[Closed] Treveuren Or Other Plz Help


  • This topic is locked
8 replies to this topic

#1 riparian

  • New Member
  • 5 posts

Posted 14 July 2007 - 07:46 PM

I posted a while ago but was away on a business trip; now I'm trying desperately to get my computer fixed. Here is a copy of my ComboFix log:

"James Uhm" - 2007-07-14 21:28:50 - ComboFix 07-07-14.6 - Service Pack 1 FAT32


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tuvwtqn.dll
C:\WINDOWS\system32\lvbxrvwv.dll
C:\WINDOWS\system32\dpqcnbgn.dll
C:\WINDOWS\system32\hsrqdccf.dll
C:\WINDOWS\system32\iyvckjvu.exe
C:\WINDOWS\system32\nyygknqe.exe
C:\WINDOWS\system32\pwstoqcw.dll
C:\WINDOWS\system32\tuvwtqn.dll
C:\WINDOWS\SYSTEM32\pqsru.bak1
C:\WINDOWS\SYSTEM32\pqsru.ini
C:\WINDOWS\SYSTEM32\pqsru.bak2
C:\WINDOWS\SYSTEM32\fccdqrsh.ini
C:\WINDOWS\system32\opnolji.dll
C:\WINDOWS\system32\ursqp.dll
C:\WINDOWS\system32\opnolji.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JAMESU~1\Desktop.\internet explorer.lnk
C:\Program Files\poolsv
C:\Program Files\TTC.dll
C:\tempb9
C:\tempb9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\DOWNLO~1\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UERS_9999_N91S1502NetInstaller.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\bvvnxaat.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\klqeinme.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S1\bk53.exe
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S2\mwspasrt83122.exe
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S4\wen2.exe
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S6\wr613.exe
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\tokiuucp.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-14 21:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 11:06 50,688 --a------ C:\WINDOWS\SYSTEM32\qwerty12.exe
2007-06-28 15:54 66,048 -r-hs---- C:\WINDOWS\SYSTEM\svchostw.exe
2007-06-28 15:54 66,048 -r-hs---- C:\WINDOWS\SYSTEM\regserv.exe
2007-06-28 15:54 23,552 -r-hs---- C:\WINDOWS\SYSTEM\svchostw.dll
2007-06-28 15:54 23,552 -r-hs---- C:\WINDOWS\SYSTEM\regserv.dll
2007-06-28 15:54 19,456 -r-hs---- C:\WINDOWS\SYSTEM\svchctrl.dll
2007-06-28 15:54 166,104 --a------ C:\WINDOWS\SYSTEM32\tsdiscon.dll
2007-06-28 15:54 11,776 -r-hs---- C:\WINDOWS\SYSTEM\svchctrl.exe
2007-06-20 01:17 2,624 --a------ C:\WINDOWS\SYSTEM32\ffuakshj.exe
2007-06-19 13:21 190,995 --a------ C:\WINDOWS\SYSTEM32\mpdsregr.exe
2007-06-19 13:14 921,920 -r-hs---- C:\WINDOWS\aikhznfA.exe
2007-06-19 13:14 46,592 --a------ C:\WINDOWS\aikhznf.exe
2007-06-19 13:10 192,628 --a------ C:\WINDOWS\SYSTEM32\rwinqndt.exe
2007-06-19 13:05 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-23 00:26:42 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-23 00:26:42 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-23 00:26:42 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-23 00:26:42 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-23 00:26:42 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-09-03 02:11:54 271 --sh--w C:\Program Files\desktop.ini
2004-09-03 02:11:54 23,357 ---h--w C:\Program Files\folder.htt
2004-01-27 18:23:24 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
2004-01-22 19:03:16 711 ----a-w C:\Program Files\JetShell.ini
2002-10-07 06:28:48 48 ----a-w C:\Program Files\JETVMAIL.INI


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2006A625-00CC-45FF-93D8-2306E9024BF9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"axej"="C:\Program Files\xgcf\uqjyrgs.exe" [2004-09-10 15:18]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-03-22 15:23 C:\WINDOWS\KHALMNPR.Exe]
"MP3PAgent"="C:\Program Files\Hanmaro\MediaRose\USBSync\MP3PAgent.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"@"="" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùxùüþ 


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\4ac8c624-2d76-47f5-951b-4cea31f6d8a1
C:\WINDOWS\System32\bdbamor.exe

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 21:38:03
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

C:\windows\system\svchctrl.exe [1500] 0x811AC020


scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchctrl = c:\windows\system\svchctrl.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svchctrl = c:\windows\system\svchctrl.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"svchctrl"="c:\\windows\\system\\svchctrl.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchctrl"="c:\\windows\\system\\svchctrl.exe"

Completion time: 2007-07-14 21:38:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-14 21:38

--- E O F ---




Now here is a copy of my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:58 PM, on 7/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\xgcf\uqjyrgs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James Uhm\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2006A625-00CC-45FF-93D8-2306E9024BF9} - \
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [axej] C:\Program Files\xgcf\uqjyrgs.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MP3PAgent] C:\Program Files\Hanmaro\MediaRose\USBSync\MP3PAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netm...NMStarter24.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworl...pload_10212.cab
O16 - DPF: {447F9423-2046-4267-9B93-11626D001183} (RewardNetwork amLauncher Class) - http://affiliate.rew.../WSgooddayi.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - https://member.netma...kdfense8237.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworl...e/skcbgmset.cab
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandor...ge/pdrtvset.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



Any help would be much appreciated!!! Thanks!



#2 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 14 July 2007 - 08:39 PM

A. Please run the following program:
  • Please download WinHelp2002's DelDomains.inf to your Desktop by right-clicking on the following link and choosing "Save Target As":
    http://www.mvps.org/.../DelDomains.inf

  • Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.
  • Then please restart your computer

    Note: You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this if you were using these features before.

B. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://forums.tomcoyote.org/Treveuren_Other_Plz_Help_t81268.html

Collect::
C:\WINDOWS\System32\bdbamor.exe
C:\WINDOWS\SYSTEM32\qwerty12.exe
C:\WINDOWS\SYSTEM\svchostw.exe
C:\WINDOWS\SYSTEM32\ffuakshj.exe
C:\Program Files\folder.htt
C:\Program Files\Common Files\remove_tools.html
C:\WINDOWS\SYSTEM32\rwinqndt.exe
C:\WINDOWS\SYSTEM32\mpdsregr.exe
C:\WINDOWS\aikhznfA.exe
C:\WINDOWS\aikhznf.exe
C:\WINDOWS\SYSTEM32\tsdiscon.dll
C:\WINDOWS\SYSTEM\svchctrl.dll
C:\WINDOWS\SYSTEM\svchctrl.exe
C:\WINDOWS\SYSTEM\regserv.exe
C:\WINDOWS\SYSTEM\svchostw.dll
C:\WINDOWS\SYSTEM\regserv.dll

File::
C:\WINDOWS\System32\bdbamor.exe
C:\WINDOWS\SYSTEM32\qwerty12.exe
C:\WINDOWS\SYSTEM\svchostw.exe
C:\WINDOWS\SYSTEM32\ffuakshj.exe
C:\Program Files\folder.htt
C:\Program Files\Common Files\remove_tools.html
C:\WINDOWS\SYSTEM32\rwinqndt.exe
C:\WINDOWS\SYSTEM32\mpdsregr.exe
C:\WINDOWS\aikhznfA.exe
C:\WINDOWS\aikhznf.exe
C:\WINDOWS\SYSTEM32\tsdiscon.dll
C:\WINDOWS\SYSTEM\svchctrl.dll
C:\WINDOWS\SYSTEM\svchctrl.exe
C:\WINDOWS\SYSTEM\regserv.exe
C:\WINDOWS\SYSTEM\svchostw.dll
C:\WINDOWS\SYSTEM\regserv.dll

Folder::
C:\Program Files\xgcf
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"svchctrl"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchctrl"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\4ac8c624-2d76-47f5-951b-4cea31f6d8a1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\axej]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2006A625-00CC-45FF-93D8-2306E9024BF9}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip.
Please submit this file to:

http://www.bleepingc...e.php?channel=4


6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.
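The CFScript handed to ComboFix above is a small declarative format: a section header ending in `::` (Collect::, File::, Folder::, Driver::, Registry::) followed by one target per line, with the Registry:: section written in .reg syntax where `[-KEY]` deletes a key and `"name"=-` deletes that value under the most recent `[KEY]` header. As an added example, not part of ComboFix or of any post in this thread, the following Python script parses a script in that layout, lists the actions it requests, and reports File::/Folder::/Collect:: targets that never appeared in the ComboFix log, which is how a reviewer catches a mistyped path before the script is run. The sample script is assembled (abridged) from the two CFScripts posted in this thread, the list of log paths is constructed, and the action labels are the example's own.

```python
"""Pre-flight summary of a ComboFix CFScript (added example for this thread;
not part of ComboFix or of the original posts). It lists what a script in the
layout used above (Collect::, File::, Folder::, Driver::, Registry::) asks
ComboFix to do, so the plan can be checked against the ComboFix log first.
Registry:: lines follow .reg conventions: "[-KEY]" deletes a key and
"name"=- deletes that value under the most recent "[KEY]" header."""
import re

# Sample input: assembled (abridged) from the two CFScripts posted in this thread.
SAMPLE_CFSCRIPT = r"""http://forums.tomcoyote.org/Treveuren_Other_Plz_Help_t81268.html
Collect::
C:\WINDOWS\System32\bdbamor.exe
File::
C:\WINDOWS\System32\bdbamor.exe
C:\WINDOWS\SYSTEM\svchctrl.exe
Folder::
C:\Program Files\xgcf
C:\Temp
Driver::
websv
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"svchctrl"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchctrl"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\axej]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2006A625-00CC-45FF-93D8-2306E9024BF9}]
"""

# Constructed list of paths taken from the first ComboFix log above; the xgcf
# folder itself was never listed there, only a file inside it.
SAMPLE_LOG_PATHS = [r"C:\WINDOWS\System32\bdbamor.exe", r"C:\WINDOWS\SYSTEM\svchctrl.exe", r"C:\Temp"]

SECTION_RE = re.compile(r'^(?P<name>[A-Za-z]+)::\s*$')
KEY_RE = re.compile(r'^\[(?P<delete>-?)(?P<key>[^\]]+)\]\s*$')
VALUE_DELETE_RE = re.compile(r'^"(?P<value>[^"]*)"=-\s*$')
LIST_SECTIONS = {                 # one target per line, action label is the example's own
    "Collect": "collect for analysis",
    "File": "delete file",
    "Folder": "delete folder",
    "Driver": "remove driver/service",
}


def parse_cfscript(text):
    """Return a list of (action, target) tuples, in script order."""
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section, current_key = header.group("name"), None
            continue
        if section is None:
            continue  # text before the first section (the thread URL above) is not an action
        if section == "Registry":
            key = KEY_RE.match(line)
            if key:
                current_key = key.group("key")
                if key.group("delete"):
                    actions.append(("delete key", current_key))
                continue
            drop = VALUE_DELETE_RE.match(line)
            if drop and current_key:
                actions.append(("delete value", current_key + "\\" + drop.group("value")))
                continue
            actions.append(("unrecognised registry line", line))
        elif section in LIST_SECTIONS:
            actions.append((LIST_SECTIONS[section], line))
        else:
            actions.append((f"unknown section {section}", line))
    return actions


def summarize(actions):
    """Count actions by type, e.g. {'delete file': 2, ...}."""
    counts = {}
    for action, _target in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


def unmatched_targets(actions, observed_paths):
    """File/Folder/Collect targets that do not appear in the given log paths."""
    observed = {p.lower() for p in observed_paths}
    return [target for action, target in actions
            if action in ("collect for analysis", "delete file", "delete folder")
            and target.lower() not in observed]


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for action, target in plan:
        print(f"{action:26} {target}")
    print("summary:", summarize(plan))
    print("targets not seen in log:", unmatched_targets(plan, SAMPLE_LOG_PATHS))
```

Run on the sample, the script reports ten actions and one target the log never mentioned (`C:\Program Files\xgcf`); in this thread that folder is a deliberate choice by the helper, which is exactly the kind of entry a reviewer wants called out rather than silently accepted.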



#3 riparian

  • New Member
  • 5 posts

Posted 14 July 2007 - 09:36 PM

Hi, thank you for the quick reply! I couldn't find the zip file you said would be on my desktop, so I skipped that part. Here is a copy of my ComboFix log:

"James Uhm" - 2007-07-14 23:18:26 - ComboFix 07-07-14.6 - Service Pack 1 FAT32
Command switches used :: C:\Documents and Settings\James Uhm\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\remove_tools.html
C:\Program Files\folder.htt
C:\Program Files\xgcf
C:\Program Files\xgcf\myalrim.exe
C:\Program Files\xgcf\spare.idx
C:\Program Files\xgcf\uqjyrgs.exe
C:\Temp
C:\WINDOWS\aikhznf.exe
C:\WINDOWS\aikhznfA.exe
C:\WINDOWS\SYSTEM\regserv.dll
C:\WINDOWS\SYSTEM\regserv.exe
C:\WINDOWS\SYSTEM\svchctrl.dll
C:\WINDOWS\SYSTEM\svchctrl.exe
C:\WINDOWS\SYSTEM\svchostw.dll
C:\WINDOWS\SYSTEM\svchostw.exe
C:\WINDOWS\SYSTEM32\ffuakshj.exe
C:\WINDOWS\SYSTEM32\mpdsregr.exe
C:\WINDOWS\SYSTEM32\qwerty12.exe
C:\WINDOWS\SYSTEM32\rwinqndt.exe
C:\WINDOWS\SYSTEM32\tsdiscon.dll


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-14 23:06 208,896 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-07-14 21:26 51,200 --a------ C:\WINDOWS\nircmd.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 02:55:22 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-07-15 02:55:22 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-05-23 00:26:42 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-23 00:26:42 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-23 00:26:42 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-23 00:26:42 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-23 00:26:42 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-09-03 02:11:54 271 --sh--w C:\Program Files\desktop.ini
2004-01-22 19:03:16 711 ----a-w C:\Program Files\JetShell.ini
2002-10-07 06:28:48 48 ----a-w C:\Program Files\JETVMAIL.INI


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"axej"="C:\Program Files\xgcf\uqjyrgs.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-03-22 15:23 C:\WINDOWS\KHALMNPR.Exe]
"MP3PAgent"="C:\Program Files\Hanmaro\MediaRose\USBSync\MP3PAgent.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Teea"="C:\PROGRA~1\MCROSO~1\wowexec.exe" []
"Xnsqcj"="C:\Program Files\??mantec\?ervices.exe" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùxùüþ 


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 23:26:21
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-14 23:26:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-14 23:26

--- E O F ---



And a copy of my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:29 PM, on 7/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\James Uhm\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [axej] C:\Program Files\xgcf\uqjyrgs.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MP3PAgent] C:\Program Files\Hanmaro\MediaRose\USBSync\MP3PAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Teea] "C:\PROGRA~1\MCROSO~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [Xnsqcj] "C:\Program Files\??mantec\?ervices.exe"
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netm...NMStarter24.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworl...pload_10212.cab
O16 - DPF: {447F9423-2046-4267-9B93-11626D001183} (RewardNetwork amLauncher Class) - http://affiliate.rew.../WSgooddayi.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - https://member.netma...kdfense8237.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworl...e/skcbgmset.cab
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandor...ge/pdrtvset.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Thanks again!!
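The helper in this thread reads O4 entries by eye; the second HijackThis log above shows the kind of entries that stand out, such as `C:\PROGRA~1\MCROSO~1\wowexec.exe` (a short name that only resembles the Microsoft folder) and `C:\Program Files\??mantec\?ervices.exe` (characters HijackThis cannot print, a Symantec lookalike folder and a file named almost like services.exe outside system32). As an added example, not a tool from this thread or from the HijackThis or ComboFix authors, the following Python script parses O4 Run lines in the format HijackThis v1.99.1 prints them and applies those three name-based checks. The vendor list, the system-binary list, the 0.75 similarity threshold, and the constructed svchctrl line (modelled on the catchme output in the first ComboFix log) are assumptions of the example; an entry it leaves as "ok" has merely passed these checks, nothing more.

```python
"""Name-based triage of HijackThis O4 (autorun) entries: an added example for
this thread, not a tool from the original posts or from the HijackThis and
ComboFix authors. The heuristics, threshold and reference lists are the
example's own assumptions, tuned on the log lines quoted in this thread."""
import re
from difflib import SequenceMatcher

# Sample input: O4 lines copied from the two HijackThis logs in this thread,
# one constructed line (svchctrl, modelled on the catchme output above) and one
# Global Startup line to show that non-Run entries are skipped.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [axej] C:\Program Files\xgcf\uqjyrgs.exe',
    r'O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE',
    r'O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1',
    r'O4 - HKCU\..\Run: [Teea] "C:\PROGRA~1\MCROSO~1\wowexec.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Xnsqcj] "C:\Program Files\??mantec\?ervices.exe"',
    r'O4 - HKLM\..\Run: [svchctrl] c:\windows\system\svchctrl.exe',  # constructed
    r'O4 - Global Startup: Logitech SetPoint.lnk = ?',
]

# Assumed reference lists: vendor folders an autorun path might imitate, and
# core Windows binaries whose genuine copies live in %WINDIR%\system32.
VENDOR_DIRS = ["Microsoft", "Symantec", "Adobe", "Google", "Logitech", "Apple", "Java"]
SYSTEM_BINARIES = ["svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"]
LOOKALIKE_THRESHOLD = 0.75  # SequenceMatcher ratio at which a name counts as a near miss

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXE_RE = re.compile(r'(?i)^(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)')


def parse_o4(line):
    """Return (hive, value name, program path) for an HKLM/HKCU Run entry, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        path = cmd[1:cmd.find('"', 1)]
    else:                                        # unquoted: cut after the first executable
        exe = EXE_RE.match(cmd)
        path = exe.group(1) if exe else cmd
    return m.group("hive"), m.group("name"), path


def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def strip_noise(component):
    """Drop an 8.3 suffix (~1) and the '?' HijackThis prints for unrenderable characters."""
    return re.sub(r'~\d+$', '', component).replace('?', '')


def vendor_lookalike(folder):
    """A genuine 8.3 truncation (MICROS~1) is a prefix of the vendor name; a folder
    that merely resembles it (MCROSO~1) is not. Returns the imitated vendor or None."""
    core = strip_noise(folder)
    if not core or any(v.lower().startswith(core.lower()) for v in VENDOR_DIRS):
        return None
    for vendor in VENDOR_DIRS:
        if similarity(core, vendor) >= LOOKALIKE_THRESHOLD:
            return vendor
    return None


def system_binary_lookalike(path):
    """Return the system binary a file name resembles when it is not under system32, else None."""
    parts = path.split('\\')
    parent = parts[-2].lower() if len(parts) > 1 else ''
    if parent == 'system32':
        return None
    filename = strip_noise(parts[-1])
    for sysbin in SYSTEM_BINARIES:
        if similarity(filename, sysbin) >= LOOKALIKE_THRESHOLD:
            return sysbin
    return None


def triage(lines):
    """Return [(value name, path, findings)] for every Run entry; empty findings means nothing stood out."""
    results = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        _hive, name, path = parsed
        findings = []
        if '?' in path:
            findings.append("path contains characters HijackThis could not print ('?')")
        for folder in path.split('\\')[1:-1]:   # skip drive letter and file name
            vendor = vendor_lookalike(folder)
            if vendor:
                findings.append(f"folder '{folder}' resembles vendor folder '{vendor}'")
        sysbin = system_binary_lookalike(path)
        if sysbin:
            findings.append(f"file name resembles '{sysbin}' but is outside system32")
        results.append((name, path, findings))
    return results


def flagged_names(lines):
    return [name for name, _path, findings in triage(lines) if findings]


if __name__ == "__main__":
    for name, path, findings in triage(SAMPLE_O4_LINES):
        print("REVIEW" if findings else "ok    ", f"[{name}] {path}", findings)
```

On the sample the script flags Teea, Xnsqcj and svchctrl and leaves the QuickTime, Logitech, Adobe and axej entries alone. The axej case shows the limit of name-based checks: `C:\Program Files\xgcf\uqjyrgs.exe` is random-looking but so are legitimate names like `KHALMNPR.EXE`, so the helper's judgement, not a heuristic, decided that one.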

#4 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 14 July 2007 - 10:36 PM

Too bad you lost that file. There was some new stuff in there that we could have used. Those files are sent to the developer of the tool, who studies them in depth and then includes them in the next version of the tool. Right now we are in a holding pattern, as I am asking for clarification on how to handle a certain entry. This one:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùxùüþ

Probably won't have an answer before tomorrow afternoon.

#5 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 14 July 2007 - 11:19 PM

This one is for the books. Direct from the horse's mouth.


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\server.log
Folder::
C:\Program Files\RewardNet
C:\Program Files\WebGuide
C:\PROGRAM FILES\xltoolbar
Driver::
websv
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Web-Guide(À¥°¡À̵å)_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shop-Guide(À¥°¡À̵å)_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{462CE774-9B41-4C5B-BE01-17ABB60E688F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9519BB86-28B6-4a0e-A5F7-FD81C56BC505}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6112BF8-8F9F-4b42-AC9C-9900EBB895C3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F382D9F9-25D5-4f44-A6FF-33DACB2851A3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0B73C9D-78A6-36C7-B365-104FE04FD373}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0B73C9D-78A6-36C7-B365-104FE04FD375}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F0771CC-458C-369F-AD08-E555A5C2E2E3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7732E3A4-AB48-33A9-9AB8-443C710E09A3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF301EBA-70DE-376D-A3CE-777429C9D703}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF301EBA-70DE-376D-A3CE-777429C9D705}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CB0CF42-DA54-47d2-8999-23928A2DEA42}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{654A13EB-86F4-4592-B138-81986C4A08E2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{688F6649-8FFB-4E76-8924-74C0EC0827A4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8A4FC4-6523-4180-A8DC-21A2E227EDA2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{462CE774-9B41-4C5B-BE01-17ABB60E688F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{92851AEF-6984-4087-A0AC-804FE71DFD87}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6112BF8-8F9F-4B42-AC9C-9900EBB895C1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F8635DDA-650D-44F2-AB42-7A096A4FD507}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F0771CC-458C-369F-AD08-E555A5C2E2E1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7732E3A4-AB48-33A9-9AB8-443C710E09A1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A0B73C9D-78A6-36C7-B365-104FE04FD371}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A0B73C9D-78A6-36C7-B365-104FE04FD376}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-1C44D0DA9B5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DF301EBA-70DE-376D-A3CE-777429C9D701}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DF301EBA-70DE-376D-A3CE-777429C9D704}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3CB0CF42-DA54-47d2-8999-23928A2DEA42}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09ABD650-1C76-40C8-9438-990CD42C1A9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{688F6649-8FFB-4E76-8924-74C0EC0827A4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E460E9-23EE-4BA8-B3D8-F1FBC88BE462}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4F4BC58D-B12A-411F-B55E-A9A2D8269F77}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7F699F81-05D3-4958-8E00-D2E5AD4F02F4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6112BF8-8F9F-4B42-AC9C-9900EBB895C2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3F0771CC-458C-369F-AD08-E555A5C2E2E2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7732E3A4-AB48-33A9-9AB8-443C710E09A2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A0B73C9D-78A6-36C7-B365-104FE04FD372}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DF301EBA-70DE-376D-A3CE-777429C9D702}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3CB0CF42-DA54-47d2-8999-23928A2DEA42}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C36A6F17-1909-45D5-AA32-DD2AD66AB482}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EF95B826-3798-4ED0-86A4-06F292EF68A8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiteX.LiteConnection]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiteX.LiteConnection.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiteX.LiteStatement]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiteX.LiteStatement.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNet.Utility]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNet.Utility.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.WebGuide]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.WebGuide.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.coHelper]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.coHelper.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.coLauncher]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.coLauncher.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.IEToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.IEToolbar.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.InfoBand]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.InfoBand.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.InfoBandObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.InfoBandObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.InHelper]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.InHelper.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dkbLauncher.coLauncher]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dkbLauncher.coLauncher.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNet.Utility]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNet.Utility.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.XLToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.XLToolbar.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.ShopGuide]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RewardNetwork.ShopGuide.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{20ECA797-B523-4e89-8210-FFFD3CD0F696}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\RewardNet]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WebGuide]
[-HKEY_LOCAL_MACHINE\SOFTWARE\XlToolBar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\RewardNetwork]
[-HKEY_LOCAL_MACHINE\SOFTWARE\ShopGuide]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\websv]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2DDC6074-A97A-43c5-903C-5095972A18F6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{20ECA797-B523-4e89-8210-FFFD3CD0F696}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EC9679F6-42B7-4593-9E1C-AF421066C123}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A0B73C9D-78A6-36C7-B365-104FE04FD373}"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A0B73C9D-78A6-36C7-B365-104FE04FD373}"=-
[HKEY_USERS\.Default\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A0B73C9D-78A6-36C7-B365-104FE04FD373}"=-
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A0B73C9D-78A6-36C7-B365-104FE04FD373}"=-
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A0B73C9D-78A6-36C7-B365-104FE04FD373}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"rewardnet"=-

[-HKEY_CURRENT_USER\SOFTWARE\Xltoolbar]
[-HKEY_CURRENT_USER\SOFTWARE\RewardNetwork]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\auction.co.kr]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\web-guide.co.kr]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DDC6074-A97A-43c5-903C-5095972A18F6}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E22694D-7B92-42A1-89A7-668E2F7AA107}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3F0771CC-458C-369F-AD08-E555A5C2E2E3}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB3}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0B73C9D-78A6-36C7-B365-104FE04FD373}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CB0CF42-DA54-47d2-8999-23928A2DEA42}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{654A13EB-86F4-4592-B138-81986C4A08E2}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20ECA797-B523-4E89-8210-FFFD3CD0F696}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EC9679F6-42B7-4593-9E1C-AF421066C123}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F382D9F9-25D5-4F44-A6FF-33DACB2851A3}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{2DDC6074-A97A-43c5-903C-5095972A18F6}"=-
"{20ECA797-B523-4e89-8210-FFFD3CD0F696}"=-
"{EC9679F6-42B7-4593-9E1C-AF421066C123}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]
"*.rewardnetwork.net"=-
"*.xltoolbar.co.kr"=-
"*.cleanx.co.kr"=-
"*.web-guide.co.kr"=-
"*.shop-guide.co.kr"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database]
"goicfboogidikkejccmclpieicihhlpo konpdo"=-

[-HKEY_USERS\.Default\SOFTWARE\Xltoolbar]
[-HKEY_USERS\.Default\SOFTWARE\RewardNetwork]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\auction.co.kr]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\web-guide.co.kr]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DDC6074-A97A-43c5-903C-5095972A18F6}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E22694D-7B92-42A1-89A7-668E2F7AA107}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3F0771CC-458C-369F-AD08-E555A5C2E2E3}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB3}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0B73C9D-78A6-36C7-B365-104FE04FD373}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CB0CF42-DA54-47d2-8999-23928A2DEA42}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{654A13EB-86F4-4592-B138-81986C4A08E2}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20ECA797-B523-4E89-8210-FFFD3CD0F696}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EC9679F6-42B7-4593-9E1C-AF421066C123}]
[-HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F382D9F9-25D5-4F44-A6FF-33DACB2851A3}]
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{2DDC6074-A97A-43c5-903C-5095972A18F6}"=-
"{20ECA797-B523-4e89-8210-FFFD3CD0F696}"=-
"{EC9679F6-42B7-4593-9E1C-AF421066C123}"=-
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\New Windows\Allow]
"*.rewardnetwork.net"=-
"*.xltoolbar.co.kr"=-
"*.cleanx.co.kr"=-
"*.web-guide.co.kr"=-
"*.shop-guide.co.kr"=-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database]
"goicfboogidikkejccmclpieicihhlpo konpdo"=-

[-HKEY_USERS\S-1-5-19\SOFTWARE\Xltoolbar]
[-HKEY_USERS\S-1-5-19\SOFTWARE\RewardNetwork]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\auction.co.kr]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\web-guide.co.kr]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DDC6074-A97A-43c5-903C-5095972A18F6}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E22694D-7B92-42A1-89A7-668E2F7AA107}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3F0771CC-458C-369F-AD08-E555A5C2E2E3}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB3}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0B73C9D-78A6-36C7-B365-104FE04FD373}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CB0CF42-DA54-47d2-8999-23928A2DEA42}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{654A13EB-86F4-4592-B138-81986C4A08E2}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20ECA797-B523-4E89-8210-FFFD3CD0F696}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EC9679F6-42B7-4593-9E1C-AF421066C123}]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F382D9F9-25D5-4F44-A6FF-33DACB2851A3}]
[-HKEY_USERS\S-1-5-20\SOFTWARE\Xltoolbar]
[-HKEY_USERS\S-1-5-20\SOFTWARE\RewardNetwork]
[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{2DDC6074-A97A-43c5-903C-5095972A18F6}"=-
"{20ECA797-B523-4e89-8210-FFFD3CD0F696}"=-
"{EC9679F6-42B7-4593-9E1C-AF421066C123}"=-
[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\New Windows\Allow]
"*.rewardnetwork.net"=-
"*.xltoolbar.co.kr"=-
"*.cleanx.co.kr"=-
"*.web-guide.co.kr"=-
"*.shop-guide.co.kr"=-
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database]
"goicfboogidikkejccmclpieicihhlpo konpdo"=-

[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\auction.co.kr]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\web-guide.co.kr]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DDC6074-A97A-43c5-903C-5095972A18F6}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E22694D-7B92-42A1-89A7-668E2F7AA107}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3F0771CC-458C-369F-AD08-E555A5C2E2E3}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86BA3446-BCC4-323B-9EC5-EEE4D1EB8DB3}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0B73C9D-78A6-36C7-B365-104FE04FD373}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F90BB714-01B6-438B-8993-F6E46ACBFA24}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CB0CF42-DA54-47d2-8999-23928A2DEA42}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{654A13EB-86F4-4592-B138-81986C4A08E2}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20ECA797-B523-4E89-8210-FFFD3CD0F696}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EC9679F6-42B7-4593-9E1C-AF421066C123}]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F382D9F9-25D5-4F44-A6FF-33DACB2851A3}]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{2DDC6074-A97A-43c5-903C-5095972A18F6}"=-
"{20ECA797-B523-4e89-8210-FFFD3CD0F696}"=-
"{EC9679F6-42B7-4593-9E1C-AF421066C123}"=-
[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\New Windows\Allow]
"*.rewardnetwork.net"=-
"*.xltoolbar.co.kr"=-
"*.cleanx.co.kr"=-
"*.web-guide.co.kr"=-
"*.shop-guide.co.kr"=-
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database]
"goicfboogidikkejccmclpieicihhlpo konpdo"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Post edited to include another folder

Edited by Trevuren, 14 July 2007 - 11:36 PM.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#6 riparian (New Member, 5 posts)

Posted 15 July 2007 - 03:21 AM

Well!! My computer is considerably faster and I no longer get weird internet pop-up ads. For some reason my RealPlayer program stopped working, but that's not essential. Here are my logs:

"James Uhm" - 2007-07-15 5:08:26 - ComboFix 07-07-14.6 - Service Pack 1 FAT32
Command switches used :: C:\Documents and Settings\James Uhm\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\RewardNet
C:\Program Files\RewardNet\rnutil.dll


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-14 23:06 208,896 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-07-14 21:26 51,200 --a------ C:\WINDOWS\nircmd.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 02:55:22 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-07-15 02:55:22 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-05-23 00:26:42 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-23 00:26:42 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-23 00:26:42 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-23 00:26:42 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-23 00:26:42 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-09-03 02:11:54 271 --sh--w C:\Program Files\desktop.ini
2004-01-22 19:03:16 711 ----a-w C:\Program Files\JetShell.ini
2002-10-07 06:28:48 48 ----a-w C:\Program Files\JETVMAIL.INI


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"axej"="C:\Program Files\xgcf\uqjyrgs.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-03-22 15:23 C:\WINDOWS\KHALMNPR.Exe]
"MP3PAgent"="C:\Program Files\Hanmaro\MediaRose\USBSync\MP3PAgent.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Teea"="C:\PROGRA~1\MCROSO~1\wowexec.exe" []
"Xnsqcj"="C:\Program Files\??mantec\?ervices.exe" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 05:12:18
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-15 5:12:41
C:\ComboFix-quarantined-files.txt ... 2007-07-15 05:12
C:\ComboFix2.txt ... 2007-07-14 23:26

--- E O F ---


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:19:10 AM, on 7/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\James Uhm\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [axej] C:\Program Files\xgcf\uqjyrgs.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MP3PAgent] C:\Program Files\Hanmaro\MediaRose\USBSync\MP3PAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Teea] "C:\PROGRA~1\MCROSO~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [Xnsqcj] "C:\Program Files\??mantec\?ervices.exe"
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netm...NMStarter24.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworl...pload_10212.cab
O16 - DPF: {447F9423-2046-4267-9B93-11626D001183} (RewardNetwork amLauncher Class) - http://affiliate.rew.../WSgooddayi.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - https://member.netma...kdfense8237.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworl...e/skcbgmset.cab
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandor...ge/pdrtvset.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Anything more that needs to be done?

#7 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 15 July 2007 - 11:44 AM

A. Please run the following program:
  • Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As": DelDomains.inf to your Desktop
    http://www.mvps.org/.../DelDomains.inf

  • Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.
Note: You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this if you were using these features before.

B. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [axej] C:\Program Files\xgcf\uqjyrgs.exe
    O4 - HKCU\..\Run: [Xnsqcj] "C:\Program Files\??mantec\?ervices.exe"
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - https://member.netma...kdfense8237.cab


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode
    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):

    C:\Program Files\??mantec<==Folder and all its content. You will have to look for a folder in \Program Files that ends with the letters mantec. The first letters could be any character, even Sym or Ym. When you find a likely candidate, RIGHT click on the file and choose Properties. If it doesn't say that it was made by Symantec, then delete it.
    C:\Program Files\xgcf<==Folder and all its content


  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

Edited by Trevuren, 15 July 2007 - 11:45 AM.

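The checks Trevuren makes by hand in the post above (an O4 autostart the helper does not recognise, the look-alike "??mantec" folder whose name only ends like Symantec, the O15 zone advisory, and an O16 ActiveX download with no friendly name) can be turned into a small log triage. The Python below is an added example and not part of this thread; the allowlist, the vendor list, the sample log lines and the red-flag heuristics are constructed assumptions for the example, not HijackThis's own rules.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed allowlist standing in for the known-good database a helper
# consults; it is an assumption for this example, not an authoritative list.
KNOWN_GOOD_O4 = {
    "QuickTime Task", "SunJavaUpdateSched", "iTunesHelper", "DAEMON Tools",
    "Logitech Hardware Abstraction Layer", "updateMgr", "MP3PAgent", "SNM",
}
# Vendor folder names that malware imitates with look-alike spellings (assumed list).
VENDOR_DIRS = {"symantec", "microsoft"}

# O4 lines look like: O4 - HKLM\..\Run: [name] "path" args
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample in HijackThis format: the four lines the helper asked the
# poster to fix, plus benign entries from the same log as negatives.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [axej] C:\Program Files\xgcf\uqjyrgs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Xnsqcj] "C:\Program Files\??mantec\?ervices.exe"
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - https://member.netma...kdfense8237.cab
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandor...ge/pdrtvset.cab
"""


def split_command(cmd: str) -> str:
    """Return the executable path from an O4 command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: arguments start at the first ' -' or ' /'.
    return re.match(r"(.*?)(?:\s+[-/].*)?$", cmd).group(1)


def path_red_flags(path: str) -> list[str]:
    """Heuristic red flags on a path: non-ASCII names (HJT prints them as '?')
    and folder names that end like a vendor's name but are not that name."""
    flags = []
    if "?" in path or any(ord(c) > 127 for c in path):
        flags.append("non-ASCII characters in path (HJT shows them as '?')")
    for part in re.split(r"[\\/]", path)[:-1]:  # folder components only
        letters = re.sub(r"[^a-z]", "", part.lower())
        for vendor in VENDOR_DIRS:
            # >= 6 letters so short legitimate names do not trip the check
            if len(letters) >= 6 and letters != vendor and vendor.endswith(letters):
                flags.append(f"folder {part!r} imitates {vendor!r}")
    return flags


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer should look at, with the reasons why."""
    findings = []
    for raw in log_text.splitlines():
        line, reasons = raw.strip(), []
        m = O4_RE.match(line)
        if m:
            if m.group("name") not in KNOWN_GOOD_O4:
                reasons.append(f"autostart {m.group('name')!r} not on the allowlist")
            reasons += path_red_flags(split_command(m.group("cmd")))
        elif line.startswith("O15 - ProtocolDefaults") and "should be" in line:
            reasons.append("protocol mapped to the wrong security zone")
        elif line.startswith("O16 - DPF") and "(" not in line:
            reasons.append("ActiveX download with no friendly name")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f.line, "\n   ->", "; ".join(f.reasons))
```

Every hit is a candidate for review, not a verdict: an unknown but legitimate autostart will land on the list until it is added to the allowlist.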

#8 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 24 July 2007 - 09:10 PM

I hope you are well and not experiencing any difficulties carrying out my last set of instructions. If you are, do not hesitate to ask for further explanations. If however, your problem has been solved or you no longer require our assistance, please advise us accordingly and we will archive your topic.

Trevuren

#9 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 02 August 2007 - 07:17 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.