Need assist finalizing malware cleanup

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Quilcine

Thread Starter
Joined
Apr 3, 2008
Messages
1
Hello, kind helpers of the malware-afflicted. Thank you for reading my post and providing assistance.

This shouldn't take too long as I have done most of the clean-up myself but need assistance with a final review to catch what I've missed.

My girlfriend's laptop had become severely afflicted, to the point that it would not stay running; it was auto-rebooting every minute or so.

Browsers would no longer stay open; even Mozilla Firefox finally stopped working.

At boot, we'd receive a pop-up stating "Error loading C:\Windows\system32\osqznsmOkZ.dll."

When opening a browser, we'd also see a cmd prompt box with C:\...\Locals-1\Temp\22.exe along the top.

This would be followed by a window pop-up stating "NTVDM CPU has encountered an illegal instruction". Then 22.exe would be mentioned again.

In Safe Mode, I have run Ad-Aware SE Personal, CWShredder, an Ewido/AVG scan, a couple of SmitFraud cleaners, Spybot Search & Destroy, and ComboFix. I had to run them in Safe Mode because they wouldn't run in normal Windows. I've run them each several times and in different orders.

This has restored stability, but I still occasionally see "osqznsmOkZ.dll" and "22.exe" errors pop up.

I will reinstall McAfee and enable my firewall when the cleanup is done.

Please review my ComboFix and HJT logs and advise on what I should clean up next.

Also, if we can clean this up, I can assure you I will donate to your organisation.

Thanks in advance

Jim

HJT Log

Logfile of HijackThis v1.98.2
Scan saved at 1:01:05 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Margaret McNutt\Desktop\CleanUp\hijak this\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135963028\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [PPort9reminder] "C:\Program Files\ScanSoft\PaperPort\WebEreg\Ereg.exe" -r "C:\Program Files\ScanSoft\PaperPort\WebEreg\ereg.ini"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [bvllyuvo] C:\Program Files\Hkruemqx\bvllyuvo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Palm Registration.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{281DB1B5-1487-4E57-A65E-937A61AA2C87}: NameServer = 4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{40F703AA-D707-4D5F-90B5-43C3D68ACAB2}: NameServer = 4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{51A53BAD-6DD3-49D3-B015-F301730F93FE}: NameServer = 4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D370A47-30E6-4958-83AA-FB09E378C7FD}: NameServer = 4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D81AAE4F-0C54-4FBE-B182-26A593FB2684}: NameServer = 4.2.2.1
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: TZvHyIBqxYtFR - {4A873377-E02D-99DD-4809-259E6ED99C8D} - (no file)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

COMBOFIX Log

ComboFix 08-04-01.2 - Margaret McNutt 2008-04-03 0:51:10.7 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Margaret McNutt\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-02 21:32 . 2008-04-02 21:32 <DIR> d-------- C:\Documents and Settings\Margaret McNutt\Application Data\Grisoft
2008-04-02 21:32 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-02 15:38 . 2008-04-02 15:38 <DIR> d-------- C:\WINDOWS\system32\bfubackups
2008-04-01 18:34 . 2008-04-01 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 16:01 . 2008-04-01 16:00 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-01 16:01 . 2008-04-01 16:01 2,559 --a------ C:\WINDOWS\unins000.dat
2008-03-30 18:07 . 2008-03-30 19:18 7,484 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-30 18:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-30 18:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-30 18:06 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-30 18:06 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-30 18:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-30 18:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-24 13:13 . 2008-03-24 13:13 2 --a------ C:\E.tmp
2008-03-23 23:03 . 2008-03-23 23:03 2 --a------ C:\B.tmp
2008-03-22 15:50 . 2008-03-22 15:50 10,001 --a------ C:\WINDOWS\lxqu.exe
2008-03-12 21:56 . 2008-03-12 21:56 978 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-11 22:47 . 2008-03-20 22:17 0 --a------ C:\WINDOWS\system32\lich.dat
2008-03-11 22:45 . 2008-03-11 22:46 31,272 --a------ C:\F.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 22:36 --------- d-----w C:\Program Files\ewido anti-malware
2008-04-01 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-01 07:49 --------- d-----w C:\Program Files\McAfee
2008-04-01 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-01 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-01 01:43 --------- d-----w C:\Program Files\Info Select
2008-03-13 01:55 --------- d-----w C:\Program Files\Xyjiycqd
2008-03-13 01:55 --------- d-----w C:\Program Files\urgloxsn
2008-03-12 02:44 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-03-12 02:44 14,336 ----a-w C:\WINDOWS\system32\dllcache\svchost.exe
2008-03-10 03:04 --------- d-----w C:\Program Files\Sony Handheld
2008-03-03 02:30 --------- d-----w C:\Program Files\Google
2008-03-02 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 18:34 --------- d-----w C:\Program Files\Quicken
2008-03-02 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-03-02 06:03 --------- d-----w C:\Program Files\InfeStop
2008-03-02 06:03 --------- d-----w C:\Program Files\EasySpywareCleaner
2008-03-02 06:02 --------- d-----w C:\Program Files\Spy-Rid
2008-03-02 05:33 126 ----a-w C:\Documents and Settings\Margaret McNutt\c200.bat
2008-03-02 05:31 112,640 ----a-w C:\Documents and Settings\Margaret McNutt\tmp.exe
2008-03-02 05:31 --------- d-----w C:\Documents and Settings\Margaret McNutt\Application Data\InfeStop.com
2008-03-02 04:54 --------- d-----w C:\Program Files\McAfee virus protection
2008-03-02 03:57 --------- d-----w C:\Documents and Settings\Margaret McNutt\Application Data\spy-rid.com
2008-03-01 00:35 --------- d-----w C:\Documents and Settings\Margaret McNutt\Application Data\EasySpywareCleaner.com
2008-02-29 01:26 --------- d-----w C:\Program Files\Hkruemqx
2008-02-29 01:25 --------- d-----w C:\Documents and Settings\Margaret McNutt\Application Data\WinIFixer.com
2008-02-29 01:21 17,872 ----a-w C:\WINDOWS\sakbz.exe
2008-02-25 00:05 18,886 ----a-w C:\Program Files\Common Files\urequqilu.bat
2008-02-25 00:05 17,821 ----a-w C:\Program Files\Common Files\jegelo.vbs
2008-02-25 00:05 17,551 ----a-w C:\WINDOWS\system32\nysin.pif
2008-02-25 00:05 15,402 ----a-w C:\WINDOWS\maliniwadi.bin
2008-02-25 00:05 14,972 ----a-w C:\Program Files\Common Files\aqokijys._dl
2008-02-25 00:05 14,360 ----a-w C:\WINDOWS\hiku.scr
2008-02-25 00:05 11,913 ----a-w C:\Program Files\Common Files\egykavyje.sys
2008-02-25 00:05 11,890 ----a-w C:\WINDOWS\system32\ojawubiq.bin
2008-02-25 00:05 11,061 ----a-w C:\WINDOWS\miqobapal.exe
2008-02-25 00:05 10,247 ----a-w C:\Documents and Settings\All Users\Application Data\uquha.scr
2008-02-22 16:39 --------- d-----w C:\Program Files\CKBrowser
2008-02-17 17:58 1,333,680 ----a-w C:\Program Files\bjourn31p.zip
2008-02-17 17:57 1,435,577 ----a-w C:\Program Files\SplashNotesInstaller.exe
2008-02-17 17:55 --------- d-----w C:\Program Files\SplashData
2008-02-17 17:23 --------- d-----w C:\Documents and Settings\Margaret McNutt\Application Data\Arcsoft
2008-02-11 05:25 61,185 ----a-w C:\WINDOWS\trashicon.exe
2008-02-06 02:16 --------- d-----w C:\Program Files\Kidspiration 3
2008-02-06 02:16 --------- d-----w C:\Documents and Settings\Margaret McNutt\Application Data\Inspiration Software
2008-02-06 02:12 --------- d-----w C:\Program Files\Kidspiration 3 Trial
2008-02-06 02:01 164,411,392 ----a-w C:\Program Files\Kidspiration3_win.exe
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-21 23:39 3,359 ----a-w C:\Program Files\uninstal.log
2005-08-28 17:09 4,675,472 ----a-w C:\Program Files\AveryWizardforWord2003-English.exe
2005-05-12 04:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2004-09-07 23:26 2,421,920 ----a-w C:\Program Files\winzip90.exe
2004-08-04 23:36 22,823,424 ----a-w C:\Program Files\Inspiration.exe
2004-07-15 02:19 3,520,880 -c--a-w C:\Program Files\AmplifyToolbar.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40 159744]
"ATIModeChange"="Ati2mdxx.exe" [2003-10-07 23:41 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 14:50 184412]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-11 22:10 335872]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 04:23 90112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 22:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 21:23 868352]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 00:03 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 23:55 483328]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 17:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 20:28 155648]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"HostManager"="C:\Program Files\Common Files\AOL\1135963028\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-30 13:19 98304]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-05-07 19:15 26112]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 22:00 864256]
"PPort9reminder"="C:\Program Files\ScanSoft\PaperPort\WebEreg\Ereg.exe" [2003-07-07 10:29 729088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2003-09-30 14:31 88363 C:\WINDOWS\AGRSMMSG.exe]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-09-26 10:04 237568]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-05-02 19:00 55368]
"braviax"="braviax.exe" []
"WinIFixer"="C:\Program Files\WinIFixer\WinIFixer.exe" [ ]
"bvllyuvo"="C:\Program Files\Hkruemqx\bvllyuvo.exe" [2008-02-28 21:26 48128]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-28 11:38:43 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-09-12 12:42:00 503869]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2007-08-27 22:34:09 28672]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Sony Handheld\Hotsync.exe [2004-06-09 14:27:34 471040]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fSHjKVHYCU"= rundll32.exe "C:\WINDOWS\system32\osqznsmOkZ.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nqi00.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"C:\\Program Files\\Info Select\\is.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135963028\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135963028\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Documents and Settings\\Margaret McNutt\\tmp.exe"=

S1 kcp;kcp;C:\WINDOWS\system32\drivers\kcp.sys []
S2 wmpisvrs32k;wmpisvrs32k;C:\Program Files\Common Files\System\wmpisvrs32.exe [2008-03-11 22:46]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 16:55]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 wmpisvrs32;wmpisvrs32;C:\Program Files\Common Files\System\wmpisvrs32.dll []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 00:56:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?5?5?7??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-03 0:57:47
ComboFix-quarantined-files.txt 2008-04-03 04:57:29
ComboFix2.txt 2008-04-02 22:53:50
ComboFix3.txt 2008-04-02 18:04:32
ComboFix4.txt 2008-04-02 07:30:06
Pre-Run: 19,987,881,984 bytes free
Post-Run: 19,973,304,320 bytes free
.
2008-04-02 07:10:40 --- E O F ---

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I have also included a startup log generated by HJT.

StartupList report, 4/3/2008, 12:58:57 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Margaret McNutt\Desktop\CleanUp\hijak this\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16608)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Margaret McNutt\Desktop\CleanUp\hijak this\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Margaret McNutt\Start Menu\Programs\Startup]
Palm Registration.lnk = ?

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = ?
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
BTTray.lnk = ?
DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint2K\Apoint.exe
ATIModeChange = Ati2mdxx.exe
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
CamMonitor = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
HPHUPD05 = C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
StatusClient = C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
TomcatStartup = C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
HP Software Update = C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
HostManager = C:\Program Files\Common Files\AOL\1135963028\ee\AOLSoftware.exe
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
PaperPort PTD = C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
IndexSearch = C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
SetDefPrt = C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
ControlCenter2.0 = C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
PPort9reminder = "C:\Program Files\ScanSoft\PaperPort\WebEreg\Ereg.exe" -r "C:\Program Files\ScanSoft\PaperPort\WebEreg\ereg.ini"
Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
AGRSMMSG = AGRSMMSG.exe
eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
SansaDispatch = C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
braviax = braviax.exe
WinIFixer = C:\Program Files\WinIFixer\WinIFixer.exe
bvllyuvo = C:\Program Files\Hkruemqx\bvllyuvo.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\test0123 => C:\Qoobox\Quarantine\C\test0123.vir||x

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
TZvHyIBqxYtFR: *Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

fSHjKVHYCU = rundll32.exe "C:\WINDOWS\system32\osqznsmOkZ.dll",DllCleanServer

--------------------------------------------------

End of report, 6,951 bytes
Report generated in 0.062 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Thanks for taking the time to assist me.
Jim
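The kind of first pass a log helper does on an HJT log, written out as an added example (this is not code from the thread, from HijackThis or from ComboFix). It runs over lines excerpted from the HJT log above and flags entries whose backing file is gone, Run values given as a bare filename, and Run values whose name, executable or folder looks machine-generated; the `looks_random` heuristic and its thresholds are assumptions for illustration, not a substitute for knowing which product names are rogue.

```python
"""HijackThis log triage, added here as an example (not a tool from this thread).

It flags the entries a log helper looks at first: autostart items whose file
is missing, Run entries given as a bare filename, and Run entries whose value
name, executable or folder looks machine-generated. The sample lines are
excerpted from the HJT log posted above; the heuristics and thresholds are
assumptions for illustration and do not replace a list of known-bad names.
"""
import re

# Excerpt of the HJT log above (raw string, so backslashes are literal).
SAMPLE_LOG = r"""
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [bvllyuvo] C:\Program Files\Hkruemqx\bvllyuvo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: TZvHyIBqxYtFR - {4A873377-E02D-99DD-4809-259E6ED99C8D} - (no file)
"""

# O4 Run-key entries look like: O4 - HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def looks_random(token: str) -> bool:
    """Assumed heuristic for machine-generated names: eight or more letters with
    a low vowel share or a run of four or more consonants. All-uppercase tokens
    (vendor acronyms such as AGRSMMSG) are skipped to limit false positives."""
    letters = "".join(c for c in token if c.isalpha())
    if len(letters) < 8 or letters.isupper():
        return False
    low = letters.lower()
    vowel_share = sum(c in "aeiou" for c in low) / len(low)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", low)), default=0)
    return vowel_share <= 0.25 or longest_run >= 4


def exe_path(cmd: str) -> str:
    """Return the program path from a Run value, quoted or not, dropping arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Orphaned autostart/shell entries: something registered a component
        # that is no longer on disk, often residue of a partial cleanup.
        if "(no file)" in line or "(file missing)" in line:
            findings.append(("orphaned entry, backing file is gone", line))
            continue
        m = O4_RUN.match(line)
        if not m:
            continue
        path = exe_path(m.group("cmd"))
        if "\\" not in path:
            # A bare filename is resolved by PATH search; confirm where it lives.
            findings.append(("bare filename in Run value, location unverified", line))
        parts = path.split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        parent = parts[-2] if len(parts) > 1 else ""
        value_name = m.group("name").rsplit(".", 1)[0]
        if any(looks_random(t) for t in (value_name, stem, parent)):
            findings.append(("machine-generated-looking name", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:<50} {line}")
```

On the excerpt this flags the two `(no file)` entries and the `(file missing)` button, the bare `braviax.exe` and `AGRSMMSG.exe` values, and the `Hkruemqx\bvllyuvo.exe` entry, while leaving the HP, ATI and `ctfmon.exe` entries alone.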

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi, welcome to TSG!!


Please update your version of HJT.
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.

You have no anti-virus software!!

Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.

Now load AVG (http://free.grisoft.com/freeweb.php/doc/2/); it's free.