DIR> d----c--- C:\Documents and Settings\Compaq_Owner\Application Data\Jasc
2008-03-07 17:44 . 2008-03-07 17:44 <DIR> d----c--- C:\Program Files\Jasc Software Inc
2008-03-07 17:44 . 2008-03-07 17:44 <DIR> d----c--- C:\Documents and Settings\Compaq_Owner\Application Data\Jasc Software Inc
2008-03-07 17:42 . 2008-03-09 14:23 <DIR> d----c--- C:\Program Files\Common Files\SWF Studio
2008-03-06 20:24 . 2008-04-05 17:12 <DIR> d----c--- C:\Program Files\Paint.NET
2008-03-06 20:22 . 2004-08-04 05:00 539,136 --a--c--- C:\WINDOWS\system32\dllcache\dialer.exe
2008-03-06 20:22 . 2004-08-04 05:00 538,624 --a--c--- C:\WINDOWS\system32\spider.exe
2008-03-06 20:22 . 2004-08-04 05:00 538,624 --a--c--- C:\WINDOWS\system32\dllcache\spider.exe
2008-03-06 20:22 . 2004-11-17 18:41 347,136 --a--c--- C:\WINDOWS\system32\hypertrm.dll
2008-03-06 20:22 . 2004-08-04 05:00 343,040 --a--c--- C:\WINDOWS\system32\mspaint.exe
2008-03-06 20:22 . 2004-08-04 05:00 343,040 --a--c--- C:\WINDOWS\system32\dllcache\mspaint.exe
2008-03-06 20:22 . 2004-08-04 05:00 123,392 --a--c--- C:\WINDOWS\system32\mplay32.exe
2008-03-06 20:22 . 2004-08-04 05:00 123,392 --a--c--- C:\WINDOWS\system32\dllcache\mplay32.exe
2008-03-06 20:22 . 2004-08-04 05:00 102,912 --a--c--- C:\WINDOWS\system32\dllcache\clipbrd.exe
2008-03-06 20:22 . 2004-08-04 05:00 102,912 --a--c--- C:\WINDOWS\system32\clipbrd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 21:05 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-06 14:08 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 21:39 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 19:27 --------- dc----w C:\Program Files\LimeWire
2008-04-01 17:27 --------- dc----w C:\Documents and Settings\Compaq_Owner\Application Data\Participatory Culture Foundation
2008-03-02 19:46 --------- dc----w C:\Documents and Settings\Compaq_Owner\Application Data\Orbit
2008-03-02 13:26 --------- dc----w C:\Program Files\DVDVideoSoft
2008-03-02 13:26 --------- dc----w C:\Program Files\Common Files\DVDVideoSoft
2008-03-01 18:03 --------- dc----w C:\Program Files\Windows Live
2008-02-29 20:44 --------- dc----w C:\Documents and Settings\Compaq_Owner\Application Data\Windows Live Writer
2008-02-29 20:43 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-29 20:12 --------- dc----w C:\Program Files\MSN Messenger
2008-02-29 20:10 --------- dc----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-28 18:07 --------- dc----w C:\Documents and Settings\Compaq_Owner\Application Data\dvdcss
2008-02-25 20:40 --------- dc--a-w C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-02-25 20:14 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-07 15:56 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-02-07 15:56 --------- dc----w C:\Program Files\ANI
2008-02-01 11:11 586,240 -c--a-w C:\WINDOWS\WLXPGSS.SCR
2007-12-19 21:34 40,960 -csha-w C:\WINDOWS\system32\70554hack.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-24 20:56:39 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explo rer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHbAPH]
rqRHbAPH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= lvcodec2.dll
"MSVideo8"= VfWWDM32.dll
"msacm.lhacm"= lhacm.acm
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll
"VIDC.FPS1"= frapsvid.dll
"MSVideo"= vfwwdm32.dll
"vidc.VP60"= C:\WINDOWS\system32\vp6vfw.dll
"vidc.VP61"= C:\WINDOWS\system32\vp6vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-03-15 22:06]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 13:55]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 13:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 13:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 13:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 13:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 13:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 19:01:43 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-06 20:52:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 22:07:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-04-06 22:10:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-06 21:10:34
Pre-Run: 54,305,710,080 bytes free
Post-Run: 54,320,721,920 bytes free
.
2008-04-06 10:28:34 --- E O F ---

JamesJD125 · 06-Apr-2008, 06:16 PM **#14**

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:00 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: rqRHbAPH - rqRHbAPH.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5028 bytes

cybertech · 06-Apr-2008, 06:50 PM **#15**

Run HJT again and put a check in the following:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: rqRHbAPH - rqRHbAPH.dll (file missing)

Close all applications and browser windows before you click "fix checked".

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive and all other fixed drives..
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
Click Close to exit the program.

Please perform a scan with Kaspersky Webscan Online Virus Scanner

Read the Requirements and Privacy statement, then select "Accept".
A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
When the download is complete it will say ready, click "Next".
Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
Click "OK".
Under "Select a target to scan", click on "My Computer".
When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!

After you have posted those logs and run Kaspersky I want you to get an anti-virus installed. Load AVG http://free.grisoft.com/freeweb.php/doc/2/ it's free.

Once that is installed post a new hijackthis log.

Tag Cloud
access acer asus batch bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop lcd malware memory modem monitor motherboard network printer problem ram registry router slow software sound toshiba trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!