Solved: Computer only runs in safe mode.


obutiny

Thread Starter
Joined
Jul 8, 2007
Messages
6
I can only run my computer in safe mode. Every time that I try to start it other than in safe mode it just reboots repeatedly. I know that I have ntos.exe. I had pop-ups that were bogging things down so I renamed iexplore (added a "d" at the end). Can someone please help me? Here is my hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:07 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Tiny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.obu.edu/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E70CE7C0726B954E1C2832210339226033AAC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\xrqdbmvj.dll",forkonce
O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\system32\KB_963491.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Tiny\LOCALS~1\Temp\17168\gm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Saj] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [Wjj] "C:\Program Files\s?stem\w?crtupd.exe"
O4 - HKCU\..\Run: [Kql] C:\WINDOWS\??crosoft.NET\?ervices.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\system32\wcxw.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UE9T\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hdhapcep.exe (file missing)
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\cisslfz.exe (file missing)
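As an added example (not part of the original thread or of HijackThis itself), the following Python script applies the checks a helper makes when reading a log like the one above: a second program chained into the F2 UserInit value, O4 autostarts whose path contains characters HijackThis cannot display (shown as ?) or that launch from a Temp folder, O4 entries pointing at the same binary as the UserInit hijack, and O21/O23 components that are "(file missing)" or run from an unusual location with an unknown owner. The sample lines are copied from the log above; the `Finding` class, the rule wording and the `triage` function are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries quoted in the post above,
# copied from the log. The [icq.com] rundll32 entry is kept as a reminder that
# these rules do not catch everything; that DLL was later removed by ComboFix.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.obu.edu/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\xrqdbmvj.dll",forkonce
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Tiny\LOCALS~1\Temp\17168\gm.exe
O4 - HKCU\..\Run: [Saj] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\system32\wcxw.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hdhapcep.exe (file missing)
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
"""

# The only program that belongs in the system.ini UserInit value on Windows XP.
GOOD_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O4", "O23"
    reason: str    # why the entry is worth a second look
    line: str      # the original log line


def _program(cmd: str) -> str:
    """First program of a command line: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else cmd


def command_path(cmd: str) -> str:
    """Path that actually gets loaded by an O4 command: for rundll32 launchers that is
    the DLL argument, otherwise the program itself."""
    m = re.match(r'(?i)\s*rundll32(?:\.exe)?\s+"?([^",]+)', cmd)
    return m.group(1) if m else _program(cmd)


def path_reasons(path: str) -> list:
    """Per-path checks for O4 autostart entries."""
    reasons = []
    if "?" in path:
        # HijackThis prints ? for characters it cannot display, so a path such as
        # "?icrosoft" is a lookalike folder name imitating a legitimate one.
        reasons.append("undisplayable character in path (lookalike name)")
    if re.search(r"(?i)\\temp\\", path):
        reasons.append("autostart launched from a Temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Return the entries a helper would want to look at first."""
    lines = [ln for ln in log_text.strip().splitlines() if ln.strip()]
    findings = []
    userinit_extras = set()

    # Pass 1: F2 UserInit hijack. Anything chained after userinit.exe runs at every logon.
    for line in lines:
        if line.startswith("F2 ") and "UserInit=" in line:
            progs = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            for p in progs:
                if p.lower() != GOOD_USERINIT:
                    userinit_extras.add(p.lower())
                    findings.append(Finding("F2", "extra program chained into UserInit: " + p, line))

    # Pass 2: autostarts, shell service objects and services.
    for line in lines:
        section, _, body = line.partition(" - ")
        if section == "O4":
            cmd = body.split("] ", 1)[1] if "] " in body else body
            path = command_path(cmd)
            reasons = path_reasons(path)
            if path.lower() in userinit_extras:
                reasons.append("same binary as the UserInit hijack, registered a second time")
            findings.extend(Finding("O4", r, line) for r in reasons)
        elif section in ("O21", "O23"):
            if "(file missing)" in line:
                findings.append(Finding(section, "registered component whose file is missing", line))
            elif section == "O23" and "Unknown owner" in line:
                svc_path = body.rsplit(" - ", 1)[-1]
                if not re.match(r"(?i)c:\\(program files|windows\\system32)\\", svc_path):
                    findings.append(Finding("O23", "unknown-owner service outside Program Files or System32", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

The rules are deliberately narrow: a log that produces no findings is not a clean machine, only one with none of these particular indicators.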
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, the Advanced Options Menu should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
 

obutiny

Thread Starter
Joined
Jul 8, 2007
Messages
6
Sorry that it took me a little while. Thank you so much for your help. My computer starts in normal mode, again. Here are the reports:


SDFix: Version 1.91

Run by Tiny on Fri 07/13/2007 at 03:04 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core
ntio256
runtime
Windows Overlay Components
windev-62be-3bb8

ImagePath:
system32\drivers\core.sys
\??\C:\WINDOWS\system32\ntio256.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys
C:\WINDOWS\cisslfz.exe
\??\C:\WINDOWS\system32\windev-62be-3bb8.sys

core - Deleted
ntio256 - Deleted
Windows Overlay Components - Deleted
windev-62be-3bb8 - Deleted

Killing PID 512 'smss.exe'
Killing PID 584 'winlogon.exe'
Killing PID 584 'winlogon.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\windev-62be-3bb8.sys - Deleted
C:\WINDOWS\SYSTEM32\KB1293~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\KB3404~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\KB4268~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\KB2812~1.EXE - Deleted
C:\WINDOWS\system32\gmc.exe.exe - Deleted
C:\WINDOWS\retadpu11.exe.tmp - Deleted
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
C:\DOCUME~1\Tiny\LOCALS~1\Temp\msidel.bat - Deleted
C:\DOCUME~1\Tiny\LOCALS~1\Temp\svchots.exe - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b136.exe - Deleted
C:\WINDOWS\retadpu2000219.exe - Deleted
C:\WINDOWS\system32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\system32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\ntio256.sys - Deleted
C:\WINDOWS\system32\protector.exe - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\wr.txt - Deleted


Folder C:\Program Files\InetGet2 - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\All Users\Application Data\SecTaskMan\cisslfzA.exe.q_2CFE556_q
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\WINDOWS\system32\hjkkj.tmp
C:\WINDOWS\UE9T\oH6n.vbs

Finished


Here is the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 3:22:14 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Tiny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.obu.edu/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\rgguhuyq.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Saj] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [Wjj] "C:\Program Files\s?stem\w?crtupd.exe"
O4 - HKCU\..\Run: [Kql] C:\WINDOWS\??crosoft.NET\?ervices.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\system32\wcxw.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UE9T\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hdhapcep.exe (file missing)
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 

obutiny

Thread Starter
Joined
Jul 8, 2007
Messages
6
Thank you, again. I have to go to work shortly so I won't be able to do anything until about 8pm tonight.


"Tiny" - 2007-07-13 15:33:41 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\iuvhwqtf.dll
C:\WINDOWS\system32\khfedde.dll
C:\WINDOWS\system32\npfjcywh.dll
C:\WINDOWS\system32\rgguhuyq.dll
C:\WINDOWS\system32\xrqdbmvj.dll
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak2
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\hjkkj.tmp
C:\WINDOWS\system32\hwycjfpn.ini
C:\WINDOWS\system32\qyuhuggr.ini
C:\WINDOWS\system32\jvmbdqrx.ini
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak2
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\hjkkj.tmp
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak2
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\hjkkj.tmp
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\wvurqrr.dll
C:\WINDOWS\system32\wvurqrr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bold.log
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\Tiny\APPLIC~1.\mbols~1
C:\DOCUME~1\Tiny\APPLIC~1.\scurit~1
C:\DOCUME~1\Tiny\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Tiny\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\Tiny\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\Tiny\MYDOCU~1.\icroso~1
C:\DOCUME~1\Tiny\MYDOCU~1.\mantec~1
C:\DOCUME~1\Tiny\MYDOCU~1.\stem~1
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\Common Files\ymante~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\icroso~1
C:\Program Files\sstem~1
C:\Program Files\winantispyware 2007
C:\Program Files\winantispyware 2007\msvcp71.dll
C:\Program Files\winantispyware 2007\msvcr71.dll
C:\Program Files\winantispyware 2007\shellext.dll
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\crosof~1.net
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\fnts~1
C:\WINDOWS\mbols~1
C:\WINDOWS\offun.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\ssembl~1
C:\WINDOWS\system32\cvhytjxb.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\hKit612k.exe
C:\WINDOWS\system32\KB18561603.exe
C:\WINDOWS\system32\KB40589569.exe
C:\WINDOWS\system32\KB52383366.exe
C:\WINDOWS\system32\KB66507128.exe
C:\WINDOWS\system32\KB76775265.exe
C:\WINDOWS\system32\KB93427757.exe
C:\WINDOWS\system32\KB93736873.exe
C:\WINDOWS\system32\KB96926207.exe
C:\WINDOWS\system32\lqktxmqk.exe
C:\WINDOWS\system32\nrrruocy.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\owstuqto.exe
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\thuhwryx.exe
C:\WINDOWS\system32\tyrnpios.exe
C:\WINDOWS\system32\uYD70G5v.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\windbg48.sys
C:\WINDOWS\system32\wnstssv32.exe
C:\WINDOWS\system32\X1
C:\WINDOWS\system32\X1\bk53.exe
C:\WINDOWS\system32\X2
C:\WINDOWS\system32\X2\mwspasrt83122.exe
C:\WINDOWS\system32\X3
C:\WINDOWS\system32\X3\626wr.exe
C:\WINDOWS\system32\X4
C:\WINDOWS\system32\X4\wen2.exe
C:\WINDOWS\system32\X5
C:\WINDOWS\system32\X9
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wbun.exe
C:\WINDOWS\wnsxs~1
C:\WINDOWS\xmlhelper.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_HKED42
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDBG48
-------\cmdService
-------\DomainService
-------\Net Agent
-------\RpcApi
-------\windbg48


((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


2007-07-13 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 15:29 66,624 --a------ C:\WINDOWS\system32\mgfhowhh.dll
2007-07-13 15:20 66,112 --a------ C:\WINDOWS\system32\gmmpyves.exe
2007-07-13 15:14 165,376 --a------ C:\WINDOWS\system32\drivers\Hked42.sys
2007-07-13 15:04 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-13 01:02 66,624 --a------ C:\WINDOWS\system32\rftbyeci.dll
2007-07-13 00:56 66,112 --a------ C:\WINDOWS\system32\enoxkrbo.exe
2007-07-12 01:05 66,624 --a------ C:\WINDOWS\system32\lsrmjruk.dll
2007-07-12 00:56 66,112 --a------ C:\WINDOWS\system32\gisrimkh.exe
2007-07-07 23:01 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-07 20:38 6,743 --a------ C:\systkun.exe
2007-07-05 20:32 <DIR> d-------- C:\Temp\syscleaner
2007-07-05 20:28 <DIR> d-------- C:\DOCUME~1\Tiny\.housecall6.6
2007-07-05 17:01 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-05 02:17 10,000 --a------ C:\WINDOWS\system32\gejd9j3jr.dll
2007-07-05 02:16 13,573 --a------ C:\WINDOWS\system32\KB_963491.exe
2007-07-04 12:29 22,592 --a------ C:\WINDOWS\system32\RtM27K63.exe
2007-06-30 13:42 2,624 --a------ C:\WINDOWS\system32\nlfasgcy.exe
2007-06-30 01:34 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-30 01:34 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-30 01:34 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-30 01:25 <DIR> d-------- C:\Temp
2007-06-29 23:37 <DIR> d-------- C:\Program Files\Security Task Manager
2007-06-29 23:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-06-20 12:24 <DIR> d-------- C:\DOCUME~1\Tiny\Shared
2007-06-20 12:24 <DIR> d-------- C:\DOCUME~1\Tiny\Incomplete
2007-06-20 12:24 <DIR> d-------- C:\DOCUME~1\Tiny\APPLIC~1\LimeWire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 02:38:29 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-07-06 01:31:30 -------- d-----w C:\Program Files\Crazy Browser
2007-07-01 05:34:23 -------- d-----w C:\DOCUME~1\Tiny\APPLIC~1\uTorrent
2007-06-30 06:34:59 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-30 04:39:08 -------- d-----w C:\Program Files\AdSponsorOI
2007-06-30 04:32:11 -------- d-----w C:\Program Files\Common Files\rwrr
2007-06-08 01:55:09 -------- d-----w C:\DOCUME~1\Tiny\APPLIC~1\Viewpoint
2007-06-06 04:53:52 445 ----a-w C:\WINDOWS\EntPack.dat
2007-06-01 17:04:42 -------- d-----w C:\DOCUME~1\Tiny\APPLIC~1\DivX
2007-05-31 08:13:35 -------- d-----w C:\Program Files\DivX
2007-05-31 07:50:13 -------- d-----w C:\Program Files\7-Zip
2007-05-31 02:31:47 -------- d-----w C:\Program Files\4Musics OGG to MP3 Converter
2007-05-30 06:58:07 -------- d-----w C:\Program Files\CDisplay
2007-05-30 05:07:59 -------- d-----w C:\DOCUME~1\Tiny\APPLIC~1\Lavasoft
2007-05-30 05:07:48 -------- d-----w C:\Program Files\Lavasoft
2007-05-29 18:30:26 -------- d-----w C:\Program Files\Viewpoint
2007-05-18 14:02:36 -------- d-----w C:\DOCUME~1\Tiny\APPLIC~1\Aim
2007-05-18 14:02:31 -------- d-----w C:\Program Files\AIM
2007-05-18 14:01:02 -------- d-----w C:\Program Files\AOD
2007-05-15 20:33:28 513,152 ----a-w C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2007-05-15 18:38:20 -------- d-----w C:\Program Files\iPod Access for Windows
2007-05-15 18:25:02 -------- d-----w C:\DOCUME~1\Tiny\APPLIC~1\Purple Ghost Software, Inc
2007-05-15 16:42:04 -------- d-----w C:\Program Files\Red Chair Software
2007-05-15 15:09:37 -------- d-----w C:\Program Files\Common Files\L&H
2007-05-15 15:09:22 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-05-15 15:09:03 -------- d-----w C:\Program Files\Microsoft Works
2007-05-15 14:36:26 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-15 14:36:26 -------- d-----w C:\Program Files\CNet
2007-05-15 04:44:25 -------- d-----w C:\Program Files\Music Rescue
2007-05-15 04:32:35 -------- d-----w C:\Program Files\Messenger
2007-05-15 04:32:16 -------- d-----w C:\Program Files\Movie Maker
2007-05-15 04:30:36 -------- d-----w C:\Program Files\Windows NT
2007-05-15 03:22:51 -------- d-----w C:\DOCUME~1\Tiny\APPLIC~1\Apple Computer
2007-05-15 03:22:45 -------- d-----w C:\Program Files\iTunes
2007-05-15 03:22:41 -------- d-----w C:\Program Files\iPod
2007-05-15 03:22:25 -------- d-----w C:\Program Files\QuickTime
2007-05-15 03:21:53 -------- d-----w C:\Program Files\Apple Software Update
2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-11 14:15:24 0 --sha-r C:\MSDOS.SYS
2007-05-11 14:15:24 0 --sha-r C:\IO.SYS
2007-05-11 14:15:24 0 ----a-w C:\CONFIG.SYS
2007-05-11 14:15:24 0 ----a-w C:\AUTOEXEC.BAT
2007-05-11 14:12:02 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:24 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-04-23 00:15:24 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\UE9T\oH6n.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"DIAGENT"="C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.exe" [2001-08-30 01:00]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-03-27 20:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"Saj"="C:\Program Files\?icrosoft\r?gedit.exe" []
"Wjj"="C:\Program Files\s?stem\w?crtupd.exe" []
"Kql"="C:\WINDOWS\??crosoft.NET\?ervices.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved]


Contents of the 'Scheduled Tasks' folder
2007-07-04 01:59:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-05 08:00:00 C:\WINDOWS\tasks\At4.job
2007-07-05 05:00:31 C:\WINDOWS\tasks\At49.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At50.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At51.job
2007-07-05 08:00:32 C:\WINDOWS\tasks\At52.job
2007-07-05 09:00:31 C:\WINDOWS\tasks\At53.job
2007-07-05 10:00:31 C:\WINDOWS\tasks\At54.job
2007-07-05 11:01:21 C:\WINDOWS\tasks\At55.job
2007-07-05 12:00:31 C:\WINDOWS\tasks\At56.job
2007-07-05 13:00:30 C:\WINDOWS\tasks\At57.job
2007-07-05 14:00:31 C:\WINDOWS\tasks\At58.job
2007-07-05 15:00:30 C:\WINDOWS\tasks\At59.job
2007-07-05 16:00:35 C:\WINDOWS\tasks\At60.job
2007-07-05 17:00:32 C:\WINDOWS\tasks\At61.job
2007-07-05 18:00:01 C:\WINDOWS\tasks\At62.job
2007-07-04 19:00:35 C:\WINDOWS\tasks\At63.job
2007-07-04 20:00:32 C:\WINDOWS\tasks\At64.job
2007-07-04 21:00:32 C:\WINDOWS\tasks\At65.job
2007-07-05 22:00:02 C:\WINDOWS\tasks\At66.job
2007-07-04 23:00:30 C:\WINDOWS\tasks\At67.job
2007-07-05 00:00:30 C:\WINDOWS\tasks\At68.job
2007-07-05 01:00:31 C:\WINDOWS\tasks\At69.job
2007-07-05 02:00:31 C:\WINDOWS\tasks\At70.job
2007-07-05 03:00:31 C:\WINDOWS\tasks\At71.job
2007-07-05 04:00:33 C:\WINDOWS\tasks\At72.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 15:43:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 15:43:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-13 15:43

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 3:49:49 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Tiny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.obu.edu/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Saj] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [Wjj] "C:\Program Files\s?stem\w?crtupd.exe"
O4 - HKCU\..\Run: [Kql] C:\WINDOWS\??crosoft.NET\?ervices.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
OK, run the ATF then start SuperAntiSpyware and let it run while you are gone.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.
 

obutiny

Thread Starter
Joined
Jul 8, 2007
Messages
6
Here are the logs. Thanks, again.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2007 at 10:22 PM

Application Version : 3.9.1008

Core Rules Database Version : 3269
Trace Rules Database Version: 1280

Scan type : Complete Scan
Total Scan Time : 01:59:00

Memory items scanned : 309
Memory threats detected : 0
Registry items scanned : 4720
Registry threats detected : 6
File items scanned : 59615
File threats detected : 162

Trojan.Windows Overlay Components/SysMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#UninstallString
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1122OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1275OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1275OINUNINSTALLER.EXE.VIR

Adware.ClickSpring/Outer Info Network
C:\Documents and Settings\Tiny\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Tiny\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Tiny\Start Menu\Programs\Outerinfo

Adware.Adservs
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\ASAPPSRV.DLL.Q_510DE02_Q
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007546.DLL

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\CISSLFZ.EXE.Q_2CFB600_Q
C:\PROGRAM FILES\COMMON FILES\RWRR\RWRRL.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSTSSV32.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP13\A0003971.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP15\A0004014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP17\A0004038.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP18\A0004057.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP21\A0004179.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP30\A0005269.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP34\A0005336.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP36\A0005362.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP37\A0005382.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP40\A0006481.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP44\A0006548.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP46\A0006576.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP47\A0006582.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP48\A0006588.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007539.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007540.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007575.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007586.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP51\A0008583.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP53\A0009592.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0011577.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019648.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019651.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019663.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019669.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019717.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019726.EXE
C:\WINDOWS\UE9T\OH6N.VBS

Adware.SysMon
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\CISSLFZA.EXE.Q_2CFE556_Q
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\X1\BK53.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007585.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019741.EXE

Adware.eZula
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\HDHAPCEP.EXE.Q_804E041_Q
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CVHYTJXB.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LQKTXMQK.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NRRRUOCY.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OWSTUQTO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\THUHWRYX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TYRNPIOS.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0016584.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019730.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019731.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019732.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019733.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019734.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019735.EXE

Unclassified.Unknown Origin
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\HOKE83122.DLL.Q_F148002_Q
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP13\A0003967.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007537.EXE

Adware.ClickSpring/Resident
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\LEXQ.DLL.Q_804EE00_Q
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP15\A0004010.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP17\A0004034.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP18\A0004053.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP21\A0004175.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP34\A0005333.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP37\A0005378.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP39\A0005392.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP39\A0005394.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP40\A0006477.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP44\A0006544.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP46\A0006573.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP47\A0006578.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP48\A0006584.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007547.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP53\A0009588.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0011573.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0016581.DLL

Trojan.Downloader-ClickSpring/NDrv
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\OUTERINFO.DLL.Q_E42A002_Q
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007588.DLL

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\RWRR\RWRRD\CLASS-BARREL
C:\PROGRAM FILES\COMMON FILES\RWRR\RWRRD\VOCABULARY

Unclassified.Unknown Origin/System
C:\PROGRAM FILES\COMMON FILES\RWRR\RWRRD\RWRRC.DLL

Trojan.Downloader-Gen
C:\PROGRAM FILES\COMMON FILES\RWRR\RWRRP.EXE

Adware.k8l
C:\PROGRAM FILES\WINDOWSUPDATE\PROFSYXY.HTML

Adware.SearchClickAds
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32A.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007576.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007577.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007578.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007579.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019711.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019712.EXE

Trojan.Downloader-Gen/BasicMath
C:\QOOBOX\QUARANTINE\C\WINDOWS\DLS0523PMW.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019748.EXE

Trojan.Downloader-VisFX
C:\QOOBOX\QUARANTINE\C\WINDOWS\OFFUN.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019749.EXE

Trojan.Downloader-Gen/WinUpd-Fake
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KB52383366.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019720.EXE
C:\WINDOWS\SYSTEM32\KB_963491.EXE

Trojan.Downloader-Gen/FirBurg
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KB66507128.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019721.EXE

Trojan.Downloader-Gen/Blah
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KHFEDDE.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019755.DLL

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\O02PREZ\O02PREZ1065.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019745.EXE

Rootkit.ShapeChanger
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINDBG48.SYS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019746.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\HKED42.SYS

Trojan.Downloader-Gen/HitItQuitIt
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WVURQRR.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019762.DLL

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\WBUN.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007565.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019753.EXE

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP13\A0003968.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP15\A0004011.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP17\A0004035.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP18\A0004054.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP21\A0004176.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP30\A0005266.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP37\A0005379.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP39\A0005393.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP39\A0005395.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP40\A0006478.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP44\A0006545.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP47\A0006579.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP48\A0006585.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP48\A0007391.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007536.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP51\A0008580.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP53\A0009589.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0011574.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0016582.EXE

Trojan.Downloader-Gen/RetAd
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP19\A0004070.EXE

Adware.ClickSpring-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP19\A0004111.EXE

Adware.webHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP22\A0004198.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP22\A0004199.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP22\A0004200.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP22\SNAPSHOT\MFEX-1.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP22\SNAPSHOT\MFEX-2.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP22\SNAPSHOT\MFEX-3.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007558.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007559.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007566.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007567.EXE

Trojan.NetMon/DNSChange
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007538.EXE

TargetSaver, Inc. Process
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007543.EXE

Adware.WebBuying-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007564.EXE

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP50\A0007587.DLL

Trojan.Downloader-MSDCom32
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0017622.DLL

Trojan.Rootkit-Windev/I
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019644.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019678.SYS

Trojan.Downloader-Gen/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019650.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019662.EXE

Trojan.Rootkit-TnCore
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019655.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019666.SYS

Trojan.Downloader-PoofPoof/Rootkit
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019656.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019673.SYS

Trojan.Rootkit-TnCore/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019744.EXE

Trojan.Downloader-Gen/AllowCookie
C:\WINDOWS\SYSTEM32\NLFASGCY.EXE


Logfile of HijackThis v1.99.1
Scan saved at 11:03:25 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tiny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.obu.edu/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Saj] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [Wjj] "C:\Program Files\s?stem\w?crtupd.exe"
O4 - HKCU\..\Run: [Kql] C:\WINDOWS\??crosoft.NET\?ervices.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and put a check in the following:

O4 - HKCU\..\Run: [Saj] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [Wjj] "C:\Program Files\s?stem\w?crtupd.exe"
O4 - HKCU\..\Run: [Kql] C:\WINDOWS\??crosoft.NET\?ervices.exe

Close all applications and browser windows before you click "fix checked".


I don't see any anti-virus software running.
Load AVG (http://free.grisoft.com/freeweb.php/doc/2/); it's free. Run a full scan and post the AVG scan results and a new HJT log.
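A way to pick entries like the three above out of a HijackThis log automatically, as an added example that is not code from the thread or from HijackThis. The `?` in those paths is how HijackThis renders a character it cannot display, and `?` is not itself a legal character in a Windows file name, so an autorun path containing one is hiding a non-ASCII lookalike of a trusted name. The sample lines are constructed from this thread's log, and the short `KNOWN_NAMES` list is an assumption made for the example (a real tool would carry a fuller one).

```python
"""Flag HijackThis O4 (autorun) entries whose path hides a lookalike name.

Added example; not part of the forum thread or of HijackThis.
"""
import fnmatch
import re

# Constructed sample: two benign autoruns plus the three entries the
# moderator asked to have fixed, copied in HijackThis's own line format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Saj] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [Wjj] "C:\Program Files\s?stem\w?crtupd.exe"
O4 - HKCU\..\Run: [Kql] C:\WINDOWS\??crosoft.NET\?ervices.exe
"""

# Assumption: a short list of trusted names is enough for this sample.
KNOWN_NAMES = ["Microsoft", "Microsoft.NET", "system", "system32",
               "regedit.exe", "services.exe"]

# "O4 - HKCU\..\Run: [Name] command"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def parse_o4(line):
    """Return the hive, key, value name and command of an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_path(command):
    """Pull the program path out of an autorun command string."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, args follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)', command, re.IGNORECASE)  # unquoted: up to .exe
    return m.group(1) if m else command.split(' ')[0]


def lookalikes(component):
    """Trusted names that a '?'-rendered path component could be imitating."""
    pattern = component.lower()                      # '?' is a one-char wildcard
    return [n for n in KNOWN_NAMES if fnmatch.fnmatchcase(n.lower(), pattern)]


def flag_lookalikes(log_text):
    """Return the O4 entries whose path contains an unrenderable character."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if not entry:
            continue
        path = executable_path(entry['cmd'])
        suspects = {part: lookalikes(part)
                    for part in path.split('\\') if '?' in part}
        if suspects:
            findings.append({'name': entry['name'], 'hive': entry['hive'],
                             'path': path, 'suspects': suspects})
    return findings


if __name__ == '__main__':
    for f in flag_lookalikes(SAMPLE_LOG):
        print(f"[{f['hive']}] {f['name']}: {f['path']}")
        for part, names in f['suspects'].items():
            print(f"    {part!r} could be imitating {names or 'an unknown name'}")
```

Run against the sample, it reports exactly Saj, Wjj and Kql, and for each flagged folder or file name lists which trusted name it resembles (`?icrosoft` for Microsoft, `r?gedit.exe` for regedit.exe, and so on); a component with no match, such as `w?crtupd.exe`, is still reported because the `?` alone is enough to make the entry suspect.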
 

obutiny

Thread Starter
Joined
Jul 8, 2007
Messages
6
Here is the only sort of log for the AVG I could find.


General properties
Report name Complete Test
Start time 7/14/2007 13:33
End time 7/14/2007 2:24:40 PM (total: 51:18.2 Min)
Launch method Scanning launched manually
Scanning result Threats found
Report status Scanning completed successfully

Object summary
Scanned 77107
Threats Found 37
Cleaned 0
Moved to vault 4
Deleted 22
Errors 0
C:\SDFix\backups\backups.zip:\backups\core.sys Trojan horse BackDoor.Generic7.GTL Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\gmc.exe.exe Trojan horse Downloader.Tibs.6.K Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\KB12931930.exe Trojan horse Proxy.LFD Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\KB28125911.exe Trojan horse Proxy.PHC Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\KB34040802.exe Trojan horse Proxy.LFD Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\KB42687917.exe Trojan horse Proxy.LFD Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\ntio256.sys Trojan horse BackDoor.Generic3.LJS Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\partnership.dll Trojan horse Proxy.PAM Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\protector.exe Trojan horse Proxy.GJI Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\retadpu2000219.exe Trojan horse Downloader.Agent.MCC Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\svchots.exe Trojan horse Downloader.Generic5.SI Infected, Embedded object, Deleted
C:\SDFix\backups\backups.zip:\backups\windev-62be-3bb8.sys Trojan horse Downloader.Tibs.5.BL Infected, Embedded object, Deleted
C:\Program Files\Creative\SBLive\Program\AHQInit.exe Moved to Vault
C:\systkun.exe Deleted
C:\Documents and Settings\All Users\Application Data\SecTaskMan\vefgpiod.dll.q_804241_q Deleted
C:\Documents and Settings\All Users\Application Data\SecTaskMan\xpre.exe.q_33F1EE00_q Deleted
C:\Documents and Settings\All Users\Application Data\SecTaskMan\xrun.exe.q_33F11_q Deleted
C:\Program Files\AdSponsorOI\tpaldr.exe Deleted
C:\Program Files\Creative\SBLive\Program\AHQInit.exe Deleted
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe Moved to Vault
C:\QooBox\Quarantine\C\WINDOWS\system32\hKit612k.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjh.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\KB18561603.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\KB76775265.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\KB93427757.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\KB93736873.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\KB96926207.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\uYD70G5v.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\X3\626wr.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\X4\wen2.exe.vir Deleted
C:\SDFix\backups\backups.zip Moved to Vault, Archive
C:\WINDOWS\Updreg.exe Moved to Vault
C:\WINDOWS\system32\enoxkrbo.exe Deleted
C:\WINDOWS\system32\gejd9j3jr.dll Deleted
C:\WINDOWS\system32\gisrimkh.exe Deleted
C:\WINDOWS\system32\gmmpyves.exe Deleted
C:\WINDOWS\system32\RtM27K63.exe Deleted



Logfile of HijackThis v1.99.1
Scan saved at 2:37:31 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Documents and Settings\Tiny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.obu.edu/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

obutiny

Thread Starter
Joined
Jul 8, 2007
Messages
6
It's running amazingly. Thank you so much for your help. I really didn't want to have to reformat my computer because I have had to do that before.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Great! Happy to hear it!!

You can remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

OTMoveIt by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders if you want to use that. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. Also remove OTMoveIt.

SUPERAntiSpyware is a trial version so you can keep that until the trial is over and then uninstall.


It's a good idea to flush your System Restore after removing malware:
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405


Here are some additional links for you to check out to help you with your computer security.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools



You're welcome!
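The advice to flush System Restore follows from what the SUPERAntiSpyware log earlier in the thread shows: most of its 162 file hits sit in System Restore points or in other tools' quarantine folders, and only a handful are live files. Below is an added example, not code from the thread or from SUPERAntiSpyware, that sorts such a log into those three buckets so the live hits stand out. It reads the log's own layout (a detection name on one line, its paths on the lines after it, groups separated by blank lines). The sample entries are constructed from the thread's log, and treating QOOBOX as ComboFix's quarantine and SECTASKMAN as Security Task Manager's is an assumption noted in the code.

```python
"""Sort a SUPERAntiSpyware scan log into live, quarantined and restore-point hits.

Added example; not part of the forum thread or of SUPERAntiSpyware.
"""
import re

# Constructed sample in the scan log's own format.
SAMPLE_SCAN_LOG = r"""
Trojan.Downloader-Gen/WinUpd-Fake
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KB52383366.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019720.EXE
C:\WINDOWS\SYSTEM32\KB_963491.EXE

Rootkit.ShapeChanger
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINDBG48.SYS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP55\A0019746.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\HKED42.SYS

Adware.Adservs
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\ASAPPSRV.DLL.Q_510DE02_Q
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7BC0CB5C-E6DD-413D-AEBA-54DE0BD38BBC}\RP49\A0007546.DLL
"""

# Folders holding copies that another tool already neutralised.  Assumption:
# QOOBOX is ComboFix's quarantine and SECTASKMAN (files renamed *.Q_..._Q) is
# Security Task Manager's; neither copy runs at boot.
QUARANTINE_MARKERS = (r"\QOOBOX\QUARANTINE", r"\SECTASKMAN")
# System Restore keeps its own copies of removed files; they come back only
# through a restore, which is why flushing the restore points is advised.
RESTORE_MARKER = r"\SYSTEM VOLUME INFORMATION\_RESTORE"
PATH_RE = re.compile(r"^[A-Z]:\\", re.IGNORECASE)


def classify_path(path):
    """'restore-point', 'quarantine' or 'live' for one detected path."""
    up = path.upper()
    if RESTORE_MARKER in up:
        return "restore-point"
    if any(marker in up for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def parse_scan_log(text):
    """Yield (detection name, path) pairs from the log body."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            if current:
                yield current, line
        else:
            current = line          # a non-path line names the next group


def triage(text):
    """Bucket every (detection, path) pair by where the file lives."""
    buckets = {"live": [], "quarantine": [], "restore-point": []}
    for detection, path in parse_scan_log(text):
        buckets[classify_path(path)].append((detection, path))
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_SCAN_LOG)
    for bucket, hits in result.items():
        print(f"{bucket}: {len(hits)} hit(s)")
    print("Still on the running system:")
    for detection, path in result["live"]:
        print(f"  {detection}  {path}")
```

On the sample the live bucket holds just two paths, a fake Windows update executable in SYSTEM32 and a rootkit driver under SYSTEM32\DRIVERS, which are the ones that matter for the "only boots in safe mode" symptom; the restore-point copies are harmless until someone restores to that point, which is exactly what turning System Restore off and on again prevents.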
 