
continuous pop-ups and being prompted out of active window

Discussion in 'Virus & Other Malware Removal' started by Bastage, Oct 27, 2007.

  1. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    Logfile of HijackThis v1.99.1
    Scan saved at 11:55:12 AM, on 10/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\blaeapcn.exe
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\SpyNoMore\SNM.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Ryda\My Documents\Scanners\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mtgwxmnq.dll
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\ohgnkwdj.dll",b
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: DomainService - - C:\WINDOWS\system32\blaeapcn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    .........................................

    This is my log file... I'm pretty sure it's
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mtgwxmnq.dll
    that is causing my problem, but I'm lost as to how to correct it... I have shut down all running processes, even Explorer, and checked the problem and selected fix, but it still remains.

    Any help with this would be greatly appreciated.
     
  2. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Howdy Bastage,

    Welcome to TSG. Infection is here, and also the system has SpyNoMore, which has been listed here in the past. So perhaps it is not considered a keeper as far as protective software goes. You can uninstall this through Add/Remove Programs at this time.


    Then Disable Spyware Doctor, as it may interfere with repairs.

    1. Open Spyware Doctor
    2. Click on the 'Settings' button on the left hand panel
    3. Then click on the 'Startup Settings' under 'Pick a Category'
    4. Uncheck the box on the right that says 'Run at Windows Startup'

    Be sure to temporarily disable all other protective software when doing these next steps.

    Download a new copy from here to your desktop, and click the downloaded file to run the repair.

    When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    -------------------------------

    Also Download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.

    NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.


    Then post back a new HijackThis log, along with the combofix.txt and rapport.txt logs please.
     
  3. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    Can't seem to get ComboFix to do a full analysis... after the prompt that a new window will appear to complete the disinfection, I get an error in the second command window stating *sed is not a batch file etc. etc. ...

    This is the rapport:
    SmitFraudFix v2.242

    Scan done at 11:46:58.56, 2007-10-29
    Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    This is my current HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:51, on 2007-10-29
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Ryda\My Documents\Scanners\scanner.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {7E0C533C-7E7F-4AE2-AE2C-36DEEF56A833} - C:\WINDOWS\system32\ssqpo.dll (file missing)
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\tuvusqo.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\xgyfgbdd.dll",b
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
    O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: mtgwxmnq - mtgwxmnq.dll (file missing)
    O20 - Winlogon Notify: tuvusqo - C:\WINDOWS\SYSTEM32\tuvusqo.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    Any further help would be greatly appreciated.
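As an added example (not code from this thread, nor from the HijackThis, SmitfraudFix or ComboFix authors), the script below encodes the judgement calls a helper makes when reading the two HijackThis logs posted above: random-looking eight-letter DLL names in system32, a Trusted Zone stuffed with rogue-AV domains, a service with no owner, and, the strongest signal in both logs, one DLL registered under several hook types at once (BHO plus Winlogon Notify, toolbar plus Winlogon Notify). The sample log is constructed from entries modelled on the thread; the two allowlists and the "looks random" thresholds are assumptions tuned to these logs, not a published rule set, and the result is a triage list for a human to review, not an automatic removal.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, modelled on entries from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mtgwxmnq.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\tuvusqo.dll
O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\xgyfgbdd.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O15 - Trusted Zone: *.trustedantivirus.com
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: mtgwxmnq - mtgwxmnq.dll (file missing)
O20 - Winlogon Notify: tuvusqo - C:\WINDOWS\SYSTEM32\tuvusqo.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\blaeapcn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

VOWELS = set("aeiou")
# Assumed allowlists for the demo: Windows XP's own Winlogon Notify packages, and
# core Windows binaries whose short names would otherwise trip the vowel test.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
KNOWN_WINDOWS = {"svchost", "lsass", "csrss", "smss", "spoolsv", "winlogon", "explorer"}

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")            # "O20 - Winlogon Notify: ..."
FILE_RE = re.compile(r'([^\\/\s"]+)\.(?:dll|exe)\b', re.I)  # basename stems of .dll/.exe paths


@dataclass
class Finding:
    section: str
    severity: str      # "high" or "review"
    reasons: list
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic for generated names such as mtgwxmnq or xgyfgbdd: 5-8 lowercase
    letters with a run of four or more consonants, or almost no vowels at all."""
    if stem in KNOWN_WINDOWS or not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return longest_run >= 4 or vowel_ratio <= 0.2


def triage(log_text: str) -> list:
    """Return one Finding per suspicious HijackThis entry, in log order."""
    entries, hooks = [], defaultdict(set)   # hooks: file stem -> sections referencing it
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        entries.append((section, rest, raw.strip()))
        for stem in FILE_RE.findall(rest):
            hooks[stem.lower()].add(section)

    findings = []
    for section, rest, line in entries:
        stems = FILE_RE.findall(rest)
        high, review = [], []
        if section == "O15":
            high.append("site added to the IE Trusted Zone (rogue-AV installers do this)")
        if section == "O23" and re.search(r"\s-\s-\s", rest):
            high.append("service registered with no owner/company")
        randoms = [s for s in stems if looks_random(s)]
        if randoms:
            high.append("random-looking filename: " + ", ".join(randoms))
        # The same DLL hooked into two different load points (BHO + Winlogon Notify,
        # toolbar + Winlogon Notify) is the pattern both logs in the thread show.
        for s in stems:
            if section in {"O2", "O3", "O20"} and len(hooks[s.lower()]) >= 2:
                high.append(f"{s} is loaded from several hook types: {sorted(hooks[s.lower()])}")
        if section == "O2" and "(no name)" in rest:
            review.append("BHO without a name")
        if section == "O20" and "Winlogon Notify" in rest:
            unknown = [s for s in stems if s.lower() not in KNOWN_NOTIFY]
            if unknown:
                review.append("non-default Winlogon Notify DLL: " + ", ".join(unknown))
        if "(file missing)" in rest and section in {"O2", "O20"}:
            review.append("hook points at a file that no longer exists")
        if high or review:
            findings.append(Finding(section, "high" if high else "review", high + review, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}")
        for r in f.reasons:
            print(f"         - {r}")
```

On the sample, every entry that the helper in this thread would pull out comes back as "high", while the Kaspersky klogon.dll lands in "review" only because it is not a Windows default; that is the intended split, since a name heuristic cannot tell a vendor's logon DLL from a dropped one, and the cross-hook correlation is what separates tuvusqo.dll (BHO and Winlogon Notify) from it.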
     
  4. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    Here is the exact message from the 2nd command window:
    'sed' is not recognized as an internal or external command, operabple program or batch file.
     
  5. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    OK, apologies for the mix-up, but after running it a few times I got it, I think.

    ComboFix 07-10-29.1 - Ryda 2007-10-29 11:56:17.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1548 [GMT -5:00]
    Running from: C:\Documents and Settings\Ryda\My Documents\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\sfsync02.sys
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Ryda\Application Data\WinAntiSpyware 2007
    C:\Documents and Settings\Ryda\Application Data\WinAntiSpyware 2007\Logs\update.log
    C:\Documents and Settings\Ryda\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Ryda\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Ryda\err.log
    C:\Documents and Settings\Ryda\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\Ryda\My Documents\FNTS~1
    C:\Documents and Settings\Ryda\My Documents\MBOLS~1
    C:\Program Files\Common Files\{1420B~1
    C:\Program Files\Common Files\{3420B~1
    C:\Program Files\Common Files\{3420B~1\UnInstall.exe
    C:\Program Files\Common Files\icroso~1.net
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\ISM
    C:\Program Files\ISM\BndDrive5.dll
    C:\Program Files\ISM\bndloader.exe
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\ISM2
    C:\Program Files\ISM2\ISMPack6.exe
    C:\Program Files\Online Services\potef83122.dll
    C:\Program Files\outlook
    C:\Program Files\outlook\p.zip
    C:\Program Files\poolsv
    C:\Program Files\racle~1
    C:\Program Files\svhost
    C:\Program Files\winpop
    C:\RECYCLER\svchost.exe
    C:\temp\0b9
    C:\temp\0b9\tmpTF.log
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\fCOe
    C:\Temp\fCOe\tOasF.log
    C:\temp\iee
    C:\temp\iee\tmpZTF.log
    C:\temp\tn3
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\cs_cache.ini
    C:\WINDOWS\mcroso~1
    C:\WINDOWS\retadpu.exe.bin
    C:\WINDOWS\system32\aiotgbct.exe
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\cbeeg.ini2
    C:\WINDOWS\system32\cbeeg.tmp
    C:\WINDOWS\system32\d3
    C:\WINDOWS\system32\ddbgfygx.ini
    C:\WINDOWS\system32\ddbgfygx.ini2
    C:\WINDOWS\system32\f22
    C:\WINDOWS\system32\f22\bc1224wv.exe
    C:\WINDOWS\system32\fnts~1
    C:\WINDOWS\system32\geebc.dll
    C:\WINDOWS\system32\jdwkngho.ini
    C:\WINDOWS\system32\jdwkngho.tmp
    C:\WINDOWS\system32\mtgwxmnq.dllbox
    C:\WINDOWS\system32\o09PrEz
    C:\WINDOWS\system32\ohgnkwdj.dll
    C:\WINDOWS\system32\opqss.bak1
    C:\WINDOWS\system32\opqss.ini
    C:\WINDOWS\system32\oTt02e
    C:\WINDOWS\system32\oTt02e\oTt02e1065.exe
    C:\WINDOWS\system32\oulxsrxv.dll
    C:\WINDOWS\system32\p8
    C:\WINDOWS\system32\p8\stallbb1.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pegwgksx.ini
    C:\WINDOWS\system32\s2
    C:\WINDOWS\system32\s2\EMDT83122.exe
    C:\WINDOWS\system32\ssqpo.dll
    C:\WINDOWS\system32\uyvvtnqe.exe
    C:\WINDOWS\system32\v1
    C:\WINDOWS\system32\v1\bcb49ene.exe
    C:\WINDOWS\system32\W1
    C:\WINDOWS\system32\W2
    C:\WINDOWS\system32\W3
    C:\WINDOWS\system32\W4
    C:\WINDOWS\system32\W5
    C:\WINDOWS\system32\whlcqxby.dll
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\wnsxs~1
    C:\WINDOWS\system32\xbmgudfh.exe
    C:\WINDOWS\system32\xgyfgbdd.dll
    C:\WINDOWS\system32\xskgwgep.dll
    C:\WINDOWS\system32\xycdd.bak1
    C:\WINDOWS\system32\xycdd.ini2
    C:\WINDOWS\system32\xycdd.tmp
    C:\WINDOWS\system32\ybxqclhw.ini
    C:\WINDOWS\system32\yyadd.bak1
    C:\WINDOWS\system32\yyadd.ini
    C:\WINDOWS\wr.txt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NPF
    -------\LEGACY_PRW76SKS
    -------\LEGACY_SFSYNC02
    -------\DomainService
    -------\sfsync02


    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NPF
    -------\LEGACY_PRW76SKS
    -------\LEGACY_SFSYNC02
    -------\DomainService
    -------\sfsync02


    ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
    .

    2007-10-29 11:47 842 --a------ C:\WINDOWS\system32\tmp.reg
    2007-10-29 11:46 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-10-29 11:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-10-29 11:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-10-29 11:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-10-29 11:46 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-10-29 11:21 589 --a------ C:\WINDOWS\system32\wpvworbo.dll
    2007-10-29 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-29 02:09 34,816 --a------ C:\WINDOWS\system32\vtuttut.dll
    2007-10-28 18:24 13,824 --a------ C:\WINDOWS\plite731.exe
    2007-10-28 18:23 294,668 --a------ C:\WINDOWS\frexup2.exe
    2007-10-27 12:10 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-10-27 11:45 1,152 --a------ C:\WINDOWS\system32\windrv.sys
    2007-10-27 11:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-10-26 19:25 34,816 --------- C:\WINDOWS\system32\tuvusqo.dll
    2007-10-26 19:25 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
    2007-10-19 20:43 <DIR> d-------- C:\Program Files\SpeedFan
    2007-10-19 17:20 <DIR> d-------- C:\Program Files\sunplus
    2007-10-19 17:14 <DIR> d-------- C:\Program Files\Multimedia Transcoding Tool
    2007-10-19 17:13 <DIR> d-------- C:\Program Files\QuickTime Alternative
    2007-10-19 17:11 <DIR> d-------- C:\Program Files\Ringz Studio
    2007-10-16 01:20 <DIR> d-------- C:\Program Files\support.com
    2007-10-16 01:20 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
    2007-10-07 13:26 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
    2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\Ryda\My Games
    2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Microsoft
    2007-09-30 23:43 <DIR> d-------- C:\WINDOWS\system32\3Planesoft
    2007-09-30 23:43 <DIR> d-------- C:\Program Files\3Planesoft Screensaver Manager
    2007-09-30 23:43 6,708,736 --a------ C:\WINDOWS\system32\Ice Clock 3D Screensaver.exe
    2007-09-30 23:43 883,712 --a------ C:\WINDOWS\system32\Ice_Clock_3D_Screensaver.scr
    2007-09-30 23:43 385,024 --a------ C:\WINDOWS\system32\3Planesoft_Screensaver_Manager.scr
    2007-09-30 23:37 3,698,688 --a------ C:\WINDOWS\system32\Sun 3D Screensaver.scr
    2007-09-30 23:35 7,077,888 --a------ C:\WINDOWS\system32\Star Wars 3D Screensaver.scr
    2007-09-30 23:33 7,078,912 --a------ C:\WINDOWS\system32\Space Tunnels 3D Screensaver.scr
    2007-09-30 23:31 14,667,776 --a------ C:\WINDOWS\system32\Solar System 3D Screensaver.scr
    2007-09-30 23:30 7,942,144 --a------ C:\WINDOWS\system32\Planet Earth 3D Screensaver.scr
    2007-09-30 23:03 12,439,552 --a------ C:\WINDOWS\system32\Night City 3D Screensaver.scr
    2007-09-30 23:01 10,301,440 --a------ C:\WINDOWS\system32\Winter 3D Screensaver.scr
    2007-09-30 22:58 20,545,536 --a------ C:\WINDOWS\system32\3D Wild Dolphin Screensaver.scr
    2007-09-30 22:57 10,366,976 --a------ C:\WINDOWS\system32\3D Waterfall Screensaver.scr
    2007-09-30 22:54 722,944 --a------ C:\WINDOWS\system32\Sea Storm 3D Screensaver.scr
    2007-09-30 22:51 8,724,480 --a------ C:\WINDOWS\system32\Sea Voyage 3D Screensaver.scr
    2007-09-30 22:45 10,403,840 --a------ C:\WINDOWS\system32\Mountain Lake 3D Screensaver.scr
    2007-09-30 22:43 <DIR> d-------- C:\Documents and Settings\Ryda\Application Data\TERMINAL Studio
    2007-09-30 22:43 16,277,504 --a------ C:\WINDOWS\system32\Marine Life 3D Screensaver.scr
    2007-09-30 22:43 92,216 --a------ C:\WINDOWS\system32\bass.dll
    2007-09-30 22:41 5,222,400 --a------ C:\WINDOWS\system32\Lighthouse 3D Screensaver.scr
    2007-09-30 22:39 8,773,632 --a------ C:\WINDOWS\system32\Japanese Garden 3D Screensaver.scr
    2007-09-30 22:36 9,261,056 --a------ C:\WINDOWS\system32\Green Valley 3D Screensaver.scr
    2007-09-30 22:30 4,751,360 --a------ C:\WINDOWS\system32\Forest Life 3D Screensaver.scr
    2007-09-30 22:29 8,622,080 --a------ C:\WINDOWS\system32\Flower Clock 3D Screensaver.scr
    2007-09-30 22:26 8,663,040 --a------ C:\WINDOWS\system32\Fish Aquarium 3D Screensaver.scr
    2007-09-30 22:21 7,331,840 --a------ C:\WINDOWS\system32\3D Bungalow Aquarium Screensaver.scr
    2007-09-30 22:19 21,061,632 --a------ C:\WINDOWS\system32\Golden Autumn 3D Screensaver.scr
    2007-09-30 22:15 <DIR> d-------- C:\Program Files\screensavers
    2007-09-30 22:15 <DIR> d-------- C:\Program Files\Astro Gemini Software
    2007-09-30 22:15 15,486,976 --a------ C:\WINDOWS\system32\Atlantis 3D Screensaver.scr
    2007-09-30 22:15 528,384 --a------ C:\WINDOWS\system32\Astro Gemini Screensaver Manager.scr
    2007-09-30 16:02 6,986 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
    2007-09-30 16:01 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
    2007-09-30 15:53 <DIR> d-------- C:\Program Files\EA SPORTS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-29 17:06 81,186,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-29 17:06 129,920 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-10-29 17:06 1,373,728 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-10-29 17:06 1,079,444 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-10-29 03:26 --------- d-----w C:\Documents and Settings\Ryda\Application Data\uTorrent
    2007-10-28 23:56 --------- d-----w C:\Program Files\Spyware Doctor
    2007-10-27 11:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2007-10-21 21:49 --------- d-----w C:\Program Files\PhoTags Express
    2007-10-19 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-19 22:13 --------- d-----w C:\Program Files\Media Player Classic
    2007-10-19 22:13 --------- d-----w C:\Documents and Settings\Ryda\Application Data\Apple Computer
    2007-10-19 22:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-19 22:11 --------- d-----w C:\Program Files\Common Files\Real
    2007-10-15 23:44 --------- d-----w C:\Program Files\WoW
    2007-09-30 22:57 --------- d-----w C:\Program Files\Viewpoint
    2007-09-30 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-09-30 21:02 --------- d-----w C:\Program Files\Electronic Arts
    2007-09-26 00:54 --------- d-----w C:\Program Files\MSN Messenger
    2007-09-21 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2003-08-16 18:56:00 579,584 --sha-r C:\WINDOWS\system32\cd.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
    2007-10-26 19:25 34816 --------- C:\WINDOWS\system32\tuvusqo.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
    "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 02:17]
    "SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
    "plite731"="C:\WINDOWS\plite731.exe" [2007-10-29 02:09]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
    "ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-14 15:38:43]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2007-04-08 18:03 77824]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 11:58 77824]
    "{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\tuvusqo.dll [2007-10-26 19:25 34816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-02-27 11:24 159744 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-29 03:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mtgwxmnq]
    mtgwxmnq.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusqo]
    tuvusqo.dll 2007-10-26 19:25 34816 C:\WINDOWS\system32\tuvusqo.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
    C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
    c:\dell\bldbubg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1134124099\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P and now I post my Hijack log]
    C:\WINDOWS\system32\warez.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
    C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]
    C:\Program Files\MediaGateway\MediaGateway.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntdp]
    C:\WINDOWS\system32\ntdp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secure Folder Hider Pro]
    C:\Program Files\RS Secure Folder Hider Pro Full\sfhpf.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\skmsg]
    C:\WINDOWS\system32\skmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    C:\DOCUME~1\Ryda\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTray]
    C:\Program Files\paytime.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
    C:\winstall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wisk]
    C:\WINDOWS\system32\wisk.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "EA Core"=C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SAClient"="C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe" /admincheck
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

    R1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
    R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
    S1 SABDIFSV;SABDIFSV;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
    S3 CA500AI;Chameleon XP Digital Camera;C:\WINDOWS\system32\Drivers\LG_BULK.sys
    S3 CA500AV;Chameleon XP Video Camera;C:\WINDOWS\system32\DRIVERS\CA500AV.SYS
    S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys
    S4 EvenSystems;EvenSystems;c:\Recycler\svchost.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command - F:\Autorun\UbiAutorun.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-26 22:26:05 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-29 12:09:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-29 12:13:25 - machine was rebooted
    .
    --- E O F ---
     
  6. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Good you got that ComboFix going, and the logs are showing both a good bit removed and the seriousness of the infection remaining. There is a unique startup that here is being obscured by that Kaspersky setting - do you still have Kaspersky Internet Security 6.0 installed here? If so, we will need to get a way to surgically remove what right now is a hidden registry entry.
     
  7. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    Yes, I have Kaspersky still installed but it is only active when I prompt it... I have been running it a lot so the analysis may have been produced after a reboot with Kaspersky... I'm still getting the occasional pop up and for some reason now my toolbar totally defaults every time I reboot now
     
  8. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    The system still is fairly infected. The question on Kaspersky is more an issue of how to swap out a registry key where infection appears to be "hiding next to" Kaspersky. If the change causes any issues we'll make a registry backup you can click/merge if needed to undo changes there. You have many startups disabled by different means there, especially msconfig. One item disabled is known to not only suggest attempts to download pirate software but is known to be installed when folks download illegal software (odd sense of humor by the bad guys). Suggests some of these problems are self-inflicted.

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P and now I post my Hijack log]
    C:\WINDOWS\system32\warez.exe



    Make very sure all protective software is disabled while doing these steps - very high chance it will interfere with repairs there.


    As you are about to make registry changes, you will need to backup the registry to have if needed. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup (not to a temp folder). Close the Registry Editor. Backup is just a sound precaution when making any registry changes.


    Code:
    Regedit4
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"
    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it aifixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

    -----------------------------

    Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

    Code:
    KILLALL::
    Driver::
    EvenSystems
    File::
    C:\Program Files\paytime.exe
    C:\winstall.exe
    C:\WINDOWS\system32\wisk.exe
    C:\WINDOWS\system32\ntdp.exe
    C:\WINDOWS\system32\warez.exe
    C:\WINDOWS\system32\wpvworbo.dll
    C:\WINDOWS\system32\vtuttut.dll
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\system32\windrv.sys
    Folder::
    c:\Recycler
    C:\Program Files\Ringz Studio
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "plite731"=-
    "StormCodec_Helper"=-
    "SNM"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISMPack6"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mtgwxmnq]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusqo] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\skmsg]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wisk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntdp]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P and now I post my Hijack log]
    Save this as "CFScript"

    (include the "quotation marks" with the name)


    [image]

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.


    Post back a new HijackThis log and the ComboFix.txt log please.
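The helper's script above singles out autostarts by where they run from (the drive root, the Program Files root, Recycler, random-looking DLL names in system32) and by the AppInit_DLLs value next to Kaspersky. As an added example, not part of this thread or of ComboFix, the Python below applies those same cues to a ComboFix-style "Reg Loading Points" excerpt; the sample log lines are copied from this thread, while the heuristic names and thresholds are my own assumptions.

```python
"""Triage autostart entries from a ComboFix-style 'Reg Loading Points' excerpt.

Added example, not part of the thread or of ComboFix. The log lines below are
copied from this thread's logs; the heuristics encode the cues the helper used
(executables launched from the drive root, the Program Files root or Recycler,
random-looking eight-letter names in system32, a populated AppInit_DLLs value)
and their thresholds are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9dc02a5d-c7db-44cf-8576-b1f70900adee}]
2007-11-03 16:11 81472 --a------ C:\WINDOWS\system32\rnpqyfjb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"1420bae1"="C:\WINDOWS\system32\shnahylb.dll" [2007-11-03 16:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTray]
C:\Program Files\paytime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe

R1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S4 EvenSystems;EvenSystems;c:\Recycler\svchost.exe
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "name"=value
SERVICE_RE = re.compile(r'^[RS]\d+\s+([^;]+);[^;]*;(.+)$')  # R1 name;display;path
PATH_RE = re.compile(r'(?i)([a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys|bat|scr|com))')
RANDOM_STEM_RE = re.compile(r'\\system32\\([a-z]{8})\.(?:dll|exe)$')
VOWELS = set('aeiou')


@dataclass
class Finding:
    source: str    # registry key, value name or service the entry came from
    path: str      # the file the entry launches, as written in the log
    reasons: list


def assess_path(path):
    """Return the location heuristics (assumed thresholds) that a launch path trips."""
    p = path.lower()
    reasons = []
    if re.fullmatch(r'[a-z]:\\[^\\]+', p):
        reasons.append('executable sits directly in the drive root')
    if re.fullmatch(r'[a-z]:\\program files\\[^\\]+', p):
        reasons.append('executable sits directly in the Program Files root, not in a vendor folder')
    if '\\recycler\\' in p:
        reasons.append('runs from the Recycle Bin folder')
    m = RANDOM_STEM_RE.search(p)
    if m and sum(c in VOWELS for c in m.group(1)) <= 2:
        reasons.append('random-looking eight-letter file name in system32')
    return reasons


def triage(log_text):
    """Return a Finding for every autostart line that trips at least one heuristic."""
    findings = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)  # following lines belong to this key
            continue
        name, value = '', line
        vm = VALUE_RE.match(line)
        if vm:
            name, value = vm.group(1), vm.group(2).strip()
        sm = SERVICE_RE.match(line)
        if sm:
            source = f'service {sm.group(1)}'
        else:
            source = f'{current_key} :: {name}' if name else current_key
        pm = PATH_RE.search(line)
        path = pm.group(1) if pm else ''
        reasons = assess_path(path) if path else []
        if name.lower() == 'appinit_dlls' and value:
            reasons.append('AppInit_DLLs is populated: each listed DLL is loaded into '
                           'every process that loads user32.dll')
            if value.startswith(','):
                reasons.append('value starts with a separator, so the visible DLL is not the first entry')
        if reasons:
            findings.append(Finding(source, path, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.source}\n    {f.path}')
        for r in f.reasons:
            print(f'      - {r}')
```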
     
  9. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    Sorry for the delay, appreciate your time and assistance with help... had some RL matters to attend to... here are my ComboFix & HijackThis logs

    ComboFix 07-10-29.1 - Ryda 2007-11-03 16:12:30.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1532 [GMT -5:00]
    Running from: C:\Documents and Settings\Ryda\My Documents\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Ryda\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\Program Files\paytime.exe
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\system32\ntdp.exe
    C:\WINDOWS\system32\vtuttut.dll
    C:\WINDOWS\system32\warez.exe
    C:\WINDOWS\system32\windrv.sys
    C:\WINDOWS\system32\wisk.exe
    C:\WINDOWS\system32\wpvworbo.dll
    C:\winstall.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Ryda\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Ryda\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Ryda\Favorites\Online Security Guide.lnk
    C:\Program Files\Ringz Studio
    C:\Program Files\Ringz Studio\Storm Codec\AviC.exe
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\aac_ps.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\atidvdv.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\CFLAC.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\CoreAVC.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\DmoDec.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\DVDNavExt.exe
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\dxr.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\empgdmx.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\FCZip.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_kerneldeint.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_liba52.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_libdts.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_realaac.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_samplerate.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\ff_tremor.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\h264dec.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\languages\ffdshow.1033.en
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\languages\ffdshow.2052.sc
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\libavcodec.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\libmplayer.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\MACDec.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\MASource.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\mkunicode.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\mkx.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\mkzlib.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\mlcom.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\mp4.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\nvviddec.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\ogm.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\RLMPCDec.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\RMSplt.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\splitter.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\tomsmocomp_ff.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\TRLDRP6.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\TTASplt.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\TTL2Dec.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\VgmAudio.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\vgmbgr.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\VgmSplt.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\vgmv2k2.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\Vid1Dec.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\VSFilter.dll
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\xebdec.ax
    C:\Program Files\Ringz Studio\Storm Codec\Codecs\xebnav.ax
    C:\Program Files\Ringz Studio\Storm Codec\ebaylink.ico
    C:\Program Files\Ringz Studio\Storm Codec\GSpot.exe
    C:\Program Files\Ringz Studio\Storm Codec\GSpot25.dat
    C:\Program Files\Ringz Studio\Storm Codec\keys.dat
    C:\Program Files\Ringz Studio\Storm Codec\mplayerc.exe
    C:\Program Files\Ringz Studio\Storm Codec\Plugins\nppl3260.dll
    C:\Program Files\Ringz Studio\Storm Codec\Plugins\nppl3260.xpt
    C:\Program Files\Ringz Studio\Storm Codec\Plugins\npqtplugin.dll
    C:\Program Files\Ringz Studio\Storm Codec\Plugins\nprpjplug.dll
    C:\Program Files\Ringz Studio\Storm Codec\Plugins\nsIQTScriptablePlugin.xpt
    C:\Program Files\Ringz Studio\Storm Codec\Plugins\nsJSRealPlayerPlugin.xpt
    C:\Program Files\Ringz Studio\Storm Codec\Plugins\QuickTimePlugin.class
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CFCharacterSetBitmaps.bitmap
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.Resources\CoreVideo.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.Resources\en.lproj\CoreVideoLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\CoreVideo.Resources\zh_CN.lproj\CoreVideoLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QTCheck.ocx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QTPlugi0.ocx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.cpl
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.qts
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.Resources\QuickTime.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime.Resources\zh_CN.lproj\QuickTimeLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.Resources\en.lproj\QuickTime3GPPLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.Resources\QuickTime3GPP.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTime3GPP.Resources\zh_CN.lproj\QuickTime3GPPLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.Resources\QuickTimeAudioSupport.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeAudioSupport.Resources\zh_CN.lproj\QuickTimeAudioSupportLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.Resources\en.lproj\QuickTimeEssentialsLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.Resources\QuickTimeEssentials.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeEssentials.Resources\zh_CN.lproj\QuickTimeEssentialsLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.Resources\en.lproj\QuickTimeH264Localized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.Resources\QuickTimeH264.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeH264.Resources\zh_CN.lproj\QuickTimeH264Localized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.Resources\en.lproj\QuickTimeInternetExtrasLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.Resources\QuickTimeInternetExtras.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeInternetExtras.Resources\zh_CN.lproj\QuickTimeInternetExtrasLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.Resources\en.lproj\QuickTimeMPEG4Localized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.Resources\QuickTimeMPEG4.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeMPEG4.Resources\zh_CN.lproj\QuickTimeMPEG4Localized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.Resources\QuickTimeStreaming.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreaming.Resources\zh_CN.lproj\QuickTimeStreamingLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.Resources\en.lproj\QuickTimeStreamingExtrasLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.Resources\QuickTimeStreamingExtras.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeStreamingExtras.Resources\zh_CN.lproj\QuickTimeStreamingExtrasLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.Resources\en.lproj\QuickTimeVRLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.Resources\QuickTimeVR.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeVR.Resources\zh_CN.lproj\QuickTimeVRLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.qtx
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.Resources\en.lproj\QuickTimeWebHelperLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.Resources\QuickTimeWebHelper.qtr
    C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QuickTimeWebHelper.Resources\zh_CN.lproj\QuickTimeWebHelperLocalized.qtr
    C:\Program Files\Ringz Studio\Storm Codec\stormicl.dll
    C:\Program Files\Ringz Studio\Storm Codec\stormicl.txt
    C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe
    C:\Program Files\Ringz Studio\Storm Codec\uninst6.04.08.exe
    c:\Recycler
    c:\Recycler\S-1-5-18\desktop.ini
    c:\Recycler\S-1-5-18\INFO2
    c:\Recycler\S-1-5-21-735536637-386832627-3918677628-1006\desktop.ini
    c:\Recycler\S-1-5-21-735536637-386832627-3918677628-1006\INFO2
    c:\Recycler\S-1-5-21-735536637-386832627-3918677628-501\desktop.ini
    c:\Recycler\S-1-5-21-735536637-386832627-3918677628-501\INFO2
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\system32\blyhanhs.ini
    C:\WINDOWS\system32\blyhanhs.ini2
    C:\WINDOWS\system32\hjjlm.bak1
    C:\WINDOWS\system32\hjjlm.ini
    C:\WINDOWS\system32\hjjlm.ini2
    C:\WINDOWS\system32\hjjlm.tmp
    C:\WINDOWS\system32\iratuxpm.ini
    C:\WINDOWS\system32\mljjh.dll
    C:\WINDOWS\system32\mpkvsahj.ini
    C:\WINDOWS\system32\mpkvsahj.ini2
    C:\WINDOWS\system32\mpxutari.dll
    C:\WINDOWS\system32\ounyjmph.exe
    C:\WINDOWS\system32\qbmyreme.exe
    C:\WINDOWS\system32\rickadnx.exe
    C:\WINDOWS\system32\rxdvdctn.exe
    C:\WINDOWS\system32\trkuqvei.dllbox
    C:\WINDOWS\system32\windrv.sys
    C:\WINDOWS\system32\wlbosshc.dll
    C:\WINDOWS\system32\wpvworbo.dll
    C:\WINDOWS\system32\yrwbilfo.ini
    C:\WINDOWS\system32\yrwbilfo.ini2
    C:\WINDOWS\system32\yrwbilfo.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_EVENSYSTEMS
    -------\DomainService
    -------\EvenSystems


    ((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
    .

    2007-11-03 16:11 81,472 --a------ C:\WINDOWS\system32\rnpqyfjb.dll
    2007-11-03 16:08 87,616 --a------ C:\WINDOWS\system32\shnahylb.dll
    2007-11-03 12:37 87,616 --a------ C:\WINDOWS\system32\gxakyqqh.dll
    2007-11-03 12:28 87,616 --a------ C:\WINDOWS\system32\jhasvkpm.dll
    2007-11-03 00:30 87,616 --a------ C:\WINDOWS\system32\oflibwry.dll
    2007-11-03 00:24 87,616 --a------ C:\WINDOWS\system32\clktdbir.dll
    2007-11-03 00:19 <DIR> d-------- C:\Documents and Settings\Ryda\Application Data\DAEMON Tools Pro
    2007-11-03 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
    2007-11-03 00:17 340,032 --a------ C:\WINDOWS\system32\slwgsoxj.dll
    2007-11-02 23:55 87,616 --------- C:\WINDOWS\system32\rlxqysnh.dll
    2007-11-02 23:44 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
    2007-11-02 23:43 340,032 --a------ C:\WINDOWS\system32\knmuvssc.dll
    2007-11-02 04:30 589 --a------ C:\WINDOWS\system32\uimsgoup.dll
    2007-10-31 21:10 340,032 --a------ C:\WINDOWS\system32\nksyutmp.dll
    2007-10-31 17:37 340,032 --a------ C:\WINDOWS\system32\wvbphgus.dll
    2007-10-29 15:54 589 --a------ C:\WINDOWS\system32\xtfuajif.dll
    2007-10-29 11:47 842 --a------ C:\WINDOWS\system32\tmp.reg
    2007-10-29 11:46 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-10-29 11:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-10-29 11:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-10-29 11:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-10-29 11:46 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-10-29 11:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-28 18:23 294,668 --a------ C:\WINDOWS\frexup2.exe
    2007-10-27 12:10 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-10-27 11:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-10-19 20:43 <DIR> d-------- C:\Program Files\SpeedFan
    2007-10-19 17:20 <DIR> d-------- C:\Program Files\sunplus
    2007-10-19 17:14 <DIR> d-------- C:\Program Files\Multimedia Transcoding Tool
    2007-10-19 17:13 <DIR> d-------- C:\Program Files\QuickTime Alternative
    2007-10-16 01:20 <DIR> d-------- C:\Program Files\support.com
    2007-10-16 01:20 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
    2007-10-07 13:26 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
    2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\Ryda\My Games
    2007-10-07 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Microsoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-03 21:22 83,593,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-03 21:21 1,407,520 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-11-03 21:19 134,048 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-11-03 21:19 1,120,580 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-03 20:58 --------- d-----w C:\Documents and Settings\Ryda\Application Data\uTorrent
    2007-11-03 04:34 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-11-03 04:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-03 04:31 --------- d-----w C:\Program Files\TrojanHunter 4.7
    2007-10-28 23:56 --------- d-----w C:\Program Files\Spyware Doctor
    2007-10-27 11:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2007-10-21 21:49 --------- d-----w C:\Program Files\PhoTags Express
    2007-10-19 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-19 22:13 --------- d-----w C:\Program Files\Media Player Classic
    2007-10-19 22:13 --------- d-----w C:\Documents and Settings\Ryda\Application Data\Apple Computer
    2007-10-19 22:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-19 22:11 --------- d-----w C:\Program Files\Common Files\Real
    2007-10-15 23:44 --------- d-----w C:\Program Files\WoW
    2007-10-01 05:08 --------- d-----w C:\Program Files\screensavers
    2007-10-01 04:43 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
    2007-10-01 04:03 --------- d-----w C:\Program Files\Astro Gemini Software
    2007-10-01 03:43 --------- d-----w C:\Documents and Settings\Ryda\Application Data\TERMINAL Studio
    2007-09-30 22:57 --------- d-----w C:\Program Files\Viewpoint
    2007-09-30 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-09-30 21:02 --------- d-----w C:\Program Files\Electronic Arts
    2007-09-30 20:53 --------- d-----w C:\Program Files\EA SPORTS
    2007-09-26 00:54 --------- d-----w C:\Program Files\MSN Messenger
    2007-09-21 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2003-08-16 18:56:00 579,584 --sha-r C:\WINDOWS\system32\cd.exe
    .

    ((((((((((((((((((((((((((((( [email protected]_12.11.36.73 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-12-12 05:15:08 34,308 ----a-w C:\WINDOWS\system32\BASSMOD.dll
    + 2007-11-03 05:18:58 9,728 ----a-w C:\WINDOWS\system32\BASSMOD.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9dc02a5d-c7db-44cf-8576-b1f70900adee}]
    2007-11-03 16:11 81472 --a------ C:\WINDOWS\system32\rnpqyfjb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
    "1420bae1"="C:\WINDOWS\system32\shnahylb.dll" [2007-11-03 16:08]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
    "DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 08:08]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-14 15:38:43]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2007-04-08 18:03 77824]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 11:58 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-02-27 11:24 159744 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-29 03:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\trkuqvei]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
    C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
    c:\dell\bldbubg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1134124099\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
    C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]
    C:\Program Files\MediaGateway\MediaGateway.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secure Folder Hider Pro]
    C:\Program Files\RS Secure Folder Hider Pro Full\sfhpf.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    C:\DOCUME~1\Ryda\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTray]
    C:\Program Files\paytime.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "EA Core"=C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SAClient"="C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe" /admincheck
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

    R1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
    R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
    S1 SABDIFSV;SABDIFSV;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
    S3 CA500AI;Chameleon XP Digital Camera;C:\WINDOWS\system32\Drivers\LG_BULK.sys
    S3 CA500AV;Chameleon XP Video Camera;C:\WINDOWS\system32\DRIVERS\CA500AV.SYS
    S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command - F:\Autorun\UbiAutorun.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-02 22:17:29 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 16:21:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-03 16:23:44 - machine was rebooted
    C:\ComboFix2.txt ... 2007-10-31 18:13
    C:\ComboFix3.txt ... 2007-10-29 12:13
    .
    --- E O F ---
     
  10. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    Wouldn't let me post both logs in 1 reply...

    Logfile of HijackThis v1.99.1
    Scan saved at 4:26:46 PM, on 11/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Ryda\My Documents\Scanners\scanner.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: {eeda0090-7f1b-6758-fc44-bd7cd5a20cd9} - {9dc02a5d-c7db-44cf-8576-b1f70900adee} - C:\WINDOWS\system32\rnpqyfjb.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\shnahylb.dll",b
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
    O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: trkuqvei - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
     
  11. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    More hidden infection activity now showing, but still quite a bit to go. Looks like we are working against an installed software there, and plenty of the recent infection activity centers around that DAEMON Tools Pro software. This sells for 35 Eu ($50 USD). Daemon's free version is known for bringing the WhenU adware/search hijacker install but not more than that. Is this a paid-for version?
     
  12. Bastage

    Bastage Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    8
    It's the Pro Advanced version... don't think it is the demo or free version
     
  13. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    It has a startup key value, so be sure to open it and disable it, and if the option is there disable the startup for it as well. Also make sure to disable SpywareDoctor and SuperAntiSpyware for any steps we do here now.

    Had been informed of that Anti-Blaxx software, showing here, in the past, and its use to bypass legit security settings to make unauthorized game/CD copies. I did a quick check on that - uses a unique tool called SubInACL to literally change the ACEs (Access Control Entries - your registry security system) on any key it wants, and appears to create a temp user as well to perform its deeds, with the astute warning:

    2. The use of Anti-Blaxx on own danger.

    Now there is something I am sure to trust and install. This system also has many startups disabled through msconfig, and it appears perhaps SpyBot as well. To do a complete cleaning here at some point these will need to be re-enabled at least once, but not just yet.


    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
      00
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"
    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it twofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry. You already created a registry backup to use if ever needed.

    ----------------------------------

    Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

    Code:
    KILLALL
    File::
    C:\WINDOWS\system32\rnpqyfjb.dll
    C:\WINDOWS\system32\shnahylb.dll
    C:\WINDOWS\system32\gxakyqqh.dll
    C:\WINDOWS\system32\jhasvkpm.dll
    C:\WINDOWS\system32\oflibwry.dll
    C:\WINDOWS\system32\clktdbir.dll
    C:\WINDOWS\system32\slwgsoxj.dll
    C:\WINDOWS\system32\rlxqysnh.dll
    C:\WINDOWS\system32\knmuvssc.dll
    C:\WINDOWS\system32\uimsgoup.dll
    C:\WINDOWS\system32\nksyutmp.dll
    C:\WINDOWS\system32\wvbphgus.dll
    C:\WINDOWS\system32\xtfuajif.dll
    C:\WINDOWS\system32\mljjh.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9dc02a5d-c7db-44cf-8576-b1f70900adee}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1420bae1"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\trkuqvei] 
    Save this as "CFScript"

    (include the "quotation marks" with the name)


    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    ---------------------------------

    Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


    Then post back a new HijackThis log, the ComboFix.txt log along with the Kaspersky log please.
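    The .reg fix above restores the LSA "Authentication Packages" value to msv1_0 alone (dropping the mljjh.dll entry the ComboFix log showed) and the CFScript removes the randomly named DLLs from the HijackThis log. The Python below is an added example, not code from this thread or from HijackThis, ComboFix or any other tool named here. It does two things a helper otherwise does by eye: it triages HijackThis lines for the indicators singled out in this thread (a BHO named only by a bare CLSID, a rundll32 autostart of a random 8-letter DLL, Trusted Zone additions, AppInit_DLLs, a Winlogon Notify entry with no DLL file), and it encodes and decodes the REG_MULTI_SZ hex(7) form so you can confirm the .reg line really contains only msv1_0. The sample log lines are constructed from entries posted in this thread, and the "8 lowercase letters" random-name test is a heuristic of this example, not a rule from HijackThis.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample (assumed input): a few lines of the kind of HijackThis
# output posted in this thread, embedded so the triage runs offline.
SAMPLE_HJT_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: {eeda0090-7f1b-6758-fc44-bd7cd5a20cd9} - {9dc02a5d-c7db-44cf-8576-b1f70900adee} - C:\WINDOWS\system32\rnpqyfjb.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [1420bae1] rundll32.exe "C:\WINDOWS\system32\shnahylb.dll",b
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: ,"C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: trkuqvei - C:\WINDOWS\
"""

# The "Authentication Packages" value from the .reg fix in this thread,
# including the backslash line wrap regedit uses when exporting.
THREAD_AUTH_PACKAGES = (
    "hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n"
    "  00"
)

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RANDOM_STEM = re.compile(r"^[a-z]{8}$")  # heuristic: 8 random lowercase letters
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
DLL_PATH = re.compile(r'([A-Za-z]:\\[^"\s,]+\.dll)', re.I)


def _stem(path: str) -> str:
    """Lower-case file name without extension (Windows path semantics)."""
    return ntpath.basename(path).rsplit(".", 1)[0].lower()


def triage_hijackthis(log: str) -> List[Dict[str, str]]:
    """Return the HijackThis lines a removal helper would look at first."""
    findings: List[Dict[str, str]] = []

    def flag(section: str, item: str, reason: str) -> None:
        findings.append({"section": section, "item": item, "reason": reason})

    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2" and rest.startswith("BHO:"):
            parts = [p.strip() for p in rest[len("BHO:"):].split(" - ", 2)]
            if len(parts) == 3:
                name, _clsid, path = parts
                if GUID.match(name):
                    flag(section, path, "BHO named by a bare CLSID, not a product name")
                if RANDOM_STEM.match(_stem(path)):
                    flag(section, path, "BHO DLL has a random-looking 8-letter name")
        elif section == "O4":
            km = re.search(r"\[[^\]]+\] (.*)", rest)
            if km and "rundll32" in km.group(1).lower():
                dm = DLL_PATH.search(km.group(1))
                if dm and RANDOM_STEM.match(_stem(dm.group(1))):
                    flag(section, km.group(1), "rundll32 autostart of a random-looking DLL")
        elif section == "O15" and rest.startswith("Trusted Zone:"):
            flag(section, rest[len("Trusted Zone:"):].strip(),
                 "site added to the IE Trusted Zone; confirm you added it yourself")
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            value = rest[len("AppInit_DLLs:"):].strip()
            if value.strip(","):  # ignore an empty value or a lone comma
                flag(section, value, "AppInit_DLLs loads this into every GUI process; confirm it")
        elif section == "O20" and rest.startswith("Winlogon Notify:"):
            name, _, path = (s.strip() for s in rest[len("Winlogon Notify:"):].partition(" - "))
            if not path.lower().endswith(".dll") or RANDOM_STEM.match(name):
                flag(section, name, "Winlogon Notify entry with no DLL file or a random-looking name")
    return findings


def encode_reg_multi_sz(values: List[str]) -> str:
    """REG_MULTI_SZ as .reg 'hex(7)': each string UTF-16LE + NUL, then a final NUL."""
    data = "".join(v + "\x00" for v in values).encode("utf-16-le") + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_reg_multi_sz(hex7: str) -> List[str]:
    """Inverse of encode_reg_multi_sz; tolerates regedit's backslash line wraps."""
    body = hex7.split(":", 1)[1].replace("\\\r\n", "").replace("\\\n", "")
    data = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def authentication_packages_clean(hex7: str) -> bool:
    """True when the LSA value lists only Windows' own msv1_0 package."""
    return decode_reg_multi_sz(hex7) == ["msv1_0"]


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f"{f['section']:>4}  {f['reason']}: {f['item']}")
    print("fix restores msv1_0 only:", authentication_packages_clean(THREAD_AUTH_PACKAGES))
```

    Run as-is it prints seven findings for the sample (the klogon.dll, PCTools and Logitech entries are not flagged) and confirms the thread's hex(7) line decodes to msv1_0 alone; feeding encode_reg_multi_sz a two-entry list such as msv1_0 plus a DLL path shows what the infected value looked like before the fix.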
     
Short URL to this thread: https://techguy.org/644267
