Spyware infection trying to download anti spyware software to my PC - HELP!
Logfile of HijackThis v1.99.1
Scan saved at 9:15:24 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\zshp1020.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {949d2194-ab85-103b-de04-eeb30c363a2a} - {a2a363c0-3bee-40ed-b301-58ba4912d949} - C:\WINDOWS\system32\rlklhwfo.dll
O2 - BHO: (no name) - {A704ACCD-BB42-4902-A8D8-7CF7847BD49F} - C:\Program Files\Internet Explorer\hokeposedC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gqeabyjh.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gqeabyjh.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\waqfkesi.dll",b
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://www.golfdigest.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147622403015
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v14.166/qboax8.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: gqeabyjh - C:\WINDOWS\SYSTEM32\gqeabyjh.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GRSVC - Unknown owner - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe (file missing)
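The log above shows the pattern a helper looks for by eye: DLLs with random lowercase names in system32 (fccbyxu.dll, rlklhwfo.dll, gqeabyjh.dll), the same DLL registered as a BHO, a toolbar and a Winlogon Notify handler, a Run key that loads one of them through rundll32 with a one-letter export ("waqfkesi.dll",b), and orphaned entries marked "(file missing)". The script below is an added example, not part of this thread and not code from HijackThis or VundoFix, that applies those checks to the O2/O3/O4/O20 lines of a log. The sample lines are copied from the posted log; the KNOWN_GOOD allowlist (igfxsrvc.dll and WgaLogon.dll are legitimate Windows components that would otherwise trip the random-name test) is an assumption an analyst would maintain, not something the tool provides.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Sample entries copied from the HijackThis log posted above, trimmed to the
# lines that matter for the heuristics below.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: {949d2194-ab85-103b-de04-eeb30c363a2a} - {a2a363c0-3bee-40ed-b301-58ba4912d949} - C:\WINDOWS\system32\rlklhwfo.dll
O2 - BHO: (no name) - {A704ACCD-BB42-4902-A8D8-7CF7847BD49F} - C:\Program Files\Internet Explorer\hokeposedC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gqeabyjh.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gqeabyjh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\waqfkesi.dll",b
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: gqeabyjh - C:\WINDOWS\SYSTEM32\gqeabyjh.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:dll|exe)', re.IGNORECASE)
GUID_NAME_RE = re.compile(r"^BHO: \{[0-9a-f-]{36}\}", re.IGNORECASE)

# Assumption: analyst-maintained allowlist of legitimate Windows DLLs whose
# short lowercase names would otherwise look "random" to the test below.
KNOWN_GOOD = {"igfxsrvc.dll", "wgalogon.dll"}


class Entry(NamedTuple):
    section: str
    body: str
    path: Optional[str]  # last drive-letter path on the line, if any

    @property
    def basename(self) -> Optional[str]:
        return self.path.rsplit("\\", 1)[-1].lower() if self.path else None

    @property
    def in_system32(self) -> bool:
        return bool(self.path) and self.path.rsplit("\\", 1)[0].lower().endswith("\\system32")


class Finding(NamedTuple):
    basename: str
    sections: List[str]
    reasons: List[str]


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R/O entry lines; the process list and header are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        paths = PATH_RE.findall(m.group("body"))
        entries.append(Entry(m.group("sec"), m.group("body"), paths[-1] if paths else None))
    return entries


def looks_random(basename: str) -> bool:
    """Vundo-style names: 5-9 lowercase letters, no digits, no mixed case."""
    stem = basename.rsplit(".", 1)[0]
    return 5 <= len(stem) <= 9 and stem.isalpha() and stem.islower()


def triage(entries: List[Entry]) -> Dict[str, Finding]:
    reasons = defaultdict(set)
    sections = defaultdict(set)
    for e in entries:
        if e.basename is None:
            continue
        if "(file missing)" in e.body:
            reasons[e.basename].add("registry entry points at a file that no longer exists")
            sections[e.basename].add(e.section)
        # The name-based tests apply only to system32: Spybot's SDHelper.dll is
        # also a "(no name)" BHO, but it lives under Program Files.
        if not e.in_system32 or e.basename in KNOWN_GOOD:
            continue
        if e.section in ("O2", "O3", "O20") and looks_random(e.basename):
            reasons[e.basename].add("random-looking DLL name in system32")
            sections[e.basename].add(e.section)
        if e.section == "O2" and (e.body.startswith("BHO: (no name)") or GUID_NAME_RE.match(e.body)):
            reasons[e.basename].add("BHO registered with no class name or a GUID as its name")
            sections[e.basename].add(e.section)
        if e.section == "O4" and "rundll32" in e.body.lower() and looks_random(e.basename):
            reasons[e.basename].add("Run key loads a random-looking DLL through rundll32")
            sections[e.basename].add(e.section)
    # One DLL wired into several hook points (BHO + toolbar + Winlogon Notify)
    # is the strongest single signal in this family of infections.
    for name, secs in sections.items():
        if len(secs) >= 2:
            reasons[name].add("same DLL hooked in %d places (BHO/toolbar/Winlogon Notify)" % len(secs))
    return {n: Finding(n, sorted(sections[n]), sorted(reasons[n])) for n in reasons}


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)).values():
        print(f"{f.basename:16} {','.join(f.sections):11} {'; '.join(f.reasons)}")
```

Run against the sample, it flags fccbyxu.dll, rlklhwfo.dll, gqeabyjh.dll, waqfkesi.dll and the orphaned caws83122.exe entry, and leaves igfxsrvc.dll, WgaLogon.dll and the Adobe/avast entries alone. The random-name test is deliberately crude; the allowlist plus the "hooked in several places" rule is what keeps it useful, and any hit should still be confirmed by checking the file's signature and creation time before deleting it.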
bamajim
November 7th, 2007 11:00
1. Please download VundoFix.exe to your desktop.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
"The world is what you make of it"
coopsys282
November 8th, 2007 01:00
Logfile of HijackThis v1.99.1
Scan saved at 10:36:52 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\bobsyrrq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://www.golfdigest.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147622403015
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v14.166/qboax8.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GRSVC - Unknown owner - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe (file missing)
coopsys282
November 8th, 2007 01:00
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 9:44:20 PM 11/7/2007
Listing files found while scanning....
C:\WINDOWS\system32\gqeabyjh.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gqeabyjh.dll
C:\WINDOWS\system32\gqeabyjh.dll Has been deleted!
Performing Repairs to the registry.
Done!
But HijackThis won't even start now. It crashes with a Microsoft Debug screen reporting the following module affected:
AppName: hijackthis.exe AppVer: 1.99.0.1 ModName: mllmm.dll
ModVer: 0.0.0.0 Offset: 0005f5c3
bamajim
November 8th, 2007 14:00
We have some items in hiding
1. Open the C:\Program Files\Hijackthis folder ->> Locate the hijackthis.exe file.
Right-click that file ->> Select Rename ->> Rename it H.exe
Then rerun H.exe (formerly Hijackthis.exe) and post a fresh log
coopsys282
November 9th, 2007 00:00
Logfile of HijackThis v1.99.1
Scan saved at 9:27:06 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\WINDOWS\system32\rpttosxq.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\H.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {3165bfb3-b100-7418-e944-26c956bae5c8} - {8c5eab65-9c62-449e-8147-001b3bfb5613} - C:\WINDOWS\system32\oautulcw.dll
O2 - BHO: (no name) - {A704ACCD-BB42-4902-A8D8-7CF7847BD49F} - C:\Program Files\Internet Explorer\hokeposedC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D6DF3354-C767-4DC6-A618-7CD4C1AF2E0C} - C:\WINDOWS\system32\mllmm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\ehgdtibx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://www.golfdigest.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147622403015
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v14.166/qboax8.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\rpttosxq.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Unknown owner - C:\Program Files\Kaseya\Agent\AgentMon.exe" -s (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GRSVC - Unknown owner - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe (file missing)
bamajim
10.4K Posts
0
November 9th, 2007 11:00
Yep.
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouse-click ComboFix's window while it is running; that may cause the program to freeze or hang.
coopsys282
8 Posts
0
November 10th, 2007 11:00
ComboFix 07-11-06.4 - Lynn 2007-11-09 20:02:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.132 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gqeabyjh.dllbox
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak2
C:\WINDOWS\system32\mmllm.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.
2007-11-09 20:03 145,984 --a------ C:\WINDOWS\system32\xdoigifd.dll
2007-11-09 20:03 145,984 --a------ C:\WINDOWS\system32\egoebmdb.dll
2007-11-09 10:18 88,128 --a------ C:\WINDOWS\system32\cbjsfdma.dll
2007-11-09 10:12 77,888 --a------ C:\WINDOWS\system32\ubekyrds.dll
2007-11-09 10:09 71,232 --a------ C:\WINDOWS\system32\jqtlitmm.exe
2007-11-08 10:15 80,448 --a------ C:\WINDOWS\system32\oautulcw.dll
2007-11-08 10:09 71,232 --a------ C:\WINDOWS\system32\rpttosxq.exe
2007-11-07 22:55 102,400 --a------ C:\temp\KLicense.exe
2007-11-07 22:47 d-------- C:\Program Files\Kaseya
2007-11-07 22:47 122,880 --a------ C:\WINDOWS\system32\kaseyasp.dll
2007-11-07 22:47 13,696 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2007-11-07 22:47 6,144 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2007-11-07 22:09 d-------- C:\Program Files\Lavasoft
2007-11-07 22:09 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 22:08 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 21:44 d-------- C:\VundoFix Backups
2007-11-07 10:11 79,936 --a------ C:\WINDOWS\system32\holgcprj.dll
2007-11-07 10:11 71,232 --a------ C:\WINDOWS\system32\npbcdbdb.exe
2007-11-06 20:41 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 20:40 d-------- C:\Program Files\Spyware Doctor
2007-11-06 20:40 d-------- C:\Documents and Settings\Lynn\Application Data\PC Tools
2007-11-06 20:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 20:40 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-06 20:40 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-06 20:40 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-06 20:40 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-06 18:52 81,472 --a------ C:\WINDOWS\system32\rlklhwfo.dll
2007-11-06 18:43 71,232 --a------ C:\WINDOWS\system32\vadvwupw.exe
2007-11-06 18:40 145,984 --a------ C:\WINDOWS\system32\yfmauanr.dll
2007-11-06 07:10 d-------- C:\WINDOWS\ERUNT
2007-11-06 06:48 d-------- C:\Deckard
2007-11-06 06:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 06:21 81,472 --a------ C:\WINDOWS\system32\erydineo.dll
2007-11-06 06:16 87,104 --a------ C:\WINDOWS\system32\vlqopmap.dll
2007-11-05 08:24 83,008 --a------ C:\WINDOWS\system32\davfxfax.dll
2007-11-04 21:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 18:34 36,352 --a------ C:\WINDOWS\system32\hggeeef.dll
2007-11-04 18:25 36,352 --a------ C:\WINDOWS\system32\nnnonol.dll
2007-11-04 17:48 d-------- C:\WINDOWS\system32\Mz02r
2007-11-04 17:48 d-------- C:\temp\mZOr
2007-11-04 17:48 36,352 --a------ C:\WINDOWS\system32\nnlljhf.dll
2007-11-04 17:48 36,352 --a------ C:\WINDOWS\system32\fccbyxu.dll
2007-11-02 11:59 26,240 --a------ C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-10-15 20:40 d-------- C:\Program Files\iPod
2007-10-10 08:02 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 03:32 --------- d-----w C:\Program Files\QuickTime
2007-10-23 08:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\AdobeUM
2007-10-16 01:40 --------- d-----w C:\Program Files\iTunes
2007-10-12 19:27 --------- d-----w C:\Documents and Settings\Lynn\Application Data\ICAClient
2007-10-10 03:10 --------- d-----w C:\Program Files\Citrix
2007-10-10 03:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\Citrix
2007-10-10 02:51 --------- d-----w C:\Program Files\Google
2007-10-09 20:24 81 ----a-w C:\CTX.DAT
2007-09-26 20:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 15:48 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-22 23:21 --------- d-----w C:\Program Files\Java
2007-09-22 06:42 --------- d-----w C:\Program Files\Iomega
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-10-05 15:42 561,152 ----a-w C:\Documents and Settings\Lynn\chatlnk.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-06_ 6.33.30.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-06 12:10:57 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:57 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-06 12:10:44 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:44 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000002\UsrClass.dat
+ 2007-11-08 03:09:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-08 03:09:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-08 03:09:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-08 03:09:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-11-04 22:14:09 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 02:37:16 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 22:14:09 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 02:37:16 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-10 01:11:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_154.dat
+ 2007-11-10 01:11:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5e8.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe
----a-w 180,269 2006-06-10 19:34:21 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 57,344 2003-09-17 15:43:36 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe
----a-w 53,248 2004-04-26 13:04:14 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 1,831,936 2007-05-15 03:37:07 C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe
----a-w 68,856 2007-07-28 02:42:16 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
----a-r 98,304 2005-03-18 23:17:02 C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe
----a-w 32,768 2002-07-16 15:55:37 C:\Program Files\Iomega\DriveIcons\bak\deskup.exe
----a-w 86,016 2002-08-13 19:30:57 C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe
----a-w 267,064 2007-09-14 14:00:06 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-26 18:42:04 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\QTTask.exe
----a-w 3,092,480 2005-08-06 00:35:44 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe
----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 118,784 2004-08-21 01:51:14 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 155,648 2004-08-21 01:55:14 C:\WINDOWS\system32\bak\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351ad655-792f-4eb7-b39c-9599d0459d44}]
2007-11-09 10:12 77888 --a------ C:\WINDOWS\system32\ubekyrds.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-04 17:48 36352 --a------ C:\WINDOWS\system32\fccbyxu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A704ACCD-BB42-4902-A8D8-7CF7847BD49F}]
C:\Program Files\Internet Explorer\hokeposedC:\WINDOWS\system32\g2\caws83122.exe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-09 20:03 145984 --a------ C:\WINDOWS\system32\egoebmdb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\egoebmdb.dll [2007-11-09 20:03 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\egoebmdb.dll [2007-11-09 20:03 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 16:51 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-04 20:04]
"f815a759"="C:\WINDOWS\system32\cbjsfdma.dll" [2007-11-09 10:18]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\fccbyxu.dll [2007-11-04 17:48 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egoebmdb]
egoebmdb.dll 2007-11-09 20:03 145984 C:\WINDOWS\system32\egoebmdb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbyxu]
fccbyxu.dll 2007-11-04 17:48 36352 C:\WINDOWS\system32\fccbyxu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllmm.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s
R2 WMP54GRSVC;WMP54GRSVC;"C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe"
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys
S3 AR5513;%ATHER.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 CSRBC;CSRBC.Sys CSR test driver;C:\WINDOWS\system32\Drivers\csrbcxp.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 02:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 20:36:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-09 20:38:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-06 06:35
.
--- E O F ---
bamajim
10.4K Posts
0
November 12th, 2007 12:00
Sorry for the delay
1. Open Notepad (not WordPad). Copy and paste the following into Notepad:
File::
C:\WINDOWS\system32\xdoigifd.dll
C:\WINDOWS\system32\egoebmdb.dll
C:\WINDOWS\system32\cbjsfdma.dll
C:\WINDOWS\system32\ubekyrds.dll
C:\WINDOWS\system32\jqtlitmm.exe
C:\WINDOWS\system32\oautulcw.dll
C:\WINDOWS\system32\rpttosxq.exe
C:\WINDOWS\system32\holgcprj.dll
C:\WINDOWS\system32\npbcdbdb.exe
C:\WINDOWS\system32\vadvwupw.exe
C:\WINDOWS\system32\yfmauanr.dll
C:\WINDOWS\system32\erydineo.dll
C:\WINDOWS\system32\vlqopmap.dll
C:\WINDOWS\system32\davfxfax.dll
C:\WINDOWS\system32\hggeeef.dll
C:\WINDOWS\system32\nnnonol.dll
C:\WINDOWS\system32\Mz02r
C:\temp\mZOr
C:\WINDOWS\system32\nnlljhf.dll
C:\WINDOWS\system32\fccbyxu.dll
C:\WINDOWS\system32\g2\caws83122.exe.dll
Folder::
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Hewlett-Packard\OrderReminder\bak
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\iTunes\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Messenger\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\g2
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351ad655-792f-4eb7-b39c-9599d0459d44}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A704ACCD-BB42-4902-A8D8-7CF7847BD49F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f815a759"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egoebmdb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbyxu]
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.
Using the image as a reference, drag CFScript into ComboFix.exe.
Follow the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
"The world is what you make of it"
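The HijackThis log earlier in the thread and the CFScript reply above rest on the same judgement: pick out the Vundo-style random-named DLLs under system32 and the autostart hooks that load them (BHOs, Winlogon Notify, HKLM Run, a vendor-less service), then delete both the file and its registration. The Python below is an added example written for this page, not a tool either poster used. It parses a handful of lines copied from the posted HijackThis log, applies heuristics that are my own assumptions (a 5-8 letter all-lowercase stem under system32 that is not on a small allowlist, unnamed or CLSID-named BHOs, hex-named Run values, a non-empty AppInit_DLLs, registrations whose file is missing, services with no vendor string) and drafts a CFScript in the File::/Registry:: syntax bamajim used. Everything it emits is a draft for a human to review before it goes anywhere near ComboFix; the allowlist is deliberately tiny and must be extended for the machine at hand.

```python
"""Triage HijackThis lines and draft a ComboFix CFScript from what is flagged.
Added example for this thread, not a tool either poster used.  Every heuristic
here is an assumption; treat the output as a draft for human review only."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: {3165bfb3-b100-7418-e944-26c956bae5c8} - {8c5eab65-9c62-449e-8147-001b3bfb5613} - C:\WINDOWS\system32\oautulcw.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\ehgdtibx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\rpttosxq.exe
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*\.(?:dll|exe|sys)\b', re.I)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")       # Vundo-style stems: fccbyxu, oautulcw, mllmm
HEX_RUN_NAME = re.compile(r"^\[[0-9a-f]{8}\]")  # Run values such as [f815a759]
# Partial allowlist of short lowercase names that legitimately live in system32.
# Assumption: far from complete; extend it per machine before trusting the output.
KNOWN_GOOD = {"ctfmon", "igfxsrvc", "wgalogon", "spoolsv", "lsass", "msv1_0"}
REASON_RANDOM = "random-looking name under system32"


@dataclass
class Finding:
    section: str
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def looks_random(path: str) -> bool:
    """True for a short, all-lowercase, unknown stem under \\windows\\system32."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return ("\\windows\\system32\\" in path.lower()
            and RANDOM_STEM.fullmatch(stem) is not None
            and stem not in KNOWN_GOOD)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one HijackThis 'Oxx - kind: body' line."""
    m = re.match(r"(O\d+) - ([^:]+): (.*)", line)
    if not m:
        return None
    section, kind, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    reasons: List[str] = []
    if path and looks_random(path):
        reasons.append(REASON_RANDOM)
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("registered but file absent")
    if section in ("O2", "O3") and body.startswith("(no name)"):
        reasons.append("unnamed BHO/toolbar")
    if section == "O2" and CLSID_RE.match(body):
        reasons.append("BHO named with a bare CLSID")
    if section == "O4" and HEX_RUN_NAME.match(body):
        reasons.append("Run value named with random hex")
    if section == "O20" and kind == "AppInit_DLLs" and body.strip():
        reasons.append("AppInit_DLLs is set (loaded into every process that links user32.dll)")
    if section == "O23" and " - - " in body:
        reasons.append("service with no vendor string")
    return Finding(section, line, path, reasons) if reasons else None


def triage(log: str) -> List[Finding]:
    return [f for f in map(triage_line, log.splitlines()) if f]


def build_cfscript(findings: List[Finding]) -> str:
    """Draft File:: and Registry:: sections in the syntax used in the thread.
    Only random-named paths are listed for deletion; other findings (e.g. the
    AppInit_DLLs value) are left for manual review rather than scripted."""
    files: List[str] = []
    registry: List[str] = []
    for f in findings:
        if REASON_RANDOM in f.reasons and f.path.lower() not in [p.lower() for p in files]:
            files.append(f.path)
        clsids = CLSID_RE.findall(f.line)
        if f.section == "O2" and clsids:  # the last CLSID on the line is the registration
            registry.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsids[-1]}]")
        elif f.section == "O3" and clsids:
            registry += ["[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]",
                         f'"{clsids[-1]}"=-',
                         f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsids[-1]}]"]
        elif f.section == "O4" and "HKLM" in f.line:
            name = re.search(r"\[([^\]]+)\]", f.line).group(1)
            registry += ["[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
                         f'"{name}"=-']
        elif f.section == "O20" and "Winlogon Notify" in f.line:
            name = f.line.split(": ", 1)[1].split(" - ", 1)[0]
            registry.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                            f"\\currentversion\\winlogon\\notify\\{name}]")
    parts: List[str] = []
    if files:
        parts += ["File::", *files]
    if registry:
        parts += ["Registry::", *registry]
    return "\n".join(parts)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
    print("\n--- draft CFScript (review before use) ---\n" + build_cfscript(found))
```

Run it as-is to see the seven flagged lines and the drafted script; to triage a real log, replace SAMPLE_LOG with the file contents. The AppInit_DLLs entry is flagged but deliberately kept out of the File:: section, because on this machine it belongs to Google Desktop and only a person looking at the box can decide that.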
coopsys282
8 Posts
0
November 13th, 2007 01:00
ComboFix 07-11-06.4 - Lynn 2007-11-12 20:54:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\CFScript.txt
* Created a new restore point
FILE
C:\temp\mZOr
C:\WINDOWS\system32\cbjsfdma.dll
C:\WINDOWS\system32\davfxfax.dll
C:\WINDOWS\system32\egoebmdb.dll
C:\WINDOWS\system32\erydineo.dll
C:\WINDOWS\system32\fccbyxu.dll
C:\WINDOWS\system32\g2\caws83122.exe.dll
C:\WINDOWS\system32\hggeeef.dll
C:\WINDOWS\system32\holgcprj.dll
C:\WINDOWS\system32\jqtlitmm.exe
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\nnlljhf.dll
C:\WINDOWS\system32\nnnonol.dll
C:\WINDOWS\system32\npbcdbdb.exe
C:\WINDOWS\system32\oautulcw.dll
C:\WINDOWS\system32\rpttosxq.exe
C:\WINDOWS\system32\ubekyrds.dll
C:\WINDOWS\system32\vadvwupw.exe
C:\WINDOWS\system32\vlqopmap.dll
C:\WINDOWS\system32\xdoigifd.dll
C:\WINDOWS\system32\yfmauanr.dll
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Lynn\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Favorites\Online Security Guide.lnk
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\OrderReminder\bak
C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\Iomega\DriveIcons\bak\deskup.exe
C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe
C:\Program Files\iTunes\bak
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Messenger\bak
C:\Program Files\Messenger\bak\msmsgs.exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\QTTask.exe
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Yahoo!\Messenger\bak\ypager.exe
C:\WINDOWS\bak
C:\WINDOWS\bak\UpdReg.EXE
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\cbjsfdma.dll
C:\WINDOWS\system32\davfxfax.dll
C:\WINDOWS\system32\egoebmdb.dllbox
C:\WINDOWS\system32\erydineo.dll
C:\WINDOWS\system32\fccbyxu.dll
C:\WINDOWS\system32\hggeeef.dll
C:\WINDOWS\system32\holgcprj.dll
C:\WINDOWS\system32\jqtlitmm.exe
C:\WINDOWS\system32\nnlljhf.dll
C:\WINDOWS\system32\nnnonol.dll
C:\WINDOWS\system32\npbcdbdb.exe
C:\WINDOWS\system32\nxiwtdmh.dllbox
C:\WINDOWS\system32\oautulcw.dll
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.bak2
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\rpttosxq.exe
C:\WINDOWS\system32\ubekyrds.dll
C:\WINDOWS\system32\vadvwupw.exe
C:\WINDOWS\system32\vlqopmap.dll
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\xdoigifd.dll
C:\WINDOWS\system32\yfmauanr.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.
2007-11-12 20:54 145,984 --a------ C:\WINDOWS\system32\nxiwtdmh.dll
2007-11-12 20:54 145,984 --a------ C:\WINDOWS\system32\htjodbld.dll
2007-11-12 08:54 81,472 --a------ C:\WINDOWS\system32\mvhbipbd.dll
2007-11-12 08:51 89,664 --a------ C:\WINDOWS\system32\edcehlyu.dll
2007-11-12 08:51 71,232 --a------ C:\WINDOWS\system32\jgrgykwh.exe
2007-11-11 08:57 79,936 --a------ C:\WINDOWS\system32\gbejjqrc.dll
2007-11-11 08:51 71,232 --a------ C:\WINDOWS\system32\vxubloyq.exe
2007-11-10 08:56 81,472 --a------ C:\WINDOWS\system32\ibalhclw.dll
2007-11-10 08:50 71,232 --a------ C:\WINDOWS\system32\fbdxemrx.exe
2007-11-07 22:55 102,400 --a------ C:\temp\KLicense.exe
2007-11-07 22:47 d-------- C:\Program Files\Kaseya
2007-11-07 22:47 122,880 --a------ C:\WINDOWS\system32\kaseyasp.dll
2007-11-07 22:47 13,696 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2007-11-07 22:47 6,144 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2007-11-07 22:09 d-------- C:\Program Files\Lavasoft
2007-11-07 22:09 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 22:08 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 21:44 d-------- C:\VundoFix Backups
2007-11-06 20:41 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 20:40 d-------- C:\Program Files\Spyware Doctor
2007-11-06 20:40 d-------- C:\Documents and Settings\Lynn\Application Data\PC Tools
2007-11-06 20:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 20:40 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-06 20:40 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-06 20:40 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-06 20:40 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-06 18:52 81,472 --a------ C:\WINDOWS\system32\rlklhwfo.dll
2007-11-06 07:10 d-------- C:\WINDOWS\ERUNT
2007-11-06 06:48 d-------- C:\Deckard
2007-11-06 06:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 17:48 d-------- C:\WINDOWS\system32\Mz02r
2007-11-04 17:48 d-------- C:\temp\mZOr
2007-11-02 11:59 26,240 --a------ C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-10-15 20:40 d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 01:58 --------- d-----w C:\Program Files\QuickTime
2007-11-13 01:58 --------- d-----w C:\Program Files\iTunes
2007-11-08 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 08:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\AdobeUM
2007-10-12 19:27 --------- d-----w C:\Documents and Settings\Lynn\Application Data\ICAClient
2007-10-10 03:10 --------- d-----w C:\Program Files\Citrix
2007-10-10 03:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\Citrix
2007-10-10 02:51 --------- d-----w C:\Program Files\Google
2007-10-09 20:24 81 ----a-w C:\CTX.DAT
2007-09-26 20:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 15:48 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-22 23:21 --------- d-----w C:\Program Files\Java
2007-09-22 06:42 --------- d-----w C:\Program Files\Iomega
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-10-05 15:42 561,152 ----a-w C:\Documents and Settings\Lynn\chatlnk.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-06_ 6.33.30.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-06 12:10:57 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:57 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-06 12:10:44 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:44 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000002\UsrClass.dat
+ 2007-11-08 03:09:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-08 03:09:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-08 03:09:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-08 03:09:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-11-04 22:14:09 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 02:37:16 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 22:14:09 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 02:37:16 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-13 02:02:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
+ 2007-11-13 02:02:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{214a7e93-97ba-4c1d-b346-59f1b2e11245}]
2007-11-12 08:54 81472 --a------ C:\WINDOWS\system32\mvhbipbd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-12 20:54 145984 --a------ C:\WINDOWS\system32\nxiwtdmh.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\nxiwtdmh.dll [2007-11-12 20:54 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 16:51 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-04 20:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nxiwtdmh]
nxiwtdmh.dll 2007-11-12 20:54 145984 C:\WINDOWS\system32\nxiwtdmh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturq.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s
R2 WMP54GRSVC;WMP54GRSVC;"C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe"
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys
S3 AR5513;%ATHER.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 CSRBC;CSRBC.Sys CSR test driver;C:\WINDOWS\system32\Drivers\csrbcxp.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 02:36:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 22:04:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-12 22:05:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-09 20:38
C:\ComboFix3.txt ... 2007-11-06 06:35
.
--- E O F ---
bamajim
10.4K Posts
0
November 13th, 2007 12:00
Good job so far. This infection that you have likes to make copies of itself.
Rt click and delete the CFScript.txt file we made earlier, we are going to make another one.
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\nxiwtdmh.dll
C:\WINDOWS\system32\htjodbld.dll
C:\WINDOWS\system32\mvhbipbd.dll
C:\WINDOWS\system32\edcehlyu.dll
C:\WINDOWS\system32\jgrgykwh.exe
C:\WINDOWS\system32\gbejjqrc.dll
C:\WINDOWS\system32\vxubloyq.exe
C:\WINDOWS\system32\ibalhclw.dll
C:\WINDOWS\system32\fbdxemrx.exe
C:\WINDOWS\system32\rlklhwfo.dll
C:\WINDOWS\system32\Mz02r
C:\temp\mZOr
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop
Using the Image as a reference, drag CFScript into ComboFix.exe
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
"The world is what you make of it"
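The File:: list above was assembled by hand from two parts of the ComboFix log: the randomly named files under "Files Created" and the registry keys under "Reg Loading Points" that point at them (a Browser Helper Object, a Winlogon Notify entry and an extra LSA Authentication Package). The script below is an added example, not ComboFix's code and not the helper's method; it correlates those two sections the same way and drafts the File:: block. The name-shape rule (eight lowercase letters under system32), the "same byte size as another such file" rule and the list of high-risk keys are assumptions made for this thread's infection, not general malware rules, and the sample log is a constructed subset in the shape of the log posted above. Python is used so the triage can run wherever the log text is copied to.

```python
"""Triage a ComboFix log: correlate 'Files Created' with 'Reg Loading Points'
and draft the File:: block for CFScript.txt.  Added example, not ComboFix's code.

Heuristics (assumptions for this thread, not general rules):
  * CANDIDATE: file under system32 whose basename is exactly eight lowercase letters;
  * FLAGGED: a candidate sharing its exact byte size with another candidate (the
    "copies of itself"), or any path referenced from a high-risk loading point
    (ComboFix already hides the default entries under those keys);
  * REVIEW: a candidate with neither signal (e.g. a vendor DLL that merely has an
    eight-letter name) is listed for manual checking, not put into CFScript.
"""
import re
from collections import Counter

# Constructed sample in the shape of the log posted above (a subset, not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.
2007-11-12 20:54 145,984 --a------ C:\WINDOWS\system32\nxiwtdmh.dll
2007-11-12 20:54 145,984 --a------ C:\WINDOWS\system32\htjodbld.dll
2007-11-12 08:54 81,472 --a------ C:\WINDOWS\system32\mvhbipbd.dll
2007-11-12 08:51 89,664 --a------ C:\WINDOWS\system32\edcehlyu.dll
2007-11-12 08:51 71,232 --a------ C:\WINDOWS\system32\jgrgykwh.exe
2007-11-11 08:51 71,232 --a------ C:\WINDOWS\system32\vxubloyq.exe
2007-11-10 08:56 81,472 --a------ C:\WINDOWS\system32\ibalhclw.dll
2007-11-07 22:47 122,880 --a------ C:\WINDOWS\system32\kaseyasp.dll
2007-11-06 20:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 06:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{214a7e93-97ba-4c1d-b346-59f1b2e11245}]
2007-11-12 08:54 81472 --a------ C:\WINDOWS\system32\mvhbipbd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nxiwtdmh]
nxiwtdmh.dll 2007-11-12 20:54 145984 C:\WINDOWS\system32\nxiwtdmh.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturq.dll
.
"""

SECTION_HEADER = re.compile(r'^\(+\s*(.*?)\s*\)+\s*$')
FILE_LINE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+\S+\s+(\S.*?)\s*$')
KEY_LINE = re.compile(r'^\[(HKEY_[^\]"]+)[\]"]')   # ComboFix sometimes closes a key with "
PATH_IN_LINE = re.compile(r'[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b', re.IGNORECASE)
RANDOM_SHAPE = re.compile(r'^[a-z]{8}\.(?:dll|exe)$')
HIGH_RISK = ('browser helper objects', 'winlogon\\notify', 'control\\lsa')  # assumed list


def split_sections(text):
    """Map each '(((( Title ))))' banner to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def section_starting(sections, prefix):
    return next((lines for name, lines in sections.items() if name.startswith(prefix)), [])


def parse_files_created(lines):
    """File rows only: directory rows have no size column and do not match."""
    rows = [FILE_LINE.match(line) for line in lines]
    return [{'created': m.group(1), 'size': int(m.group(2).replace(',', '')), 'path': m.group(3)}
            for m in rows if m]


def parse_loading_points(lines):
    """(registry key, referenced path) pairs; service rows (R2/S3 ...) end the key scope."""
    refs, key = [], None
    for line in lines:
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if re.match(r'^[RS]\d\s', line):
            key = None
        if key is not None:
            refs.extend((key, path) for path in PATH_IN_LINE.findall(line))
    return refs


def is_random_shaped(path):
    return RANDOM_SHAPE.match(path.rsplit('\\', 1)[-1]) is not None


def triage(text):
    """Return (flagged, review): path -> reasons, and path -> note for manual checking."""
    sections = split_sections(text)
    created = parse_files_created(section_starting(sections, 'Files Created'))
    refs = parse_loading_points(section_starting(sections, 'Reg Loading Points'))
    display, flagged, review = {}, {}, {}          # keyed by lower-cased path

    for key, path in refs:                         # rule 1: hooked into a high-risk key
        if any(marker in key for marker in HIGH_RISK):
            display.setdefault(path.lower(), path)
            flagged.setdefault(path.lower(), set()).add('referenced from ' + key)

    candidates = [f for f in created if is_random_shaped(f['path']) and '\\system32\\' in f['path'].lower()]
    size_count = Counter(f['size'] for f in candidates)
    for f in candidates:                           # rule 2: identical size = a copy of itself
        low = f['path'].lower()
        display.setdefault(low, f['path'])
        if size_count[f['size']] > 1:
            flagged.setdefault(low, set()).add('same size (%s bytes) as another random-named file' % format(f['size'], ','))
        elif low not in flagged:
            review[low] = 'random-shaped name only; verify before deleting'
    return ({display[p]: sorted(r) for p, r in flagged.items()},
            {display[p]: note for p, note in review.items()})


def build_cfscript(flagged):
    """Render the File:: block in the form the helper asks for above."""
    return 'File::\n' + '\n'.join(sorted(flagged)) + '\n'


if __name__ == '__main__':
    flagged, review = triage(SAMPLE_LOG)
    for path, reasons in sorted(flagged.items()):
        print('FLAG  ', path, '|', '; '.join(reasons))
    for path, note in sorted(review.items()):
        print('REVIEW', path, '|', note)
    print(build_cfscript(flagged))
```

On the constructed sample this flags the three same-size pairs plus vturq.dll (the extra LSA Authentication Package, which ComboFix only prints because it is not a default entry), while kaseyasp.dll, a vendor DLL that happens to have an eight-letter name, and the singleton edcehlyu.dll land in the review list rather than in the File:: block. That is the point of keeping two buckets: a name-shape rule alone would have put a legitimate file into a deletion script.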
coopsys282
8 Posts
0
November 14th, 2007 02:00
ComboFix 07-11-06.4 - Lynn 2007-11-13 21:31:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\CFScript.txt
* Created a new restore point
FILE
C:\temp\mZOr
C:\WINDOWS\system32\edcehlyu.dll
C:\WINDOWS\system32\fbdxemrx.exe
C:\WINDOWS\system32\gbejjqrc.dll
C:\WINDOWS\system32\htjodbld.dll
C:\WINDOWS\system32\ibalhclw.dll
C:\WINDOWS\system32\jgrgykwh.exe
C:\WINDOWS\system32\mvhbipbd.dll
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\nxiwtdmh.dll
C:\WINDOWS\system32\rlklhwfo.dll
C:\WINDOWS\system32\vxubloyq.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Lynn\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\edcehlyu.dll
C:\WINDOWS\system32\fbdxemrx.exe
C:\WINDOWS\system32\gbejjqrc.dll
C:\WINDOWS\system32\htjodbld.dll
C:\WINDOWS\system32\ibalhclw.dll
C:\WINDOWS\system32\jgrgykwh.exe
C:\WINDOWS\system32\mvhbipbd.dll
C:\WINDOWS\system32\nxiwtdmh.dll
C:\WINDOWS\system32\nxiwtdmh.dllbox
C:\WINDOWS\system32\rlklhwfo.dll
C:\WINDOWS\system32\vxubloyq.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-07 22:55 102,400 --a------ C:\temp\KLicense.exe
2007-11-07 22:47 d-------- C:\Program Files\Kaseya
2007-11-07 22:47 122,880 --a------ C:\WINDOWS\system32\kaseyasp.dll
2007-11-07 22:47 13,696 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2007-11-07 22:47 6,144 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2007-11-07 22:09 d-------- C:\Program Files\Lavasoft
2007-11-07 22:09 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 22:08 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 21:44 d-------- C:\VundoFix Backups
2007-11-06 20:41 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 20:40 d-------- C:\Program Files\Spyware Doctor
2007-11-06 20:40 d-------- C:\Documents and Settings\Lynn\Application Data\PC Tools
2007-11-06 20:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 20:40 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-06 20:40 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-06 20:40 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-06 20:40 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-06 07:10 d-------- C:\WINDOWS\ERUNT
2007-11-06 06:48 d-------- C:\Deckard
2007-11-06 06:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 17:48 d-------- C:\WINDOWS\system32\Mz02r
2007-11-04 17:48 d-------- C:\temp\mZOr
2007-11-02 11:59 26,240 --a------ C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-10-15 20:40 d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 01:58 --------- d-----w C:\Program Files\QuickTime
2007-11-13 01:58 --------- d-----w C:\Program Files\iTunes
2007-11-08 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 08:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\AdobeUM
2007-10-12 19:27 --------- d-----w C:\Documents and Settings\Lynn\Application Data\ICAClient
2007-10-10 03:10 --------- d-----w C:\Program Files\Citrix
2007-10-10 03:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\Citrix
2007-10-10 02:51 --------- d-----w C:\Program Files\Google
2007-10-09 20:24 81 ----a-w C:\CTX.DAT
2007-09-26 20:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 15:48 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-22 23:21 --------- d-----w C:\Program Files\Java
2007-09-22 06:42 --------- d-----w C:\Program Files\Iomega
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-10-05 15:42 561,152 ----a-w C:\Documents and Settings\Lynn\chatlnk.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-06_ 6.33.30.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-06 12:10:57 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:57 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-06 12:10:44 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:44 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000002\UsrClass.dat
+ 2007-11-08 03:09:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-08 03:09:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-08 03:09:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-08 03:09:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-11-04 22:14:09 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 02:37:16 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 22:14:09 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 02:37:16 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-14 02:36:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1b0.dat
+ 2007-11-14 02:36:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_608.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 16:51 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-04 20:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nxiwtdmh]
nxiwtdmh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys
S3 AR5513;%ATHER.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 CSRBC;CSRBC.Sys CSR test driver;C:\WINDOWS\system32\Drivers\csrbcxp.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 02:36:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 23:48:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-13 23:49:37 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-12 22:05
C:\ComboFix3.txt ... 2007-11-09 20:38
.
--- E O F ---
bamajim
10.4K Posts
0
November 14th, 2007 13:00
I'm getting ready to give up on this one. How many more times do you think we need to do this?
Sometimes, it takes a few runs at infections to completely remove them. I have seen it take as many as 10 to 20 times to fix some. I think the cleaning of your PC is progressing at a rapid pace, and good progress is being made.
But the choice to continue is up to you. If you do not want to continue let me know and I, as a volunteer here, will move on to help others.
Let me know what you decide
"The world is what you make of it"
coopsys282
8 Posts
0
November 16th, 2007 02:00
bamajim
10.4K Posts
0
November 19th, 2007 12:00
Sorry for the delay. Let's continue.
1. Run an online virus scan called Kaspersky from HERE.
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" ->> "Scan Settings", make sure the database is set to "extended", and check both scan options. Then click OK.
5. Then click on "My Computer" and the scan will start.
6. When the scan is complete Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan
==========
Note: For IE7 users. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.
"The world is what you make of it"