Tech Support Guy
IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.

Discussion Starter · #1 ·
My desktop tells me that my computer says that I've been infected with spyware and should remove them as soon as possible. My task manager is blocked and for some reason my CA realtime spyware protection turns off about 5 seconds after I turn it on.

I don't really know where to start in fixing this; can you help me please? Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:37 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\system32\KB_963493.exe"
O4 - HKLM\..\Run: [j2211331] rundll32 C:\WINDOWS\system32\j2211331.dll sook
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.275.0\OEAddOn.exe
O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.275.0\SeekmoSA.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [BM2b0f6763] Rundll32.exe "C:\WINDOWS\system32\aplyqupe.dll",s
O4 - HKLM\..\Run: [283c54ff] rundll32.exe "C:\WINDOWS\system32\omlqjhad.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA967] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2060] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8673] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC412] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6933] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6770] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8497] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2350] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\CULO\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [Windows Setup Manger] h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7424] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8968] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8229] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9624] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1595] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9962] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4007] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5779] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKUS\S-1-5-18\..\Run: [Windows Setup Manger] h (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [XP restart system] h (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Setup Manger] h (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - (no file)
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - AppInit_DLLs: c:\windows\system32\vtutqop.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 10961 bytes
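The log above is what the helpers in this thread read by eye. As an added illustration (example code written for this page, not part of the original posts or of HijackThis itself), the script below parses HijackThis v2 lines and flags the entry types that carry persistence in this log: the F2 UserInit chain, the populated O20 AppInit_DLLs value, O4 rundll32 entries loading system32 DLLs with opaque entry points, autostarts from Temp or bare one-letter commands, and the O6 IE policy lock. The sample lines are copied from the log posted above; the thresholds (8-hex-digit value names, entry points of 4 characters or fewer) are assumptions of this example, not HijackThis rules.

```python
"""Triage heuristics for HijackThis v2 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import Iterator, List

# Sample lines copied from the HijackThis log posted above, plus a benign O23
# service line and a benign O4 line (jusched) as controls that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [j2211331] rundll32 C:\WINDOWS\system32\j2211331.dll sook
O4 - HKLM\..\Run: [283c54ff] rundll32.exe "C:\WINDOWS\system32\omlqjhad.dll",b
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\CULO\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [Windows Setup Manger] h
O4 - HKUS\S-1-5-18\..\Run: [XP restart system] h (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: c:\windows\system32\vtutqop.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O4 registry Run/RunOnce entries: <hive>\..\Run: [<value name>] <command>
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 <dll>,<entry>  or  rundll32 <dll> <entry>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*[, ]\s*(?P<entry>\S*)',
                       re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


def _check_run_entry(kind: str, body: str, line: str) -> Iterator[Finding]:
    m = RUN_RE.match(body)
    if not m:
        return  # "Startup:" / "Global Startup:" O4 lines are not registry entries
    name, cmd = m["name"], m["cmd"]
    if re.search(r"[0-9a-f]{8}$", name):
        yield Finding(kind, "value name ends in an 8-hex-digit tag (assumed threshold)", line)
    dll = RUNDLL_RE.match(cmd)
    if dll and "\\system32\\" in dll["dll"].lower() and len(dll["entry"]) <= 4:
        yield Finding(kind, "rundll32 loads a system32 DLL through a short, opaque entry point", line)
    if "\\temp\\" in cmd.lower():
        yield Finding(kind, "autostart launches a program from a Temp directory", line)
    token = cmd.split(" (User ")[0].strip()   # drop HijackThis' "(User 'X')" suffix
    if re.fullmatch(r'[^\\/:."]{1,8}', token):
        yield Finding(kind, "command is a bare token with no path or extension", line)


def _check_userinit(kind: str, body: str, line: str) -> Iterator[Finding]:
    # UserInit is a comma-separated list; only userinit.exe belongs there.
    _, _, value = body.partition("UserInit=")
    for entry in filter(None, (e.strip() for e in value.split(","))):
        if entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            yield Finding(kind, f"UserInit chains an extra program: {entry}", line)


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries found in a HijackThis log, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "O4":
            findings.extend(_check_run_entry(kind, body, line))
        elif kind == "F2" and "UserInit=" in body:
            findings.extend(_check_userinit(kind, body, line))
        elif kind == "O20" and body.partition("AppInit_DLLs:")[2].strip():
            findings.append(Finding(kind, "AppInit_DLLs is populated; every user32 process loads it", line))
        elif kind == "O6" and body.endswith(" present"):
            findings.append(Finding(kind, "IE policy restrictions set; commonly used to lock out tools", line))
        # Orphans are cleanup candidates rather than live infections.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(kind, "orphaned entry, target file is gone", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the full log posted above, the same rules also pick up the `[BM2b0f6763]` rundll32 entry and the `[Restore Operation]` autostart in Temp, while leaving the avast!, CA and Java entries alone.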
 

Registered · 686 Posts
Hello and welcome to Tech Support Guy.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!
 

Registered · 686 Posts
Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.

Step # 1: Download and Install SDFix
Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Step # 2: Boot into Safe Mode

You can get into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Step # 3: Run SDFix

  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

The rest of the fix will be done in Normal mode.

Step # 4: Download and Run ComboFix

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop.

When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Step # 5: Make an uninstall list using HijackThis
To access the Uninstall Manager, you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

In your next post/reply, I need to see the SDFix report, the ComboFix log, the Uninstall List, and a fresh HijackThis log. Use multiple posts/replies if you can't fit them all into one post.
 

Discussion Starter · #5 ·
\??\C:\WINDOWS\system32\kprof
\??\C:\WINDOWS\system32\poof

kprof - Deleted
poof - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting

Service Qidg33 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
C:\WINDOWS\SYSTEM32\CENTER.EXE - Deleted
C:\PROGRA~1\MSNGAM~1\WOPU - Deleted
C:\WINDOWS\SYSTEM32\ATL7.DLL - Deleted
C:\WINDOWS\system32\drivers\Qidg33.sys - Deleted

Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\E404 Helper - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\fse - Removed
Folder C:\WINDOWS\system32\f02WtR - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 20:25:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F8E0B90689E0FB64589F17321D20D248\Usage]
"CA_AntiSpyware_Files"=dword:386f1021

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\nwlmjysq.exe"="C:\\WINDOWS\\system32\\nwl"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 5 Dec 2005 2,299 A..H. --- "C:\Documents and Settings\CULO\IPH.BAK"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 21 Nov 2006 1,430,552 ..SH. --- "C:\WINDOWS\Cursors\sptc.tmp"
Fri 25 May 2007 7,176 ..SH. --- "C:\WINDOWS\Cursors\sptc.bak1"
Wed 20 Jun 2007 1,841,648 ..SH. --- "C:\WINDOWS\Cursors\sptc.bak2"
Wed 20 Jun 2007 1,841,244 A.SH. --- "C:\WINDOWS\system32\qtvwa.bak1"
Mon 2 Jul 2007 1,856,521 A.SH. --- "C:\WINDOWS\system32\qtvwa.bak2"
Mon 28 Aug 2006 19,456 A.SHR --- "C:\WINDOWS\Temp\parAC16.tmp"
Sun 29 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 29 May 2005 4,348 ...H. --- "C:\Documents and Settings\CULO\My Documents\My Music\License Backup\drmv1key.bak"
Wed 7 Dec 2005 20 A..H. --- "C:\Documents and Settings\CULO\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 29 May 2005 312 A.SH. --- "C:\Documents and Settings\CULO\My Documents\My Music\License Backup\drmv2key.bak"
Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\CULO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\CULO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\CULO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\CULO\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

---------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:07 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [j2211331] rundll32 C:\WINDOWS\system32\j2211331.dll sook
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.275.0\OEAddOn.exe
O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.275.0\SeekmoSA.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [283c54ff] rundll32.exe "C:\WINDOWS\system32\omlqjhad.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM2b0f6763] Rundll32.exe "C:\WINDOWS\system32\aplyqupe.dll",s
O4 - HKCU\..\Run: [Windows Setup Manger] h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [Windows Setup Manger] h (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [XP restart system] h (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Setup Manger] h (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - (no file)
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - AppInit_DLLs: c:\windows\system32\vtutqop.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 9023 bytes
 

Discussion Starter · #7 ·
Uninstall list from HijackThis

AccessDiver v4.402
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
AIM 6
AOL Instant Messenger
AOL Toolbar 2.0
Apple Software Update
Avant Browser (remove only)
avast! Antivirus
Banctec Service Agreement
Bat
Bodog Poker Version 2.13.4.21
CA Internet Security Suite
Compact Wireless-G USB Adapter
Conexant D850 56K V.9x DFVc Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
DellSupport
Digital Line Detect
EarthLink setup files
Get High Speed Internet!
H&R Block Tax Offer
HijackThis 2.0.2
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java(TM) 6 Update 3
Learn2 Player (Uninstall Only)
LimeWire 4.16.6
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Helper
Mozilla Firefox (2.0.0.12)
My Way Search Assistant
NetWaiting
NetZeroInstallers
NLOP
Photo Click
RealPlayer
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
SpywareBlaster v3.5.1
SuperMegaSpoof 2.0
Sygate Personal Firewall
Ulead Photo Explorer 8.0 SE Basic
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
 

Discussion Starter · #8 ·
Fresh HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:53 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [j2211331] rundll32 C:\WINDOWS\system32\j2211331.dll sook
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Windows Setup Manger] h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [Windows Setup Manger] h (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [XP restart system] h (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Setup Manger] h (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - AppInit_DLLs: c:\windows\system32\vtutqop.dll
O20 - Winlogon Notify: ahkmi - ahkmi.dll (file missing)
O20 - Winlogon Notify: awttrro - awttrro.dll (file missing)
O20 - Winlogon Notify: LFCgr1 - LFCgr1.dll (file missing)
O20 - Winlogon Notify: ntload32 - ntload32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 8632 bytes

Registered · 686 Posts
Seems you're missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
Nothing is going to change on your computer other than we are going to reinstall the Recovery Console.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named, to your desktop along with ComboFix.exe.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until I have reviewed the log.

Registered · 43 Posts · Discussion Starter · #12
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Registered · 686 Posts
The log looks good, you can reboot your computer.

Does your CA Internet Security Suite have both AntiVirus and Firewall capabilities? If it does, please either uninstall the Suite or uninstall avast! Antivirus and Sygate Personal Firewall and keep CA as your AntiVirus and Firewall. Having multiple AntiViruses and Firewalls running at the same time could cause system instability, slowdown and crashes.

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire 4.16.6

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Step # 1 Upload Files

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\sizelimit.ocx
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

C:\Documents and Settings\NetworkService\Application Data\Install.dat
C:\WINDOWS\Cursors\sptc.ini2
C:\\WINDOWS\\system32\\nwlmjysq.exe


If Jotti is busy, Go to VirusTotal and scan the file(s) there.

Step # 2: Remove Poker programs
From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.

I would advise you to go to Add/Remove programs and uninstall the following poker program(s):

Bodog Poker Version 2.13.4.21

NLOP


Here are links to some poker sites regarded as safe for your reference.
1. http://www.pokerstars.net/ - This is a free to use/play site with play money.
2. http://www.pokerstars.com/ - This is a free to use/play site with play money and real money.

Step # 3: Add/Remove Programs

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

Bat

My Way Search Assistant


Reboot your computer.

Step # 4: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    
    C:\WINDOWS\system32\283c4671
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\system32\long.exe
    C:\WINDOWS\system32\syswcc32.exe
    C:\WINDOWS\system32\winsys2181.exe
    C:\Documents and Settings\CULO\Application Data\tmp9C.tmp.exe
    C:\WINDOWS\system32\qtvwa.bak1
    C:\WINDOWS\system32\qtvwa.bak2
    C:\WINDOWS\system32\drivers\d_kmd.sys
    C:\WINDOWS\system32\A83KEFCD.exe
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\system32\j2211331.dll
    C:\WINDOWS\system32\ahkmi.dll
    C:\WINDOWS\system32\awttrro.dll
    C:\WINDOWS\system32\LFCgr1.dll
    C:\WINDOWS\system32\ntload32.dll
    C:\windows\system32\vtutqop.dll
    
    Folder::
    
    C:\Documents and Settings\All Users\Application Data\Rabio
    C:\Program Files\NLOP
    C:\Program Files\Bat
    C:\Documents and Settings\CULO\Application Data\LimeWire
    C:\Program Files\LimeWire
    C:\Program Files\Bodog Poker
    C:\Program Files\Cashfiesta
    C:\Documents and Settings\CULO\Application Data\Cashfiesta
    C:\Program Files\Common Files\ErrorSafe Free
    C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\bak
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\bak
    
    AWF::
    
    C:\Program Files\AIM\bak\aim.exe
    
    Registry::
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Setup Manger"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "j2211331"=-
    "was_check"=-
    "UERScw"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Setup Manger"=-
    "XP restart system"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ahkmi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttrro]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LFCgr1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ntload32]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    Driver::
    
    d_kmd
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the results from Jotti/Virustotal, ComboFix Log and a fresh HiJackThis Log. Use multiple posts if you can't fit everything into one post.
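As an added example (not code from HijackThis, ComboFix or this forum), here is a small Python triage pass over the kinds of log entries posted in this thread, flagging the persistence mechanisms the CFScript above targets: bogus Run values, rundll32 autostarts, IE policy locks, a modified UserInit chain, AppInit_DLLs and orphaned Winlogon Notify packages. The sample lines are constructed to mirror the posted log, and the heuristics are mine, not the helper's method.

```python
"""Defender-side triage of HijackThis-style log lines.

Added example for this thread; the sample below is constructed from the
shape of the posted log and the rules are simple heuristics, not a scanner.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [j2211331] rundll32 C:\WINDOWS\system32\j2211331.dll sook
O4 - HKCU\..\Run: [Windows Setup Manger] h
O4 - HKUS\S-1-5-18\..\Run: [XP restart system] h (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O20 - AppInit_DLLs: c:\windows\system32\vtutqop.dll
O20 - Winlogon Notify: ahkmi - ahkmi.dll (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line: str
    reason: str


# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")  # HijackThis per-user annotation


def _executable(cmd: str) -> str:
    """Return the program part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def triage(log_text: str) -> list:
    """Scan log lines and return the entries that match the persistence heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
            exe = _executable(cmd)
            base = exe.lower().rsplit("\\", 1)[-1]
            if base in ("rundll32", "rundll32.exe"):
                parts = cmd.split()
                dll = parts[1] if len(parts) > 1 else "?"
                findings.append(Finding("medium", line, f"rundll32 autostart loads {dll}; review that DLL"))
            elif "\\" not in exe and "." not in exe:
                # A Run value whose command is not a path or program (e.g. a lone "h")
                findings.append(Finding("high", line, f"Run value [{m.group('name')}] has no real executable ({exe!r})"))
            continue
        if line.startswith("O6 - ") and line.endswith(" present"):
            findings.append(Finding("medium", line, "IE policy restrictions set; often used to lock the browser"))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            programs = [p.strip() for p in line.split("=", 1)[1].split(",") if p.strip()]
            extra = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding("high", line, "extra program chained into UserInit: " + ", ".join(extra)))
        elif line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(Finding("high", line, f"AppInit_DLLs loads {value} into every GUI process"))
        elif line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings.append(Finding("high", line, "orphaned Winlogon Notify package; its DLL ran at every logon"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```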

Registered · 43 Posts · Discussion Starter · #15
I'll uninstall my avast antivirus but I'd rather keep my Sygate firewall. Sygate is easier for me to understand, and plus, during my CA suite download I didn't include the CA firewall as part of my download.

Is there a difference between the 2 firewalls?

Registered · 43 Posts · Discussion Starter · #16
When I tried to uninstall "My Way Search Assistant" something popped up saying this:

" Error loading C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll"

"The specified module cannot be found"

Registered · 43 Posts · Discussion Starter · #17
C:\WINDOWS\system32\sizelimit.ocx

Scan taken on 16 Mar 2008 06:23:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

-----------------------------------------------------------------------------------
C:\Documents and Settings\NetworkService\Application Data\Install.dat

Scan taken on 16 Mar 2008 06:26:43 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
------------------------------------------------------------------------------------------------

C:\WINDOWS\Cursors\sptc.ini2

Scan taken on 16 Mar 2008 06:29:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
------------------------------------------------------------------------------------------------------------
C:\\WINDOWS\\system32\\nwlmjysq.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Registered · 43 Posts · Discussion Starter · #18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:36 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 7215 bytes

ComboFix 08-03-14.4 - CULO 2008-03-16 3:55:56.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.193 [GMT -5:00]
Running from: C:\Documents and Settings\CULO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-16 03:42 . 2008-03-16 03:42 20,480 --a------ C:\WINDOWS\apphelp32.dll
2008-03-16 03:42 . 2008-03-16 03:42 18,944 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-16 02:35 . 2008-03-16 02:35 d-------- C:\WINDOWS\FLEOK
2008-03-16 02:35 . 2008-03-16 02:35 d-------- C:\Program Files\zango
2008-03-16 02:35 . 2008-03-16 02:35 d-------- C:\Program Files\stc
2008-03-16 02:35 . 2008-03-16 02:35 d-------- C:\Program Files\180solutions
2008-03-16 02:35 . 2008-03-16 02:35 d-------- C:\Program Files\180searchassistant
2008-03-16 02:35 . 2008-03-16 02:35 d-------- C:\Program Files\180search assistant
2008-03-16 02:35 . 2008-03-16 02:35 17,920 --a------ C:\WINDOWS\didduid.ini
2008-03-16 02:35 . 2008-03-16 02:35 10,752 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-16 02:05 . 2008-03-16 02:05 d-------- C:\Program Files\Enigma Software Group
2008-03-16 01:13 . 2008-03-16 01:13 90,544 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-15 20:06 . 2005-03-02 13:09 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-03-15 20:04 . 2008-03-15 20:04 d-------- C:\WINDOWS\ERUNT
2008-03-15 19:29 . 2008-03-15 20:30 d----c--- C:\SDFix
2008-03-15 16:58 . 2008-03-15 16:58 d-------- C:\Program Files\Windows Defender
2008-03-15 16:43 . 2008-03-15 16:43 d-------- C:\Documents and Settings\CULO\Application Data\Uniblue
2008-03-15 15:59 . 2008-03-16 01:51 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-15 13:55 . 2008-03-15 13:55 d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-15 13:55 . 2008-03-15 14:05 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 04:58 . 2008-03-15 04:58 d-------- C:\Program Files\Sysmnt
2008-03-01 02:02 . 2008-03-01 02:02 d-------- C:\Program Files\MySQL
2008-03-01 01:17 . 2008-03-01 01:36 d-------- C:\Program Files\QuickSpoof
2008-02-26 23:46 . 2008-02-26 23:49 d-------- C:\Program Files\PokerOffice
2008-02-26 23:34 . 2008-02-26 23:34 d-------- C:\Documents and Settings\CULO\Application Data\Straight Stats
2008-02-26 15:07 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-26 15:07 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-26 15:07 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-26 15:07 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-02-24 23:21 . 2008-02-26 23:50 d-------- C:\Program Files\Real
2008-02-24 23:21 . 2008-02-24 23:21 d-------- C:\Program Files\Common Files\xing shared
2008-02-17 17:36 . 2008-02-17 17:36 d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-02-17 03:06 . 2008-02-17 03:07 d-------- C:\Program Files\AIM6
2008-02-17 03:06 . 2008-02-17 03:08 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-17 03:06 . 2008-02-17 03:06 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 03:24 . 2008-02-16 03:32 d-------- C:\Program Files\MegaSpoof
2008-02-16 03:24 . 2003-07-08 10:13 28,672 --a------ C:\WINDOWS\system32\sizelimit.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 08:40 --------- d-----w C:\Program Files\AIM
2008-03-16 07:02 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-16 06:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 20:43 --------- d-----w C:\Program Files\Viewpoint
2008-03-15 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-13 20:49 --------- d-----w C:\Program Files\Avant Browser
2008-02-28 12:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 04:35 --------- d--h--w C:\Documents and Settings\CULO\Application Data\ijjigame
2008-02-25 04:21 --------- d-----w C:\Program Files\Common Files\Real
2008-02-17 08:06 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-10 01:38 --------- d-----w C:\Program Files\Alwil Software
2008-02-09 20:12 --------- d-----w C:\Program Files\Trend Micro
2008-02-09 19:50 --------- d-----w C:\Program Files\Java
2008-02-09 19:49 --------- d-----w C:\Program Files\Common Files\Java
2008-02-09 04:37 --------- d-----w C:\Program Files\DellSupport
2008-02-09 04:05 --------- d-----w C:\Program Files\CA
2008-02-09 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-06-21 03:01 1,492,554 -csh--w C:\WINDOWS\Cursors\sptc.ini2
2007-06-21 02:57 1,841,648 -csh--w C:\WINDOWS\Cursors\sptc.bak2
2007-05-26 04:10 7,176 -csh--w C:\WINDOWS\Cursors\sptc.bak1
2006-11-21 22:22 1,430,552 -csh--w C:\WINDOWS\Cursors\sptc.tmp
2007-05-26 04:10 7,176 -csh--w C:\WINDOWS\Cursors\sptc.bak1
2007-06-21 02:57 1,841,648 -csh--w C:\WINDOWS\Cursors\sptc.bak2
2007-06-21 03:01 1,492,554 -csh--w C:\WINDOWS\Cursors\sptc.ini2
.

------- Sigcheck -------

2005-03-13 20:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-03-13 19:55 359808 1898df9a9d550da97c2ed41ae3c76a25 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_20.53.47.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-16 07:35:38 24,320 ----a-w C:\WINDOWS\FLEOK\180ax.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [ ]
"eTrustPPAP"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe" [ ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:25 177416]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-02-08 23:07 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 13:42 230664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-24 23:20 185896]
"POEngine"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-08-16 21:10 410888]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-11 10:16:45 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=

S1 d_kmd;d_kmd;C:\WINDOWS\system32\drivers\d_kmd.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 19:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 08:22:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 03:57:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-16 3:58:02
ComboFix-quarantined-files.txt 2008-03-16 08:57:35
ComboFix2.txt 2008-03-16 08:46:12
ComboFix3.txt 2008-03-16 08:41:28
ComboFix4.txt 2008-03-16 01:54:24
 

Please keep your computer offline as much as possible, only going online to follow my instructions that I post to you.

Also, I'd like you to post ComboFix2.txt and ComboFix3.txt in your next post/reply. Do this before running the CFScript that I will be having you run in this post.

I'll uninstall my Avast antivirus but I'd rather keep my Sygate firewall. Sygate is easier for me to understand and, plus, during my CA suite download I didn't include the CA firewall as part of my download.

Is there a difference between the 2 firewalls?
I can't say, I've never used either Firewall. If Sygate is easy for you to use and understand, you can go ahead and keep it. I just wanted to be sure that you didn't have two firewalls running at the same time.

When I tried to uninstall "My Way Search Assistant" something popped up saying this

" Error loading C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll"

"The specified module cannot be found"
Doing some research on this, I found out that this means that My Way Search Assistant is uninstalled; it's just that its uninstall list entry is still there. We'll take care of that later.

Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.

  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\system32\drivers\d_kmd.sys
    C:\WINDOWS\didduid.ini
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\system32\nwlmjysq.exe
    
    Folder::
    
    C:\WINDOWS\FLEOK
    C:\Program Files\zango
    C:\Program Files\stc
    C:\Program Files\180solutions
    C:\Program Files\180searchassistant
    C:\Program Files\180search assistant
    C:\Program Files\Enigma Software Group
    C:\PROGRA~1\MyWaySA\
    
    Registry::
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    
    "C:\\WINDOWS\\system32\\nwlmjysq.exe"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    
    Driver::
    
    d_kmd
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see three ComboFix Logs (ComboFix2, ComboFix3 and the ComboFix Log you get after running the latest CFScript) and a fresh HiJackThis Log (taken after the latest CFScript has been run). Use multiple posts/replies if you can't fit them all into one post.
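A CFScript is copied out of a forum post into Notepad by hand, so the classic failure modes are exactly the ones that hurt here: a long registry key name that the forum wrapped with an inserted space, and a File:: path pasted with the doubled backslashes of regedit syntax. The parser and linter below is an added example for this thread; it is not ComboFix code and not part of the helper's post. It only assumes the four section names used above (File::, Folder::, Registry::, Driver::) and accepts headers written with one or two colons; the line-wrap heuristic and every check are this example's own assumptions, and the sample script is constructed from the one posted above with its defects left in so the linter has something to report.

```python
"""Parse and lint a ComboFix CFScript before it is handed to the user.

Added example; not ComboFix code and not part of the original post.
Section names follow the posted script; all checks are assumptions.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::?\s*$")   # "File::" (one or two colons accepted)
REG_KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\...]
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')    # "Name"=data ; "Name"=- deletes the value
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")       # absolute drive-letter path
# Heuristic (assumption): a space followed by a single character and then a
# backslash or the end of the key is almost always a word split by a forum
# line-wrap, e.g. "parameter s\" or "syste m". "Windows NT" does not match.
WRAP_SPLIT_RE = re.compile(r" [A-Za-z0-9](?:\\|$)")

# Constructed sample based on the script in the thread, with three defects
# kept on purpose: two wrapped key names and one File:: path with "\\".
SAMPLE_CFSCRIPT = r"""File::

C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\system32\drivers\d_kmd.sys
C:\\WINDOWS\\system32\\nwlmjysq.exe

Folder::

C:\WINDOWS\FLEOK
C:\PROGRA~1\MyWaySA\

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameter s\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\WINDOWS\\system32\\nwlmjysq.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"DisableTaskMgr"=-

Driver::

d_kmd
"""


def parse_cfscript(text):
    """Return {section: entries}; registry entries are (key, name, data) tuples."""
    sections = {}
    current = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            current_key = None
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current != "registry":
            sections[current].append(line)
            continue
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = REG_VALUE_RE.match(line)
        if value is None:
            raise ValueError(f"unparsable registry line: {line!r}")
        sections[current].append((current_key, value.group(1), value.group(2)))
    return sections


def lint_cfscript(text):
    """Return (section, entry, message) findings for the usual copy/paste defects."""
    findings = []
    sections = parse_cfscript(text)
    for sec in ("file", "folder"):
        for path in sections.get(sec, []):
            if "\\\\" in path:
                findings.append((sec, path, "escaped backslashes; path sections take plain paths"))
            elif not DRIVE_PATH_RE.match(path):
                findings.append((sec, path, "not an absolute drive-letter path"))
    seen_keys = set()
    for key, name, _data in sections.get("registry", []):
        if key is None:
            findings.append(("registry", name, "value line before any [key] line"))
        elif key not in seen_keys:
            seen_keys.add(key)
            if WRAP_SPLIT_RE.search(key):
                findings.append(("registry", key, "space inside key name; looks like a line-wrap artifact"))
    for drv in sections.get("driver", []):
        if "\\" in drv or drv.lower().endswith(".sys"):
            findings.append(("driver", drv, "driver section takes the service name, not a file path"))
    return findings


if __name__ == "__main__":
    for section, entry, message in lint_cfscript(SAMPLE_CFSCRIPT):
        print(f"[{section}] {entry}: {message}")
```

Run it against the sample and it reports the three defects; once the two key names are rejoined only the File:: path with doubled backslashes remains. The registry data on the right-hand side of a value is deliberately not checked, because in regedit syntax "C:\\WINDOWS\\..." is the correct spelling there.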
 