Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal
Solved: WinAble?? popups and limewire gone crazy!
=bEC$= (Member, 82 posts, Join Date: Jul 2006)
15-Nov-2007, 11:33 PM #1
Solved: WinAble?? popups and limewire gone crazy!
Hi all,
I've been having a problem with popups, and my computer has been running extremely slow.

I am running avast as my AV, and it keeps alerting me to a malware program called WinAble.

I have run SmitfraudFix and ComboFix as well as ewido, and it keeps coming back.
I also ran HijackThis and 'fixed' WinAble, only for it to reappear again...
I uninstalled LimeWire as well, as it kept opening and trying to download by itself, and it won't let me access the options section; but I already had it set to manual connect, so whatever was trying to download from it couldn't connect.

It hasn't reappeared since I last deleted it in HJT, but everything is still running slow and the sound is stuttered.

I've also noticed a popup when I close Internet Explorer. I'm not sure what it says; I'll have to post this, then close the page to see what it is.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:56 PM, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rebecca\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rebecca\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by118fd.bay118.hotmail.msn.co...x/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D04817F-6E1F-4C84-BE30-473F0A7698FD}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{52673C3A-A9ED-47AB-830A-407603036CFC}: Domain = nsw.bigpond.net.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
=bEC$=, 16-Nov-2007, 12:08 AM #2
Here is the ComboFix log:

ComboFix 07-11-08.1 - Rebecca 2007-11-16 13:09:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT 11:00]
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b122.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\b3
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\f1
C:\WINDOWS\system32\f1\bemwdll3.exe
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\k4
C:\WINDOWS\system32\k4\mper83122.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\UpMedia

.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 13:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 08:14 3,438 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-16 08:13 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-16 08:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-16 08:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-16 08:13 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-16 08:13 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-16 04:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\urqrrsq.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\jkkkljj.dll
2007-11-16 04:35 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-16 04:35 120 --a------ C:\n.bat
2007-11-16 04:35 0 --a------ C:\z.dat
2007-11-16 04:35 0 --a------ C:\x.dat
2007-11-16 04:34 <DIR> d-------- C:\WINDOWS\system32\rMa18yy
2007-11-16 04:34 <DIR> d-------- C:\Temp\abW9
2007-11-16 04:34 <DIR> d-------- C:\Temp
2007-11-16 04:34 225,293 --a------ C:\Temp\e002A477.exe
2007-11-16 04:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-16 04:18 <DIR> d-------- C:\Program Files\DivX
2007-11-15 21:36 <DIR> d-------- C:\Incomplete
2007-11-15 18:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-15 18:39 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-15 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Emotum
2007-11-15 14:20 <DIR> d-------- C:\Program Files\DIFX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 02:23 36,864 ----a-w C:\svchost.exe
2007-11-16 02:23 36,864 ----a-w C:\Documents and Settings\Rebecca\services.exe
2007-11-15 09:47 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\Skype
2007-11-15 07:52 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\NCH Swift Sound
2007-11-15 07:45 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-15 07:43 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\SlipStream
2007-11-15 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-01 01:15 839,696 ----a-w C:\WINDOWS\Fonts\Crack.exe
2007-10-01 01:15 839,695 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-23 16:35 751,167 ----a-w C:\Documents and Settings\various installers\sc11a.exe
2007-03-14 02:34 11,572,208 ----a-w C:\Documents and Settings\various installers\QuickTimeFullInstaller.exe
2007-03-07 14:26 1,374,059 ----a-w C:\Documents and Settings\various installers\installer_Ringtone_DJ.exe
2007-03-05 13:00 1,744,128 ----a-w C:\Documents and Settings\various installers\foxitreader_setup.exe
2007-02-24 05:33 1,440,410 ----a-w C:\Documents and Settings\various installers\dodo-speed-accelerator-v1.0.exe
2006-10-02 02:29 1,837 -c--a-w C:\Program Files\DirectX.ini
2006-05-30 13:49 1,124,419 ----a-w C:\Documents and Settings\various installers\wrar34b4.zip
2006-02-11 07:42 36,488,456 ----a-w C:\Documents and Settings\various installers\iTunesSetup.exe
2004-12-22 09:29 1,163,307 ----a-w C:\Documents and Settings\various installers\wrar34b4.exe
2001-05-10 00:04 162,304 -c--a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8201F3FC-F152-4F2F-90BB-B39FBA4358DA}]
C:\Program Files\Windows NT\hopeC:\WINDOWS\system32\k4\mper83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-16 04:35 36352 --a------ C:\WINDOWS\system32\urqrrsq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 06:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 10:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 20:09 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 01:43]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-06-23 12:13]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-07-07 14:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 21:06]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 20:40 C:\WINDOWS\sm56hlpr.exe]
"SlipStream"="C:\Program Files\Dodo Speed Accelerator\slipcore.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-15 11:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-10-01 12:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe" [2005-02-26 11:28]
"System Mechanic Startup Guard"="C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 00:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\urqrrsq.dll [2007-11-16 04:35 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrrsq]
urqrrsq.dll 2007-11-16 04:35 36352 C:\WINDOWS\system32\urqrrsq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhe.dll


.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 02:22:40 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 13:20:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\jkkklmn.dll 36352 bytes executable
**************************************************************************
.
Completion time: 2007-11-16 13:27:07 - machine was rebooted
.
--- E O F ---
=bEC$=, 16-Nov-2007, 04:08 AM #3
Anyone?
=bEC$=, 16-Nov-2007, 09:20 AM #4
Something really bad is going on!
I have been reading through some of the other threads while waiting for a reply, and figured I should do a Panda scan as well.

The results of this have worried me a lot: it said there were 6 hacker tools and 5 spyware, as well as about 2500 viruses.

The thing is, I left the scan running for about 3 1/2-4 hrs and it hadn't reached halfway. I was watching the file names that were coming up as 'virus', and I haven't downloaded any of these; most of them seemed to be adult movies, and movies from 06/07.

I stopped the scan halfway (after around 4 hrs) to check the folder it said these were in, C:\WINDOWS\Fonts.
When I checked it, there was nothing along these lines in it.

I saved the report of the scan but, as I said, it was stopped halfway, as I thought it seemed to be taking a long time!

Please can someone help me, as I'm getting really worried my computer has been taken over and will crash..

Last edited by =bEC$=; 16-Nov-2007 at 05:31 PM.
=bEC$=, 16-Nov-2007, 09:35 AM #5
OK, I just pasted the whole thing into Word; it's 183 pages long. I think it's too big to put in here.
Cookiegal (Administrator & Malware Removal Specialist, 79,220 posts, Join Date: Aug 2003, Location: Quebec, Canada)
16-Nov-2007, 10:13 AM #6
Hi,

I received your PM but I have to go out in a few minutes so I won't be able to review your thread until later on this afternoon.

In the meantime, you can upload your Panda scan as an attachment please. Below the reply box, click on "manage attachments" then "browse" to locate the file on your computer - click on "open" and then "upload" it.
__________________
Microsoft MVP - Consumer Security
=bEC$=, 16-Nov-2007, 10:25 AM #7
Thank you so much, I really appreciate it. As I said, the scan seemed to be taking much too long, and I ended up stopping it.
It's getting really late here (1.30 am), so I can run the scan overnight in case it has to be run again.
I've had to compress it so it would fit; sorry, but it's 1.5 MB otherwise.
=bEC$=, 16-Nov-2007, 05:15 PM #8
Well, something has gone crazy here. I left the scan to run overnight, and now it's installed the yellow triangle with the '!' in it.
Admittedly, I turned off my AV (avast) as it was blocking the functions of the scan. When I woke up, I had 43 popup windows, that triangle in my tray, and 'Live Safety Center' and 'Online Security Guide' on my desktop, as well as that toolbar 7.1 installed in Explorer.

I right-clicked on the toolbar and closed it, but it's still available in the options.

I will edit my other scan results posts, as it's now the full scan as well as new HJT and ComboFix logs.

I have compressed the scan results again:
Again, thank you so much for helping!

Logfile of HijackThis v1.99.1
Scan saved at 9:27:13 AM, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\tlpvhwac.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Rebecca\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ozexhdhr.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [e0de6d50] rundll32.exe "C:\WINDOWS\system32\fxjmqnny.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rebecca\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by118fd.bay118.hotmail.msn.co...x/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D04817F-6E1F-4C84-BE30-473F0A7698FD}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{52673C3A-A9ED-47AB-830A-407603036CFC}: Domain = nsw.bigpond.net.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c001D010.dat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\tlpvhwac.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


ComboFix 07-11-08.1 - Rebecca 2007-11-17 9:52:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT 11:00]
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Rebecca\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Rebecca\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Rebecca\Favorites\Online Security Guide.lnk
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\__c001D010.dat
C:\WINDOWS\system32\bibhvsbe.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\ozexhdhr.dllbox
C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-17 02:39 85,056 --a------ C:\WINDOWS\system32\fxjmqnny.dll
2007-11-17 02:34 145,984 --a------ C:\WINDOWS\system32\ozexhdhr.dll
2007-11-17 02:34 81,984 --a------ C:\WINDOWS\system32\xuggobno.dll
2007-11-17 02:33 145,984 --a------ C:\WINDOWS\system32\rgpjsqdd.dll
2007-11-17 02:30 71,232 --a------ C:\WINDOWS\system32\tlpvhwac.exe
2007-11-16 20:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-16 13:24 36,352 --a------ C:\WINDOWS\system32\jkkklmn.dll
2007-11-16 13:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 08:14 3,438 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-16 08:13 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-16 08:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-16 08:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-16 08:13 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-16 08:13 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-16 04:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\urqrrsq.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\jkkkljj.dll
2007-11-16 04:35 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-16 04:35 120 --a------ C:\n.bat
2007-11-16 04:34 <DIR> d-------- C:\WINDOWS\system32\rMa18yy
2007-11-16 04:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 18:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-15 18:39 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-15 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Emotum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 17:19 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-16 16:02 --------- d-----w C:\Program Files\Windows Defender
2007-11-16 16:02 --------- d-----w C:\Program Files\QuickTime
2007-11-16 16:02 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-11-16 16:02 --------- d-----w C:\Program Files\MSN Messenger
2007-11-16 15:59 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-11-16 15:57 --------- d-----w C:\Program Files\iTunes
2007-11-16 15:56 --------- d-----w C:\Program Files\Google
2007-11-16 15:55 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-11-15 09:47 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\Skype
2007-11-15 07:52 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\NCH Swift Sound
2007-11-15 07:45 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-15 07:43 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\SlipStream
2007-11-15 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2006-10-02 02:29 1,837 -c--a-w C:\Program Files\DirectX.ini
2006-05-30 13:49 1,124,419 ----a-w C:\Documents and Settings\various installers\wrar34b4.zip
2001-05-10 00:04 162,304 -c--a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8201F3FC-F152-4F2F-90BB-B39FBA4358DA}]
C:\Program Files\Windows NT\hopeC:\WINDOWS\system32\k4\mper83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-17 02:34 145984 --a------ C:\WINDOWS\system32\ozexhdhr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ed80bf2d-8722-4675-95d2-97a133496113}]
2007-11-17 02:34 81984 --a------ C:\WINDOWS\system32\xuggobno.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ozexhdhr.dll [2007-11-17 02:34 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ozexhdhr.dll [2007-11-17 02:34 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 06:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 10:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 20:09 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 01:43]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-06-23 12:13]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-07-07 14:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 21:06]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 20:40 C:\WINDOWS\sm56hlpr.exe]
"SlipStream"="C:\Program Files\Dodo Speed Accelerator\slipcore.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-15 11:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"e0de6d50"="C:\WINDOWS\system32\fxjmqnny.dll" [2007-11-17 02:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe" [2005-02-26 11:28]
"System Mechanic Startup Guard"="C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 00:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ozexhdhr]
ozexhdhr.dll 2007-11-17 02:34 145984 C:\WINDOWS\system32\ozexhdhr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayy.dll

S3 SGUARD;SGUARD;\??\C:\WINDOWS\system32\drivers\SGuard.sys
S3 SunkFilt62;Alcor Micro Corp - 6362;\??\C:\WINDOWS\System32\Drivers\sunkfilt62.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 ZSMC303;VIMICRO USB PC Camera (ZC0301PLH);C:\WINDOWS\system32\Drivers\usbVM303.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 23:03:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 10:02:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-17 10:07:02 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-16 13:27
.
--- E O F ---

Last edited by =bEC$=; 16-Nov-2007 at 07:13 PM..
Cookiegal
Administrator & Malware Removal Specialist with 79,220 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
16-Nov-2007, 08:52 PM #9
What are all those cracks listed there? Did you download all of those?
=bEC$=
Member with 82 posts.
 
Join Date: Jul 2006
16-Nov-2007, 09:54 PM #10
No, that's what I'm worried about,
and there were heaps of them!!!
My husband tried to download Prison Break from LimeWire after I told him not to. It was an .exe file and it was only small, then he opened it.
I'm thinking this might be where they all came from; it wasn't long after that things started going strange.

That's the reason why I stopped the Panda scan in the first place. I was wondering why it found all these 'cracks', which I am assuming is another name for a virus. Also, what is a patch? There were lots of those as well.
=bEC$=
Member with 82 posts.
 
Join Date: Jul 2006
17-Nov-2007, 07:42 AM #11
After searching more on this virus (a lot of people here seem to have it) and getting more concerned, I ran a program called 'VundoFix'.
The popups have stopped, and the toolbar has gone; however, I'm still really concerned that my PC has been hacked because of all of those virus files Panda found.

Please help me shed some light on this. This stress is becoming too much for a pregnant woman to handle; I feel like I have been robbed of my computer and I'm worried if/how long they have had access to my computer.

I updated and ran HijackThis and ComboFix again. Here are the logs:

ComboFix 07-11-08.1 - Rebecca 2007-11-17 17:13:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.152 [GMT 11:00]
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\system32\ozexhdhr.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 14:52 <DIR> d-------- C:\VundoFix Backups
2007-11-17 14:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 02:39 85,056 --a------ C:\WINDOWS\system32\fxjmqnny.dll
2007-11-17 02:34 81,984 --a------ C:\WINDOWS\system32\xuggobno.dll
2007-11-17 02:30 71,232 --a------ C:\WINDOWS\system32\tlpvhwac.exe
2007-11-16 20:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-16 13:24 36,352 --a------ C:\WINDOWS\system32\jkkklmn.dll
2007-11-16 13:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 08:14 3,438 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-16 08:13 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-16 08:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-16 08:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-16 08:13 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-16 08:13 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-16 04:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\urqrrsq.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\jkkkljj.dll
2007-11-16 04:35 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-16 04:35 120 --a------ C:\n.bat
2007-11-16 04:34 <DIR> d-------- C:\WINDOWS\system32\rMa18yy
2007-11-16 04:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 18:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-15 18:39 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-15 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Emotum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 17:19 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-16 16:02 --------- d-----w C:\Program Files\Windows Defender
2007-11-16 16:02 --------- d-----w C:\Program Files\QuickTime
2007-11-16 16:02 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-11-16 16:02 --------- d-----w C:\Program Files\MSN Messenger
2007-11-16 15:59 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-11-16 15:57 --------- d-----w C:\Program Files\iTunes
2007-11-16 15:56 --------- d-----w C:\Program Files\Google
2007-11-16 15:55 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-11-15 09:47 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\Skype
2007-11-15 07:52 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\NCH Swift Sound
2007-11-15 07:45 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-15 07:43 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\SlipStream
2007-11-15 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2006-10-02 02:29 1,837 -c--a-w C:\Program Files\DirectX.ini
2006-05-30 13:49 1,124,419 ----a-w C:\Documents and Settings\various installers\wrar34b4.zip
2001-05-10 00:04 162,304 -c--a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2007-11-17_10.05.30.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-17 06:17:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_278.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8201F3FC-F152-4F2F-90BB-B39FBA4358DA}]
C:\Program Files\Windows NT\hopeC:\WINDOWS\system32\k4\mper83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ed80bf2d-8722-4675-95d2-97a133496113}]
2007-11-17 02:34 81984 --a------ C:\WINDOWS\system32\xuggobno.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 06:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 10:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 20:09 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 01:43]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-06-23 12:13]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-07-07 14:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 21:06]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 20:40 C:\WINDOWS\sm56hlpr.exe]
"SlipStream"="C:\Program Files\Dodo Speed Accelerator\slipcore.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-15 11:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"e0de6d50"="C:\WINDOWS\system32\fxjmqnny.dll" [2007-11-17 02:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe" [2005-02-26 11:28]
"System Mechanic Startup Guard"="C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 00:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

S3 SGUARD;SGUARD;\??\C:\WINDOWS\system32\drivers\SGuard.sys
S3 SunkFilt62;Alcor Micro Corp - 6362;\??\C:\WINDOWS\System32\Drivers\sunkfilt62.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 ZSMC303;VIMICRO USB PC Camera (ZC0301PLH);C:\WINDOWS\system32\Drivers\usbVM303.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 06:20:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 17:17:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-17 17:22:22 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 10:07
C:\ComboFix3.txt ... 2007-11-16 13:27
.
--- E O F ---

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:54 PM, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8201F3FC-F152-4F2F-90BB-B39FBA4358DA} - C:\Program Files\Windows NT\hopeC:\WINDOWS\system32\k4\mper83122.exe.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Dodo Speed Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {31169433-1a79-2d59-5764-2278d2fb08de} - {ed80bf2d-8722-4675-95d2-97a133496113} - C:\WINDOWS\system32\xuggobno.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [e0de6d50] rundll32.exe "C:\WINDOWS\system32\fxjmqnny.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rebecca\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by118fd.bay118.hotmail.msn.co...x/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D04817F-6E1F-4C84-BE30-473F0A7698FD}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{52673C3A-A9ED-47AB-830A-407603036CFC}: Domain = nsw.bigpond.net.au
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 9439 bytes
Cookiegal
Administrator & Malware Removal Specialist with 79,220 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
17-Nov-2007, 01:34 PM #12
Please don't do things on your own but await instructions as it can hinder the process.

Please disable Windows Defender's real-time protection as it will interfere with the fix. You can re-enable it when we're finished with the cleanup.
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"


Open Notepad and copy and paste the text in the quote box below into it:

Quote:
File::
C:\WINDOWS\system32\fxjmqnny.dll
C:\WINDOWS\system32\xuggobno.dll
C:\WINDOWS\system32\tlpvhwac.exe
C:\WINDOWS\system32\jkkklmn.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\urqrrsq.dll
C:\WINDOWS\system32\jkkkljj.dll
C:\WINDOWS\mrofinu1000106.exe
C:\n.bat
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\xuggobno.dll
C:\WINDOWS\system32\fxjmqnny.dll

Folder::
C:\WINDOWS\system32\rMa18yy

DirLook::
C:\Documents and Settings\All Users\Application Data\Emotum
C:\WINDOWS\system32\k4

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8201F3FC-F152-4F2F-90BB-B39FBA4358DA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ed80bf2d-8722-4675-95d2-97a133496113}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e0de6d50"=-
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
__________________
Microsoft MVP - Consumer Security
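The CFScript above is built by reading the HijackThis and ComboFix logs for the same few persistence points (a BHO with no real name or a random eight-letter DLL in system32, a Run value that launches such a DLL through rundll32 with a one-letter export, a Winlogon Notify subkey, and an extra entry in the LSA "Authentication Packages" value) and then listing what to delete. As an added example that is not part of this thread, and not ComboFix's, HijackThis's or the forum's own code, the Python script below applies those indicators to a log and drafts the File:: and Registry:: sections in the same layout. The regular expressions and the "7-8 random lowercase letters" rule are my assumptions and will produce false positives on a real machine; the sample lines are constructed from entries in the logs posted earlier in this thread, with the O20 line written in HijackThis's format from the ComboFix Winlogon Notify entry. The LSA finding is reported but deliberately kept out of the drafted script, because that value has to be rewritten to keep msv1_0 rather than deleted. Anything it drafts still needs a person to review it before it goes anywhere near ComboFix.

```python
"""Triage a HijackThis log for Vundo-style persistence and draft a CFScript.
Added example for this thread, not ComboFix's, HijackThis's or the forum's code;
the indicators are assumptions modelled on the entries the helper removed above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# HJT O2/O4/O20 line shapes, plus the LSA line as ComboFix prints it.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.*)$')
# Assumed indicators: 7-8 random lowercase letters in system32 (fxjmqnny.dll),
# a BHO whose "name" is itself a GUID, rundll32 calling a one-letter export.
RANDOM_SYS32 = re.compile(r"^C:\\WINDOWS\\[Ss]ystem32\\[a-z]{7,8}\.(?:dll|exe)$")
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RUNDLL_ONE_LETTER = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,\s*[A-Za-z]$', re.I)
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

@dataclass
class Finding:
    kind: str    # "bho" | "run" | "winlogon_notify" | "lsa"
    detail: str  # CLSID, Run value name, Notify subkey, or package path
    path: str    # file on disk to delete, "" when none is present
    reason: str
    hive: str = ""  # HKLM/HKCU for Run values

def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when it looks benign."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
        if path == "(no file)":
            return None  # orphaned registration, nothing left to load
        on_disk = "" if path.endswith("(file missing)") else path
        if RANDOM_SYS32.match(on_disk):
            return Finding("bho", clsid, on_disk, "BHO loads random-named DLL from system32")
        if name == "(no name)" or GUID_NAME.match(name):
            return Finding("bho", clsid, on_disk, "BHO registered without a real name")
    m = O4_RE.match(line)
    if m:
        r = RUNDLL_ONE_LETTER.match(m.group("cmd"))
        if r and RANDOM_SYS32.match(r.group("dll")):
            return Finding("run", m.group("value"), r.group("dll"),
                           "rundll32 loads random DLL via one-letter export", m.group("hive"))
    m = O20_RE.match(line)
    if m and RANDOM_SYS32.match(m.group("path")):
        return Finding("winlogon_notify", m.group("key"), m.group("path"), "Winlogon Notify DLL with random name")
    m = LSA_RE.match(line)
    if m:
        extra = [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
        if extra:
            return Finding("lsa", extra[0], extra[0], "LSA Authentication Packages lists more than msv1_0")
    return None

def triage(log_text: str) -> List[Finding]:
    return [f for f in map(analyze_line, log_text.splitlines()) if f]

def draft_cfscript(findings: List[Finding]) -> str:
    """File:: and Registry:: sections in the layout the helper used above. LSA findings
    are skipped on purpose: that value must be rewritten to keep msv1_0, not deleted."""
    files, reg = [], []
    for f in findings:
        if f.kind == "lsa":
            continue
        if f.path and f.path not in files:
            files.append(f.path)
        if f.kind == "bho":
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.detail}]")
        elif f.kind == "winlogon_notify":
            reg.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                       f"\\currentversion\\winlogon\\notify\\{f.detail}]")
        elif f.kind == "run":
            reg.append(f"[{RUN_KEYS[f.hive]}]")
            reg.append(f'"{f.detail}"=-')
    return "\n".join(["File::", *files, "", "Registry::", *reg]) + "\n"

# Constructed sample: lines from the logs posted in this thread; the O20 line is
# the ComboFix Winlogon Notify entry rewritten in HJT's O20 format.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {8201F3FC-F152-4F2F-90BB-B39FBA4358DA} - C:\Program Files\Windows NT\hopeC:\WINDOWS\system32\k4\mper83122.exe.dll (file missing)
O2 - BHO: {31169433-1a79-2d59-5764-2278d2fb08de} - {ed80bf2d-8722-4675-95d2-97a133496113} - C:\WINDOWS\system32\xuggobno.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [e0de6d50] rundll32.exe "C:\WINDOWS\system32\fxjmqnny.dll",b
O20 - Winlogon Notify: ozexhdhr - C:\WINDOWS\system32\ozexhdhr.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayy.dll
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(*(f"{f.kind:16}{f.detail:46}{f.reason}" for f in found), sep="\n")
    print(draft_cfscript(found))
```

Run it as-is and it prints the five findings from the sample and a CFScript listing xuggobno.dll, fxjmqnny.dll and ozexhdhr.dll under File:: and the two BHO keys, the Winlogon Notify subkey and the e0de6d50 Run value under Registry::. The "(file missing)" BHO produces a registry removal only, since there is nothing on disk to delete, and the orphaned "(no file)" BHO from the posted log is ignored altogether.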
=bEC$=
Member with 82 posts.
 
Join Date: Jul 2006
17-Nov-2007, 06:46 PM #13
Sorry, I won't use any more 'self help'.

Here are the logs you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:59 AM, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Dodo Speed Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rebecca\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by118fd.bay118.hotmail.msn.co...x/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D04817F-6E1F-4C84-BE30-473F0A7698FD}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{52673C3A-A9ED-47AB-830A-407603036CFC}: Domain = nsw.bigpond.net.au
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 8999 bytes

ComboFix 07-11-08.1 - Rebecca 2007-11-18 9:19:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.147 [GMT 11:00]
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rebecca\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\rMa18yy
C:\WINDOWS\system32\rMa18yy\rMa18yy2328.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 14:52 <DIR> d-------- C:\VundoFix Backups
2007-11-17 14:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 02:39 85,056 --a------ C:\WINDOWS\system32\fxjmqnny.dll
2007-11-17 02:34 81,984 --a------ C:\WINDOWS\system32\xuggobno.dll
2007-11-17 02:30 71,232 --a------ C:\WINDOWS\system32\tlpvhwac.exe
2007-11-16 20:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-16 13:24 36,352 --a------ C:\WINDOWS\system32\jkkklmn.dll
2007-11-16 13:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 08:14 3,438 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-16 08:13 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-16 08:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-16 08:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-16 08:13 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-16 08:13 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-16 04:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\urqrrsq.dll
2007-11-16 04:35 36,352 --a------ C:\WINDOWS\system32\jkkkljj.dll
2007-11-16 04:35 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-16 04:35 120 --a------ C:\n.bat
2007-11-16 04:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 18:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-15 18:39 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-15 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Emotum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 17:19 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-16 16:02 --------- d-----w C:\Program Files\Windows Defender
2007-11-16 16:02 --------- d-----w C:\Program Files\QuickTime
2007-11-16 16:02 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-11-16 16:02 --------- d-----w C:\Program Files\MSN Messenger
2007-11-16 15:59 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-11-16 15:57 --------- d-----w C:\Program Files\iTunes
2007-11-16 15:56 --------- d-----w C:\Program Files\Google
2007-11-16 15:55 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-11-15 09:47 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\Skype
2007-11-15 07:52 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\NCH Swift Sound
2007-11-15 07:45 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-15 07:43 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\SlipStream
2007-11-15 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-10-02 02:29 1,837 -c--a-w C:\Program Files\DirectX.ini
2006-05-30 13:49 1,124,419 ----a-w C:\Documents and Settings\various installers\wrar34b4.zip
2001-05-10 00:04 162,304 -c--a-w C:\Program Files\UNWISE.EXE
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\Emotum ----

2007-11-15 14:30 4164 --a------ C:\Documents and Settings\All Users\Application Data\Emotum\Activation\BP_BASIK81.ini

---- Directory of C:\WINDOWS\system32\k4 ----

C:\WINDOWS\system32\k4\


((((((((((((((((((((((((((((( snapshot@2007-11-17_10.05.30.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-17 22:08:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 06:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 10:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 20:09 C:\WINDOWS\SOUNDMAN.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 01:43]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-06-23 12:13]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-07-07 14:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 21:06]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 20:40 C:\WINDOWS\sm56hlpr.exe]
"SlipStream"="C:\Program Files\Dodo Speed Accelerator\slipcore.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-15 11:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe" [2005-02-26 11:28]
"System Mechanic Startup Guard"="C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 00:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

S3 SGUARD;SGUARD;\??\C:\WINDOWS\system32\drivers\SGuard.sys
S3 SunkFilt62;Alcor Micro Corp - 6362;\??\C:\WINDOWS\System32\Drivers\sunkfilt62.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 ZSMC303;VIMICRO USB PC Camera (ZC0301PLH);C:\WINDOWS\system32\Drivers\usbVM303.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 22:11:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 09:21:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-18 9:23:03
C:\ComboFix2.txt ... 2007-11-17 17:22
C:\ComboFix3.txt ... 2007-11-17 10:07
.
--- E O F ---
Cookiegal
Administrator & Malware Removal Specialist with 79,220 posts.
Join Date: Aug 2003
Location: Quebec, Canada
17-Nov-2007, 09:04 PM #14
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • In the Processes group click ALL
  • In the Win32 Services group click ALL
  • In the Driver Services group click ALL
  • In the Registry group click ALL
  • In the Files Created Within group click 90 days. Make sure Non-Microsoft only is UNCHECKED.
  • In the Files Modified Within group select 90 days. Make sure Non-Microsoft only is UNCHECKED.
  • In the File String Search group click SELECT ALL.
  • In the Additional Scans section please press SELECT ALL.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.
__________________
Microsoft MVP - Consumer Security
=bEC$=
Member with 82 posts.
Join Date: Jul 2006
17-Nov-2007, 11:24 PM #15
WinPFind3 log
Here is the log as requested; again I had to compress it as it was too big to attach otherwise.
All times are GMT -4. The time now is 02:38 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.