Help..IE pop up ask to connect work offline


lynnw196 (Thread Starter):
Hi, my wife's computer is going crazy. I have read posts and tried a few things, which found a few viruses. She uses AOL (says easy e-mail), but when she is online she keeps getting pop-up ads, and boxes keep coming up asking if she wants to connect or work offline. I have tried some of the suggestions I read here but no such luck. I took it upon myself to download HijackThis, and have tried Dr.Web and Ad-Aware SE. Any help would be appreciated. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:08 PM, on 8/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Web Buying\v1.8.2\webbuying.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WebArmyKnife] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for WebArmyKnife.zip\WAK.exe q
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl84bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzdGkgV2hpdHNpdHQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hello lynnw196,

First off, I have some bad news for you. Your computer has been infected with a backdoor trojan. This is a type of malware that allows a hacker to remotely access and potentially compromise all aspects of your computer. This means that the hacker has access to any files, passwords, or other sensitive data that you have stored on this computer. I would recommend that you find another clean computer and change any passwords that have ever been entered on the compromised machine. In addition, you should take any steps that you would otherwise take in the case of attempted identity theft, as the hacker can take pretty much whatever they want when they have compromised your computer to this degree. For now, though, we are going to move on with the process of cleaning up your computer.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

lynnw196 (Thread Starter):
Thanks for the insight and help; working the password issue from my laptop. I did what you asked, and here are the results I ended up with. Thanks again for helping.

Uninstall_list.txt:
ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
ArcSoft Picture Software
Blues Clues School
CleanUp!
Collegio Football 2007
Direct Show Ogg Vorbis Filter (remove only)
FaxTools
Flash Slideshow Maker Pro 4.32
HijackThis 1.99.1
HP Deskjet printer preloaded drivers
HP Digital Imaging Album Printing 1.0
HP Instant Support
HP Memories Disc
HP Multimedia Keyboard Software
HP Photo and Imaging 1.2 - Photosmart Cameras
HP Photosmart printers preloaded drivers
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
JumpStart Artist
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark X1100 Series
Lexmark X125
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lottso! Deluxe
Macromedia Shockwave Player
Mahjongg Fortuna Promo
Microsoft .NET Framework (English) v1.0.3705
Microsoft Office Professional Edition 2003
Minigolf Lost Island
Mozilla Firefox (1.5.0.12)
MrCFB
MrNFL 2007
Muppet Babies - Animals in Nature
Muppet Babies - Sorting and Thinking
MUSICMATCH® Jukebox
Norton AntiVirus 2003
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
OIN
PC-Doctor for Windows
Polar Bowler from WildGames (remove only)
Polar Golfer from WildGames (remove only)
Process Server's Toolbox
PS2
PureEdge Viewer 6.5
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealArcade
RealOne Player
Realtek AC'97 Audio
RecordNow
S3Display
S3Gamma2
S3Info2
S3Overlay
Simple Backup for My Pictures
Simple Installer - Multilanguage Version
SkillJam SecurePlayer
Sonic Update Manager
Spirit (remove only)
The Poppit! Show
toolkit
Updates from HP
Viewpoint Media Player
WeatherBug
Web Buying
WebPosition 4
WildTangent Web Driver
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
WordPerfect Productivity Pack
WordPerfect Productivity Pack
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar

VundoFix:

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:10:13 PM 8/28/2007

Listing files found while scanning....

C:\WINDOWS\System32\abadd.bak1
C:\WINDOWS\System32\abadd.bak2
C:\WINDOWS\System32\abadd.ini
C:\WINDOWS\System32\ddaba.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\abadd.bak1
C:\WINDOWS\System32\abadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\abadd.bak2
C:\WINDOWS\System32\abadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\abadd.ini
C:\WINDOWS\System32\abadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ddaba.dll
C:\WINDOWS\System32\ddaba.dll Has been deleted!

Performing Repairs to the registry.
Done!

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:36:20 PM, on 8/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Web Buying\v1.8.2\webbuying.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E358A91-AC5B-4F96-95A7-17D68DC90D98} - C:\WINDOWS\System32\ddaba.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - C:\WINDOWS\system32\werwed.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\System32\urqonlk.dll
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\System32\mbtbpesn.dll
O2 - BHO: (no name) - {f160f1bf-92e1-4aa6-a3b7-722a52d8a3a8} - C:\WINDOWS\System32\ynoumna.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WebArmyKnife] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for WebArmyKnife.zip\WAK.exe q
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\bjolcdbb.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl84bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B318BB8-75C4-4211-B4AB-AA54958904E6}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B318BB8-75C4-4211-B4AB-AA54958904E6}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: urqonlk - C:\WINDOWS\SYSTEM32\urqonlk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzdGkgV2hpdHNpdHQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hello lynnw196,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download OTMoveIt by Oldtimer and save it to your desktop.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {1E358A91-AC5B-4F96-95A7-17D68DC90D98} - C:\WINDOWS\System32\ddaba.dll (file missing)
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - C:\WINDOWS\system32\werwed.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\System32\urqonlk.dll
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\System32\mbtbpesn.dll
O2 - BHO: (no name) - {f160f1bf-92e1-4aa6-a3b7-722a52d8a3a8} - C:\WINDOWS\System32\ynoumna.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\bjolcdbb.dll",sitypnow
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl84bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O20 - Winlogon Notify: urqonlk - C:\WINDOWS\SYSTEM32\urqonlk.dll


Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

Open Notepad and copy (Ctrl+C) and paste (Ctrl+V) the following text from the code box:

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]
Save it to your desktop as fix133.reg, with "Save as type" set to "All files".
Double click on fix133.reg and allow when prompted to let it merge with the registry.

Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Run OTMoveIt:
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\svhost.exe
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Web Buying
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\werwed.dll
C:\WINDOWS\System32\urqonlk.dll
C:\WINDOWS\System32\mbtbpesn.dll
C:\WINDOWS\System32\ynoumna.dll
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Instant Buzz
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\System32\bjolcdbb.dll
C:\Program Files\WinPop
:\Program Files\MyWebSearch
C:\WINDOWS\TWlzdGkgV2hpdHNpdHQ
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)
Click the red Moveit! button.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Reboot into Normal Mode.

In your next reply please include the following:
  • A new Hijackthis log.
  • The OTMoveIt log.
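The entries the helper picks out of the log above share a handful of recognizable patterns: a Run key whose binary name is one character off a real Windows process (svhost.exe versus svchost.exe), an autorun launched out of a Temp directory, BHOs registered with "(no name)", a rundll32 autorun of a randomly named System32 DLL, a Winlogon Notify DLL that is the same file as one of the unnamed BHOs, a service whose binary is missing and whose owner is unknown, and DPF (ActiveX) entries registered with no codebase. The script below is an added example, not code from this thread or from HijackThis, that applies those same checks mechanically to HijackThis-style lines. The sample lines are constructed for the example in the style of the log posted here; the list of well-known system binary names and the Temp-path markers are assumptions chosen for illustration, not a complete reference.

```python
"""Triage pass over HijackThis-style log lines (added example, not from the thread)."""
import re

# Constructed sample in the style of the HijackThis v1.99.1 log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\System32\urqonlk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [WebArmyKnife] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for WebArmyKnife.zip\WAK.exe q
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\bjolcdbb.dll",sitypnow
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O20 - Winlogon Notify: urqonlk - C:\WINDOWS\SYSTEM32\urqonlk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzdGkgV2hpdHNpdHQ\command.exe (file missing)
"""

# "O4 - ..." / "R1 - ..." section prefix followed by the rest of the entry.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")
# First Windows path ending in an executable/library extension, spaces allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)

# Assumed lists for this example; a real triage tool would carry fuller ones.
KNOWN_SYSTEM_EXES = ("svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "explorer.exe", "services.exe")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\",
                "\\temporary internet files\\")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_path(body):
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text):
    """Return (section, body, raw_line) for every line that looks like an HJT entry."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def triage(log_text):
    """Flag entries matching the patterns a helper looks for by eye."""
    entries = parse(log_text)
    # DLLs loaded into IE as BHOs, so an O20 Winlogon Notify hook can be cross-checked.
    bho_dlls = {basename(p) for sec, body, _ in entries if sec == "O2"
                for p in [first_path(body)] if p}
    findings = []
    for sec, body, raw in entries:
        path = first_path(body)
        name = basename(path) if path else None
        reasons = []
        if name and name not in KNOWN_SYSTEM_EXES and \
                any(edit_distance(name, k) == 1 for k in KNOWN_SYSTEM_EXES):
            reasons.append("look-alike of a Windows system binary name")
        if path and any(t in path.lower() for t in TEMP_MARKERS):
            reasons.append("autorun from a temporary directory")
        if sec == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if sec == "O4" and re.search(r"\brundll32(\.exe)?\b", body, re.IGNORECASE):
            reasons.append("rundll32 autorun; verify the DLL it loads")
        if sec == "O20" and name in bho_dlls:
            reasons.append("Winlogon Notify DLL is also an IE BHO")
        if sec == "O23" and "(file missing)" in body and "Unknown owner" in body:
            reasons.append("service points at a missing binary with no vendor")
        if sec == "O16" and body.rstrip().endswith("-"):
            reasons.append("ActiveX (DPF) entry with no codebase")
        if reasons:
            findings.append({"section": sec, "line": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

On the sample the control lines (the Norton BHO, ccApp, and the Intel igfxcui notify hook) pass clean, while the seven entries mirroring the ones the helper told the poster to fix are each flagged with the reason that makes them suspect. The O2/O20 cross-check is the most useful of these: a DLL that is both a browser helper and a Winlogon notification package gets loaded at logon regardless of whether IE is running, which is why a plain HijackThis "Fix checked" on the O2 line alone would not have removed urqonlk.dll.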

lynnw196 (Thread Starter):
Sorry it took a bit; I had to crash and get up early. Okay, here is what I ended up with:

OTMoveIt:
C:\WINDOWS\svhost.exe moved successfully.
C:\Program Files\Common Files\WinAntiSpyware 2007 moved successfully.
C:\Program Files\Web Buying moved successfully.
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe moved successfully.
C:\WINDOWS\system32\werwed.dll unregistered successfully.
C:\WINDOWS\system32\werwed.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\urqonlk.dll
C:\WINDOWS\System32\urqonlk.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\urqonlk.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\mbtbpesn.dll
C:\WINDOWS\System32\mbtbpesn.dll NOT unregistered.
C:\WINDOWS\System32\mbtbpesn.dll moved successfully.
C:\WINDOWS\System32\ynoumna.dll unregistered successfully.
C:\WINDOWS\System32\ynoumna.dll moved successfully.
C:\WINDOWS\ALCXMNTR.EXE moved successfully.
Folder move failed. C:\Program Files\Instant Buzz\.ibp scheduled to be moved on reboot.
C:\Program Files\Instant Buzz moved successfully.
File/Folder C:\WINDOWS\retadpu1000106.exe not found.
File/Folder C:\WINDOWS\System32\bjolcdbb.dll not found.
File/Folder C:\Program Files\WinPop not found.
File/Folder :\Program Files\MyWebSearch not found.
C:\WINDOWS\TWlzdGkgV2hpdHNpdHQ moved successfully.

Created on 08/29/2007 07:55:10

Logfile of HijackThis v1.99.1
Scan saved at 7:59:01 AM, on 8/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WebArmyKnife] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for WebArmyKnife.zip\WAK.exe q
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B318BB8-75C4-4211-B4AB-AA54958904E6}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B318BB8-75C4-4211-B4AB-AA54958904E6}: NameServer = 205.188.146.145
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzdGkgV2hpdHNpdHQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again!
 
(Joined Aug 25, 2007, 12 messages)
Hello lynnw196,

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 

lynnw196 (Thread Starter, joined Aug 28, 2007, 10 messages)
Hello Ripchain,

I ran both programs and here are the logs; they are kinda long.

ComboFix 07-08-30.3 - "Owner" 2007-08-30 6:57:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.69 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\c.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\winantispyware 2007
C:\DOCUME~1\Owner\err.log
C:\Program Files\Common Files\progy.html
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\myglobalsearch
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\Cache\0004DA20.bin
C:\Program Files\MyWebSearch\bar\Cache\0004E9D0.bin
C:\Program Files\MyWebSearch\bar\Cache\00053168.bin
C:\Program Files\MyWebSearch\bar\Cache\0005404C.bin
C:\Program Files\MyWebSearch\bar\Cache\00057631.bin
C:\Program Files\MyWebSearch\bar\Cache\000578B2.bin
C:\Program Files\MyWebSearch\bar\Cache\00057BCF.bin
C:\Program Files\MyWebSearch\bar\Cache\00057D94.bin
C:\Program Files\MyWebSearch\bar\Cache\0046E8B5
C:\Program Files\MyWebSearch\bar\Cache\0046FE7F
C:\Program Files\MyWebSearch\bar\Cache\0304B441.bin
C:\Program Files\MyWebSearch\bar\Cache\0304BBA4.bin
C:\Program Files\MyWebSearch\bar\Cache\0304BDD6.bin
C:\Program Files\MyWebSearch\bar\Cache\0307A483.bin
C:\Program Files\MyWebSearch\bar\Cache\0307A742.bin
C:\Program Files\MyWebSearch\bar\Cache\0307A9F2.bin
C:\Program Files\MyWebSearch\bar\Cache\0307AC72.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\network monitor
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\monterreyi_unknown.exe
C:\WINDOWS\monterreyj_unknown.exe
C:\WINDOWS\racle~1
C:\WINDOWS\racle~1\?racle\
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\azip32.dll
C:\WINDOWS\system32\driverj.dll
C:\WINDOWS\system32\drivero.dll
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dzgtactx.dll
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\monterreye_a4m.exe
C:\WINDOWS\system32\monterreyi_unknown.exe
C:\WINDOWS\system32\monterreyj_unknown.exe
C:\WINDOWS\system32\monterreyk_unknown.exe
C:\WINDOWS\system32\monterreyl_unknown.exe
C:\WINDOWS\system32\monterreyo_unknown.exe
C:\WINDOWS\system32\ngngpfcr.dll
C:\WINDOWS\system32\reginid_unknown.exe
C:\WINDOWS\system32\reginie_unknown.exe
C:\WINDOWS\system32\reginif_unknown.exe
C:\WINDOWS\system32\reginig_unknown.exe
C:\WINDOWS\system32\urqonlk.dll
C:\WINDOWS\system32\wslpdltr.dll
C:\WINDOWS\uninstall_nmon.vbs
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-30 06:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 02:34 393,224 --a------ C:\sysfuyh.exe
2007-08-29 23:24 393,224 --a------ C:\sysfycn.exe
2007-08-29 22:42 74,816 --a------ C:\WINDOWS\system32\ksjsuksa.dll
2007-08-29 15:22 393,224 --a------ C:\sysmrqm.exe
2007-08-29 08:53 393,224 --a------ C:\sysnbvz.exe
2007-08-29 08:52 393,224 --a------ C:\sysutzm.exe
2007-08-29 02:04 393,224 --a------ C:\sysucel.exe
2007-08-28 21:34 74,816 --a------ C:\WINDOWS\system32\pqaihuwp.dll
2007-08-28 21:27 297,568 --a------ C:\WINDOWS\system32\jkkli.dll
2007-08-28 20:20 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-28 20:10 <DIR> d-------- C:\VundoFix Backups
2007-08-27 15:08 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-08-27 11:32 95,744 --a------ C:\WINDOWS\system32\werwed.exe
2007-08-27 11:30 95,744 --a------ C:\WINDOWS\system32\werwed_unknown.exe
2007-08-27 10:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-25 18:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-25 14:08 <DIR> d-------- C:\Program Files\JumpStart
2007-08-25 14:08 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2007-08-24 20:11 97,280 --a------ C:\WINDOWS\system32\werwec_unknown.exe
2007-08-24 10:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-24 10:17 <DIR> d-------- C:\WINDOWS\system32\temps1
2007-08-24 10:17 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-24 10:17 <DIR> d-------- C:\WINDOWS\system32\dllz1
2007-08-24 10:17 <DIR> d-------- C:\WINDOWS\system32\cofig32
2007-08-20 09:40 97,280 --a------ C:\WINDOWS\system32\werweb_unknown.exe
2007-08-16 13:33 <DIR> d-------- C:\Program Files\MrNFL
2007-08-16 13:32 53,248 --a------ C:\WINDOWS\system32\SSUBTMR6.DLL
2007-08-16 13:32 49,152 --a------ C:\WINDOWS\system32\TSMESBOX.DLL
2007-08-16 13:32 159,744 --a------ C:\WINDOWS\system32\CNEWMENU6.DLL
2007-08-16 13:32 <DIR> d-------- C:\Program Files\MrCFB
2007-08-03 23:09 <DIR> d-------- C:\Program Files\Flash Slideshow Maker Professional
2007-08-02 15:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pogo Games
2007-07-29 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MinigolfVUG_TacoBell4
2007-07-29 20:01 <DIR> d-------- C:\Program Files\Sierra Online
2007-07-29 20:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\minigolfVUG
2007-07-27 14:07 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-27 14:07 <DIR> dr-h----- C:\DOCUME~1\Owner\APPLIC~1\SecuROM
2007-07-27 14:05 <DIR> d-------- C:\Program Files\Pogo Games
2007-07-15 02:39 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Pogo Games
2007-07-15 02:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-15 02:38 <DIR> d-------- C:\Program Files\Oberon Media
2007-07-14 16:53 32,768 --a------ C:\WINDOWS\system32\Base64.dll
2007-07-14 16:53 <DIR> d-------- C:\Program Files\WebPosition 4


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 07:15 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 17:55 --------- d-------- C:\Program Files\s5784t71
2007-08-27 09:26 246 --a------ C:\Program Files\Common Files\lawu
2007-08-25 18:12 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-08-20 19:43 --------- d-------- C:\Program Files\The Learning Company
2007-08-07 14:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-07-29 20:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-16 00:22 --------- d-------- C:\Program Files\Equestriad 2001
2007-07-01 20:54 --------- d-------- C:\Program Files\Crystalize
2007-06-29 09:27 --------- d-------- C:\Program Files\Compedia
2007-05-16 10:12 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E358A91-AC5B-4F96-95A7-17D68DC90D98}]
C:\WINDOWS\System32\ddaba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36838F0A-2A0A-4735-950B-638ABF681BD6}]
2007-08-28 21:28 297568 --a------ C:\WINDOWS\System32\jkkli.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 09:59]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 09:27]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 10:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-10 01:36]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 04:29]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 04:29]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-07-11 15:31]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-11-02 10:03]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 16:17]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
"WebArmyKnife"="C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for WebArmyKnife.zip\WAK.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-28 20:24]
"SystemRestoreStatus"="C:\WINDOWS\System32\ksjsuksa.dll" [2007-08-29 22:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 07:00]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2003-01-22 20:10]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-30 19:18]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 00:08]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-08-20 14:35:07]

C:\WINDOWS\system32\config\SYSTEM~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
AXEL.DAV [2003-04-09 17:10:07]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\progy.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkli]
C:\WINDOWS\System32\jkkli.dll 2007-08-28 21:28 297568 C:\WINDOWS\system32\jkkli.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Collegio Football FastStart"="C:\Program Files\Collegio Football\2007\cgofbfs.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\System32\drivers\CdaD10BA.SYS
S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 07:12:48
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 7:23:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 07:23

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 7:25:09 AM, on 8/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\HP\KBD\KBD.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WebArmyKnife] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for WebArmyKnife.zip\WAK.exe q
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\ksjsuksa.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
(Joined Aug 25, 2007, 12 messages)
Hello lynnw196,

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.

  2. Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\ksjsuksa.dll",sitypnow

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\sysfuyh.exe
C:\sysfycn.exe
C:\WINDOWS\system32\ksjsuksa.dll
C:\sysmrqm.exe
C:\sysnbvz.exe
C:\sysutzm.exe
C:\sysucel.exe
C:\WINDOWS\system32\pqaihuwp.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\werwed.exe
C:\WINDOWS\system32\werwed_unknown.exe
C:\Program Files\Common Files\progy.html

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\temps1
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\dllz1
C:\WINDOWS\system32\cofig32

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
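As an added example that is not part of this thread, of HijackThis or of ComboFix, here is a small Python triage script for the O4 (autostart) and O23 (service) lines in the logs above. It flags the same traits the fix list targets: a rundll32-loaded DLL in System32, an autostart running out of a Temp folder, and a service with an unknown owner or a missing binary. The sample lines are copied from the thread's own logs; the reason codes are labels I chose.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) log lines.

Added example for this thread; not code from HijackThis or any tool named here.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the thread's HijackThis logs, plus
# two benign lines (hpsysdrv, LexBceS) and one Global Startup line for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\ksjsuksa.dll",sitypnow
O4 - HKLM\..\Run: [WebArmyKnife] C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for WebArmyKnife.zip\WAK.exe q
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzdGkgV2hpdHNpdHQ\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# "O4 - HKLM\..\Run: [name] command line"
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[\w-]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O23 - Service: Display Name (short) - Owner - path [(file missing)]"
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]+)\) - (?P<owner>.*?) - '
    r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
# Pull the DLL path out of a rundll32 command line (quoted or not).
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)


@dataclass
class Finding:
    kind: str          # "O4" or "O23"
    name: str          # Run value name or service short name
    target: str        # command line or service binary path
    reasons: list = field(default_factory=list)   # reason codes, empty if benign


def check_o4(m: re.Match) -> Finding:
    cmd = m.group("cmd")
    f = Finding("O4", m.group("name"), cmd)
    dll = RUNDLL32_RE.search(cmd)
    if dll and "\\system32\\" in dll.group("dll").lower():
        # rundll32.exe is a signed Windows binary; the payload is the DLL it
        # loads, so that DLL is what has to be identified and removed.
        f.reasons.append("RUNDLL32_DLL")
    if "\\temp\\" in cmd.lower():
        # Legitimate autostarts do not normally live under a Temp folder.
        f.reasons.append("TEMP_PATH")
    return f


def check_o23(m: re.Match) -> Finding:
    f = Finding("O23", m.group("svc"), m.group("path"))
    if m.group("owner").lower() == "unknown owner":
        f.reasons.append("UNKNOWN_OWNER")
    if m.group("missing"):
        # Registration survived but the binary is gone: a leftover of a removed
        # infection that should be cleaned so the service cannot be re-used.
        f.reasons.append("FILE_MISSING")
    return f


def analyze(log_text: str) -> list:
    """Return one Finding per parsed O4 Run / O23 line; other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RUN_RE.match(line)):
            findings.append(check_o4(m))
        elif (m := O23_RE.match(line)):
            findings.append(check_o23(m))
    return findings


def flagged(log_text: str) -> dict:
    """Map entry name -> reason codes, only for entries with at least one reason."""
    return {f.name: f.reasons for f in analyze(log_text) if f.reasons}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```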
 

lynnw196 (Thread Starter, joined Aug 28, 2007, 10 messages)
Hey RipChain,
Here are the latest logs; I look forward to your reply. Thanks.

ComboFix 07-08-30.3 - "Owner" 2007-08-31 8:43:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.67 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\sysfuyh.exe
C:\sysfycn.exe
C:\WINDOWS\system32\ksjsuksa.dll
C:\sysmrqm.exe
C:\sysnbvz.exe
C:\sysutzm.exe
C:\sysucel.exe
C:\WINDOWS\system32\pqaihuwp.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\werwed.exe
C:\WINDOWS\system32\werwed_unknown.exe
C:\Program Files\Common Files\progy.html


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\sysfuyh.exe
C:\sysfycn.exe
C:\sysmrqm.exe
C:\sysnbvz.exe
C:\sysucel.exe
C:\sysutzm.exe
C:\VundoFix Backups
C:\VundoFix Backups\abadd.bak1.bad
C:\VundoFix Backups\abadd.bak2.bad
C:\VundoFix Backups\abadd.ini.bad
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\ddaba.dll.bad
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cofig32
C:\WINDOWS\system32\dllz1
C:\WINDOWS\system32\dllz1\vvcdll4.exe
C:\WINDOWS\system32\dsmppvbb.dll
C:\WINDOWS\system32\gaxvxjbp.dll
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\IBD4\rru22011.exe
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\ksjsuksa.dll
C:\WINDOWS\system32\pqaihuwp.dll
C:\WINDOWS\system32\temps1
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\werwed.exe
C:\WINDOWS\system32\werwed_unknown.exe


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-31 08:23 74,816 --a------ C:\WINDOWS\system32\gsfpvyrp.dll
2007-08-30 06:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-27 15:08 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-08-27 10:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-25 18:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-25 14:08 <DIR> d-------- C:\Program Files\JumpStart
2007-08-25 14:08 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2007-08-24 20:11 97,280 --a------ C:\WINDOWS\system32\werwec_unknown.exe
2007-08-24 10:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-20 09:40 97,280 --a------ C:\WINDOWS\system32\werweb_unknown.exe
2007-08-16 13:33 <DIR> d-------- C:\Program Files\MrNFL
2007-08-16 13:32 53,248 --a------ C:\WINDOWS\system32\SSUBTMR6.DLL
2007-08-16 13:32 49,152 --a------ C:\WINDOWS\system32\TSMESBOX.DLL
2007-08-16 13:32 159,744 --a------ C:\WINDOWS\system32\CNEWMENU6.DLL
2007-08-16 13:32 <DIR> d-------- C:\Program Files\MrCFB
2007-08-03 23:09 <DIR> d-------- C:\Program Files\Flash Slideshow Maker Professional
2007-08-02 15:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pogo Games
2007-07-29 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MinigolfVUG_TacoBell4
2007-07-29 20:01 <DIR> d-------- C:\Program Files\Sierra Online
2007-07-29 20:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\minigolfVUG
2007-07-27 14:07 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-27 14:07 <DIR> dr-h----- C:\DOCUME~1\Owner\APPLIC~1\SecuROM
2007-07-27 14:05 <DIR> d-------- C:\Program Files\Pogo Games
2007-07-15 02:39 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Pogo Games
2007-07-15 02:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-15 02:38 <DIR> d-------- C:\Program Files\Oberon Media
2007-07-14 16:53 32,768 --a------ C:\WINDOWS\system32\Base64.dll
2007-07-14 16:53 <DIR> d-------- C:\Program Files\WebPosition 4


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 08:54 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 17:55 --------- d-------- C:\Program Files\s5784t71
2007-08-27 09:26 246 --a------ C:\Program Files\Common Files\lawu
2007-08-25 18:12 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-08-20 19:43 --------- d-------- C:\Program Files\The Learning Company
2007-08-07 14:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-07-29 20:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-16 00:22 --------- d-------- C:\Program Files\Equestriad 2001
2007-07-01 20:54 --------- d-------- C:\Program Files\Crystalize
2007-06-29 09:27 --------- d-------- C:\Program Files\Compedia
2007-05-16 10:12 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((( snapshot_2007-08-30_ 72221.48 )))))))))))))))))))))))))))))))))))))))))

-c--a-r 18,944 1996-08-26 07:12:00 C:\WINDOWS\system32\HNDLR32.DLL
-c--a-w 120,320 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qc.dll
-c--a-w 338,432 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qcx.dll
----a-w 755,200 2002-11-14 17:58:02 C:\WINDOWS\system32\ir50_32.dll
-c--a-w 200,192 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qc.dll
-c--a-w 183,808 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qcx.dll
-c--a-w 81,920 1998-09-02 18:43:56 C:\WINDOWS\system32\LZSCMPRS.DLL
----a-w 995,383 2002-08-29 12:00:00 C:\WINDOWS\system32\mfc42.dll
-c--a-w 929,844 2003-02-21 10:48:04 C:\WINDOWS\system32\MFC42D.DLL
-c--a-w 798,773 2003-02-21 10:48:04 C:\WINDOWS\system32\MFCO42D.DLL
----a-w 50,688 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcirt.dll
----a-w 499,712 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcp71.dll
----a-w 348,160 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcr71.dll
----a-w 323,072 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcrt.dll
-c--a-w 385,100 2003-02-21 10:48:04 C:\WINDOWS\system32\MSVCRTD.DLL
----a-w 569,344 2002-08-29 12:00:00 C:\WINDOWS\system32\oleaut32.dll
----a-w 262,144 2007-08-31 13:41:42 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
-c--a-w 16,384 2007-08-31 01:33:31 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-08-31 01:33:31 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-08-31 01:33:31 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 88,800 2003-09-01 13:34:32 C:\WINDOWS\system32\drivers\incdfs.sys
-c--a-w 28,528 2003-09-01 13:36:06 C:\WINDOWS\system32\drivers\incdpass.sys
-c--a-w 5,328 2003-09-01 13:35:06 C:\WINDOWS\system32\drivers\incdrec.sys
-c--a-w 25,520 2003-08-21 14:56:36 C:\WINDOWS\system32\drivers\incdrm.sys

-c----r 18,944 1996-08-26 07:12:00 C:\WINDOWS\system32\HNDLR32.DLL
-c----w 120,320 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qc.dll
-c----w 338,432 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qcx.dll
------w 755,200 2002-11-14 17:58:02 C:\WINDOWS\system32\ir50_32.dll
-c----w 200,192 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qc.dll
-c----w 183,808 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qcx.dll
-c----w 81,920 1998-09-02 18:43:56 C:\WINDOWS\system32\LZSCMPRS.DLL
------w 995,383 2002-08-29 12:00:00 C:\WINDOWS\system32\mfc42.dll
-c----w 929,844 2003-02-21 10:48:04 C:\WINDOWS\system32\MFC42D.DLL
-c----w 798,773 2003-02-21 10:48:04 C:\WINDOWS\system32\MFCO42D.DLL
------w 50,688 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcirt.dll
------w 499,712 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcp71.dll
------w 348,160 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcr71.dll
------w 323,072 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcrt.dll
-c----w 385,100 2003-02-21 10:48:04 C:\WINDOWS\system32\MSVCRTD.DLL
------w 569,344 2002-08-29 12:00:00 C:\WINDOWS\system32\oleaut32.dll
----a-w 262,144 2007-08-30 11:55:54 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
-c--a-w 16,384 2007-08-29 11:48:06 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-08-29 11:48:06 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 32,768 2007-08-29 11:48:06 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c----w 88,800 2003-09-01 13:34:32 C:\WINDOWS\system32\drivers\incdfs.sys
-c----w 28,528 2003-09-01 13:36:06 C:\WINDOWS\system32\drivers\incdpass.sys
-c----w 5,328 2003-09-01 13:35:06 C:\WINDOWS\system32\drivers\incdrec.sys
-c----w 25,520 2003-08-21 14:56:36 C:\WINDOWS\system32\drivers\incdrm.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E358A91-AC5B-4F96-95A7-17D68DC90D98}]
C:\WINDOWS\System32\ddaba.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 09:59]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 09:27]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 10:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-10 01:36]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 04:29]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 04:29]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-07-11 15:31]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-11-02 10:03]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 16:17]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-28 20:24]
"SystemRestoreStatus"="C:\WINDOWS\System32\gsfpvyrp.dll" [2007-08-31 08:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 07:00]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2003-01-22 20:10]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-30 19:18]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 00:08]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-08-20 14:35:07]

C:\WINDOWS\system32\config\SYSTEM~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
AXEL.DAV [2003-04-09 17:10:07]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\progy.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkli]
C:\WINDOWS\System32\jkkli.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Collegio Football FastStart"="C:\Program Files\Collegio Football\2007\cgofbfs.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\System32\drivers\CdaD10BA.SYS
S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-31 08:52:26
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-31 9:00:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-31 08:59
C:\ComboFix2.txt ... 2007-08-30 07:23

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:04:10 AM, on 8/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\_OTMoveIt\MovedFiles\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E358A91-AC5B-4F96-95A7-17D68DC90D98} - C:\WINDOWS\System32\ddaba.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\gsfpvyrp.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\_OTMoveIt\MovedFiles\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkli - C:\WINDOWS\System32\jkkli.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Joined
Aug 25, 2007
Messages
12
Hello lynnw196,

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {1E358A91-AC5B-4F96-95A7-17D68DC90D98} - C:\WINDOWS\System32\ddaba.dll (file missing)
    O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\gsfpvyrp.dll",sitypnow
    O20 - Winlogon Notify: jkkli - C:\WINDOWS\System32\jkkli.dll (file missing)

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\gsfpvyrp.dll
C:\WINDOWS\system32\werweb_unknown.exe
C:\Program Files\Common Files\progy.html
C:\WINDOWS\System32\jkkli.dll

Folder::
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\Program Files\s5784t71
C:\Program Files\Common Files\lawu

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After the reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
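An added example, not part of this thread and not HijackThis's or ComboFix's own code: a small Python parser for the HijackThis lines quoted in step A above, which pulls out the file paths and lays them out in the File::/Folder:: layout the CFScript in step B uses. The selection rule (entries marked "(file missing)" plus a caller-supplied name list) is an assumption standing in for the helper's manual review.

```python
"""Parse HijackThis O2/O4/O20 lines and lay the flagged paths out as a CFScript."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: six lines copied from the HijackThis log posted above,
# three of which the helper asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1E358A91-AC5B-4F96-95A7-17D68DC90D98} - C:\WINDOWS\System32\ddaba.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\System32\gsfpvyrp.dll",sitypnow
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: jkkli - C:\WINDOWS\System32\jkkli.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# "O4 - rest of line"; R0/R1/R3 lines share the same shape.
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")
# First drive-letter path ending in a loadable extension; non-greedy so the
# match stops at the first extension and ignores trailing args like ",sitypnow".
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx)(?!\w)", re.I)
# Where each section keeps its display name.
NAME_RE = {
    "O2": re.compile(r"BHO:\s*(.*?)\s+-\s+\{"),             # BHO name before the CLSID
    "O4": re.compile(r"\[(.*?)\]"),                          # Run value name in brackets
    "O20": re.compile(r"Winlogon Notify:\s*(.*?)\s+-\s+"),   # Notify subkey name
}


@dataclass
class HjtEntry:
    section: str          # O2, O4, O20, ...
    name: str             # BHO name, Run value name or Notify key ("" if unknown)
    path: Optional[str]   # first file path on the line, if any
    file_missing: bool    # HijackThis appended "(file missing)": an orphaned entry
    raw: str


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn HijackThis log lines into records; non-entry lines are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        name_re = NAME_RE.get(sec)
        nm = name_re.search(body) if name_re else None
        pm = PATH_RE.search(body)
        entries.append(HjtEntry(
            section=sec,
            name=nm.group(1) if nm else "",
            path=pm.group(0) if pm else None,
            file_missing="(file missing)" in body,
            raw=line,
        ))
    return entries


def flag_entries(entries: Iterable[HjtEntry],
                 suspicious_names: Iterable[str] = ()) -> List[HjtEntry]:
    """Pick the entries a cleanup would target: anything HijackThis marks
    "(file missing)" (a registry reference to a file that is already gone)
    plus entries whose name is on a caller-supplied list. The name list is
    an assumption standing in for the helper's manual review in the thread."""
    names = set(suspicious_names)
    return [e for e in entries if e.file_missing or e.name in names]


def build_cfscript(files: Iterable[str], folders: Iterable[str] = ()) -> str:
    """Lay paths out in the File::/Folder:: layout used by the CFScript above."""
    lines: List[str] = []
    files, folders = list(files), list(folders)
    if files:
        lines += ["File::", *files, ""]
    if folders:
        lines += ["Folder::", *folders, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    picked = flag_entries(found, suspicious_names={"SystemRestoreStatus"})
    for e in picked:
        print(f"{e.section:<4} {e.name:<20} {e.path}")
    print(build_cfscript([e.path for e in picked if e.path]))
```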
 

lynnw196

Thread Starter
Hello RipChain,
I did as you instructed; here are the two logs for your review. Thanks.

ComboFix 07-08-30.3 - "Owner" 2007-09-01 7:00:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.83 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\gsfpvyrp.dll
C:\WINDOWS\system32\werweb_unknown.exe
C:\Program Files\Common Files\progy.html
C:\WINDOWS\System32\jkkli.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\log.txt
C:\Program Files\Common Files\lawu\
C:\Program Files\s5784t71
C:\Program Files\s5784t71\18854181.bin
C:\Program Files\s5784t71\20289804.bin
C:\Program Files\s5784t71\33540450.dat
C:\Program Files\s5784t71\40884500.dat
C:\Program Files\s5784t71\42069802.txt
C:\Program Files\s5784t71\46126487.bin
C:\Program Files\s5784t71\47698270.dat
C:\Program Files\s5784t71\50593848.bin
C:\Program Files\s5784t71\86001272.txt
C:\Program Files\s5784t71\88887566.bin
C:\Program Files\s5784t71\88945105.txt
C:\Program Files\s5784t71\90412338.dat
C:\Program Files\s5784t71\99466930.txt
C:\Program Files\s5784t71\exmlvqle.DLL
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gsfpvyrp.dll
C:\WINDOWS\system32\werweb_unknown.exe


((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))


2007-08-31 13:20 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-31 13:20 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-31 13:20 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-31 13:20 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-30 06:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-27 15:08 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-08-27 10:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-25 18:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-25 14:08 <DIR> d-------- C:\Program Files\JumpStart
2007-08-25 14:08 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2007-08-24 20:11 97,280 --a------ C:\WINDOWS\system32\werwec_unknown.exe
2007-08-16 13:33 <DIR> d-------- C:\Program Files\MrNFL
2007-08-16 13:32 53,248 --a------ C:\WINDOWS\system32\SSUBTMR6.DLL
2007-08-16 13:32 49,152 --a------ C:\WINDOWS\system32\TSMESBOX.DLL
2007-08-16 13:32 159,744 --a------ C:\WINDOWS\system32\CNEWMENU6.DLL
2007-08-16 13:32 <DIR> d-------- C:\Program Files\MrCFB
2007-08-03 23:09 <DIR> d-------- C:\Program Files\Flash Slideshow Maker Professional
2007-08-02 15:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pogo Games


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-01 07:09 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 19:21 --------- d-------- C:\Program Files\WebPosition 4
2007-08-27 09:26 246 --a------ C:\Program Files\Common Files\lawu
2007-08-25 18:12 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-08-20 19:43 --------- d-------- C:\Program Files\The Learning Company
2007-08-07 14:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-08-04 09:26 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-03 10:55 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Pogo Games
2007-08-02 15:21 --------- d-------- C:\Program Files\Pogo Games
2007-07-29 20:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MinigolfVUG_TacoBell4
2007-07-29 20:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 20:01 --------- d-------- C:\Program Files\Sierra Online
2007-07-29 20:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\minigolfVUG
2007-07-27 14:07 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-27 14:07 --------- dr-h----- C:\DOCUME~1\Owner\APPLIC~1\SecuROM
2007-07-16 00:52 --------- d-------- C:\Program Files\Oberon Media
2007-07-16 00:22 --------- d-------- C:\Program Files\Equestriad 2001
2007-07-01 20:54 --------- d-------- C:\Program Files\Crystalize
2007-05-16 10:12 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((( snapshot_2007-08-30_ 72221.48 )))))))))))))))))))))))))))))))))))))))))

-c--a-r 18,944 1996-08-26 07:12:00 C:\WINDOWS\system32\HNDLR32.DLL
-c--a-w 120,320 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qc.dll
-c--a-w 338,432 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qcx.dll
----a-w 755,200 2002-11-14 17:58:02 C:\WINDOWS\system32\ir50_32.dll
-c--a-w 200,192 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qc.dll
-c--a-w 183,808 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qcx.dll
-c--a-w 81,920 1998-09-02 18:43:56 C:\WINDOWS\system32\LZSCMPRS.DLL
----a-w 995,383 2002-08-29 12:00:00 C:\WINDOWS\system32\mfc42.dll
-c--a-w 929,844 2003-02-21 10:48:04 C:\WINDOWS\system32\MFC42D.DLL
-c--a-w 798,773 2003-02-21 10:48:04 C:\WINDOWS\system32\MFCO42D.DLL
----a-w 50,688 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcirt.dll
----a-w 499,712 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcp71.dll
----a-w 348,160 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcr71.dll
----a-w 323,072 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcrt.dll
-c--a-w 385,100 2003-02-21 10:48:04 C:\WINDOWS\system32\MSVCRTD.DLL
----a-w 569,344 2002-08-29 12:00:00 C:\WINDOWS\system32\oleaut32.dll
----a-w 262,144 2007-09-01 11:59:51 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
-c--a-w 16,384 2007-08-31 01:33:31 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-08-31 01:33:31 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 88,800 2003-09-01 13:34:32 C:\WINDOWS\system32\drivers\incdfs.sys
-c--a-w 28,528 2003-09-01 13:36:06 C:\WINDOWS\system32\drivers\incdpass.sys
-c--a-w 5,328 2003-09-01 13:35:06 C:\WINDOWS\system32\drivers\incdrec.sys
-c--a-w 25,520 2003-08-21 14:56:36 C:\WINDOWS\system32\drivers\incdrm.sys
----a-w 40,960 2007-09-01 12:07:27 C:\WINDOWS\TEMP\rtdrvmon.exe

-c----r 18,944 1996-08-26 07:12:00 C:\WINDOWS\system32\HNDLR32.DLL
-c----w 120,320 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qc.dll
-c----w 338,432 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qcx.dll
------w 755,200 2002-11-14 17:58:02 C:\WINDOWS\system32\ir50_32.dll
-c----w 200,192 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qc.dll
-c----w 183,808 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qcx.dll
-c----w 81,920 1998-09-02 18:43:56 C:\WINDOWS\system32\LZSCMPRS.DLL
------w 995,383 2002-08-29 12:00:00 C:\WINDOWS\system32\mfc42.dll
-c----w 929,844 2003-02-21 10:48:04 C:\WINDOWS\system32\MFC42D.DLL
-c----w 798,773 2003-02-21 10:48:04 C:\WINDOWS\system32\MFCO42D.DLL
------w 50,688 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcirt.dll
------w 499,712 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcp71.dll
------w 348,160 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcr71.dll
------w 323,072 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcrt.dll
-c----w 385,100 2003-02-21 10:48:04 C:\WINDOWS\system32\MSVCRTD.DLL
------w 569,344 2002-08-29 12:00:00 C:\WINDOWS\system32\oleaut32.dll
----a-w 262,144 2007-08-30 11:55:54 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
-c--a-w 16,384 2007-08-29 11:48:06 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-08-29 11:48:06 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c----w 88,800 2003-09-01 13:34:32 C:\WINDOWS\system32\drivers\incdfs.sys
-c----w 28,528 2003-09-01 13:36:06 C:\WINDOWS\system32\drivers\incdpass.sys
-c----w 5,328 2003-09-01 13:35:06 C:\WINDOWS\system32\drivers\incdrec.sys
-c----w 25,520 2003-08-21 14:56:36 C:\WINDOWS\system32\drivers\incdrm.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 09:59]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 09:27]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 10:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-10 01:36]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 04:29]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 04:29]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-07-11 15:31]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-11-02 10:03]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 16:17]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-28 20:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 07:00]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2003-01-22 20:10]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-30 19:18]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 00:08]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-08-20 14:35:07]

C:\WINDOWS\system32\config\SYSTEM~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
AXEL.DAV [2003-04-09 17:10:07]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\progy.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Collegio Football FastStart"="C:\Program Files\Collegio Football\2007\cgofbfs.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\System32\drivers\CdaD10BA.SYS
S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 07:07:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-09-01 7:14:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 07:14
C:\ComboFix2.txt ... 2007-08-31 09:00
C:\ComboFix3.txt ... 2007-08-30 07:23

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 7:17:55 AM, on 9/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\_OTMoveIt\MovedFiles\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\_OTMoveIt\MovedFiles\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Joined
Aug 25, 2007
Messages
12
Hello lynnw196,

Sorry for the delay in replying, been extremely busy as of late.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\werwec_unknown.exe

Folder::
C:\Program Files\Common Files\lawu
C:\_OTMoveIt

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 

lynnw196

Thread Starter
Joined
Aug 28, 2007
Messages
10
Hey ripchain,
Thanks for getting back to me. Here is the log:

ComboFix 07-08-30.3 - "Owner" 2007-09-05 18:07:15.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.70 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\werwec_unknown.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\_OTMoveIt
C:\_OTMoveIt\MovedFiles\08292007_075510.log
C:\_OTMoveIt\MovedFiles\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\_OTMoveIt\MovedFiles\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\_OTMoveIt\MovedFiles\Program Files\Instant Buzz\.ibp
C:\_OTMoveIt\MovedFiles\Program Files\Instant Buzz\bugreport.txt
C:\_OTMoveIt\MovedFiles\Program Files\Instant Buzz\lynnw196.ibp
C:\_OTMoveIt\MovedFiles\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\_OTMoveIt\MovedFiles\Program Files\Web Buying\v1.8.2\wbuninst.exe
C:\_OTMoveIt\MovedFiles\Program Files\Web Buying\v1.8.2\webbuying.exe
C:\_OTMoveIt\MovedFiles\WINDOWS\ALCXMNTR.EXE
C:\_OTMoveIt\MovedFiles\WINDOWS\svhost.exe
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\mbtbpesn.dll
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\werwed.dll
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ynoumna.dll
C:\_OTMoveIt\MovedFiles\WINDOWS\TWlzdGkgV2hpdHNpdHQ\nq5Wx340pZ1DxJhDxJk.vbs
C:\Program Files\Common Files\lawu\
C:\WINDOWS\system32\werwec_unknown.exe


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-08-31 13:20 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-31 13:20 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-31 13:20 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-31 13:20 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-30 06:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-27 15:08 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-08-27 10:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-25 18:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-25 14:08 <DIR> d-------- C:\Program Files\JumpStart
2007-08-25 14:08 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2007-08-16 13:33 <DIR> d-------- C:\Program Files\MrNFL
2007-08-16 13:32 53,248 --a------ C:\WINDOWS\system32\SSUBTMR6.DLL
2007-08-16 13:32 49,152 --a------ C:\WINDOWS\system32\TSMESBOX.DLL
2007-08-16 13:32 159,744 --a------ C:\WINDOWS\system32\CNEWMENU6.DLL
2007-08-16 13:32 <DIR> d-------- C:\Program Files\MrCFB


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-05 18:15 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 19:21 --------- d-------- C:\Program Files\WebPosition 4
2007-08-27 09:26 246 --a------ C:\Program Files\Common Files\lawu
2007-08-25 18:12 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-08-20 19:43 --------- d-------- C:\Program Files\The Learning Company
2007-08-07 14:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-08-04 09:26 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-03 23:14 --------- d-------- C:\Program Files\Flash Slideshow Maker Professional
2007-08-03 10:55 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Pogo Games
2007-08-02 15:22 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pogo Games
2007-08-02 15:21 --------- d-------- C:\Program Files\Pogo Games
2007-07-29 20:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MinigolfVUG_TacoBell4
2007-07-29 20:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 20:01 --------- d-------- C:\Program Files\Sierra Online
2007-07-29 20:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\minigolfVUG
2007-07-27 14:07 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-27 14:07 --------- dr-h----- C:\DOCUME~1\Owner\APPLIC~1\SecuROM
2007-07-16 00:52 --------- d-------- C:\Program Files\Oberon Media
2007-07-16 00:22 --------- d-------- C:\Program Files\Equestriad 2001
2007-05-16 10:12 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((( snapshot_2007-08-30_ 72221.48 )))))))))))))))))))))))))))))))))))))))))

-c--a-r 18,944 1996-08-26 07:12:00 C:\WINDOWS\system32\HNDLR32.DLL
-c--a-w 120,320 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qc.dll
-c--a-w 338,432 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qcx.dll
----a-w 755,200 2002-11-14 17:58:02 C:\WINDOWS\system32\ir50_32.dll
-c--a-w 200,192 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qc.dll
-c--a-w 183,808 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qcx.dll
-c--a-w 81,920 1998-09-02 18:43:56 C:\WINDOWS\system32\LZSCMPRS.DLL
----a-w 995,383 2002-08-29 12:00:00 C:\WINDOWS\system32\mfc42.dll
-c--a-w 929,844 2003-02-21 10:48:04 C:\WINDOWS\system32\MFC42D.DLL
-c--a-w 798,773 2003-02-21 10:48:04 C:\WINDOWS\system32\MFCO42D.DLL
----a-w 50,688 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcirt.dll
----a-w 499,712 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcp71.dll
----a-w 348,160 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcr71.dll
----a-w 323,072 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcrt.dll
-c--a-w 385,100 2003-02-21 10:48:04 C:\WINDOWS\system32\MSVCRTD.DLL
----a-w 569,344 2002-08-29 12:00:00 C:\WINDOWS\system32\oleaut32.dll
----a-w 262,144 2007-09-05 23:06:30 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
-c--a-w 16,384 2007-08-31 01:33:31 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-08-31 01:33:31 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 88,800 2003-09-01 13:34:32 C:\WINDOWS\system32\drivers\incdfs.sys
-c--a-w 28,528 2003-09-01 13:36:06 C:\WINDOWS\system32\drivers\incdpass.sys
-c--a-w 5,328 2003-09-01 13:35:06 C:\WINDOWS\system32\drivers\incdrec.sys
-c--a-w 25,520 2003-08-21 14:56:36 C:\WINDOWS\system32\drivers\incdrm.sys
----a-w 40,960 2007-09-05 23:15:16 C:\WINDOWS\temp\rtdrvmon.exe

-c----r 18,944 1996-08-26 07:12:00 C:\WINDOWS\system32\HNDLR32.DLL
-c----w 120,320 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qc.dll
-c----w 338,432 2002-11-14 17:58:02 C:\WINDOWS\system32\ir41_qcx.dll
------w 755,200 2002-11-14 17:58:02 C:\WINDOWS\system32\ir50_32.dll
-c----w 200,192 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qc.dll
-c----w 183,808 2002-11-14 17:58:04 C:\WINDOWS\system32\ir50_qcx.dll
-c----w 81,920 1998-09-02 18:43:56 C:\WINDOWS\system32\LZSCMPRS.DLL
------w 995,383 2002-08-29 12:00:00 C:\WINDOWS\system32\mfc42.dll
-c----w 929,844 2003-02-21 10:48:04 C:\WINDOWS\system32\MFC42D.DLL
-c----w 798,773 2003-02-21 10:48:04 C:\WINDOWS\system32\MFCO42D.DLL
------w 50,688 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcirt.dll
------w 499,712 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcp71.dll
------w 348,160 2003-08-13 01:17:04 C:\WINDOWS\system32\msvcr71.dll
------w 323,072 2002-08-29 12:00:00 C:\WINDOWS\system32\msvcrt.dll
-c----w 385,100 2003-02-21 10:48:04 C:\WINDOWS\system32\MSVCRTD.DLL
------w 569,344 2002-08-29 12:00:00 C:\WINDOWS\system32\oleaut32.dll
----a-w 262,144 2007-08-30 11:55:54 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
-c--a-w 16,384 2007-08-29 11:48:06 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-08-29 11:48:06 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c----w 88,800 2003-09-01 13:34:32 C:\WINDOWS\system32\drivers\incdfs.sys
-c----w 28,528 2003-09-01 13:36:06 C:\WINDOWS\system32\drivers\incdpass.sys
-c----w 5,328 2003-09-01 13:35:06 C:\WINDOWS\system32\drivers\incdrec.sys
-c----w 25,520 2003-08-21 14:56:36 C:\WINDOWS\system32\drivers\incdrm.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 09:59]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 09:27]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 10:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-10 01:36]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 04:29]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 04:29]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-07-11 15:31]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-11-02 10:03]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 16:17]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-28 20:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 07:00]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2003-01-22 20:10]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-30 19:18]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 00:08]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-08-20 14:35:07]

C:\WINDOWS\system32\config\SYSTEM~1\STARTM~1\Programs\Startup\
AutoTBar.exe [2002-08-21 18:48:26]
AXEL.DAV [2003-04-09 17:10:07]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\progy.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Collegio Football FastStart"="C:\Program Files\Collegio Football\2007\cgofbfs.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\System32\drivers\CdaD10BA.SYS
S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 18:15:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 18:23:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 18:23
C:\ComboFix2.txt ... 2007-09-01 07:14
C:\ComboFix3.txt ... 2007-08-31 09:00

--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 6:24:45 PM, on 9/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\QooBox\Quarantine\C\_OTMoveIt\MovedFiles\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe.vir
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Joined
Aug 25, 2007
Messages
12
Hello lynnw196,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
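Once the steps above have produced DrWeb.csv, the report is easier to act on when read systematically rather than entry by entry. The script below is an added example for this thread, not Dr.Web's own code and not something the helper posted. It assumes the report's semicolon-separated layout (name;folder;detection;action; with a trailing semicolon) and uses constructed sample records in that layout, with made-up file names. It groups detections by signature family, counts copies that sit in System Restore points or in ComboFix's QooBox quarantine, and lists entries whose action field is empty, i.e. reported but neither cured nor deleted, which are the ones still needing attention.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv).

Added example for this thread; it is not part of Dr.Web CureIt or of any
other tool used here.  Assumes the record layout seen in such reports:
one record per line, semicolon-separated  name;folder;detection;action;
with a trailing ';'.  The action field is empty when Dr.Web reported the
file but did not cure, move or delete it.  SAMPLE_REPORT is constructed
for this example; the file and folder names in it are not real findings.
"""
from collections import Counter
from typing import List, NamedTuple


class Record(NamedTuple):
    name: str
    folder: str
    detection: str
    action: str  # "Deleted", "Moved", "Cured", ... or "" when nothing was done


# Constructed sample in the DrWeb.csv layout (not a real report).
SAMPLE_REPORT = r"""
sampleA.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7970;Deleted.;
sampleB.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0000001.exe;C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1;Trojan.Durvil;Deleted.;
A0000002.EXE;C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1;Adware.DSSAgent;;
this line is malformed and must be skipped
"""

RESTORE_MARKER = "\\System Volume Information\\"
QUARANTINE_PREFIX = "C:\\QooBox\\Quarantine"  # ComboFix's quarantine folder


def parse_report(text: str) -> List[Record]:
    """Parse report text into records, skipping blank and malformed lines."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        # The trailing ';' produces an empty last field; drop exactly one.
        if fields[-1] == "":
            fields.pop()
        if len(fields) < 3:
            continue  # not name;folder;detection -> do not guess
        action = fields[3] if len(fields) > 3 else ""
        records.append(Record(fields[0], fields[1], fields[2], action.rstrip(".")))
    return records


def family(detection: str) -> str:
    """Collapse a signature name to its family: Trojan.MulDrop.7970 -> Trojan.MulDrop."""
    parts = detection.split(".")
    return ".".join(parts[:2]) if len(parts) >= 2 else detection


def summarise(records: List[Record]) -> dict:
    """Group detections by family and flag the entries a cleaner should look at."""
    return {
        "total": len(records),
        "by_family": Counter(family(r.detection) for r in records),
        # Reported but no action taken: these still need handling.
        "unhandled": [r.name for r in records if r.action == ""],
        # Copies inside System Restore points: inert unless that point is
        # restored, which is why restore points are flushed after cleaning.
        "in_restore_points": sum(1 for r in records if RESTORE_MARKER in r.folder),
        # Already-quarantined copies (ComboFix's QooBox): renamed .vir, no longer loadable.
        "in_quarantine": sum(1 for r in records if r.folder.startswith(QUARANTINE_PREFIX)),
    }


def format_summary(summary: dict) -> str:
    """Render the summary as plain text for a forum reply."""
    lines = [f"{summary['total']} records"]
    for fam, n in sorted(summary["by_family"].items()):
        lines.append(f"  {fam}: {n}")
    lines.append(f"in restore points: {summary['in_restore_points']}")
    lines.append(f"in quarantine: {summary['in_quarantine']}")
    lines.append("NOT handled by Dr.Web: " + (", ".join(summary["unhandled"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarise(parse_report(SAMPLE_REPORT))))
```

To use it on a real report, read DrWeb.csv from the desktop and pass its text to `parse_report`. Entries under `System Volume Information` are restore-point copies of files already removed elsewhere; entries under `QooBox` are ComboFix's quarantined copies. Neither is an active infection, but an empty action field on a file outside those two locations means the file is still in place.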
 

lynnw196

Thread Starter
Joined
Aug 28, 2007
Messages
10
Hello Ripchain,
Sorry it took a few days; I was out of town. Here are the results from DrWeb:
Ran HijackThis for you just in case.
Thanks again.

sysfuyh.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7970;Deleted.;
sysfycn.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7970;Deleted.;
sysmrqm.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7970;Deleted.;
sysnbvz.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7970;Deleted.;
sysucel.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7970;Deleted.;
sysutzm.exe.vir;C:\QooBox\Quarantine\C;Trojan.MulDrop.7970;Deleted.;
ddaba.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod.209;Deleted.;
dsmppvbb.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
gaxvxjbp.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
gsfpvyrp.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ksjsuksa.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ngngpfcr.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
pqaihuwp.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
werwec_unknown.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.8486;Deleted.;
werwed.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.8486;Deleted.;
werwed_unknown.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.8486;Deleted.;
wslpdltr.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
mbtbpesn.dll.vir;C:\QooBox\Quarantine\C\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.Virtumod;Deleted.;
werwed.dll.vir;C:\QooBox\Quarantine\C\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.Kolweb;Deleted.;
A0077087.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Kolweb;Deleted.;
A0077088.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.MulDrop.8486;Deleted.;
A0079210.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.MulDrop.8486;Deleted.;
A0081695.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.MulDrop.8200;Deleted.;
A0081696.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081697.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081698.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081699.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.DownLoader.30543;Deleted.;
A0081700.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.StartPage.19993;Deleted.;
A0081701.EXE;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.DSSAgent;;
A0081702.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081703.scr;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.Msearch;;
A0081704.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081705.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081706.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081707.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081708.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Durvil;Deleted.;
A0081709.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Virtumod;Deleted.;
A0081710.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.MulDrop.7649;Deleted.;
A0081711.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.MulDrop.7649;Deleted.;
A0081712.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Kolweb;Deleted.;
A0081713.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.ClearSearch;;
A0081714.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.MySearch;;
A0081715.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;BackDoor.Generic.943;Incurable.Moved.;
A0081716.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.nCase;;
A0081717.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.nCase;;
A0081718.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.nCase;;
A0081719.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.Begin2Search;;
A0081720.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.DownLoader.26881;Deleted.;
A0081721.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.DownLoader.24715;Deleted.;
A0081722.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.DownLoader.5013;Deleted.;
A0081723.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;
A0081724.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;
A0081725.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;
A0081726.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;
A0081733.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Kolweb;Deleted.;
A0081734.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.Kolweb;Deleted.;
A0081735.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Trojan.MulDrop.8486;Deleted.;
A0081787.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP399;Trojan.Virtumod.209;Deleted.;
A0081846.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP400;Trojan.Virtumod;Deleted.;
A0081931.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP402;Trojan.Virtumod;Deleted.;
A0081932.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP402;Trojan.Virtumod;Deleted.;
A0081956.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP402;Trojan.Virtumod.206;Deleted.;
A0082128.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.Virtumod;Deleted.;
A0082129.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.Virtumod;Deleted.;
A0082133.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.7970;Deleted.;
A0082134.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.7970;Deleted.;
A0082135.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.Virtumod;Deleted.;
A0082136.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.7970;Deleted.;
A0082137.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.7970;Deleted.;
A0082138.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.7970;Deleted.;
A0082139.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.7970;Deleted.;
A0082140.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.Virtumod;Deleted.;
A0082142.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.8486;Deleted.;
A0082143.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.MulDrop.8486;Deleted.;
A0082156.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP404;Trojan.Virtumod;Deleted.;
A0083215.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP405;Trojan.Virtumod;Deleted.;
A0083478.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP410;Trojan.Virtumod;Deleted.;
A0083479.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP410;Trojan.Kolweb;Deleted.;
A0083482.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP410;Trojan.MulDrop.8486;Deleted.;
A0081701.EXE;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.DSSAgent;;
A0081703.scr;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.Msearch;;
A0081713.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.ClearSearch;;
A0081714.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.MySearch;;
A0081716.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.nCase;;
A0081717.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.nCase;;
A0081718.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.nCase;;
A0081719.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Adware.Begin2Search;;
A0081723.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;
A0081724.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;
A0081725.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;
A0081726.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP398;Probably BACKDOOR.Trojan;;


Logfile of HijackThis v1.99.1
Scan saved at 8:24:08 AM, on 9/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\QooBox\Quarantine\C\_OTMoveIt\MovedFiles\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe.vir
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Documents and Settings\Owner\My Documents\Applications\Bodog Poker\BPGame.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B318BB8-75C4-4211-B4AB-AA54958904E6}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B318BB8-75C4-4211-B4AB-AA54958904E6}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 