Tech Support Guy forum thread (malware removal). Status: not open for further replies.

#1 · Discussion Starter (Registered member, 6 posts)
I'm over at a friend's house and decided to take a look at his computer since it was running like garbage, and I was concerned by the following programs in the Add/Remove Programs wizard: bar888, IpWins, and outerinfo. I looked around the forums a bit first, ran Ad-Aware SE Pro and Spybot, and now bar888 is the only one left in Add/Remove Programs. I downloaded HJT and I'll post the logfile here; I know to wait for a response before I go trying to fix anything. Any other info you need, just let me know. Thanks.

-----------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:19:14 AM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe
C:\WINDOWS\YSTEM3~1\rundll.exe
C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoia.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {86A523E8-BD02-8BF5-2020-E65B542A36B3} - C:\WINDOWS\system32\ebldremb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{382A8~1\Bar888.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [czpeexk.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\czpeexk.dll",rzqlgze
O4 - HKLM\..\Run: [{082A8597-047E-1033-0710-020208060001}] "C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aiuh] "C:\WINDOWS\YSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Yqliaree] C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [qqoi] C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
 

Reply · Derek (Retired Moderator, Retired Malware Specialist; 56,593 posts)
Download Combofix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 

#3 · Discussion Starter (Registered member, 6 posts)
Here's part 1:

-------------------------------------------------------------------------------------------------

Owner - 06-12-23 12:33:36.35 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Owner\Application Data\Install.dat
C:\WINDOWS\system32\wapisvsu.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\network monitor
C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}
C:\Program Files\Common Files\{382A8597-047E-1033-0710-020208060001}
C:\WINDOWS\ZGlja2FyZCBib25l

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\My Documents\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\ASEMBL~1\m?hta.exe
C:\QooBox\Purity\WINDOWS\YSTEM3~1
C:\QooBox\Purity\WINDOWS\YSTEM3~1\rundll.exe
C:\QooBox\Purity\WINDOWS\YSTEM3~1\YSTEM3~1

((((((((((((((((((((((((((((((( Files Created from 2006-11-23 to 2006-12-23 ))))))))))))))))))))))))))))))))))

2006-12-23 12:07 d-------- C:\WINDOWS\system32\ActiveScan
2006-12-23 12:07 d-------- C:\WINDOWS\LastGood.Tmp
2006-12-23 11:11 d-------- C:\Program Files\Hijackthis
2006-12-23 10:53 d-------- C:\WINDOWS\qqoi
2006-12-23 10:53 d-------- C:\Program Files\Common Files\qqoi
2006-12-23 10:51 d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-23 10:51 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-23 10:24 88,340 --a------ C:\WINDOWS\system32\jebtsbta.exe
2006-12-23 10:24 825,996 ---hs---- C:\WINDOWS\system32\tttss.bak1
2006-12-23 10:24 44,052 --a------ C:\WINDOWS\system32\ebeiumad.dll
2006-12-23 10:24 277,044 ---hs---- C:\WINDOWS\system32\ssttt.dll
2006-12-23 10:19 72,704 --a------ C:\WINDOWS\system32\drvlim.dll
2006-12-23 10:19 56,320 --a------ C:\WINDOWS\system32\ebldremb.dll
2006-12-23 10:19 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-23 10:19 22,541 ---hs---- C:\WINDOWS\system32\ssqpnki.dll
2006-12-23 07:55 93,184 --a------ C:\WINDOWS\system32\czpeexk.dll
2006-12-23 07:55 71,680 --a------ C:\WINDOWS\system32\itbwqwf.dll
2006-12-23 07:55 3,648 --a------ C:\WINDOWS\system32\kernels1118.exe
2006-12-23 07:55 3,584 --a------ C:\WINDOWS\system32\msasvc.exe
2006-12-23 07:53 17,920 --a------ C:\WINDOWS\system32\winwil32.dll
2006-12-23 07:52 9,769 --a------ C:\ctsosaq.exe
2006-12-23 07:52 3,648 --a------ C:\tomvnwhd.exe
2006-12-23 07:52 23,552 --a------ C:\eufjxc.exe
2006-12-23 07:06 d-------- C:\Program Files\CheckIt
2006-12-23 06:38 d--h----- C:\WINDOWS\PIF
2006-12-23 06:20 d--hs---- C:\Config.Msi
2006-12-23 06:04 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-12-23 05:42 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-12-23 05:42 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-23 05:42 d-------- C:\Program Files\Symantec
2006-12-23 05:42 d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-23 05:42 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2006-12-23 04:38 d-------- C:\Program Files\Soulseek-Test212121
2006-12-23 01:32 d-------- C:\Program Files\Common Files\Scanner
2006-12-23 01:32 d-------- C:\Program Files\ComcastToolbar
2006-12-22 23:08 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-12-22 22:49 98,176 --a------ C:\WINDOWS\system32\drivers\NBF.SYS
2006-12-22 22:35 40,960 --a------ C:\WINDOWS\system32\parport.dll
2006-12-22 22:35 4,256 --a------ C:\WINDOWS\system32\drivers\UserPort.sys
2006-12-19 04:31 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-19 04:30 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2006-12-19 04:30 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2006-12-19 04:30 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2006-12-19 04:16 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2006-12-19 04:13 d-------- C:\Program Files\Diablo II
2006-12-18 12:30 d-------- C:\Program Files\Microsoft Visual Studio
2006-12-18 12:30 d-------- C:\msdn
2006-12-18 12:27 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-12-18 12:27 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-12-18 12:27 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2006-12-18 12:27 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2006-12-18 12:27 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-12-18 12:27 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-12-18 12:27 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-12-18 12:27 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-12-18 12:26 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-12-18 12:08 d-------- C:\Program Files\MTV Networks
2006-12-18 11:55 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-12-18 10:23 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2006-12-18 09:40 d-------- C:\Program Files\QuickTime
2006-12-18 09:40 d-------- C:\Program Files\Apple Software Update
2006-12-18 09:40 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-17 23:40 d-------- C:\WINDOWS\system32\DRM
2006-12-17 23:39 d-------- C:\Program Files\Windows Media Connect 2
2006-12-17 23:37 d-------- C:\WINDOWS\system32\LogFiles
2006-12-17 23:37 d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-17 23:36 d-------- C:\WINDOWS\system32\ReinstallBackups
2006-12-17 23:27 dr--s---- C:\WINDOWS\assembly
2006-12-17 23:27 d-------- C:\WINDOWS\system32\URTTemp
2006-12-17 23:27 d-------- C:\WINDOWS\Microsoft.NET
2006-12-17 23:14 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-12-17 23:12 dr-h----- C:\Documents and Settings\Owner\Application Data\yahoo!
2006-12-17 21:24 d-------- C:\Documents and Settings\Owner\Application Data\vlc
2006-12-17 21:23 d-------- C:\Program Files\VideoLAN
2006-12-17 21:20 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2006-12-17 21:06 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2006-12-17 20:58 d-------- C:\WINDOWS\WBEM
2006-12-17 20:58 d-------- C:\WINDOWS\system32\en-US
2006-12-17 20:57 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-17 20:57 d--h-c--- C:\WINDOWS\ie7
2006-12-17 20:56 d-------- C:\WINDOWS\network diagnostic
2006-12-17 20:44 d-------- C:\Program Files\uTorrent
2006-12-17 20:40 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-12-17 20:36 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-17 20:35 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-12-17 20:32 d-------- C:\Program Files\Soulseek
2006-12-17 20:30 d-------- C:\Program Files\Jasc Software Inc
2006-12-17 20:30 d-------- C:\Program Files\Common Files\Jasc Software Inc
2006-12-17 20:30 d-------- C:\Documents and Settings\Owner\Application Data\Jasc Software Inc
2006-12-17 20:30 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2006-12-17 20:24 d-------- C:\Program Files\Support.com
2006-12-17 20:24 d-------- C:\Documents and Settings\All Users\Application Data\Support.com
2006-12-17 20:23 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-12-17 20:21 d--h----- C:\Program Files\InstallShield Installation Information
2006-12-17 20:21 d-------- C:\Program Files\Common Files\InstallShield
2006-12-17 20:17 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-12-17 20:14 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-12-17 20:14 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2006-12-17 20:13 d-------- C:\Program Files\Common Files\Adobe
2006-12-17 20:13 d-------- C:\Program Files\Adobe
2006-12-17 20:13 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-12-17 20:09 d-------- C:\Program Files\DivX
2006-12-17 20:07 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2006-12-17 20:07 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2006-12-17 20:07 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2006-12-17 20:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-12-17 20:07 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-12-17 20:07 d-------- C:\WINDOWS\RegisteredPackages
2006-12-17 20:06 d-------- C:\Program Files\Winamp
2006-12-17 20:05 d-------- C:\Program Files\PowerISO
2006-12-17 20:05 d-------- C:\Program Files\Lavasoft
2006-12-17 20:05 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-17 20:04 d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2006-12-17 20:03 d-------- C:\Program Files\Yahoo!
2006-12-17 20:02 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2006-12-17 20:01 d-------- C:\Program Files\Mozilla Firefox
2006-12-17 20:01 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-12-17 20:00 d-------- C:\Program Files\Nero
2006-12-17 20:00 d-------- C:\Program Files\Common Files\Ahead
2006-12-17 19:57 d-------- C:\Program Files\WinRAR
2006-12-17 19:50 d--hs---- C:\RECYCLER
2006-12-17 19:49 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2006-12-17 19:49 d-------- C:\WINDOWS\Downloaded Installations
2006-12-17 19:49 d-------- C:\Program Files\Viewpoint
2006-12-17 19:49 d-------- C:\Program Files\AWS
2006-12-17 19:49 d-------- C:\Program Files\AOD
2006-12-17 19:49 d-------- C:\Program Files\AIM
2006-12-17 19:49 d-------- C:\Documents and Settings\Owner\Application Data\Aim
2006-12-17 19:49 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-12-17 19:48 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-17 19:48 d--h----- C:\WINDOWS\$hf_mig$
2006-12-17 19:48 d-------- C:\WINDOWS\system32\PreInstall
2006-12-17 19:45 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-12-17 19:45 d--hs---- C:\Documents and Settings\Owner\UserData
2006-12-17 19:45 d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-17 19:44 dr-h----- C:\Documents and Settings\Owner\SendTo
2006-12-17 19:44 dr-h----- C:\Documents and Settings\Owner\Recent
2006-12-17 19:44 dr-h----- C:\Documents and Settings\Owner\Application Data\.
2006-12-17 19:44 dr-h----- C:\Documents and Settings\Owner\Application Data
2006-12-17 19:44 dr------- C:\Documents and Settings\Owner\Start Menu
2006-12-17 19:44 dr------- C:\Documents and Settings\Owner\My Documents
2006-12-17 19:44 dr------- C:\Documents and Settings\Owner\Favorites
2006-12-17 19:44 d--hs---- C:\Documents and Settings\Owner\Cookies
2006-12-17 19:44 d--h----- C:\Program Files\Uninstall Information
2006-12-17 19:44 d--h----- C:\Documents and Settings\Owner\Templates
2006-12-17 19:44 d--h----- C:\Documents and Settings\Owner\PrintHood
2006-12-17 19:44 d--h----- C:\Documents and Settings\Owner\NetHood
2006-12-17 19:44 d--h----- C:\Documents and Settings\Owner\Local Settings
2006-12-17 19:44 d---s---- C:\WINDOWS\system32\Microsoft
2006-12-17 19:44 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-17 19:44 d-------- C:\WINDOWS\SoftwareDistribution
2006-12-17 19:44 d-------- C:\WINDOWS\Prefetch
2006-12-17 19:44 d-------- C:\Documents and Settings\Owner\Desktop
2006-12-17 19:44 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-12-17 19:44 d-------- C:\Documents and Settings\Owner\Application Data\..
2006-12-17 19:44 d-------- C:\Documents and Settings\Owner\..
2006-12-17 19:44 d-------- C:\Documents and Settings\Owner\.
2006-12-17 19:40 8,704 --a------ C:\WINDOWS\system32\snmptrap.exe
2006-12-17 19:40 6,144 --a------ C:\WINDOWS\system32\snmpmib.dll
2006-12-17 19:40 33,792 --a------ C:\WINDOWS\system32\lmmib2.dll
2006-12-17 19:40 33,280 --a------ C:\WINDOWS\system32\snmp.exe
2006-12-17 19:40 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2006-12-17 19:39 92,160 --a------ C:\WINDOWS\system32\evntwin.exe
2006-12-17 19:39 39,936 --a------ C:\WINDOWS\system32\hostmib.dll
2006-12-17 19:39 35,328 --a------ C:\WINDOWS\system32\iprip.dll
2006-12-17 19:39 24,064 --a------ C:\WINDOWS\system32\evntcmd.exe
2006-12-17 19:39 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2006-12-17 19:38 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-12-17 19:38 0 -rahs---- C:\MSDOS.SYS
2006-12-17 19:38 0 -rahs---- C:\IO.SYS
2006-12-17 19:38 0 --a------ C:\CONFIG.SYS
2006-12-17 19:38 0 --a------ C:\AUTOEXEC.BAT
2006-12-17 19:38 d-------- C:\WINDOWS\system32\xircom
2006-12-17 19:38 d-------- C:\Program Files\xerox
2006-12-17 19:38 d-------- C:\Program Files\microsoft frontpage
2006-12-17 19:37 d--hs---- C:\Documents and Settings\All Users\DRM
2006-12-17 19:36 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-12-17 19:36 dr------- C:\WINDOWS\Offline Web Pages
2006-12-17 19:36 d--h----- C:\Program Files\WindowsUpdate
2006-12-17 19:36 d---s---- C:\WINDOWS\Downloaded Program Files
2006-12-17 19:36 d-------- C:\WINDOWS\system32\DirectX
2006-12-17 19:35 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-12-17 19:35 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-12-17 19:35 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-12-17 19:35 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-12-17 19:35 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-12-17 19:35 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-12-17 19:35 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-12-17 19:35 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-12-17 19:35 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-12-17 19:35 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-12-17 19:35 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2006-12-17 19:35 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-12-17 19:35 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-12-17 19:35 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-17 19:35 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-12-17 19:35 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-12-17 19:35 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-12-17 19:35 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-12-17 19:35 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-12-17 19:35 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-12-17 19:35 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-12-17 19:35 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-12-17 19:35 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-12-17 19:35 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-12-17 19:35 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-12-17 19:35 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-12-17 19:35 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-12-17 19:35 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-12-17 19:35 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-12-17 19:35 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-17 19:35 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-12-17 19:35 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-12-17 19:35 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-12-17 19:35 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-17 19:35 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-12-17 19:35 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-12-17 19:35 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-12-17 19:35 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-12-17 19:35 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-17 19:35 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-12-17 19:35 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-12-17 19:35 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-17 19:35 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-12-17 19:35 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-12-17 19:35 d---s---- C:\WINDOWS\Tasks
2006-12-17 19:35 d-------- C:\WINDOWS\system32\Restore
2006-12-17 19:35 d-------- C:\WINDOWS\system32\Macromed
2006-12-17 19:35 d-------- C:\WINDOWS\srchasst
2006-12-17 19:35 d-------- C:\Program Files\Outlook Express
2006-12-17 19:35 d-------- C:\Program Files\NetMeeting
2006-12-17 19:35 d-------- C:\Program Files\Movie Maker
2006-12-17 19:35 d-------- C:\Program Files\Internet Explorer
2006-12-17 19:35 d-------- C:\Program Files\ComPlus Applications
2006-12-17 19:35 d-------- C:\Program Files\Common Files\System
2006-12-17 19:35 d-------- C:\Program Files\Common Files\Services
2006-12-17 19:35 d-------- C:\Program Files\Common Files\MSSoap
2006-12-17 19:34 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-12-17 19:34 d-------- C:\WINDOWS\Registration
2006-12-17 19:34 d-------- C:\Program Files\Windows Media Player
2006-12-17 19:34 d-------- C:\Program Files\Online Services
2006-12-17 19:34 d-------- C:\Program Files\MSN Gaming Zone
2006-12-17 19:34 d-------- C:\Program Files\Messenger
2006-12-17 19:33 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-12-17 19:33 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-12-17 19:33 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-12-17 19:33 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-12-17 19:33 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-12-17 19:33 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-12-17 19:33 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-12-17 19:33 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-12-17 19:33 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-12-17 19:33 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-12-17 19:33 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-12-17 19:33 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-12-17 19:33 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-12-17 19:33 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-12-17 19:33 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-12-17 19:33 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-12-17 19:33 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-12-17 19:33 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-12-17 19:33 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-12-17 19:33 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-12-17 19:33 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-12-17 19:33 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-12-17 19:33 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-12-17 19:33 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-12-17 19:33 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-12-17 19:33 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-12-17 19:33 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-12-17 19:33 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-12-17 19:33 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-12-17 19:33 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-12-17 19:33 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2006-12-17 19:33 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-12-17 19:33 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-12-17 19:33 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-12-17 19:33 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-12-17 19:33 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-12-17 19:33 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-12-17 19:33 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-17 19:33 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-12-17 19:33 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-12-17 19:33 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-12-17 19:33 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-12-17 19:33 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-12-17 19:33 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-12-17 19:33 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-12-17 19:33 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-12-17 19:33 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-12-17 19:33 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-12-17 19:33 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-12-17 19:33 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-12-17 19:33 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-12-17 19:33 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-12-17 19:33 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-17 19:33 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-12-17 19:33 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-12-17 19:33 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-12-17 19:33 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-12-17 19:33 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-12-17 19:33 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-12-17 19:33 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-12-17 19:33 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-12-17 19:33 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-12-17 19:33 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-12-17 19:33 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-12-17 19:33 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-12-17 19:33 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-12-17 19:33 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-12-17 19:33 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-12-17 19:33 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-12-17 19:33 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-12-17 19:33 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-17 19:33 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-17 19:33 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-12-17 19:33 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-17 19:33 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-12-17 19:33 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-12-17 19:33 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-12-17 19:33 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-12-17 19:33 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-12-17 19:33 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-12-17 19:33 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-17 19:33 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-12-17 19:33 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-12-17 19:33 d-------- C:\WINDOWS\system32\MsDtc
2006-12-17 19:33 d-------- C:\WINDOWS\system32\Com
2006-12-17 19:33 d-------- C:\Program Files\Windows NT
2006-12-17 19:33 d-------- C:\Program Files\MSN
2006-12-17 13:30 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-12-17 13:30 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-12-17 13:30 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-12-17 13:30 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-12-17 13:30 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-12-17 13:30 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-12-17 13:30 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-12-17 13:30 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-12-17 13:30 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-12-17 13:30 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-12-17 13:30 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-12-17 13:30 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-12-17 13:29 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2006-12-17 13:29 860,480 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-12-17 13:29 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-12-17 13:29 51,200 --a------ C:\WINDOWS\system32\sfman32.dll
2006-12-17 13:29 42,240 --a------ C:\WINDOWS\system32\drivers\VIAAGP.SYS
2006-12-17 13:29 36,480 --a------ C:\WINDOWS\system32\drivers\sfmanm.sys
2006-12-17 13:29 258,048 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-12-17 13:29 256,512 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-12-17 13:29 2,636,672 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-12-17 13:29 162,816 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2006-12-17 13:29 1,505,792 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-12-17 13:28 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-12-17 13:28 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-17 13:28 6,912 --a------ C:\WINDOWS\system32\drivers\ctlfacem.sys
2006-12-17 13:28 495,616 --a------ C:\WINDOWS\system32\sblfx.dll
2006-12-17 13:28 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-12-17 13:28 4,096 --a------ C:\WINDOWS\system32\ctwdm32.dll
2006-12-17 13:28 3,712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys
2006-12-17 13:28 283,904 --a------ C:\WINDOWS\system32\drivers\emu10k1m.sys
2006-12-17 13:28 256,512 --a------ C:\WINDOWS\system32\devcon32.dll
2006-12-17 13:28 24,064 --a------ C:\WINDOWS\system32\devldr32.exe
2006-12-17 13:28 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-12-17 13:28 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
 

Derek · Retired Moderator, Retired Malware Specialist
Next

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm
_ _ _ _

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
 

Discussion Starter · Registered · #5
Part 2, followed by the HJT log AFTER
----------------------------------------------------------------------------------------------

2006-12-17 13:27 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2006-12-17 13:27 9,008 --a------ C:\WINDOWS\system\VER.DLL
2006-12-17 13:27 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-12-17 13:27 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2006-12-17 13:27 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-12-17 13:27 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-12-17 13:27 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-12-17 13:27 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-12-17 13:27 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2006-12-17 13:27 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2006-12-17 13:27 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-12-17 13:27 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-12-17 13:27 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-12-17 13:27 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-12-17 13:27 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2006-12-17 13:27 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2006-12-17 13:27 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-12-17 13:27 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2006-12-17 13:27 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2006-12-17 13:27 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-12-17 13:27 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2006-12-17 13:27 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-12-17 13:27 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2006-12-17 13:27 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-12-17 13:27 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2006-12-17 13:27 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-12-17 13:27 d-a------ C:\Program Files\Common Files\..
2006-12-17 13:27 d-a------ C:\Program Files\.
2006-12-17 13:27 d-a------ C:\Program Files
2006-12-17 13:27 d--hs---- C:\WINDOWS\Installer
2006-12-17 13:27 d--hs---- C:\Program Files\..
2006-12-17 13:27 d-------- C:\Program Files\Common Files\SpeechEngines
2006-12-17 13:27 d-------- C:\Program Files\Common Files\ODBC
2006-12-17 13:27 d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-17 13:27 d-------- C:\Program Files\Common Files\.
2006-12-17 13:27 d-------- C:\Program Files\Common Files
2006-12-17 13:26 dr-h----- C:\Documents and Settings\All Users\Application Data\.
2006-12-17 13:26 dr-h----- C:\Documents and Settings\All Users\Application Data
2006-12-17 13:26 dr------- C:\Documents and Settings\All Users\Start Menu
2006-12-17 13:26 dr------- C:\Documents and Settings\All Users\Documents
2006-12-17 13:26 d--hs---- C:\System Volume Information
2006-12-17 13:26 d--h----- C:\Documents and Settings\All Users\Templates
2006-12-17 13:26 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2006-12-17 13:26 d-------- C:\WINDOWS\system32\CatRoot2
2006-12-17 13:26 d-------- C:\WINDOWS\system32\CatRoot
2006-12-17 13:26 d-------- C:\Documents and Settings\All Users\Favorites
2006-12-17 13:26 d-------- C:\Documents and Settings\All Users\Desktop
2006-12-17 13:26 d-------- C:\Documents and Settings\All Users\Application Data\..
2006-12-17 13:26 d-------- C:\Documents and Settings\All Users\..
2006-12-17 13:26 d-------- C:\Documents and Settings\All Users\.
2006-12-17 13:26 d-------- C:\Documents and Settings
2006-12-17 13:18 dr-hsc--- C:\WINDOWS\system32\dllcache
2006-12-17 13:18 dr--s---- C:\WINDOWS\Fonts
2006-12-17 13:18 dr------- C:\WINDOWS\Web
2006-12-17 13:18 d-a------ C:\WINDOWS\system32\drivers\..
2006-12-17 13:18 d-a------ C:\WINDOWS\system32\.
2006-12-17 13:18 d-a------ C:\WINDOWS\system32
2006-12-17 13:18 d--hs---- C:\WINDOWS\..
2006-12-17 13:18 d--h----- C:\WINDOWS\inf
2006-12-17 13:18 d-------- C:\WINDOWS\WinSxS
2006-12-17 13:18 d-------- C:\WINDOWS\twain_32
2006-12-17 13:18 d-------- C:\WINDOWS\Temp
2006-12-17 13:18 d-------- C:\WINDOWS\system32\wins
2006-12-17 13:18 d-------- C:\WINDOWS\system32\wbem
2006-12-17 13:18 d-------- C:\WINDOWS\system32\usmt
2006-12-17 13:18 d-------- C:\WINDOWS\system32\spool
2006-12-17 13:18 d-------- C:\WINDOWS\system32\ShellExt
2006-12-17 13:18 d-------- C:\WINDOWS\system32\Setup
2006-12-17 13:18 d-------- C:\WINDOWS\system32\ras
2006-12-17 13:18 d-------- C:\WINDOWS\system32\oobe
2006-12-17 13:18 d-------- C:\WINDOWS\system32\npp
2006-12-17 13:18 d-------- C:\WINDOWS\system32\mui
2006-12-17 13:18 d-------- C:\WINDOWS\system32\inetsrv
2006-12-17 13:18 d-------- C:\WINDOWS\system32\IME
2006-12-17 13:18 d-------- C:\WINDOWS\system32\icsxml
2006-12-17 13:18 d-------- C:\WINDOWS\system32\ias
2006-12-17 13:18 d-------- C:\WINDOWS\system32\export
2006-12-17 13:18 d-------- C:\WINDOWS\system32\drivers\etc
2006-12-17 13:18 d-------- C:\WINDOWS\system32\drivers\disdn
2006-12-17 13:18 d-------- C:\WINDOWS\system32\drivers\.
2006-12-17 13:18 d-------- C:\WINDOWS\system32\drivers
2006-12-17 13:18 d-------- C:\WINDOWS\system32\dhcp
2006-12-17 13:18 d-------- C:\WINDOWS\system32\config
2006-12-17 13:18 d-------- C:\WINDOWS\system32\3com_dmi
2006-12-17 13:18 d-------- C:\WINDOWS\system32\3076
2006-12-17 13:18 d-------- C:\WINDOWS\system32\2052
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1054
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1042
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1041
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1037
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1033
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1031
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1028
2006-12-17 13:18 d-------- C:\WINDOWS\system32\1025
2006-12-17 13:18 d-------- C:\WINDOWS\system32\..
2006-12-17 13:18 d-------- C:\WINDOWS\system\..
2006-12-17 13:18 d-------- C:\WINDOWS\system\.
2006-12-17 13:18 d-------- C:\WINDOWS\system
2006-12-17 13:18 d-------- C:\WINDOWS\security
2006-12-17 13:18 d-------- C:\WINDOWS\Resources
2006-12-17 13:18 d-------- C:\WINDOWS\repair
2006-12-17 13:18 d-------- C:\WINDOWS\Provisioning
2006-12-17 13:18 d-------- C:\WINDOWS\PeerNet
2006-12-17 13:18 d-------- C:\WINDOWS\pchealth
2006-12-17 13:18 d-------- C:\WINDOWS\mui
2006-12-17 13:18 d-------- C:\WINDOWS\msapps
2006-12-17 13:18 d-------- C:\WINDOWS\msagent
2006-12-17 13:18 d-------- C:\WINDOWS\Media
2006-12-17 13:18 d-------- C:\WINDOWS\java
2006-12-17 13:18 d-------- C:\WINDOWS\ime
2006-12-17 13:18 d-------- C:\WINDOWS\Help
2006-12-17 13:18 d-------- C:\WINDOWS\Driver Cache
2006-12-17 13:18 d-------- C:\WINDOWS\Debug
2006-12-17 13:18 d-------- C:\WINDOWS\Cursors
2006-12-17 13:18 d-------- C:\WINDOWS\Connection Wizard
2006-12-17 13:18 d-------- C:\WINDOWS\Config
2006-12-17 13:18 d-------- C:\WINDOWS\AppPatch
2006-12-17 13:18 d-------- C:\WINDOWS\addins
2006-12-17 13:18 d-------- C:\WINDOWS\.
2006-12-17 13:18 d-------- C:\WINDOWS
2006-12-12 10:30 520,192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-12-12 10:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 10:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 10:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 10:25 806,912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 10:25 806,912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 10:25 790,528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 10:25 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 10:25 635,486 --a------ C:\WINDOWS\system32\DivX.dll
2006-12-12 10:25 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-12-12 10:25 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 10:25 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-12-12 10:25 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 10:25 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 10:25 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 10:25 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 10:24 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-12 10:24 118,784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-11-27 02:45 60,416 --------- C:\WINDOWS\system32\tzchange.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Aiuh"="\"C:\\WINDOWS\\YSTEM3~1\\rundll.exe\" -vt yazb"
"Yqliaree"="C:\\Documents and Settings\\Owner\\My Documents\\a?sembly\\m?hta.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"qqoi"="C:\\PROGRA~1\\COMMON~1\\qqoi\\qqoim.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"tgcmd"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server /startmonitor /deaf"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"czpeexk.dll"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\czpeexk.dll\",rzqlgze"
"{082A8597-047E-1033-0710-020208060001}"="\"C:\\Program Files\\Common Files\\{082A8597-047E-1033-0710-020208060001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-23 12:37:53.73
C:\ComboFix.txt ... 06-12-23 12:37

--------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:44:12 PM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\COMMON~1\qqoi\qqoia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {86A523E8-BD02-8BF5-2020-E65B542A36B3} - C:\WINDOWS\system32\ebldremb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{382A8~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [czpeexk.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\czpeexk.dll",rzqlgze
O4 - HKLM\..\Run: [{082A8597-047E-1033-0710-020208060001}] "C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aiuh] "C:\WINDOWS\YSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Yqliaree] C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [qqoi] C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
 

Derek · Retired Moderator, Retired Malware Specialist
Before running SDFix

Download http://www.uploads.ejvindh.net/rustbfix.exe and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
 

Discussion Starter · Registered · #7
Well, I already ran the SDFix; I try to keep on top of things.... I'll go back and run the other one... should I re-run the SDFix afterwards? Here's the log from SDFix...
----------------------------------------------------------------------------------------------------------

SDFix: Version 1.51
****************

Sat 12/23/2006 - 13:21:13.04

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

MsaSvc

File Path:

C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\system32\kernels1118.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\Temp\win1.tmp
C:\WINDOWS\Temp\win1A.tmp
C:\WINDOWS\Temp\win1B.tmp
C:\WINDOWS\Temp\win1C.tmp
C:\WINDOWS\Temp\win1E.tmp
C:\WINDOWS\Temp\win2.tmp
C:\WINDOWS\Temp\win20.tmp
C:\WINDOWS\Temp\win22.tmp
C:\WINDOWS\Temp\win24.tmp
C:\WINDOWS\Temp\win26.tmp
C:\WINDOWS\Temp\win29.tmp
C:\WINDOWS\Temp\win2B.tmp
C:\WINDOWS\Temp\win2C.tmp
C:\WINDOWS\Temp\win2E.tmp
C:\WINDOWS\Temp\win3.tmp
C:\WINDOWS\Temp\win4.tmp
C:\WINDOWS\Temp\win5.tmp
C:\WINDOWS\Temp\win6.tmp
C:\WINDOWS\Temp\win7.tmp
C:\WINDOWS\Temp\win8.tmp
C:\WINDOWS\Temp\win9.tmp
C:\WINDOWS\Temp\winA.tmp
C:\WINDOWS\Temp\winB.tmp
C:\WINDOWS\Temp\winC.tmp
C:\WINDOWS\Temp\winD.tmp

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Services:
---------

Rootkit PE386 Found!. Rootkit scan Needed...

Authorized Applications Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\trlrm\\RMHSvc.exe"="C:\\WINDOWS\\trlrm\\RMHSvc.exe:*:Enabled:RMHSvc.exe"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Soulseek-Test212121\\slsk.exe"="C:\\Program Files\\Soulseek-Test212121\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\trlrm\\RMHSvc.exe"="C:\\WINDOWS\\trlrm\\RMHSvc.exe:*:Enabled:RMHSvc.exe"

Files:
------
C:\WINDOWS\system32\svchosts.exe

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\system32\rqroolk.dll
C:\WINDOWS\system32\ssqpnki.dll
C:\WINDOWS\system32\ssttt.dll
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\ASEMBL~1\m?hta.exe
C:\QooBox\Purity\WINDOWS\YSTEM3~1\rundll.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Owner\My Documents\Progies\Norton Utilities Pack 2K6 V3 - CNC\Support\GBW\common\MSDOS\IO.SYS
C:\Documents and Settings\Owner\My Documents\Progies\Norton Utilities Pack 2K6 V3 - CNC\Support\GBW\common\MSDOS\MSDOS.SYS
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

FINISHED!
 

Discussion Starter · Registered · #8
Well, I ran rustbfix... it only rebooted once, only wanted to... and I only got one logfile, the pelog.txt... here are the results of that
----------------------------------------------------------------------------------------------------------
************************* Rustock.b-fix -- By ejvindh *************************
Sat 12/23/2006 13:43:30.07

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69550
Total size: 69550 bytes.
Attempting to remove ADS...
system32: deleted 69550 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************

---------------------------------------------------------------------------------------------------
And here's a new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:48:15 PM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoia.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\qqoi\qqoil.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {86A523E8-BD02-8BF5-2020-E65B542A36B3} - C:\WINDOWS\system32\ebldremb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{382A8~1\Bar888.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [czpeexk.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\czpeexk.dll",rzqlgze
O4 - HKLM\..\Run: [{082A8597-047E-1033-0710-020208060001}] "C:\Program Files\Common Files\{082A8597-047E-1033-0710-020208060001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aiuh] "C:\WINDOWS\YSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Yqliaree] C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
O4 - HKCU\..\Run: [qqoi] C:\PROGRA~1\COMMON~1\qqoi\qqoim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
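
As an added triage example (not part of the thread, and not a HijackThis feature), the Python below applies a few of the rules a malware-removal helper applies by eye when reading a log like the one above: an O23 service whose binary is "(file missing)", a URLSearchHook with "(no name)", autostarts that point into user-writable profile directories, executable names one or two characters away from a real system binary (svchosts.exe for svchost.exe, rundll.exe for rundll32.exe), and paths containing characters HijackThis renders as '?'. The sample lines are copied from the log above; the rule set, the edit-distance threshold and the function names are my own choices, not the tool's.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log in post #8 above, reduced to the ones the rules act on.
# The '?' characters are how HijackThis rendered non-ASCII characters in that log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {86A523E8-BD02-8BF5-2020-E65B542A36B3} - C:\WINDOWS\system32\ebldremb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [czpeexk.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\czpeexk.dll",rzqlgze
O4 - HKCU\..\Run: [Aiuh] "C:\WINDOWS\YSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Yqliaree] C:\Documents and Settings\Owner\My Documents\a?sembly\m?hta.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

# Windows binaries whose names malware likes to imitate (my own short list, not exhaustive).
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe", "services.exe"}

# Directories a limited user can write to on XP; an autostart pointing here deserves a look.
USER_WRITABLE_DIRS = ("\\documents and settings\\", "\\local settings\\",
                      "\\application data\\", "\\temp\\")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. O4 or O23
    line: str      # the original log line
    reasons: list  # why it was flagged


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character imitations of system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if no rule fires."""
    m = re.match(r"^(R\d|O\d+)\s*-\s*(.*)$", line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    low = body.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("target file missing")
    if "(no name)" in low:
        reasons.append("hook or toolbar with no name")
    if any(d in low for d in USER_WRITABLE_DIRS):
        reasons.append("runs from user-writable profile path")
    # Executable names that are not a real system binary but are within two edits of one.
    for exe in sorted(set(re.findall(r"[\w~]+\.exe", low))):
        if exe not in SYSTEM_BINARIES and any(levenshtein(exe, s) <= 2 for s in SYSTEM_BINARIES):
            reasons.append(f"{exe} imitates a system binary name")
    # Drive-letter paths only (URLs in R0/R1 lines legitimately contain '?').
    for path in re.findall(r'[a-z]:\\[^"\n,]+', low):
        if "?" in path or not path.isascii():
            reasons.append("path contains non-ASCII characters (shown as '?' by HJT)")
            break
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {'; '.join(f.reasons)}\n     {f.line}")
```

Run on the sample, five of the nine lines are flagged: the unnamed URLSearchHook, the rundll32 autostart loading a DLL from Local Settings, the rundll.exe entry, the Yqliaree entry (profile path plus '?' characters) and the svchosts.exe service (missing file plus imitated name). The two edits of slack in the name check is deliberate: it catches both svchosts.exe (one edit) and rundll.exe (two edits) while leaving names like ctfmon.exe and Ati2evxx.exe alone.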
 

Reply · Derek · Retired Moderator, Retired Malware Specialist · 56,593 Posts
Still got a lot more to do.

Next:

Download the GMER rootkit detector from http://gmer.thespykiller.co.uk/index.php

Unzip it and double-click the gmer.exe file.

Select the Rootkit tab and press Scan.

When it has finished, press Save and post back the log it makes.

Also select the Autostarts tab and do the same there.

http://gmer.thespykiller.co.uk/catchme.php

Download catchme.exe (25kB) to your desktop.

Double-click catchme.exe to run it.

Open catchme.log to see the results.
 