Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

Solved: Winantivirus infected my computer help me!

1K views 9 replies 2 participants last post by  cybertech 
#1 ·
On Microsoft internet explorer i have been experiencing popups posing as windows messeges asking me to download 'Winantivirus' and saying my computer is not protected even after pressing alt+f4 i get more and more eventually leading to IE opening up and trying to download a file. It dosent affect firefox but when i do open it up occasionally an IE window opens up and displays a web page from yourdebts.co.uk. Spybot, avg and ad aware dont seem to be able to remove it and seem to pick up a smitfruad toolbar on every scan. I have a hijack this log here:

Logfile of HijackThis v1.99.1
Scan saved at 16:58:44, on 05/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMART Board software\SMARTBoardService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SMART Board software\SMARTBoardTools.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\SMART Board software\Aware.exe
C:\Program Files\SMART Board software\Marker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\lxcfcoms.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/football
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/football
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [ypwfkzup.exe] C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
O4 - HKLM\..\Run: [j0271334] rundll32 C:\WINDOWS\system32\j0271334.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\eeiypedv.dll",realset
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Uuse] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\chkntfs.exe" -vt yazb
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board software\SMARTBoardTools.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug211623/CNetOnlineInstall.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176837942130
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A70C7225-92E3-40BD-B06B-C65EEF6EB91D}: NameServer = 192.168.5.151
O18 - Filter: text/html - (no CLSID) - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board software\SMARTBoardService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

someone please help me!
thanks
 
See less See more
#3 ·
I did what you said and when my computer rebooted after the combofix scan th firewall had been disabled and the time didnt show at first, it show now though

heres the combofix log:

"Administrator" - 2007-06-05 17:24:13 Service Pack 2
ComboFix 07-06-3 - Running from: "C:\Program Files\Mozilla Firefox\"

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\qopnk.dll
C:\WINDOWS\system32\pwalqayq.dll
C:\WINDOWS\system32\sdbcbqkb.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\knpoq.ini
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\awtqr.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))

2007-06-05 15:52 131,124 --a------ C:\WINDOWS\system32\eeiypedv.dll
2007-06-05 15:52 10,752 --a------ C:\WINDOWS\system32\j0271334.dll
2007-06-05 15:51 14,868 --a------ C:\WINDOWS\system32\xyelsyfe.exe
2007-06-04 16:57 d-------- C:\Program Files\Enigma Software Group
2007-06-04 16:50 2,580 --a------ C:\WINDOWS\system32\fihncknv.exe
2007-06-03 09:59 d-------- C:\WINDOWS\CSC
2007-06-02 20:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-02 20:43 d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-06-02 17:24 d-------- C:\Program Files\Lavasoft
2007-06-02 17:23 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 17:08 d-------- C:\WINDOWS\system32\NtmsData
2007-06-02 17:05 d-------- C:\Program Files\SUPERAntiSpyware
2007-06-02 17:05 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-02 10:52 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-06-02 09:54 2,580 --a------ C:\WINDOWS\system32\lnqtcsva.exe
2007-06-02 09:46 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-01 20:45 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-01 17:52 206 --a------ C:\WINDOWS\g276527.exe
2007-06-01 12:23 1 --a------ C:\WINDOWS\system32\ps.dat
2007-06-01 12:20 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ypwfkzup.exe
2007-06-01 12:20 206 --a------ C:\WINDOWS\g10934342.exe
2007-06-01 09:39 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Pegasys Inc
2007-05-31 20:53 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SWiSHvideo
2007-05-31 18:37 d-------- C:\Program Files\Convertion Etalon
2007-05-31 18:26 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-05-31 18:26 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-05-31 18:26 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\GeoVid
2007-05-31 09:03 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-31 09:01 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-30 10:49 d-------- C:\WINDOWS\system32\cache329
2007-05-30 10:47 d-------- C:\WINDOWS\cdmxtras
2007-05-30 10:44 10 --a------ C:\WINDOWS\smdat32m.sys
2007-05-29 19:42 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-05-29 19:42 d-------- C:\Program Files\Ascentive
2007-05-29 19:09 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-05-29 19:09 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-05-29 19:09 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-05-29 19:09 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-05-29 19:09 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-05-29 19:09 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-05-29 19:09 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-05-29 19:09 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-05-29 19:09 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-05-29 19:09 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-05-29 19:09 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-05-29 19:09 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-05-29 19:09 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-05-29 19:09 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-05-29 19:09 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-05-29 19:09 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-05-29 19:08 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-05-29 17:23 d-------- C:\DVDTemp
2007-05-28 13:28 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\shctxex.vb
2007-05-28 13:27 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-05-28 13:27 516,173 --a------ C:\WINDOWS\system32\msvcp60d.dll
2007-05-28 13:27 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2007-05-28 13:27 385,100 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-05-28 13:27 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2007-05-28 13:27 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-05-28 13:12 90,112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2007-05-28 13:12 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-05-28 13:12 780,288 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2007-05-28 13:12 778,240 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-05-28 13:12 764,416 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2007-05-28 13:12 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2007-05-28 13:12 495,104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-05-28 13:12 382,464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2007-05-28 13:12 312,320 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2007-05-28 13:12 249,856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2007-05-28 13:12 215,552 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2007-05-28 13:12 2,846,720 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll
2007-05-28 13:12 188,416 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2007-05-28 13:12 147,456 --a------ C:\WINDOWS\system32\viscomqtenc.dll
2007-05-28 13:12 139,264 --a------ C:\WINDOWS\system32\viscomqtde.dll
2007-05-28 13:12 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-05-28 13:12 d-------- C:\WINDOWS\system32\RMBin
2007-05-27 17:18 d--h----- C:\WINDOWS\PIF
2007-05-27 16:03 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-05-27 16:03 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-27 16:03 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-27 16:03 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-27 16:03 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-05-27 16:03 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-05-27 12:48 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-05-27 12:21 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-05-27 10:59 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-05-27 10:55 92,208 --a------ C:\WINDOWS\system32\WING.DLL
2007-05-27 10:55 188,960 --a------ C:\WINDOWS\system32\WINGDE.DLL
2007-05-27 10:55 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2007-05-27 10:55 d-------- C:\Unin32F
2007-05-25 19:48 d-------- C:\Program Files\DivX
2007-05-19 16:54 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-05-19 16:54 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-05-19 16:54 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-05-19 16:54 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-05-19 16:54 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-05-19 16:54 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-05-19 11:54 d-------- C:\Program Files\Nvu
2007-05-17 18:02 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\OpenOffice.org2
2007-05-14 16:32 d-------- C:\Program Files\CamStudio

