1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Viruses, and trojans and the such

Discussion in 'Virus & Other Malware Removal' started by stimpomatic, Jul 7, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. stimpomatic

    stimpomatic Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    2
    here is my hijack this log. please help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:21:01 AM, on 7/7/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\cfg32.exe
    C:\Program Files\Zone_Alarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe
    C:\WINDOWS\??mbols\t?skmgr.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\ojxdmepq.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Hijack_This\HiJackThis.exe
    C:\Program Files\PIDGIN\pidgin.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\cfg32a.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY009
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\aoomcptw.dll",realset
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone_Alarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" -vt yazb
    O4 - HKCU\..\Run: [Rxlxdyrs] C:\WINDOWS\??mbols\t?skmgr.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\itpb_11.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DomainService - - C:\WINDOWS\System32\ojxdmepq.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    --
    End of file - 4358 bytes
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while its running. That may cause it to stall

    =============
    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  3. stimpomatic

    stimpomatic Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    2
    ComboFix Log

    "Owner" - 2007-07-08 14:56:54 - ComboFix 07-07-07.3


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\temp\tn3


    ((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


    2007-07-07 23:38 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Template
    2007-07-07 23:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-07 21:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-07 21:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
    2007-07-07 21:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-07 21:04 50,708 --a------ C:\WINDOWS\SYSTEM32\bbmvmbso.exe
    2007-07-07 20:58 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-07 20:45 50,708 --a------ C:\WINDOWS\SYSTEM32\taflpnku.exe
    2007-07-06 23:54 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\gtk-2.0
    2007-07-06 23:48 <DIR> d-------- C:\Program Files\Hijack_This
    2007-07-06 23:36 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
    2007-07-06 23:36 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
    2007-07-06 23:31 <DIR> d-------- C:\Program Files\AVG
    2007-07-06 23:21 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
    2007-07-06 23:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
    2007-07-06 23:20 75,932 --a------ C:\WINDOWS\SYSTEM32\drivers\klick.dat
    2007-07-06 23:20 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-07-06 23:20 74,396 --a------ C:\WINDOWS\SYSTEM32\drivers\klin.dat
    2007-07-06 23:20 14,368 --ahs---- C:\WINDOWS\SYSTEM32\drivers\fidbox.dat
    2007-07-06 23:20 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
    2007-07-06 23:20 1,568 --ahs---- C:\WINDOWS\SYSTEM32\drivers\fidbox2.dat
    2007-07-06 23:13 110,360 --a------ C:\WINDOWS\SYSTEM32\drivers\kl1.sys
    2007-07-06 23:13 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
    2007-07-06 23:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
    2007-07-06 23:11 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-07-06 23:08 <DIR> d-------- C:\Program Files\Zone_Alarm
    2007-07-06 13:44 50,708 --a------ C:\WINDOWS\SYSTEM32\iiiclrxl.exe
    2007-07-06 11:57 3,638 --a------ C:\WINDOWS\6zrq4cmn.exe
    2007-07-05 13:42 50,708 --a------ C:\WINDOWS\SYSTEM32\ojxdmepq.exe
    2007-07-05 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-07-05 13:38 <DIR> d-------- C:\Program Files\SBSD
    2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X9
    2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X4
    2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X3
    2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X2
    2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X1
    2007-07-05 13:32 <DIR> d-------- C:\Temp
    2007-07-04 11:36 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MSN6
    2007-07-04 11:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
    2007-07-04 00:26 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\.purple
    2007-07-04 00:21 <DIR> d-------- C:\Program Files\PIDGIN
    2007-07-03 23:45 <DIR> d-------- C:\Program Files\KRISTAL
    2007-07-03 23:45 <DIR> d-------- C:\Downloads
    2007-07-03 23:45 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GetRightToGo
    2007-07-03 23:42 0 --a------ C:\WINDOWS\nsreg.dat
    2007-07-03 23:41 <DIR> d-------- C:\Program Files\FireFox
    2007-07-03 23:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
    2007-07-03 23:37 7,680 --a------ C:\WINDOWS\SYSTEM32\bitsprx2.dll
    2007-07-03 23:37 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx3.dll
    2007-07-03 23:37 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
    2007-07-03 23:37 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
