
[Resolved] Popups, and Virus Issues Please Help Help Help!


12 replies to this topic

#1 DIVA69VAMPED (New Member, 6 posts)

Posted 09 September 2007 - 12:49 AM

Popups taking over computer and keyboard. The WinAntiVirusPro is the starting virus; others are mounting. Please help, urgent, computer slowly breaking down. Please please please help. HijackThis log file below. TTY



Logfile of HijackThis v1.99.1
Scan saved at 1:42:12 AM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PeoplePC\ISP6530\Browser\PPShared.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O3 - Toolbar: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\system32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\olobpqrq.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189277119218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189276897375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1E14C58-E40E-4F2F-9B04-49F0D372CF53}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

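The log above already contains the entries a helper reads first: a Run key that loads a DLL from system32 through rundll32 with an opaque export name (olobpqrq.dll, sitypnow), and an IE ProxyServer set to localhost:8080, which routes every browser request through some local process. The ComboFix file listing posted later in the thread adds a third pattern: a DLL (awtsq.dll) whose name spelled backwards also exists as hidden, system-attribute .bak files (qstwa.bak1, qstwa.bak2). The Python script below is an added example from the editor, not part of the thread and not code from HijackThis or ComboFix; it parses lines of those shapes and scores them. The sample lines are constructed from the logs above, the severity labels and the `netstat -ano` check are the editor's suggestion, and a localhost proxy on its own is not proof of infection, since accelerator software can legitimately install one.

```python
"""Triage helpers for HijackThis and ComboFix logs (added example, not from the thread)."""
import re

# Constructed sample: HijackThis lines in the shape posted above (not the full log).
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\olobpqrq.dll",sitypnow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: ComboFix "Files Created" lines in the shape posted later in the thread.
COMBOFIX_SAMPLE = r"""
2007-09-09 00:39 90,176 --a------ C:\WINDOWS\system32\olobpqrq.dll
2007-09-08 13:38 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-02 14:45 2,267,903 ---hs---- C:\WINDOWS\system32\qstwa.bak2
2007-09-02 02:16 6,456 ---hs---- C:\WINDOWS\system32\qstwa.bak1
2007-09-02 02:14 297,568 --a------ C:\WINDOWS\system32\awtsq.dll
2007-09-02 02:09 43,542 --a------ C:\WINDOWS\system32\vtutrom.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.(?:dll|cpl))"?\s*,?\s*(?P<export>\S*)', re.I)
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
CF_FILE_RE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>[\d,]+)\s+(?P<attrs>\S{9})\s+(?P<path>.+)$")


def parse_hjt(text):
    """Return (IE ProxyServer value or None, list of O4 Run entries as dicts)."""
    proxy, runs = None, []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            proxy = m.group("value").strip()
        m = O4_RE.match(line)
        if m:
            runs.append(m.groupdict())
    return proxy, runs


def parse_combofix_files(text):
    """Return the 'Files Created' entries as dicts with date, size (int), attrs and path."""
    files = []
    for line in text.splitlines():
        m = CF_FILE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            files.append(entry)
    return files


def triage(hjt_text, combofix_text):
    """Return a list of (severity, message) findings; severity is 'high' or 'review'."""
    findings = []
    proxy, runs = parse_hjt(hjt_text)

    # 1. A proxy on localhost means every IE request passes through some local process.
    #    Accelerator software can set this legitimately, so identify the listener first.
    if proxy and re.search(r"localhost|127\.0\.0\.1", proxy, re.I):
        findings.append(("review", f"IE ProxyServer is a local listener ({proxy}); "
                                   "check which PID owns the port with 'netstat -ano'"))

    # 2. Run entries that go through rundll32: legitimate ones exist, but a DLL sitting
    #    directly in system32 with an opaque export name (like sitypnow above) does not.
    for run in runs:
        m = RUNDLL_RE.search(run["cmd"])
        if not m:
            continue
        dll, export = m.group("dll"), m.group("export") or "?"
        sev = "high" if "\\system32\\" in dll.lower() else "review"
        findings.append((sev, f"Run entry [{run['name']}] loads {dll} via rundll32, export {export}"))

    # 3. Reversed-name pairs: a DLL whose name spelled backwards also exists as a
    #    hidden+system .bak file, the pattern visible in the ComboFix listing.
    by_stem = {}
    for f in parse_combofix_files(combofix_text):
        base = f["path"].rsplit("\\", 1)[-1].lower()
        stem, _, ext = base.partition(".")
        by_stem.setdefault(stem, []).append((ext, f))
    for stem, entries in by_stem.items():
        if not any(ext == "dll" for ext, _ in entries):
            continue
        backups = [f["path"] for ext, f in by_stem.get(stem[::-1], [])
                   if ext.startswith("bak") and {"h", "s"} <= set(f["attrs"])]
        if backups:
            findings.append(("high", f"{stem}.dll has hidden/system backups under its reversed name: {backups}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f"[{sev}] {msg}")
```

Run against the constructed samples it reports one "review" finding (the local proxy) and two "high" findings (the rundll32-loaded system32 DLL and the awtsq/qstwa pair). Feed it the full logs by reading each file into the two parameters; the parsers ignore lines they do not recognise, so the rest of a HijackThis or ComboFix report passes through harmlessly.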


#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 September 2007 - 09:12 AM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

Next:


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click while it's running. That may cause it to stall.



#3 DIVA69VAMPED (New Member, 6 posts)

Posted 09 September 2007 - 11:30 AM

Thank you for replying. I did as you requested. Here are my logs from ComboFix and HijackThis. I hope you can help me. Thanks again.... Melinda


ComboFix 07-09-06 - "DEAN BUTLER" 2007-09-09 12:11:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cookies.ini


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))


2007-09-09 00:39 90,176 --a------ C:\WINDOWS\system32\olobpqrq.dll
2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-09-08 13:38 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-09-08 13:38 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-08 13:38 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-09-08 13:38 <DIR> d-------- C:\Program Files\Sygate
2007-09-08 10:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-08 00:36 90,176 --a------ C:\WINDOWS\system32\swydefiw.dll
2007-09-07 18:51 <DIR> d-------- C:\Neurostar
2007-09-07 14:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 13:41 <DIR> d-------- C:\Program Files\FileASSASSIN
2007-09-07 13:38 <DIR> d-------- C:\FileASSASSIN
2007-09-07 12:48 <DIR> d-------- C:\Program Files\CCleaner
2007-09-06 19:07 90,176 --a------ C:\WINDOWS\system32\sflehdnt.dll
2007-09-06 16:30 74,816 --a------ C:\WINDOWS\system32\toaejcre.dll
2007-09-05 16:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 16:06 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-09-05 13:46 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-05 00:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-04 16:16 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-04 14:49 74,816 --a------ C:\WINDOWS\system32\ipyhvnkw.dll
2007-09-02 14:45 2,267,903 ---hs---- C:\WINDOWS\system32\qstwa.bak2
2007-09-02 02:16 6,456 ---hs---- C:\WINDOWS\system32\qstwa.bak1
2007-09-02 02:14 297,568 --a------ C:\WINDOWS\system32\awtsq.dll
2007-09-02 02:09 43,542 --a------ C:\WINDOWS\system32\vtutrom.dll
2007-08-25 21:33 <DIR> d-------- C:\Program Files\VDMSound
2007-08-25 18:34 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-25 18:34 286,720 --------- C:\WINDOWS\Setup1.exe
2007-08-25 18:33 <DIR> d-------- C:\temp
2007-08-24 02:08 <DIR> d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\IMVU
2007-08-20 16:16 4 --ah----- C:\WINDOWS\uccspecb.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-09 00:28 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 06:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WholeSecurity
2007-09-01 03:25 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\LimeWire
2007-08-19 15:03 --------- d-------- C:\Program Files\LimeWire
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-03 19:00 --------- d-------- C:\Program Files\Wisdom-soft ScreenHunter 5 Free
2007-08-03 19:00 --------- d-------- C:\Program Files\Wisdom-soft
2007-08-03 07:12 --------- d-------- C:\Program Files\Common Files\Scanner
2007-08-03 07:04 --------- d-------- C:\Program Files\Yahoo!
2007-08-02 09:02 --------- dr-h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-27 13:16 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\Yahoo!
2007-07-24 17:14 --------- d-------- C:\Program Files\desktop weather
2007-07-14 08:56 --------- d-------- C:\Program Files\Webshots
2007-07-14 08:55 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\Webshots
2007-07-12 19:55 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-12 19:52 --------- d-------- C:\Program Files\Real
2007-07-12 19:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-07-12 19:46 --------- d-------- C:\Program Files\MSN Messenger
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-07-02 07:05 61440 --a------ C:\WINDOWS\uninstall.exe
2007-07-02 07:05 52 --a------ C:\mem.bin


((((((((((((((((((((((((((((( snapshot_2007-09-06_163712.85 )))))))))))))))))))))))))))))))))))))))))

----a-r 1,038,336 2007-09-08 15:58:39 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
----a-r 178,688 2007-09-08 15:58:39 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
----a-r 4,608 2007-09-08 18:38:33 C:\WINDOWS\Installer\{F34D9A5F-484A-4E31-A9D3-908CB265B289}\IconC989D247.exe
----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\spmsg.dll
----a-w 213,216 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\spuninst.exe
----a-w 22,752 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\spcustom.dll
----a-w 716,000 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\update.exe
----a-w 371,424 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\updspapi.dll
----a-w 99,480 2004-10-15 23:31:58 C:\WINDOWS\system32\FwsVpn.dll
----a-w 135,168 2007-07-12 06:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 06:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 07:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 7,680 2007-04-13 20:19:52 C:\WINDOWS\system32\lsdelete.exe
----a-w 16,789,464 2007-08-03 02:34:12 C:\WINDOWS\system32\MRT.exe
----a-w 218,264 2004-10-15 23:31:56 C:\WINDOWS\system32\SetAid.dll
-c--a-w 92,504 2007-07-31 00:19:20 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 53,080 2007-07-31 00:19:16 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,712,984 2007-07-31 00:19:42 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 325,976 2007-07-31 00:19:32 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 203,096 2007-07-31 00:19:46 C:\WINDOWS\system32\dllcache\wuweb.dll
----a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.0.6000.381\wuapi.dll
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll

----a-w 135,168 2007-03-14 07:31:24 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-03-14 07:31:28 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-03-14 09:04:46 C:\WINDOWS\system32\javaws.exe
----a-w 14,970,328 2007-04-27 20:45:14 C:\WINDOWS\system32\MRT.exe
-c--a-w 75,544 2005-05-26 11:16:24 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 465,176 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 124,184 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,343,768 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 127,256 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 41,240 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 173,536 2005-05-26 11:19:32 C:\WINDOWS\system32\dllcache\wuweb.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 15:59 1379352 --a------ C:\Program Files\Wisdom-soft\tbWisd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148}]
2007-09-02 02:09 43542 --a------ C:\WINDOWS\system32\vtutrom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCA1B2D2-762D-4575-8C6B-8D752A7973C8}]
2007-09-02 02:15 297568 --a------ C:\WINDOWS\system32\awtsq.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= C:\Program Files\Wisdom-soft\tbWisd.dll [2007-07-17 15:59 1379352]

[HKEY_CLASSES_ROOT\CLSID\{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24]
"Bart Station"="C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe" [2007-03-12 18:04]
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-05-19 20:57]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 12:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-10-26 21:07]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-10-26 21:08]
"PPScheduler"="C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe" []
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2007-04-27 15:43]
"CTFMon"="C:\WINDOWS\system32\CTF\ctfmon.exe" []
"LtMoh"="C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe" [2003-03-19 18:39]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 08:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"FolderView"="C:\WINDOWS\system32\olobpqrq.dll" [2007-09-09 00:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-27 09:42]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50]

C:\DOCUME~1\DEANBU~1\STARTM~1\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-07-14 08:55:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148}"= C:\WINDOWS\system32\vtutrom.dll [2007-09-02 02:09 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsq]
C:\WINDOWS\system32\awtsq.dll 2007-09-02 02:15 297568 C:\WINDOWS\system32\awtsq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutrom]
vtutrom.dll 2007-09-02 02:09 43542 C:\WINDOWS\system32\vtutrom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchpad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchpad.lnk
backup=C:\WINDOWS\pss\Launchpad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DEAN BUTLER^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DEAN BUTLER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderView]
rundll32.exe "C:\WINDOWS\system32\sflehdnt.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\WINDOWS\system32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R3 DCamUSBUVT;ICM532A;C:\WINDOWS\system32\Drivers\usbuvt.sys
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dc76f09-0610-11dc-9047-806d6172696f}]
AutoRun\command- E:\autorun.exe
readit\command- notepad readme.doc


Contents of the 'Scheduled Tasks' folder
"2007-09-09 17:11:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-09-07 22:46:28 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 12:19:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-09 12:22:34
C:\ComboFix-quarantined-files.txt ... 2007-09-09 12:22
C:\ComboFix2.txt ... 2007-09-07 12:28
C:\ComboFix3.txt ... 2007-09-06 16:38

--- E O F ---





Logfile of HijackThis v1.99.1
Scan saved at 12:24:32 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PeoplePC\ISP6530\Browser\PPShared.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HIJACKTHIS\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148} - C:\WINDOWS\system32\vtutrom.dll
O2 - BHO: (no name) - {CCA1B2D2-762D-4575-8C6B-8D752A7973C8} - C:\WINDOWS\system32\awtsq.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O3 - Toolbar: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\system32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\olobpqrq.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189277119218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189276897375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1E14C58-E40E-4F2F-9B04-49F0D372CF53}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtsq - C:\WINDOWS\system32\awtsq.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll (file missing)
O20 - Winlogon Notify: vtutrom - C:\WINDOWS\SYSTEM32\vtutrom.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 September 2007 - 11:54 AM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\olobpqrq.dll
C:\WINDOWS\system32\sflehdnt.dll
C:\WINDOWS\system32\toaejcre.dll
C:\WINDOWS\system32\ipyhvnkw.dll
C:\WINDOWS\system32\qstwa.bak2
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\vtutrom.dll
C:\WINDOWS\Setup1.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCA1B2D2-762D-4575-8C6B-8D752A7973C8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FolderView"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutrom]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dc76f09-0610-11dc-9047-806d6172696f}]


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
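Added example, not code from the thread, HijackThis or ComboFix: a small Python triage helper that reads HijackThis O2/O4/O20 lines like those in the log above, flags the random-named system32 DLL loaders that the CFScript in this post removes, and drafts File:: and Registry:: sections in the same layout as that script. The "random-looking name" heuristic, the sample lines and the helper names are my assumptions, constructed from this thread's entries; the output is a draft for the responder to review, not a verdict.

```python
"""Triage helper for HijackThis 1.99 logs, modelled on this thread.

Added example, not code from HijackThis, ComboFix or the thread. The
"random-looking DLL name" heuristic is an assumption tuned to the entries
removed here (awtsq, vtutrom, olobpqrq, ...); it is a review aid for a
responder, not a verdict, and it will flag some legitimate short names.
"""
import re
from dataclasses import dataclass, field

# A .dll directly under system32 whose stem is 5-9 lowercase letters only.
# The directory match is case-insensitive; the stem check deliberately is
# not, so mixed-case vendor names such as WgaLogon.dll are left alone.
RANDOM_SYS32_DLL = re.compile(r'(?i:c:\\windows\\system32\\)([a-z]{5,9})\.dll')

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<path>.*)$')

HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}

# Constructed sample in the shape of the log above: five entries the
# CFScript targets plus three benign neighbours the filter must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148} - C:\WINDOWS\system32\vtutrom.dll
O2 - BHO: (no name) - {CCA1B2D2-762D-4575-8C6B-8D752A7973C8} - C:\WINDOWS\system32\awtsq.dll
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\olobpqrq.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: awtsq - C:\WINDOWS\system32\awtsq.dll
O20 - Winlogon Notify: vtutrom - C:\WINDOWS\SYSTEM32\vtutrom.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass
class Finding:
    line: str                      # the HijackThis line that triggered it
    reason: str                    # why a responder should look at it
    files: list = field(default_factory=list)     # File:: candidates
    registry: list = field(default_factory=list)  # Registry:: lines


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O2, O4 or O20 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            hit = RANDOM_SYS32_DLL.search(m['path'])
            if hit and m['name'] == '(no name)':
                findings.append(Finding(
                    line, 'nameless BHO backed by a random-named system32 DLL',
                    files=[hit.group(0)],
                    registry=[f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{m['clsid']}]"]))
            continue
        m = O4_RE.match(line)
        if m:
            hit = RANDOM_SYS32_DLL.search(m['cmd'])
            if hit and 'rundll32' in m['cmd'].lower():
                findings.append(Finding(
                    line, 'Run value using rundll32 to load a random-named system32 DLL',
                    files=[hit.group(0)],
                    registry=[f"[{HIVES[m['hive']]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
                              f"\"{m['value']}\"=-"]))
            continue
        m = O20_RE.match(line)
        if m:
            hit = RANDOM_SYS32_DLL.search(m['path'])
            if hit:
                findings.append(Finding(
                    line, 'Winlogon Notify package backed by a random-named system32 DLL',
                    files=[hit.group(0)],
                    registry=[f"[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\{m['sub']}]"]))
    return findings


def render_cfscript(findings: list) -> str:
    """Draft File:: and Registry:: sections in the layout the post uses."""
    files, seen, registry = [], set(), []
    for f in findings:
        for path in f.files:          # same DLL often appears as O2 and O20
            if path.lower() not in seen:
                seen.add(path.lower())
                files.append(path)
        registry.extend(f.registry)
    return 'File::\n' + '\n'.join(files) + '\n\nRegistry::\n' + '\n'.join(registry) + '\n'


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h.reason}\n    {h.line}')
    print('\n--- draft CFScript (review before use) ---\n' + render_cfscript(hits))
```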

 


#5 DIVA69VAMPED

DIVA69VAMPED

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 09 September 2007 - 02:54 PM


THANX, HERE IS THE REQUESTED LOG FILE. I HOPE YOU CAN HELP ME. IT TOOK ME 2 HOURS TO RECONNECT. SORRY, IT'S JUST MESSING MY COMPUTER UP. TY....MELINDA


ComboFix 07-09-06 - "DEAN BUTLER" 2007-09-09 13:22:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.128 [GMT -5:00]
Command switches used :: C:\Documents and Settings\DEAN BUTLER\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\olobpqrq.dll
C:\WINDOWS\system32\sflehdnt.dll
C:\WINDOWS\system32\toaejcre.dll
C:\WINDOWS\system32\ipyhvnkw.dll
C:\WINDOWS\system32\qstwa.bak2
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\vtutrom.dll
C:\WINDOWS\Setup1.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Setup1.exe
C:\WINDOWS\system32\ipyhvnkw.dll
C:\WINDOWS\system32\olobpqrq.dll
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\qstwa.bak2
C:\WINDOWS\system32\sflehdnt.dll
C:\WINDOWS\system32\toaejcre.dll


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))


2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-09-08 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-09-08 13:38 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-09-08 13:38 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-08 13:38 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-09-08 13:38 <DIR> d-------- C:\Program Files\Sygate
2007-09-08 10:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-08 00:36 90,176 --a------ C:\WINDOWS\system32\swydefiw.dll
2007-09-07 18:51 <DIR> d-------- C:\Neurostar
2007-09-07 14:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 13:41 <DIR> d-------- C:\Program Files\FileASSASSIN
2007-09-07 13:38 <DIR> d-------- C:\FileASSASSIN
2007-09-07 12:48 <DIR> d-------- C:\Program Files\CCleaner
2007-09-05 16:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 16:06 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-09-05 13:46 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-05 00:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-04 16:16 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-02 02:14 297,568 --------- C:\WINDOWS\system32\awtsq.dll
2007-09-02 02:09 43,542 --------- C:\WINDOWS\system32\vtutrom.dll
2007-08-25 21:33 <DIR> d-------- C:\Program Files\VDMSound
2007-08-25 18:34 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-25 18:33 <DIR> d-------- C:\temp
2007-08-24 02:08 <DIR> d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\IMVU
2007-08-20 16:16 4 --ah----- C:\WINDOWS\uccspecb.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-09 13:37 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 06:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WholeSecurity
2007-09-01 03:25 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\LimeWire
2007-08-19 15:03 --------- d-------- C:\Program Files\LimeWire
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-03 19:00 --------- d-------- C:\Program Files\Wisdom-soft ScreenHunter 5 Free
2007-08-03 19:00 --------- d-------- C:\Program Files\Wisdom-soft
2007-08-03 07:12 --------- d-------- C:\Program Files\Common Files\Scanner
2007-08-03 07:04 --------- d-------- C:\Program Files\Yahoo!
2007-08-02 09:02 --------- dr-h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-27 13:16 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\Yahoo!
2007-07-24 17:14 --------- d-------- C:\Program Files\desktop weather
2007-07-14 08:56 --------- d-------- C:\Program Files\Webshots
2007-07-14 08:55 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\Webshots
2007-07-12 19:55 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-12 19:52 --------- d-------- C:\Program Files\Real
2007-07-12 19:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-07-12 19:46 --------- d-------- C:\Program Files\MSN Messenger
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-07-02 07:05 61440 --a------ C:\WINDOWS\uninstall.exe
2007-07-02 07:05 52 --a------ C:\mem.bin


((((((((((((((((((((((((((((( snapshot_2007-09-06_163712.85 )))))))))))))))))))))))))))))))))))))))))

----a-r 1,038,336 2007-09-08 15:58:39 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
----a-r 178,688 2007-09-08 15:58:39 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
----a-r 4,608 2007-09-08 18:38:33 C:\WINDOWS\Installer\{F34D9A5F-484A-4E31-A9D3-908CB265B289}\IconC989D247.exe
----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\spmsg.dll
----a-w 213,216 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\spuninst.exe
----a-w 22,752 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\spcustom.dll
----a-w 716,000 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\update.exe
----a-w 371,424 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\updspapi.dll
----a-w 99,480 2004-10-15 23:31:58 C:\WINDOWS\system32\FwsVpn.dll
----a-w 135,168 2007-07-12 06:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 06:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 07:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 7,680 2007-04-13 20:19:52 C:\WINDOWS\system32\lsdelete.exe
----a-w 16,789,464 2007-08-03 02:34:12 C:\WINDOWS\system32\MRT.exe
----a-w 218,264 2004-10-15 23:31:56 C:\WINDOWS\system32\SetAid.dll
-c--a-w 92,504 2007-07-31 00:19:20 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 53,080 2007-07-31 00:19:16 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,712,984 2007-07-31 00:19:42 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 325,976 2007-07-31 00:19:32 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 203,096 2007-07-31 00:19:46 C:\WINDOWS\system32\dllcache\wuweb.dll
----a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.0.6000.381\wuapi.dll
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll

----a-w 135,168 2007-03-14 07:31:24 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-03-14 07:31:28 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-03-14 09:04:46 C:\WINDOWS\system32\javaws.exe
----a-w 14,970,328 2007-04-27 20:45:14 C:\WINDOWS\system32\MRT.exe
-c--a-w 75,544 2005-05-26 11:16:24 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 465,176 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 124,184 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,343,768 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 127,256 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 41,240 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 173,536 2005-05-26 11:19:32 C:\WINDOWS\system32\dllcache\wuweb.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 15:59 1379352 --a------ C:\Program Files\Wisdom-soft\tbWisd.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= C:\Program Files\Wisdom-soft\tbWisd.dll [2007-07-17 15:59 1379352]

[HKEY_CLASSES_ROOT\CLSID\{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24]
"Bart Station"="C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe" [2007-03-12 18:04]
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-05-19 20:57]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 12:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-10-26 21:07]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-10-26 21:08]
"PPScheduler"="C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe" []
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2007-04-27 15:43]
"CTFMon"="C:\WINDOWS\system32\CTF\ctfmon.exe" []
"LtMoh"="C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe" [2003-03-19 18:39]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 08:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-27 09:42]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50]

C:\DOCUME~1\DEANBU~1\STARTM~1\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-07-14 08:55:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchpad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchpad.lnk
backup=C:\WINDOWS\pss\Launchpad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DEAN BUTLER^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DEAN BUTLER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderView]
rundll32.exe "C:\WINDOWS\system32\sflehdnt.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\WINDOWS\system32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R3 DCamUSBUVT;ICM532A;C:\WINDOWS\system32\Drivers\usbuvt.sys
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys


Contents of the 'Scheduled Tasks' folder
"2007-09-09 18:11:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-09-07 22:46:28 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 13:34:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-09-09 13:40:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 13:39
C:\ComboFix2.txt ... 2007-09-09 12:22
C:\ComboFix3.txt ... 2007-09-07 12:28

--- E O F ---

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 September 2007 - 03:12 PM

I can see some new bad guys as well as old ones.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\swydefiw.dll
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\vtutrom.dll
C:\WINDOWS\system32\sflehdnt.dll
C:\WINDOWS\system32\gzmrotate.dll

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log



#7 DIVA69VAMPED

DIVA69VAMPED

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 09 September 2007 - 03:56 PM



HERE IT IS TY...MELINDA


ComboFix 07-09-06 - "DEAN BUTLER" 2007-09-09 16:31:27.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.160 [GMT -5:00]
Command switches used :: C:\Documents and Settings\DEAN BUTLER\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\swydefiw.dll
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\vtutrom.dll
C:\WINDOWS\system32\sflehdnt.dll
C:\WINDOWS\system32\gzmrotate.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\swydefiw.dll
C:\WINDOWS\system32\vtutrom.dll


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))


2007-09-08 13:38 <DIR> d-------- C:\Program Files\Sygate
2007-09-08 10:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 18:51 <DIR> d-------- C:\Neurostar
2007-09-07 14:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 13:41 <DIR> d-------- C:\Program Files\FileASSASSIN
2007-09-07 13:38 <DIR> d-------- C:\FileASSASSIN
2007-09-07 12:48 <DIR> d-------- C:\Program Files\CCleaner
2007-09-05 16:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 16:06 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-09-05 13:46 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-05 00:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-04 16:16 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-25 21:33 <DIR> d-------- C:\Program Files\VDMSound
2007-08-25 18:34 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-25 18:33 <DIR> d-------- C:\temp
2007-08-24 02:08 <DIR> d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\IMVU
2007-08-20 16:16 4 --ah----- C:\WINDOWS\uccspecb.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-09 16:38 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 06:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WholeSecurity
2007-09-01 03:25 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\LimeWire
2007-08-19 15:03 --------- d-------- C:\Program Files\LimeWire
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-03 19:00 --------- d-------- C:\Program Files\Wisdom-soft ScreenHunter 5 Free
2007-08-03 19:00 --------- d-------- C:\Program Files\Wisdom-soft
2007-08-03 07:12 --------- d-------- C:\Program Files\Common Files\Scanner
2007-08-03 07:04 --------- d-------- C:\Program Files\Yahoo!
2007-08-02 09:02 --------- dr-h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-27 13:16 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\Yahoo!
2007-07-24 17:14 --------- d-------- C:\Program Files\desktop weather
2007-07-14 08:56 --------- d-------- C:\Program Files\Webshots
2007-07-14 08:55 --------- d-------- C:\DOCUME~1\DEANBU~1\APPLIC~1\Webshots
2007-07-12 19:55 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-12 19:52 --------- d-------- C:\Program Files\Real
2007-07-12 19:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-07-12 19:46 --------- d-------- C:\Program Files\MSN Messenger
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-07-02 07:05 61440 --a------ C:\WINDOWS\uninstall.exe
2007-07-02 07:05 52 --a------ C:\mem.bin


((((((((((((((((((((((((((((( snapshot_2007-09-06_163712.85 )))))))))))))))))))))))))))))))))))))))))

----a-r 1,038,336 2007-09-08 15:58:39 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
----a-r 178,688 2007-09-08 15:58:39 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\spmsg.dll
----a-w 213,216 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\spuninst.exe
----a-w 22,752 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\spcustom.dll
----a-w 716,000 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\update.exe
----a-w 371,424 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\updspapi.dll
----a-w 135,168 2007-07-12 06:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 06:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 07:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 7,680 2007-04-13 20:19:52 C:\WINDOWS\system32\lsdelete.exe
----a-w 16,789,464 2007-08-03 02:34:12 C:\WINDOWS\system32\MRT.exe
-c--a-w 92,504 2007-07-31 00:19:20 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 53,080 2007-07-31 00:19:16 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,712,984 2007-07-31 00:19:42 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 325,976 2007-07-31 00:19:32 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 203,096 2007-07-31 00:19:46 C:\WINDOWS\system32\dllcache\wuweb.dll
----a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.0.6000.381\wuapi.dll
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll

----a-w 135,168 2007-03-14 07:31:24 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-03-14 07:31:28 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-03-14 09:04:46 C:\WINDOWS\system32\javaws.exe
----a-w 14,970,328 2007-04-27 20:45:14 C:\WINDOWS\system32\MRT.exe
-c--a-w 75,544 2005-05-26 11:16:24 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 465,176 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuapi.dll
-c--a-w 124,184 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuauclt.exe
-c--a-w 1,343,768 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wuaueng.dll
-c--a-w 127,256 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wucltui.dll
-c--a-w 41,240 2005-05-26 11:16:30 C:\WINDOWS\system32\dllcache\wups.dll
-c--a-w 173,536 2005-05-26 11:19:32 C:\WINDOWS\system32\dllcache\wuweb.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 15:59 1379352 --a------ C:\Program Files\Wisdom-soft\tbWisd.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= C:\Program Files\Wisdom-soft\tbWisd.dll [2007-07-17 15:59 1379352]

[HKEY_CLASSES_ROOT\CLSID\{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24]
"Bart Station"="C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe" [2007-03-12 18:04]
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-05-19 20:57]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 12:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-10-26 21:07]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-10-26 21:08]
"PPScheduler"="C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe" []
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2007-04-27 15:43]
"CTFMon"="C:\WINDOWS\system32\CTF\ctfmon.exe" []
"LtMoh"="C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe" [2003-03-19 18:39]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 08:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-27 09:42]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50]

C:\DOCUME~1\DEANBU~1\STARTM~1\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-07-14 08:55:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchpad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchpad.lnk
backup=C:\WINDOWS\pss\Launchpad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DEAN BUTLER^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DEAN BUTLER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderView]
rundll32.exe "C:\WINDOWS\system32\sflehdnt.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\WINDOWS\system32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R3 DCamUSBUVT;ICM532A;C:\WINDOWS\system32\Drivers\usbuvt.sys
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys


Contents of the 'Scheduled Tasks' folder
"2007-09-09 21:11:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-09-07 22:46:28 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 16:37:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-09 16:41:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 16:41
C:\ComboFix2.txt ... 2007-09-09 13:40
C:\ComboFix3.txt ... 2007-09-09 12:22

--- E O F ---
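As an added example (not code from this thread, from ComboFix, or from LDTate), here is a Python check that cross-references the File:: list posted above against the ComboFix log: which listed files were actually reported under "Other Deletions", and which are still named by rundll32 autostart entries in the "Reg Loading Points" section. The two sample texts are constructed from entries quoted in this thread; the parsing rules assume ComboFix's banner and bracketed-key layout as it appears in the log above.

```python
import re

# Constructed sample: the File:: block LDTate posted in this thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\swydefiw.dll
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\vtutrom.dll
C:\WINDOWS\system32\sflehdnt.dll
C:\WINDOWS\system32\gzmrotate.dll

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"""

# Constructed sample: a few lines copied from the ComboFix log above.
COMBOFIX_LOG = r"""((((((( Other Deletions )))))))
C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\swydefiw.dll
C:\WINDOWS\system32\vtutrom.dll

((((((( Reg Loading Points )))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 08:42]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderView]
rundll32.exe "C:\WINDOWS\system32\sflehdnt.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # "(((( Title ))))" banners
KEY_RE = re.compile(r"^\[(.+)\]$")                 # "[HKEY_...]" lines
# rundll32 [path] "dll" or dll, followed by ',' or ' ' and the export name
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|(\S+?))\s*[, ]\s*(\S+)', re.IGNORECASE)


def parse_cfscript_files(text):
    """Return the paths listed under the CFScript File:: directive."""
    files, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):            # File::, Registry::, ... open a directive
            active = line.lower() == "file::"
        elif active and line:
            files.append(line)
    return files


def split_sections(log):
    """Map each ComboFix banner title to the lines that follow it."""
    sections, current = {}, None
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def parse_loading_points(lines):
    """Yield (registry_key, command) pairs from a Reg Loading Points section."""
    key = None
    for line in lines:
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
        elif key and line.strip():
            yield key, line.strip()


def rundll32_target(command):
    """Return (dll_path, export) if the command loads a DLL through rundll32."""
    m = RUNDLL_RE.search(command)
    return (m.group(1) or m.group(2), m.group(3)) if m else None


def cross_check(cfscript, log):
    """Compare the File:: list with what the log deleted and still references."""
    listed = parse_cfscript_files(cfscript)
    sections = split_sections(log)
    deleted = {p.strip().lower() for p in sections.get("Other Deletions", []) if p.strip()}
    listed_lower = {p.lower(): p for p in listed}
    rundll_loads, still_referenced = [], {}
    for key, cmd in parse_loading_points(sections.get("Reg Loading Points", [])):
        target = rundll32_target(cmd)
        if target is None:
            continue
        dll, export = target
        rundll_loads.append((key, dll, export))
        if dll.lower() in listed_lower:   # a listed file is still an autostart target
            still_referenced.setdefault(listed_lower[dll.lower()], []).append(key)
    return {"deleted": [p for p in listed if p.lower() in deleted],
            "not_deleted": [p for p in listed if p.lower() not in deleted],
            "rundll32_loads": rundll_loads,
            "still_referenced": still_referenced}


if __name__ == "__main__":
    for name, value in cross_check(CFSCRIPT, COMBOFIX_LOG).items():
        print(name, value)
```

On the sample above the check reports that three of the five listed files were deleted, while sflehdnt.dll and gzmrotate.dll were not and are still named by disabled msconfig startupreg entries, which is worth knowing before declaring the cleanup complete.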

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 September 2007 - 04:07 PM

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


#9 DIVA69VAMPED

DIVA69VAMPED

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 09 September 2007 - 04:26 PM



BEFORE THE LAST LOG I SENT TO YOU MY COMPUTER WOULD NOT CONNECT TO THE INTERNET. I KEPT TRYING AND WHEN I WOULD GET TO THE WEBPAGE IT WOULD NOT LOAD AND THE BYTES SENT WOULD STAY AT 399. SINCE THEN I HAVEN'T BEEN ONLINE LONG ENOUGH TO SEE IF THE POPUPS STILL CAME UP, BUT THE KEYBOARD IS WORKING FINE NOW. I ALSO KEEP GETTING WMS IDLE WHEN I REBOOT THE COMPUTER, MAKING ME PUSH END PROGRAM BEFORE I CAN REBOOT. OK HERE IS THE HIJACKTHIS NEW LOG FILE TY

Logfile of HijackThis v1.99.1
Scan saved at 5:13:40 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\PeoplePC\ISP6530\Browser\PPShared.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HIJACKTHIS\Spyware.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O3 - Toolbar: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\system32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Documents and Settings\DEAN BUTLER\Desktop\MODEMSITE\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\DEAN BUTLER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189277119218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189276897375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 September 2007 - 04:34 PM

You can get rid of either Ad-Aware 2007 or AVG Anti-Spyware 7.5. You don't need both.

If you decide to uninstall AVG Anti-Spyware 7.5, make sure you don't uninstall the Grisoft\AVG7 anti-VIRUS program.

1. Click Start > Settings > Control Panel.
2. Next, open Add/Remove Programs and remove either:
Ad-Aware 2007 or AVG Anti-Spyware 7.5

Also remove Combofix folders / files.

Reboot and see if that helps


#11 DIVA69VAMPED

DIVA69VAMPED

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 09 September 2007 - 06:21 PM



TY I BELIEVE THAT WHATEVER YOU DID WORKED, DID I HAVE SOME KIND OF VIRUS OR SOMETHING?? I HAVE BEEN SURFING THE NET FOR AWHILE NOW AND I HAVE SEEN NO POPUPS, KEEPING MY FINGERS CROSSED LOL. PLEASE LET ME KNOW WHAT WAS WRONG WITH MY COMPUTER. THANK YOU SO VERY MUCH....MELINDA

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 September 2007 - 06:25 PM

Looks like you had a Vundo Infection.

You need to delete Combofix / files and folders.

Here's my usual all clean post

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
    You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware.
    You should also scan your computer with this program on a regular basis
    just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.
Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom
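As an added example (not part of the thread and not anything its posters provided), here is a read-only PowerShell audit of the six Internet-zone settings the "Make your Internet Explorer more secure" steps above ask for. It assumes the standard per-user zone key (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, where zone 3 is the Internet zone) and the value names and meanings documented by Microsoft in KB 182569 (1001, 1004, 1201, 1800, 1804, 1607; 0 = Enable, 1 = Prompt, 3 = Disable). It changes nothing; it only reports which settings still differ from what the post recommends.

```powershell
# Added example, not from the thread: audit Internet Explorer's Internet-zone
# settings against the values recommended in the post above. Read-only.
# Assumed registry layout (Microsoft KB 182569): zone 3 = Internet zone; each
# action is a DWORD where 0 = Enable, 1 = Prompt, 3 = Disable.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The six settings named in the post, their registry value names, and the
# state the post asks for.
$recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Value = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Value = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Value = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Value = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Value = '1607'; Want = 1 }
)

$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Read one zone value; returns $null when the key or value does not exist
# (IE then falls back to its built-in default for that zone).
function Get-ZoneSetting {
    param([string]$Path, [string]$ValueName)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

# Compare every recommended setting with the current value and return one
# object per setting so the result can be filtered, exported or displayed.
function Test-InternetZoneHardening {
    param([string]$Path = $zonePath)
    $results = foreach ($s in $recommended) {
        $current = Get-ZoneSetting -Path $Path -ValueName $s.Value
        $currentName = if ($null -eq $current) { 'not set (IE default)' } else { $stateNames[$current] }
        [pscustomobject]@{
            Setting     = $s.Name
            RegValue    = $s.Value
            Current     = $currentName
            Recommended = $stateNames[$s.Want]
            Compliant   = ($current -eq $s.Want)
        }
    }
    return $results
}

# Run the audit, show a table, and exit non-zero if anything deviates so the
# script can be run from a logon script or scheduled task and flagged.
$report = Test-InternetZoneHardening
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more Internet-zone settings differ from the recommended values.'
    exit 1
}
```

Run it in the same user account whose browser settings you just changed, since the key is per-user. On a domain machine where policy forces machine-wide zone settings (the Security_HKLM_only policy), the effective values live under HKLM rather than HKCU; pass that path to Test-InternetZoneHardening's -Path parameter instead.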

 


#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 September 2007 - 07:41 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