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-03 16:27:52 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Nvu
2007-04-27 15:59:58 -------- d-----w C:\Program Files\Google
2007-04-24 16:31:52 -------- d-----w C:\Program Files\Address.net DNS Client
2007-04-23 00:15:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:36 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:34 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:32 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:32 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:32 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:48 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-23 00:01:48 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-21 19:44:18 -------- d-----w C:\Program Files\VideoEgg
2007-04-21 19:44:18 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\VideoEgg
2007-04-18 19:46:18 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 15:57:48 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-04-18 15:57:48 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-04-17 17:57:42 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-14 11:56:04 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MyFamily.com
2007-04-14 11:55:12 -------- d-----w C:\Program Files\Family Tree Maker 2006
2007-04-14 11:02:02 -------- d-----w C:\Program Files\CCleaner
2007-04-14 09:46:56 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-04-14 09:43:36 -------- d-----w C:\Program Files\Nero
2007-04-08 17:53:08 -------- d-----w C:\Program Files\Common Files\Download Manager
2007-04-08 08:53:40 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-03-25 11:35:30 19,575 ----a-w C:\WINDOWS\hpoins01.dat
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 12:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{040FA520-78C6-41ce-81D0-9E733ABC1A29}=C:\WINDOWS\system32\comi.dll []
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}=C:\WINDOWS\system32\opnljjg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 18:54]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 09:06 C:\WINDOWS\ltsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2003-05-07 11:51 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TFNF5"="TFNF5.exe" [2001-08-03 16:08 C:\WINDOWS\system32\TFNF5.exe]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 19:26]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 13:38]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 13:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-09 22:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"ypwfkzup.exe"="C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe" [2007-06-01 12:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}"="C:\WINDOWS\system32\opnljjg.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljjg]
opnljjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winqpb32]
winqpb32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-05-28 11:36:10 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1174822529.job

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\qopnk.dll
C:\WINDOWS\system32\pwalqayq.dll
C:\WINDOWS\system32\sdbcbqkb.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\knpoq.ini
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\awtqr.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\qopnk.dll
C:\WINDOWS\system32\pwalqayq.dll
C:\WINDOWS\system32\sdbcbqkb.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\knpoq.ini
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\awtqr.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))

2007-06-02 20:43 d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-03 16:27:52 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Nvu
2007-04-27 15:59:58 -------- d-----w C:\Program Files\Google
2007-04-24 16:31:52 -------- d-----w C:\Program Files\Address.net DNS Client
2007-04-23 00:15:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:36 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:34 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:32 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:32 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:32 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:48 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-23 00:01:48 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-21 19:44:18 -------- d-----w C:\Program Files\VideoEgg
2007-04-21 19:44:18 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\VideoEgg
2007-04-18 19:46:18 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 15:57:48 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-04-18 15:57:48 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-04-17 17:57:42 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-14 11:56:04 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MyFamily.com
2007-04-14 11:55:12 -------- d-----w C:\Program Files\Family Tree Maker 2006
2007-04-14 11:02:02 -------- d-----w C:\Program Files\CCleaner
2007-04-14 09:46:56 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-04-14 09:43:36 -------- d-----w C:\Program Files\Nero
2007-04-08 17:53:08 -------- d-----w C:\Program Files\Common Files\Download Manager
2007-04-08 08:53:40 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-03-25 11:35:30 19,575 ----a-w C:\WINDOWS\hpoins01.dat
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 12:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{040FA520-78C6-41ce-81D0-9E733ABC1A29}=C:\WINDOWS\system32\comi.dll []
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}=C:\WINDOWS\system32\opnljjg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 18:54]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 09:06 C:\WINDOWS\ltsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2003-05-07 11:51 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TFNF5"="TFNF5.exe" [2001-08-03 16:08 C:\WINDOWS\system32\TFNF5.exe]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 19:26]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 13:38]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 13:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-09 22:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"ypwfkzup.exe"="C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe" [2007-06-01 12:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}"="C:\WINDOWS\system32\opnljjg.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljjg]
opnljjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winqpb32]
winqpb32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-05-28 11:36:10 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1174822529.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-05 17:41:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Files hidden from API:
C:\WINDOWS\.jagex_cache_32
C:\WINDOWS\.file_store_32

Completion time: 2007-06-05 17:43:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-05 17:42

--- E O F ---

and heres a fresh hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 17:46:49, on 05/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMART Board software\SMARTBoardService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\22391.cfexe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SMART Board software\SMARTBoardTools.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SMART Board software\Aware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SMART Board software\Marker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\ComboFix\23419.cfexe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/football
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - C:\WINDOWS\system32\opnljjg.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ypwfkzup.exe] C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board software\SMARTBoardTools.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug211623/CNetOnlineInstall.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176837942130
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A70C7225-92E3-40BD-B06B-C65EEF6EB91D}: NameServer = 192.168.5.151
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: opnljjg - opnljjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winqpb32 - winqpb32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board software\SMARTBoardService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

Thanks
 
#4 ·
Click here to download Dr.Web CureIt and save it to your desktop.
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.
 
#5 ·
I did what you said here is the results of the dr web scanner

xyelsyfe.exe;C:\WINDOWS\system32;Trojan.Click.2485;Deleted.;
j0271334.dll;C:\WINDOWS\system32;Trojan.Click.2485;Deleted.;
eeiypedv.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0000092.dll;C:\System Volume Information\_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP3;Trojan.Virtumod;Deleted.;
A0000093.DLL;C:\System Volume Information\_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP3;Trojan.Virtumod;Deleted.;
A0000101.DLL;C:\System Volume Information\_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP3;Trojan.Virtumod;Deleted.;
A0000103.DLL;C:\System Volume Information\_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP3;Trojan.Virtumod;Deleted.;
A0000157.exe;C:\System Volume Information\_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP4;Trojan.Click.2485;Deleted.;
A0000158.dll;C:\System Volume Information\_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP4;Trojan.Click.2485;Deleted.;
A0000159.dll;C:\System Volume Information\_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP4;Trojan.Virtumod;Deleted.;
qopnk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
pwalqayq.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
sdbcbqkb.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
awtqr.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;

and heres the new hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 17:36:07, on 06/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMART Board software\SMARTBoardService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\22391.cfexe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SMART Board software\SMARTBoardTools.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SMART Board software\Aware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SMART Board software\Marker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\ComboFix\23419.cfexe
C:\Documents and Settings\Administrator\Desktop\drweb-cureit.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cureit.exe
C:\WINDOWS\System32\lxcfcoms.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/football
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - C:\WINDOWS\system32\opnljjg.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ypwfkzup.exe] C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board software\SMARTBoardTools.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug211623/CNetOnlineInstall.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176837942130
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A70C7225-92E3-40BD-B06B-C65EEF6EB91D}: NameServer = 192.168.5.151
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: opnljjg - opnljjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winqpb32 - winqpb32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board software\SMARTBoardService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
 
#6 ·
Run HJT again and put a check in the following:

O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - C:\WINDOWS\system32\opnljjg.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [ypwfkzup.exe] C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe
O20 - Winlogon Notify: opnljjg - opnljjg.dll (file missing)
O20 - Winlogon Notify: winqpb32 - winqpb32.dll (file missing)

Close all applications and browser windows before you click "fix checked".

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Application Data\ypwfkzup.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.
 
#7 ·
Here is the super anti spyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2007 at 06:37 PM

Application Version : 3.8.1002

Core Rules Database Version : 3250
Trace Rules Database Version: 1261

Scan type : Complete Scan
Total Scan Time : 00:51:16

Memory items scanned : 380
Memory threats detected : 0
Registry items scanned : 5359
Registry threats detected : 1
File items scanned : 45938
File threats detected : 3

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\OIUNINSTALLER.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1162OINUNINSTALLER.EXE.VIR

Trojan.Net-Panama/PHIL
C:\_OTMOVEIT\MOVEDFILES\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\YPWFKZUP.EXE

and heres i a fresh hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:29:48, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMART Board software\SMARTBoardService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SMART Board software\SMARTBoardTools.exe
C:\Program Files\SMART Board software\Aware.exe
C:\Program Files\SMART Board software\Marker.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/football
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board software\SMARTBoardTools.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug211623/CNetOnlineInstall.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176837942130
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A70C7225-92E3-40BD-B06B-C65EEF6EB91D}: NameServer = 192.168.5.151
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board software\SMARTBoardService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

Thanks
 
#10 ·
You can remove all of the tools I requested you to load and their associated files and folders.

SUPERAntiSpyware is a trial version, you can remove that when the trial period has expired.

It's a good idea to Flush your System Restore after removing malware:
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405

Here are some additional links for you to check out.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top