    2007-07-03 23:37 158,720 --a------ C:\WINDOWS\SYSTEM32\xpob2res.dll
    2007-07-03 23:35 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-07-03 23:35 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-07-03 23:35 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-07-03 23:35 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-07-03 23:35 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
    2007-07-03 23:35 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
    2007-07-03 23:18 666,624 -ra------ C:\WINDOWS\SYSTEM32\drivers\LSPMUSB.sys
    2007-07-03 23:01 <DIR> d-------- C:\Linksys Driver
    2007-07-03 13:45 <DIR> d-------- C:\Program Files\FLASH
    2007-07-03 13:13 4,215,160 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
    2007-07-03 13:13 13,005 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp Music Converter.dat
    2007-07-03 13:12 <DIR> d-------- C:\Program Files\DBpoweramp
    2007-06-29 04:50 56,448 --a------ C:\WINDOWS\SYSTEM32\drivers\USBAUDIO.sys
    2007-06-29 04:50 19,456 --a------ C:\WINDOWS\SYSTEM32\hidserv.dll
    2007-06-29 04:49 24,960 --a------ C:\WINDOWS\SYSTEM32\drivers\usbccgp.sys
    2007-06-29 04:35 79,616 --a------ C:\WINDOWS\SYSTEM32\drivers\wdmaud.sys
    2007-06-29 04:35 6,400 --a------ C:\WINDOWS\SYSTEM32\drivers\MSKSSRV.sys
    2007-06-29 04:35 57,472 --a------ C:\WINDOWS\SYSTEM32\drivers\sysaudio.sys
    2007-06-29 04:35 54,272 --a------ C:\WINDOWS\SYSTEM32\drivers\swmidi.sys
    2007-06-29 04:35 50,048 --a------ C:\WINDOWS\SYSTEM32\drivers\DMusic.sys
    2007-06-29 04:35 5,632 --a------ C:\WINDOWS\SYSTEM32\drivers\splitter.sys
    2007-06-29 04:35 5,120 --a------ C:\WINDOWS\SYSTEM32\drivers\MSPCLOCK.sys
    2007-06-29 04:35 4,608 --a------ C:\WINDOWS\SYSTEM32\drivers\MSPQM.sys
    2007-06-29 04:35 2,816 --a------ C:\WINDOWS\SYSTEM32\drivers\drmkaud.sys
    2007-06-29 04:35 159,232 --a------ C:\WINDOWS\SYSTEM32\drivers\kmixer.sys
    2007-06-29 04:35 122,472 --a------ C:\WINDOWS\SYSTEM32\drivers\aec.sys
    2007-06-29 04:34 8,704 -ra------ C:\WINDOWS\SYSTEM32\drivers\Pfmodnt.sys
    2007-06-29 04:34 65,536 -ra------ C:\WINDOWS\SYSTEM32\A3d.dll
    2007-06-29 04:34 64,512 -ra------ C:\WINDOWS\SYSTEM32\P17.dll
    2007-06-29 04:34 57,344 --a------ C:\WINDOWS\SYSTEM32\drivers\drmk.sys
    2007-06-29 04:34 53,248 -ra------ C:\WINDOWS\SYSTEM32\P17CPI.dll
    2007-06-29 04:34 42,752 --a------ C:\WINDOWS\SYSTEM32\drivers\stream.sys
    2007-06-29 04:34 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
    2007-06-29 04:34 20,992 -ra------ C:\WINDOWS\SYSTEM32\sfman32.dll
    2007-06-29 04:34 138,752 -ra------ C:\WINDOWS\SYSTEM32\drivers\ctsfm2k.sys
    2007-06-29 04:34 137,728 -ra------ C:\WINDOWS\SYSTEM32\P17res.dll
    2007-06-29 04:34 135,040 --a------ C:\WINDOWS\SYSTEM32\drivers\portcls.sys
    2007-06-29 04:34 134,144 --a------ C:\WINDOWS\SYSTEM32\drivers\ks.sys
    2007-06-29 04:34 133,632 -ra------ C:\WINDOWS\SYSTEM32\CtDvInst.dll
    2007-06-29 04:34 115,200 -ra------ C:\WINDOWS\SYSTEM32\sfms32.dll
    2007-06-29 04:34 106,496 -ra------ C:\WINDOWS\SYSTEM32\drivers\ctoss2k.sys
    2007-06-29 04:34 1,389,056 -ra------ C:\WINDOWS\SYSTEM32\drivers\P17.sys
    2007-06-29 04:32 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
    2007-06-29 04:32 <DIR> d-a------ C:\Program Files\Encarta Online
    2007-06-29 04:32 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
    2007-06-29 04:32 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\InterTrust
    2007-06-29 04:31 <DIR> d-------- C:\WINDOWS\Prefetch
    2007-06-29 04:29 509,353 --a------ C:\WINDOWS\SYSTEM32\drivers\ltmdmnt.sys


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-08 18:57:04 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\.purple
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2001-07-22 02:45:40 94,784 --sh--w C:\WINDOWS\twain.dll
    2001-08-18 05:36:34 46,592 --sh--w C:\WINDOWS\twain_32.dll
    2001-08-18 05:36:20 995,383 --sha-w C:\WINDOWS\SYSTEM32\mfc42.dll
    2001-08-18 05:36:26 50,688 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
    2001-08-18 05:36:26 401,462 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
    2001-08-18 05:36:26 322,560 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
    2001-08-18 05:36:28 569,344 --sha-w C:\WINDOWS\SYSTEM32\oleaut32.dll
    2001-08-18 05:36:28 106,496 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
    2001-08-18 05:36:54 9,728 --sha-w C:\WINDOWS\SYSTEM32\regsvr32.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2001-03-02 15:02 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AD924F3-6353-4f92-B034-A900434ECCAF}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{893F5105-C87C-4575-E7B6-2E0697E2E34B}]
    C:\Program Files\Detto\lavunajib878.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 17:56]
    "NvCplDaemon"="NvQTwk" []
    "P17Helper"="P17.dll" [2005-05-02 23:38 C:\WINDOWS\SYSTEM32\P17.dll]
    "ZoneAlarm Client"="C:\Program Files\Zone_Alarm\zlclient.exe" [2007-06-21 21:54]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-06 23:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 10:14]
    "Notn"="C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" []
    "Rxlxdyrs"="C:\WINDOWS\??mbols\t?skmgr.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 20:25]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
    rundll32 iesetup.dll,IEAccessUserInst

