Tech Support Guy
IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.

HELP MEEE PLEASE! *Newbie*

4K views 30 replies 4 participants last post by  MFDnNC 
#1 ·
I don't know what I'm doing or what to do, but my computer is really wigging out and I'm nervous! Please advise...Thanks!:(

Logfile of HijackThis v1.99.1
Scan saved at 8:39:51 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\retadpu72.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5IV85AN\Windows-KB890830-V1.29[1].exe
c:\525b9eeee47eb0bf43e05c\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: 0 - {EE74FD41-BC01-4477-698C-C09D07638591} - C:\Program Files\WindowsUpdate\lavuma.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: dllhost.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us//html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159802951680
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159802941305
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
#3 ·
With a HijackThis log file being posted, the only people who can read and diagnose these are the certified techs with either the blue or gold shields. These are special files and require these people only. I am afraid that this is the only way, so please have a little bit of patience.
 
#6 ·
1. Download this file from either of these locations:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
===============
Download Superantispyware (SAS)

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.
 
#7 ·
UPDATE:

My HJT log was as follows below. My computer was freezing up and wouldn't connect to the internet and when it did, I'd be redirected to some strange site.

I attempted to do a system restore several times and Windows told me that all the dates were unavailable. So I tried to do a system recovery. My desktop is ultra slow and freezes up IF it decides to load. I cannot access the internet either. Can anyone offer any advice?

Thank you so much!

(This log is before I did the system restore)
Logfile of HijackThis v1.99.1
Scan saved at 8:39:51 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\retadpu72.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5IV85AN\Windows-KB890830-V1.29[1].exe
c:\525b9eeee47eb0bf43e05c\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: 0 - {EE74FD41-BC01-4477-698C-C09D07638591} - C:\Program Files\WindowsUpdate\lavuma.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: dllhost.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb...LStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1159802951680
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1159802941305
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
#13 ·
Let's see what we can do manually to free it up

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

O2 - BHO: 0 - {EE74FD41-BC01-4477-698C-C09D07638591} - C:\Program Files\WindowsUpdate\lavuma.dll (file missing)

O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

O4 - Global Startup: dllhost.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Delete these files

C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cfg32.exe
C:\WINDOWS\retadpu72.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 
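The entries singled out in #13 share a few visible traits: a .dll or .exe sitting directly in C:\WINDOWS rather than in a system subfolder, a bare executable (dllhost.exe) dropped into the all-users Startup folder instead of a .lnk shortcut, a BHO whose file is already missing, and a Run value that hands its program a long hex blob. The script below is an added example, not part of this thread and not HijackThis code; it parses the R/O entry lines of a HijackThis 1.99 log and applies exactly those heuristics, so the same triage can be repeated on a new log instead of by eye. The sample log embedded in it is an excerpt of the log posted in #1, plus two clean lines from the later log, so that both flagged and unflagged entries are exercised.

```python
"""Triage a HijackThis 1.99 log with the heuristics the helper in this thread applied by eye.

Added example, not part of the thread or of HijackThis itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Entry lines look like "O4 - HKLM\..\Run: [name] path args" or "O2 - BHO: name - {CLSID} - path"
HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
# A .exe/.dll/.ocx directly under C:\WINDOWS, not inside a subfolder such as system32
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:exe|dll|ocx)$", re.I)
# One token of 32+ hex digits; CLSID segments are at most 12 digits, so they never match
HEX_BLOB = re.compile(r"\b[0-9A-F]{32,}\b")
MISSING = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)


@dataclass
class Entry:
    kind: str
    body: str
    path: str = ""
    reasons: list[str] = field(default_factory=list)


def _o4_target(body: str) -> str:
    """Return the file an O4 (autostart) entry launches."""
    if body.startswith("Global Startup:"):
        target = body.split(":", 1)[1].strip()
        # Shortcuts read "name.lnk = C:\real\target.exe"; anything else is a bare filename
        return target.split(" = ", 1)[1] if " = " in target else target
    rest = body.partition("] ")[2].strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    # Unquoted path may contain spaces, so stop at the first executable extension
    m = re.match(r"(.*?\.(?:exe|dll|cpl|scr))(?:\s|$)", rest, re.I)
    return m.group(1) if m else rest


def _dash_target(body: str) -> str:
    """O2/O3/O9/O20/O23 entries end in ' - <path>', optionally followed by '(file missing)'."""
    tail = body.rsplit(" - ", 1)[-1]
    return MISSING.sub("", tail).strip()


def parse_line(line: str) -> Entry | None:
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # process list, headers and blank lines carry no entry
    kind, body = m.group("kind"), m.group("body")
    entry = Entry(kind, body)
    if kind == "O4":
        entry.path = _o4_target(body)
    elif kind in ("O2", "O3", "O9", "O20", "O23"):
        entry.path = _dash_target(body)
    return entry


def flag(entry: Entry) -> Entry:
    """Attach a reason for every heuristic the entry trips."""
    if MISSING.search(entry.body):
        entry.reasons.append("orphaned entry: the referenced file no longer exists")
    if WINDOWS_ROOT.match(entry.path):
        entry.reasons.append("binary sits directly in the Windows root, not in a system subfolder")
    if entry.kind == "O4" and entry.body.startswith("Global Startup:") and " = " not in entry.body:
        entry.reasons.append("bare executable in the all-users Startup folder "
                             "(legitimate entries there are .lnk shortcuts)")
    if entry.kind == "O4" and HEX_BLOB.search(entry.body):
        entry.reasons.append("Run value passes a long hex blob as its argument")
    return entry


def triage(log_text: str) -> list[Entry]:
    """Parse a whole log and return only the entries with at least one reason."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return [e for e in map(flag, entries) if e.reasons]


# Constructed sample: an excerpt of the log posted in #1 of this thread, plus two
# benign lines from the later log so both flagged and clean entries are present.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: 0 - {EE74FD41-BC01-4477-698C-C09D07638591} - C:\Program Files\WindowsUpdate\lavuma.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:4} {e.path or '(none)'}")
        for r in e.reasons:
            print(f"      - {r}")
```

Run against the sample it lists the seven entries the helper told the poster to fix and nothing else; the Adobe BHO, the quoted ATI Run value, the Quicken .lnk shortcut and the system32 service all pass. The heuristics are deliberately narrow (location, startup mechanism, missing file, odd argument) rather than name-based, which is why the renamed cfg32*/retadpu files still trip them; a real triage would follow up each hit by checking the file's publisher and hash rather than acting on the path alone.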
#14 ·
MFDnNC said:
Let's see what we can do manually to free it up

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

O2 - BHO: 0 - {EE74FD41-BC01-4477-698C-C09D07638591} - C:\Program Files\WindowsUpdate\lavuma.dll (file missing)

O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

O4 - Global Startup: dllhost.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Delete these files

C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cfg32.exe
C:\WINDOWS\retadpu72.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
I did a system recovery, so HJT is gone (if I remember correctly, but my Sims games were still there, so hopefully I lucked out and it's actually still there!). If not, on the off chance I am able to access the internet, I will do so, re-download HJT and follow your instructions. I'm so grateful for your help. Thank you! I'll be back to update.
 
#16 ·
OK!

Of the items you told me to fix, I only found "04-Global Startup: dllhost.exe", which I deleted. They were probably gone because I had done a system recovery.

Then I restarted my computer in safe mode as instructed. I did not see all of the files you mentioned, but I deleted related ones:

There were some icons:
>cfg32
>cfg32a
>retadpu

And I deleted these as well:
>retadpu1000106.exe.tmp
>retadpu1000137.exe.tmp

I also saw "Slrundll", it was a generic icon. I didn't delete this because I was unsure about it...

When I went START>RUN>%temp%, windows said it couldn't find it. But I went to the Temp folder and deleted everything as you instructed.

I emptied the recycle bin, rebooted and ran HJT. The log is below:

Logfile of HijackThis v1.99.1
Scan saved at 6:27:38 PM, on 6/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
 
#19 ·
OK, a few things that may be useful first:

Norton Anti-virus popped up with the following viruses:

>W32.Fontra
>Bloodhound.exploit.109
These were found in C\documents and settings\owner...etc. Norton said access was denied, when I tried to enter this folder, I got the same message.

There are also a couple .exe programs in C:\Program files which I was denied access to as well.

The logs:

Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 21:31, on 2007-06-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucr.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
 
#20 ·
Contd...

SUPERA

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/04/2007 at 09:21 PM

Application Version : 3.8.1002

Core Rules Database Version : 3249
Trace Rules Database Version: 1260

Scan type : Complete Scan
Total Scan Time : 02:24:09

Memory items scanned : 346
Memory threats detected : 0
Registry items scanned : 3995
Registry threats detected : 0
File items scanned : 112660
File threats detected : 147

Adware.Tracking Cookie
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@edge.ru4[1].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@ads.adbrite[2].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@adbrite[1].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner.TAVSCOMP\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Default User\Cookies\owner@4.adbrite[1].txt
C:\Documents and Settings\Default User\Cookies\owner@ad.bannerconnect[2].txt
C:\Documents and Settings\Default User\Cookies\owner@ad.iconadserver[2].txt
C:\Documents and Settings\Default User\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Default User\Cookies\owner@adbrite[1].txt
C:\Documents and Settings\Default User\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Default User\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Default User\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Default User\Cookies\owner@ads.adbrite[2].txt
C:\Documents and Settings\Default User\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\Default User\Cookies\owner@adserver.easyad[2].txt
C:\Documents and Settings\Default User\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Default User\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Default User\Cookies\owner@burstnet[1].txt
C:\Documents and Settings\Default User\Cookies\owner@casalemedia[2].txt
C:\Documents and Settings\Default User\Cookies\owner@clicksor[1].txt
C:\Documents and Settings\Default User\Cookies\owner@cpvfeed[2].txt
C:\Documents and Settings\Default User\Cookies\owner@data3.perf.overture[2].txt
C:\Documents and Settings\Default User\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Default User\Cookies\owner@edge.ru4[2].txt
C:\Documents and Settings\Default User\Cookies\owner@ehg-hollywood.hitbox[2].txt
C:\Documents and Settings\Default User\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Default User\Cookies\owner@fortunecity[1].txt
C:\Documents and Settings\Default User\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Default User\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Default User\Cookies\owner@perf.overture[1].txt
C:\Documents and Settings\Default User\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Default User\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Default User\Cookies\owner@reduxads.valuead[2].txt
C:\Documents and Settings\Default User\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Default User\Cookies\owner@sixapart.adbureau[1].txt
C:\Documents and Settings\Default User\Cookies\owner@statcounter[2].txt
C:\Documents and Settings\Default User\Cookies\owner@stats1.reliablestats[2].txt
C:\Documents and Settings\Default User\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Default User\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Default User\Cookies\owner@tremor.adbureau[2].txt
C:\Documents and Settings\Default User\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Default User\Cookies\owner@winantispyware[2].txt
C:\Documents and Settings\Default User\Cookies\owner@www.burstbeacon[1].txt
C:\Documents and Settings\Default User\Cookies\owner@www.burstnet[1].txt
C:\Documents and Settings\Default User\Cookies\owner@zedo[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@2o7[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@ad.yieldmanager[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@adinterax[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@adopt.euroclick[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@adrevolver[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@adrevolver[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@ads.pointroll[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@advertising[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@atdmt[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@atwola[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@bluestreak[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@bs.serving-sys[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@c5.zedo[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@casalemedia[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@cdn.euroclick[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@citi.bridgetrack[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@doubleclick[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@fastclick[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@mediaplex[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@mediaservices.myspace[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@msnportal.112.2o7[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@perf.overture[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@questionmarket[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@realmedia[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@revsci[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@server.cpmstar[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@serving-sys[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@trafficmp[2].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@tribalfusion[1].txt
C:\Documents and Settings\Ilia and Barry\Cookies\ilia and barry@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@4.adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.bannerconnect[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.iconadserver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.easyad[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@clicksor[1].txt
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt
C:\Documents and Settings\Owner\Cookies\owner@data3.perf.overture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-hollywood.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fortunecity[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@reduxads.valuead[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sixapart.adbureau[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tremor.adbureau[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@winantispyware[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
C:\Documents and Settings\Tim Alan.YOUR-SZ6X6SEFXO\Cookies\tim alan@msnportal.112.2o7[1].txt

TargetSaver, Inc. Process
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMP\TSINSTALL_4_0_4_0_B4.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\TSINSTALL_4_0_4_0_B4.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TSUNINST.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP7\A0005926.EXE

Trojan.Downloader-Gen/Inst2
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\FBPNFDGC\VV[1].EXE
C:\WINDOWS\SYSTEM32\T6\DLWR.EXE

Unclassified.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\WQOW\WQOWA.EXE

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\WQOW\WQOWD\CLASS-BARREL
C:\PROGRAM FILES\COMMON FILES\WQOW\WQOWD\VOCABULARY

Unclassified.Unknown Origin/System
C:\PROGRAM FILES\COMMON FILES\WQOW\WQOWD\WQOWC.DLL

Adware.TargetSavers
C:\PROGRAM FILES\COMMON FILES\WQOW\WQOWP.EXE

Adware.webHancer
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20070528-170248-632.DLL

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1122OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1275OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1275OINUNINSTALLER.EXE.VIR

Adware.SearchClickAds
C:\QOOBOX\QUARANTINE\C\WINDOWS\STUB_MMA2.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP6\A0005828.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP6\A0005829.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP7\A0005923.EXE

Trojan.ZQuest-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\T3\DLLTK67.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP7\A0005925.EXE

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B103.EXE
C:\WINDOWS\B104.EXE

Trojan.Unknown Origin
C:\WINDOWS\B129.EXE

ComboFix

"Owner" - 2007-06-04 18:50:20 Service Pack 1 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Owner.TAVSCOMP\Desktop\"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwindows\UnInstall.exe
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\dlltk67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))

2007-06-04 18:48 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-04 18:47 d-------- C:\Program Files\SUPERAntiSpyware
2007-06-04 18:47 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-04 18:47 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\SUPERAntiSpyware.com
2007-06-04 17:39 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-06-03 19:54 290,816 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-03 13:48 dr-hs---- C:\cmdcons
2007-06-03 13:32 d-------- C:\WINDOWS\setup.pss
2007-06-03 13:10 72 --a------ C:\DOCUME~1\OWNER~1.TAV\test.dat
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\InterTrust
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\interMute
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\Hewlett-Packard
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\Help
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\CyberLink
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\ATI
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\AOL
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\acccore
2007-06-03 13:10 d-------- C:\DOCUME~1\OWNER~1.TAV\.limewire
2007-06-03 13:09 1,048,576 --ah----- C:\DOCUME~1\OWNER~1.TAV\NTUSER.DAT
2007-06-03 13:09 d---s---- C:\DOCUME~1\OWNER~1.TAV\UserData
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\WINDOWS
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\Incomplete
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\You've Got Pictures Screensaver
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\U3
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\Symantec
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\Sonic
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\SampleView
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\Real
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\MSNInstaller
2007-06-03 13:09 d-------- C:\DOCUME~1\OWNER~1.TAV\APPLIC~1\MSN6
2007-06-03 12:55 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-06-03 12:55 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-06-03 12:55 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2007-06-03 12:12 72 --a------ C:\DOCUME~1\DEFAUL~1\test.dat
2007-06-03 12:12 d---s---- C:\DOCUME~1\DEFAUL~1\UserData
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\Incomplete
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\U3
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\MSNInstaller
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\MSN6
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Hewlett-Packard
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Help
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\CyberLink
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\ATI
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\AOL
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\acccore
2007-06-03 12:12 d-------- C:\DOCUME~1\DEFAUL~1\.limewire
2007-06-03 11:45 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-03 11:45 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-03 11:45 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-06-03 11:45 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-03 11:45 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-03 11:44 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-06-03 11:44 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-06-03 10:28 d-------- C:\DOCUME~1\TIMALA~1.YOU\WINDOWS
2007-06-03 10:28 d-------- C:\DOCUME~1\TIMALA~1.YOU\APPLIC~1\Symantec
2007-06-03 10:28 d-------- C:\DOCUME~1\TIMALA~1.YOU\APPLIC~1\SampleView
2007-06-03 10:28 d-------- C:\DOCUME~1\TIMALA~1.YOU\APPLIC~1\InterTrust
2007-06-03 10:28 d-------- C:\DOCUME~1\TIMALA~1.YOU\APPLIC~1\ATI
2007-06-03 08:41 78,360 --a------ C:\Program Files\uy.exe
2007-06-03 08:34 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-06-03 08:34 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-03 08:33 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-03 08:33 d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-03 08:20 d-------- C:\WINDOWS\Internet Logs
2007-06-02 19:53 d-------- C:\Program Files\Windows Defender
2007-06-02 11:59 1,048,576 --ah----- C:\DOCUME~1\TIMALA~1.YOU\NTUSER.DAT
2007-06-02 11:59 d-------- C:\DOCUME~1\TIMALA~1.YOU\APPLIC~1\Sonic
2007-06-02 11:59 d-------- C:\DOCUME~1\TIMALA~1.YOU\APPLIC~1\Real
2007-06-02 11:59 d-------- C:\DOCUME~1\TIMALA~1.YOU\APPLIC~1\interMute
2007-05-28 16:29 d-------- C:\WINDOWS\wqow
2007-05-28 16:29 d-------- C:\Program Files\Common Files\wqow
2007-05-26 16:08 167 --a------ C:\WINDOWS\system32\9193.bat
2007-05-26 16:07 109,343 --a------ C:\WINDOWS\system32\app.exe
2007-05-26 16:07 10,326 --a------ C:\WINDOWS\system32\install.exe
2007-05-26 16:07 d-------- C:\WINDOWS\system32\TQ0
2007-05-26 16:07 d-------- C:\WINDOWS\system32\T8
2007-05-26 16:07 d-------- C:\WINDOWS\system32\T6QaSQ
2007-05-26 16:07 d-------- C:\WINDOWS\system32\T6
2007-05-26 16:06 32,768 --a------ C:\WINDOWS\system32\setup9x.exe
2007-05-24 16:05 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-05-21 19:32 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-05-21 19:31 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-05-20 19:03 d-------- C:\Program Files\Incomplete
2007-05-06 11:09 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\acccore
2007-05-05 07:42 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\ATI
2007-05-05 07:41 1,048,576 --ah----- C:\DOCUME~1\ILIAAN~1\NTUSER.DAT
2007-05-05 07:41 d-------- C:\DOCUME~1\ILIAAN~1\WINDOWS
2007-05-05 07:41 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\Symantec
2007-05-05 07:41 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\Sonic
2007-05-05 07:41 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\SampleView
2007-05-05 07:41 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\Real
2007-05-05 07:41 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\InterTrust
2007-05-05 07:41 d-------- C:\DOCUME~1\ILIAAN~1\APPLIC~1\interMute
2007-05-04 22:03 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-04 22:03 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-04 22:03 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-04 22:03 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-05-04 22:03 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-05-04 22:02 d-------- C:\Program Files\DivX

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 01:25:50 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-05 00:59:05 -------- d-----w C:\Program Files\AWS
2007-06-05 00:55:21 -------- d-----w C:\Program Files\Easy Internet signup
2007-06-05 00:49:18 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-05 00:31:20 417,792 ----a-w C:\Program Files\Video.exe
2007-06-05 00:31:20 417,792 ----a-w C:\Program Files\Track_03.exe
2007-06-03 20:19:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-03 17:58:39 -------- d-----w C:\Program Files\Windows NT
2007-06-03 17:58:34 -------- d-----w C:\Program Files\Movie Maker
2007-06-03 17:58:33 -------- d-----w C:\Program Files\Messenger
2007-06-03 17:28:39 -------- d-----w C:\Program Files\LimeWire
2007-05-28 21:05:34 -------- d-----w C:\Program Files\AlarmWiz
2007-05-09 03:29:58 -------- d-----w C:\Program Files\EA GAMES
2007-05-02 18:04:23 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-02 18:04:19 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-05-02 18:04:06 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-05-02 18:04:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-05-02 18:02:06 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-05-02 18:02:06 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-05-02 18:02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-05-02 18:02:02 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-05-02 18:02:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-05-02 18:02:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-02 18:01:56 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-02 18:01:56 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-02 02:33:57 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-05-02 02:33:56 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-03-29 20:22:38 417,792 ----a-w C:\Program Files\Setup.exe
2007-03-11 17:37:25 278,528 ----a-w C:\WINDOWS\system32\livesnth.dll
2007-03-05 20:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 19:02]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}=C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 18:00]
{BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 07:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 08:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-10 03:50]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 02:29]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 02:29]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 C:\WINDOWS\ALCXMNTR.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 22:08]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL

Contents of the 'Scheduled Tasks' folder
2006-09-22 02:39:10 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1158852529.job
2007-06-03 17:34:17 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-05 00:46:54 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-05 00:46:55 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 18:52:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-04 18:53:32
C:\ComboFix-quarantined-files.txt ... 2007-06-04 18:53

--- E O F ---
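The SUPERAntiSpyware log above is long enough that a triage pass helps before reading it line by line. The following Python script is an added example, not part of the thread or of SUPERAntiSpyware or ComboFix; it assumes only the layout visible above (a detection name on its own line, one full path per line beneath it, groups separated by blank lines) and sorts hits into already-quarantined, restore-point and still-live items, then checks its count against the scanner's own "File threats detected" header. The embedded sample is a constructed, cut-down copy of that log.

```python
import re
from collections import Counter

# Constructed sample: a cut-down copy of the layout used by the log in the thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/04/2007 at 09:21 PM

File items scanned : 112660
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt

TargetSaver, Inc. Process
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\TSINSTALL_4_0_4_0_B4.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TSUNINST.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP7\A0005926.EXE

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B103.EXE
C:\WINDOWS\B104.EXE
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DECLARED_RE = re.compile(r"^File threats detected\s*:\s*(\d+)\s*$", re.M)
PROFILE_RE = re.compile(r"\\documents and settings\\([^\\]+)\\", re.I)


def parse_detections(log_text):
    """Return a list of (detection_name, [paths]) from the 'File threats' section.

    Blocks are separated by blank lines; a block counts as a detection only when
    its first line is a name and every remaining line is a drive path.
    """
    groups = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or PATH_RE.match(lines[0]):
            continue  # header block, or a stray path with no name
        paths = lines[1:]
        if all(PATH_RE.match(p) for p in paths):
            groups.append((lines[0], paths))
    return groups


def classify_path(path):
    """Bucket a detected path by what still needs doing about it."""
    p = path.upper()
    if p.startswith("C:\\QOOBOX\\") or p.endswith(".VIR"):
        return "quarantined"    # already neutralised by ComboFix
    if "\\SYSTEM VOLUME INFORMATION\\" in p:
        return "restore_point"  # comes back via System Restore unless points are purged
    if "\\COOKIES\\" in p and p.endswith(".TXT"):
        return "cookie"         # tracking cookie: privacy noise, not executable code
    return "active"             # executable content still on the live file system


def profile_of(path):
    """User profile a path belongs to, or None for system-wide locations."""
    m = PROFILE_RE.search(path)
    return m.group(1) if m else None


def triage(log_text):
    """Summarise a log: bucket counts, per-profile counts of non-cookie hits,
    items still needing action, and whether the parsed total matches the header."""
    counts, per_profile, needs_action = Counter(), Counter(), []
    for name, paths in parse_detections(log_text):
        for path in paths:
            bucket = classify_path(path)
            counts[bucket] += 1
            if bucket != "cookie":
                per_profile[profile_of(path) or "<system>"] += 1
            if bucket == "active":
                needs_action.append((name, path))
    parsed = sum(counts.values())
    m = DECLARED_RE.search(log_text)
    declared = int(m.group(1)) if m else None
    return {"counts": dict(counts), "per_profile": dict(per_profile),
            "needs_action": needs_action, "parsed": parsed,
            "declared": declared, "consistent": declared == parsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"], "matches header:", result["consistent"])
    for name, path in result["needs_action"]:
        print(f"  still live  {name}: {path}")
```

A mismatch between the parsed total and the header is the signal that the pasted log is truncated or reformatted, which is worth knowing before acting on it.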
 
#21 ·
Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
==================

C\documents and settings\owner...etc tells me nothing

==================

Run ActiveScan online virus scan

http://www.pandasoftware.com/products/activescan.htm

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Post a new HiJackThis log along with the results from ActiveScan
 
#23 ·
Okay, I'm running the scan. I've attempted to several times, but I don't like to leave the internet connected when I leave now and it takes forever! This time I'll wait it out. Sometimes my computer will restart on its own...that interrupts the scan as well. I'm crossing my fingers this time...
 
#24 ·
It's extremely LONG! I hope you don't mind that I've attached the files instead

I tried to find those files I mentioned. I was denied access to C:\Documents and Settings\Owner, and there are some viruses in there. The ActiveScan said there were like 800 Viruses! It Disinfected many of them, but there are still some I think...
 


#25 ·
It appears that your Norton is not active - remove it in Add/Remove Programs and then

Get the free AVG AntiVirus 7.5 install it, check for updates and run a full scan

AVG 7.5 - http://free.grisoft.com/freeweb.php/doc/2/

A lot of the infection was in Limewire – delete this folder - C:\Program Files\LimeWire

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {C8CD0946-EEED-427D-9343-3FBD192A048A} - C:\WINDOWS\system32\driverj.dll

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\driverj.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 
#26 ·
I will certainly do all this this evening, but in addition, would you please advise how I can regain access to my C:\Documents and Settings\Owner folder?

Also, you told me to copy and paste files into kill box and spoke as if there would be multiple lines. I only saw C:\WINDOWS\system32\driverj.dll. Is that correct?
 