Viruses, and trojans and the such

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

stimpomatic

Thread Starter
Joined
Jul 7, 2007
Messages
2
Here is my HijackThis log. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:01 AM, on 7/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\cfg32.exe
C:\Program Files\Zone_Alarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe
C:\WINDOWS\??mbols\t?skmgr.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\ojxdmepq.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Hijack_This\HiJackThis.exe
C:\Program Files\PIDGIN\pidgin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\cfg32a.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY009
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\aoomcptw.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone_Alarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Rxlxdyrs] C:\WINDOWS\??mbols\t?skmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\itpb_11.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\ojxdmepq.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 4358 bytes
 
Joined
Sep 7, 2004
Messages
49,014
NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

Download this file :

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
or
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double-click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

=============
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.

This will take some time!!!!!!!!
 

stimpomatic

Thread Starter
Joined
Jul 7, 2007
Messages
2
ComboFix Log

"Owner" - 2007-07-08 14:56:54 - ComboFix 07-07-07.3


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\temp\tn3


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-07 23:38 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Template
2007-07-07 23:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 21:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 21:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 21:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-07 21:04 50,708 --a------ C:\WINDOWS\SYSTEM32\bbmvmbso.exe
2007-07-07 20:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 20:45 50,708 --a------ C:\WINDOWS\SYSTEM32\taflpnku.exe
2007-07-06 23:54 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\gtk-2.0
2007-07-06 23:48 <DIR> d-------- C:\Program Files\Hijack_This
2007-07-06 23:36 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-07-06 23:36 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-07-06 23:31 <DIR> d-------- C:\Program Files\AVG
2007-07-06 23:21 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-07-06 23:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-06 23:20 75,932 --a------ C:\WINDOWS\SYSTEM32\drivers\klick.dat
2007-07-06 23:20 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-06 23:20 74,396 --a------ C:\WINDOWS\SYSTEM32\drivers\klin.dat
2007-07-06 23:20 14,368 --ahs---- C:\WINDOWS\SYSTEM32\drivers\fidbox.dat
2007-07-06 23:20 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-07-06 23:20 1,568 --ahs---- C:\WINDOWS\SYSTEM32\drivers\fidbox2.dat
2007-07-06 23:13 110,360 --a------ C:\WINDOWS\SYSTEM32\drivers\kl1.sys
2007-07-06 23:13 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-07-06 23:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-07-06 23:11 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-06 23:08 <DIR> d-------- C:\Program Files\Zone_Alarm
2007-07-06 13:44 50,708 --a------ C:\WINDOWS\SYSTEM32\iiiclrxl.exe
2007-07-06 11:57 3,638 --a------ C:\WINDOWS\6zrq4cmn.exe
2007-07-05 13:42 50,708 --a------ C:\WINDOWS\SYSTEM32\ojxdmepq.exe
2007-07-05 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 13:38 <DIR> d-------- C:\Program Files\SBSD
2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X9
2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X4
2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X3
2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X2
2007-07-05 13:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\X1
2007-07-05 13:32 <DIR> d-------- C:\Temp
2007-07-04 11:36 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-07-04 11:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-07-04 00:26 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\.purple
2007-07-04 00:21 <DIR> d-------- C:\Program Files\PIDGIN
2007-07-03 23:45 <DIR> d-------- C:\Program Files\KRISTAL
2007-07-03 23:45 <DIR> d-------- C:\Downloads
2007-07-03 23:45 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GetRightToGo
2007-07-03 23:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-03 23:41 <DIR> d-------- C:\Program Files\FireFox
2007-07-03 23:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-07-03 23:37 7,680 --a------ C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-07-03 23:37 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-07-03 23:37 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-07-03 23:37 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-07-03 23:37 158,720 --a------ C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-07-03 23:35 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-03 23:35 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-03 23:35 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-03 23:35 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-03 23:35 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-07-03 23:35 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-07-03 23:18 666,624 -ra------ C:\WINDOWS\SYSTEM32\drivers\LSPMUSB.sys
2007-07-03 23:01 <DIR> d-------- C:\Linksys Driver
2007-07-03 13:45 <DIR> d-------- C:\Program Files\FLASH
2007-07-03 13:13 4,215,160 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
2007-07-03 13:13 13,005 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-07-03 13:12 <DIR> d-------- C:\Program Files\DBpoweramp
2007-06-29 04:50 56,448 --a------ C:\WINDOWS\SYSTEM32\drivers\USBAUDIO.sys
2007-06-29 04:50 19,456 --a------ C:\WINDOWS\SYSTEM32\hidserv.dll
2007-06-29 04:49 24,960 --a------ C:\WINDOWS\SYSTEM32\drivers\usbccgp.sys
2007-06-29 04:35 79,616 --a------ C:\WINDOWS\SYSTEM32\drivers\wdmaud.sys
2007-06-29 04:35 6,400 --a------ C:\WINDOWS\SYSTEM32\drivers\MSKSSRV.sys
2007-06-29 04:35 57,472 --a------ C:\WINDOWS\SYSTEM32\drivers\sysaudio.sys
2007-06-29 04:35 54,272 --a------ C:\WINDOWS\SYSTEM32\drivers\swmidi.sys
2007-06-29 04:35 50,048 --a------ C:\WINDOWS\SYSTEM32\drivers\DMusic.sys
2007-06-29 04:35 5,632 --a------ C:\WINDOWS\SYSTEM32\drivers\splitter.sys
2007-06-29 04:35 5,120 --a------ C:\WINDOWS\SYSTEM32\drivers\MSPCLOCK.sys
2007-06-29 04:35 4,608 --a------ C:\WINDOWS\SYSTEM32\drivers\MSPQM.sys
2007-06-29 04:35 2,816 --a------ C:\WINDOWS\SYSTEM32\drivers\drmkaud.sys
2007-06-29 04:35 159,232 --a------ C:\WINDOWS\SYSTEM32\drivers\kmixer.sys
2007-06-29 04:35 122,472 --a------ C:\WINDOWS\SYSTEM32\drivers\aec.sys
2007-06-29 04:34 8,704 -ra------ C:\WINDOWS\SYSTEM32\drivers\Pfmodnt.sys
2007-06-29 04:34 65,536 -ra------ C:\WINDOWS\SYSTEM32\A3d.dll
2007-06-29 04:34 64,512 -ra------ C:\WINDOWS\SYSTEM32\P17.dll
2007-06-29 04:34 57,344 --a------ C:\WINDOWS\SYSTEM32\drivers\drmk.sys
2007-06-29 04:34 53,248 -ra------ C:\WINDOWS\SYSTEM32\P17CPI.dll
2007-06-29 04:34 42,752 --a------ C:\WINDOWS\SYSTEM32\drivers\stream.sys
2007-06-29 04:34 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
2007-06-29 04:34 20,992 -ra------ C:\WINDOWS\SYSTEM32\sfman32.dll
2007-06-29 04:34 138,752 -ra------ C:\WINDOWS\SYSTEM32\drivers\ctsfm2k.sys
2007-06-29 04:34 137,728 -ra------ C:\WINDOWS\SYSTEM32\P17res.dll
2007-06-29 04:34 135,040 --a------ C:\WINDOWS\SYSTEM32\drivers\portcls.sys
2007-06-29 04:34 134,144 --a------ C:\WINDOWS\SYSTEM32\drivers\ks.sys
2007-06-29 04:34 133,632 -ra------ C:\WINDOWS\SYSTEM32\CtDvInst.dll
2007-06-29 04:34 115,200 -ra------ C:\WINDOWS\SYSTEM32\sfms32.dll
2007-06-29 04:34 106,496 -ra------ C:\WINDOWS\SYSTEM32\drivers\ctoss2k.sys
2007-06-29 04:34 1,389,056 -ra------ C:\WINDOWS\SYSTEM32\drivers\P17.sys
2007-06-29 04:32 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-06-29 04:32 <DIR> d-a------ C:\Program Files\Encarta Online
2007-06-29 04:32 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
2007-06-29 04:32 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\InterTrust
2007-06-29 04:31 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-29 04:29 509,353 --a------ C:\WINDOWS\SYSTEM32\drivers\ltmdmnt.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 18:57:04 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\.purple
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2001-07-22 02:45:40 94,784 --sh--w C:\WINDOWS\twain.dll
2001-08-18 05:36:34 46,592 --sh--w C:\WINDOWS\twain_32.dll
2001-08-18 05:36:20 995,383 --sha-w C:\WINDOWS\SYSTEM32\mfc42.dll
2001-08-18 05:36:26 50,688 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2001-08-18 05:36:26 401,462 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2001-08-18 05:36:26 322,560 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2001-08-18 05:36:28 569,344 --sha-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2001-08-18 05:36:28 106,496 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2001-08-18 05:36:54 9,728 --sha-w C:\WINDOWS\SYSTEM32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AD924F3-6353-4f92-B034-A900434ECCAF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{893F5105-C87C-4575-E7B6-2E0697E2E34B}]
C:\Program Files\Detto\lavunajib878.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 17:56]
"NvCplDaemon"="NvQTwk" []
"P17Helper"="P17.dll" [2005-05-02 23:38 C:\WINDOWS\SYSTEM32\P17.dll]
"ZoneAlarm Client"="C:\Program Files\Zone_Alarm\zlclient.exe" [2007-06-21 21:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-06 23:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 10:14]
"Notn"="C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" []
"Rxlxdyrs"="C:\WINDOWS\??mbols\t?skmgr.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 20:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

Contents of the 'Scheduled Tasks' folder
2007-07-07 04:12:15 C:\WINDOWS\tasks\ Easy Internet Sign-up.job
2007-06-29 08:32:23 C:\WINDOWS\tasks\ISP signup reminder 1.job
2007-06-29 08:32:23 C:\WINDOWS\tasks\ISP signup reminder 3.job
2007-06-29 08:32:21 C:\WINDOWS\tasks\Registration reminder 1.job
2007-06-29 08:32:23 C:\WINDOWS\tasks\Registration reminder 2.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 14:59:11
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-08 14:59:59
C:\ComboFix-quarantined-files.txt ... 2007-07-08 14:59
C:\ComboFix2.txt ... 2007-07-07 21:15

--- E O F ---

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:53 PM, on 7/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Zone_Alarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\KRISTAL\KRISTAL Audio Engine\KRISTAL.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Hijack_This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O2 - BHO: 0 - {893F5105-C87C-4575-E7B6-2E0697E2E34B} - C:\Program Files\Detto\lavunajib878.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone_Alarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Rxlxdyrs] C:\WINDOWS\??mbols\t?skmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 4106 bytes

SUPERantispyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/08/2007 at 00:19 AM

Application Version : 3.9.1008

Core Rules Database Version : 3266
Trace Rules Database Version: 1277

Scan type : Complete Scan
Total Scan Time : 00:38:45

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 3969
Registry threats detected : 0
File items scanned : 18268
File threats detected : 87

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Adware.ClickSpring-Variant
C:\QOOBOX\QUARANTINE\C\DOCUME~1\OWNER\MYDOCU~1\SEMBLY~1\ATI2EVXX.EXE.VIR

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\GAMES\HOKETOH83122.DLL.VIR

Trojan.Downloader-Gen/Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\B122.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003306.EXE

Adware.SearchClickAds
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32A.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32O.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32R.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32S.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\STUB_MMA2.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003295.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003296.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003298.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003307.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003308.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003309.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\QOOBOX\QUARANTINE\C\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NETINSTALLER.EXE.VIR

Trojan.ZenoSearch
C:\QOOBOX\QUARANTINE\C\WINDOWS\ITPB_11.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003313.EXE

Spyware.RelevantKnowledge
C:\QOOBOX\QUARANTINE\C\WINDOWS\ITPB_3.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003311.EXE

Adware.ClickSpring
C:\QooBox\Quarantine\C\WINDOWS\MBOLS~1\TSKMGR~1.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003304.EXE

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AOOMCPTW.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RXCRMXIR.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003314.DLL

Trojan.Downloader-Gen/Blah
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AWTQNNL.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003315.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GEBBCAW.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IIFGHHH.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OPNOONL.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003316.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003317.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0004314.DLL

Adware.ClickSpring/Resident
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LGXPPASH.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003301.DLL

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAPISVCC32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003299.EXE

Adware.Mirar/NetNucleus
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINNB58.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003305.DLL

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0003300.DLL

Trojan.Downloader-ClickSpring/NDrv
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0004336.DLL

Adware.ZenoSearch
C:\WINDOWS\NQEXL0578.EXE

Thanks for your help.
 
Joined
Sep 7, 2004
Messages
49,014
Fix these with HijackThis: mark them, close IE, and click Fix checked.

O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)

O2 - BHO: 0 - {893F5105-C87C-4575-E7B6-2E0697E2E34B} - C:\Program Files\Detto\lavunajib878.dll (file missing)

O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" -vt yazb

O4 - HKCU\..\Run: [Rxlxdyrs] C:\WINDOWS\??mbols\t?skmgr.exe

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete, and that is normal.
Empty the Recycle Bin.
Reboot and post a new HijackThis log from normal mode, NOT safe mode.
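The four entries above stand out because none of them looks like something a legitimate vendor installs: two BHOs whose DLL is already gone, one autostart running from inside My Documents, and one whose path contains characters HijackThis cannot display (a look-alike of symbols\taskmgr.exe). The Python script below is an added example written for this edit; it is not the helper's method and not part of HijackThis. It encodes those observations as simple triage rules (file missing, user-profile path, unrenderable characters in an O4 path, O23 service with no vendor name) and runs them over lines copied from the logs in this thread. The rules are the editor's assumptions about what deserves a second look, not a verdict.

```python
import re

# Constructed sample: HijackThis lines copied from the logs posted in this
# thread, mixed with known-good lines from the same logs for contrast.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O2 - BHO: 0 - {893F5105-C87C-4575-E7B6-2E0697E2E34B} - C:\Program Files\Detto\lavunajib878.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone_Alarm\zlclient.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\SEMBLY~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Rxlxdyrs] C:\WINDOWS\??mbols\t?skmgr.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\ojxdmepq.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Autostart paths under a user profile rather than Program Files / Windows
# (assumed triage rule; some auto-updaters legitimately live there too).
USER_PROFILE = re.compile(r"\\(DOCUME~1|Documents and Settings)\\", re.IGNORECASE)


def suspicious_reasons(line):
    """Return the list of assumed triage rules that this log entry trips."""
    reasons = []
    section = line.split(" ", 1)[0]          # "O2", "O4", "O23", ...
    if "(file missing)" in line:
        reasons.append("references a file that no longer exists")
    if section == "O4" and "?" in line:
        # HijackThis prints '?' for characters it cannot render; a path like
        # ??mbols\t?skmgr.exe is a look-alike of symbols\taskmgr.exe.
        reasons.append("O4 path contains characters HijackThis could not render")
    if section == "O4" and USER_PROFILE.search(line):
        reasons.append("autostart runs from a user profile folder")
    if section == "O23" and (" - - " in line or "Unknown owner" in line):
        reasons.append("service has no vendor name")
    return reasons


def triage(log_text):
    """Return [(entry, reasons)] for every non-empty line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("    ->", r)
```

Anything the script flags still needs a human look: software that updates itself from Application Data will trip the user-profile rule, and an orphaned BHO whose file is missing does nothing by itself, though it is still worth removing. Lines that pass all four rules are not cleared either; a malicious file dropped into System32 under a plausible name, like the ones ComboFix listed, would only show up through the vendor-name rule if it registered as a service.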




How are things???
 