    Contents of the 'Scheduled Tasks' folder
    2007-07-07 04:12:15 C:\WINDOWS\tasks\ Easy Internet Sign-up.job
    2007-06-29 08:32:23 C:\WINDOWS\tasks\ISP signup reminder 1.job
    2007-06-29 08:32:23 C:\WINDOWS\tasks\ISP signup reminder 3.job
    2007-06-29 08:32:21 C:\WINDOWS\tasks\Registration reminder 1.job
    2007-06-29 08:32:23 C:\WINDOWS\tasks\Registration reminder 2.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-08 14:59:11
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-08 14:59:59
    C:\ComboFix-quarantined-files.txt ... 2007-07-08 14:59
    C:\ComboFix2.txt ... 2007-07-07 21:15

    --- E O F ---

    Hijack This Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:55:53 PM, on 7/8/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\Rundll32.exe
    C:\Program Files\Zone_Alarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\KRISTAL\KRISTAL Audio Engine\KRISTAL.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\System32\notepad.exe
    C:\Program Files\Hijack_This\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
    O2 - BHO: 0 - {893F5105-C87C-4575-E7B6-2E0697E2E34B} - C:\Program Files\Detto\lavunajib878.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone_Alarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" -vt yazb
    O4 - HKCU\..\Run: [Rxlxdyrs] C:\WINDOWS\??mbols\t?skmgr.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    --
    End of file - 4106 bytes

    SUPERantispyware log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/08/2007 at 00:19 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3266
    Trace Rules Database Version: 1277

    Scan type : Complete Scan
    Total Scan Time : 00:38:45

    Memory items scanned : 458
    Memory threats detected : 0
    Registry items scanned : 3969
    Registry threats detected : 0
    File items scanned : 18268
    File threats detected : 87

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

    Adware.ClickSpring-Variant
    C:\QOOBOX\QUARANTINE\C\DOCUME~1\OWNER\MYDOCU~1\SEMBLY~1\ATI2EVXX.EXE.VIR

    Unclassified.Unknown Origin
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\GAMES\HOKETOH83122.DLL.VIR

    Trojan.Downloader-Gen/Installer
    C:\QOOBOX\QUARANTINE\C\WINDOWS\B122.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003306.EXE

    Adware.SearchClickAds
    C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32A.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32O.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32R.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32S.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\STUB_MMA2.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003295.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003296.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003298.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003307.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003308.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003309.DLL

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\QOOBOX\QUARANTINE\C\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NETINSTALLER.EXE.VIR

    Trojan.ZenoSearch
    C:\QOOBOX\QUARANTINE\C\WINDOWS\ITPB_11.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003313.EXE

    Spyware.RelevantKnowledge
    C:\QOOBOX\QUARANTINE\C\WINDOWS\ITPB_3.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003311.EXE

    Adware.ClickSpring
    C:\QooBox\Quarantine\C\WINDOWS\MBOLS~1\TSKMGR~1.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003304.EXE

    Adware.Vundo Variant
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AOOMCPTW.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RXCRMXIR.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003314.DLL

    Trojan.Downloader-Gen/Blah
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AWTQNNL.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003315.DLL

    Trojan.Downloader-Gen/HitItQuitIt
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GEBBCAW.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IIFGHHH.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OPNOONL.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003316.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003317.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0004314.DLL

    Adware.ClickSpring/Resident
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LGXPPASH.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003301.DLL

    Trojan.Unknown Origin
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAPISVCC32.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003299.EXE

    Adware.Mirar/NetNucleus
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINNB58.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003305.DLL

    Trojan.ZQuest
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003300.DLL

    Trojan.Downloader-ClickSpring/NDrv
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0004336.DLL

    Adware.ZenoSearch
    C:\WINDOWS\NQEXL0578.EXE

    thanks for your help
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix these with HiJackThis – mark them, close IE, click fix checked

    O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)

    O2 - BHO: 0 - {893F5105-C87C-4575-E7B6-2E0697E2E34B} - C:\Program Files\Detto\lavunajib878.dll (file missing)

    O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" -vt yazb

    O4 - HKCU\..\Run: [Rxlxdyrs] C:\WINDOWS\??mbols\t?skmgr.exe

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode




    How are things???
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/592710

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice