[Closed] I Need Help Please!


  • This topic is locked
16 replies to this topic

#1 seymourcake

seymourcake

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 07 November 2007 - 09:01 AM

Hello,

My name is Jon and I keep getting spyware and adware on my computer. My HiJackThis Logfile is located below:


Logfile of HijackThis v1.99.1
Scan saved at 9:53:59 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\YTBSDK.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Jonafer McDonald\My Documents\My Music\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...edir.asp?Ext=rm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [2e7afc00] rundll32.exe "C:\WINDOWS\system32\cqqblblh.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe


#2 seymourcake

seymourcake

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 07 November 2007 - 09:34 AM

Here is my combofix log:

ComboFix 07-11-07.3 - Jonafer McDonald 2007-11-07 10:08:32.2 - NTFSx86
Running from: C:\Documents and Settings\Jonafer McDonald\Temporary Internet Files\Content.IE5\UO57ORVN\ComboFix[1].exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Jonafer McDonald\Application Data\inst.exe
C:\Documents and Settings\Jonafer McDonald\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bneykkxo.exe
C:\WINDOWS\system32\egumieey.exe
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\ehkmp.bak2
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.bak2
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\fkwmpynr.dll
C:\WINDOWS\system32\hncqhjjw.exe
C:\WINDOWS\system32\igqivrqp.dll
C:\WINDOWS\system32\kvmbtgxs.ini
C:\WINDOWS\system32\lpjbptir.ini
C:\WINDOWS\system32\ltcphskg.exe
C:\WINDOWS\system32\nbtrotfq.dll
C:\WINDOWS\system32\njkaxqux.dll
C:\WINDOWS\system32\ohphnnef.dllbox
C:\WINDOWS\system32\omvrvmjq.ini
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pqrviqgi.ini
C:\WINDOWS\system32\pwrmbpfc.exe
C:\WINDOWS\system32\qftortbn.ini
C:\WINDOWS\system32\qjmvrvmo.dll
C:\WINDOWS\system32\ritpbjpl.dll
C:\WINDOWS\system32\rnypmwkf.ini
C:\WINDOWS\system32\rrdtcmlk.exe
C:\WINDOWS\system32\setmmyfr.exe
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sxgtbmvk.dll
C:\WINDOWS\system32\vnhjtysp.exe
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xbadd.tmp
C:\WINDOWS\system32\ykuogtvf.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 10:09 79,936 --a--c--- C:\WINDOWS\system32\mwyxtiqo.dll
2007-11-07 10:08 145,984 --a--c--- C:\WINDOWS\system32\skkbybey.dll
2007-11-07 10:08 145,984 --a------ C:\WINDOWS\system32\ohphnnef.dll
2007-11-07 09:33 86,080 --a--c--- C:\WINDOWS\system32\cqqblblh.dll
2007-11-07 09:33 71,232 --a--c--- C:\WINDOWS\system32\jebayixo.exe
2007-11-02 21:20 86,080 --a--c--- C:\WINDOWS\system32\hhspgvtr.dll
2007-10-28 10:34 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2007-10-28 10:34 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2007-10-28 10:34 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2007-10-28 10:34 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2007-10-28 10:34 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2007-10-28 10:34 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-10-28 10:34 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-10-28 10:34 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-10-28 10:33 <DIR> d-------- C:\Program Files\Ahead
2007-10-28 10:16 <DIR> d----c--- C:\Documents and Settings\Jonafer McDonald\Application Data\DeepBurner
2007-10-28 10:14 <DIR> d-------- C:\Program Files\Astonsoft
2007-10-27 22:27 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-10-25 23:43 <DIR> d-------- C:\Program Files\CyberLink
2007-10-25 21:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-25 21:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-25 21:36 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-25 21:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 16:43 <DIR> d----c--- C:\my dvd
2007-10-25 16:41 <DIR> d-------- C:\Program Files\Easy MPEG AVI DIVX WMV RM to DVD
2007-10-25 15:27 <DIR> d----c--- C:\Documents and Settings\Jonafer McDonald\Application Data\Grisoft
2007-10-25 15:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-25 15:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-24 23:47 <DIR> d----c--- C:\Documents and Settings\Jonafer McDonald\Application Data\Nero
2007-10-24 23:39 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-24 23:39 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-24 15:11 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2007-10-24 15:07 <DIR> d-------- C:\Program Files\Noël Danjou
2007-10-23 23:40 <DIR> d--hs---- C:\Documents and Settings\NetworkService\Temporary Internet Files
2007-10-23 23:40 <DIR> d--hs---- C:\Documents and Settings\NetworkService\History
2007-10-23 16:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 16:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-23 16:19 <DIR> d----c--- C:\Documents and Settings\Jonafer McDonald\Application Data\SUPERAntiSpyware.com
2007-10-23 16:19 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-22 20:29 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-10-22 20:29 34,304 --a------ C:\WINDOWS\system32\ljjjhhe.dll
2007-10-11 15:47 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2007-10-10 05:24 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 15:21 --------- dc----w C:\Documents and Settings\Jonafer McDonald\Application Data\Azureus
2007-10-31 00:24 --------- d-----w C:\Program Files\NetWaiting
2007-10-31 00:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 00:23 --------- d-----w C:\Program Files\CONEXANT
2007-10-31 00:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-31 00:19 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-31 00:15 --------- d-----w C:\Program Files\DivX
2007-10-28 15:34 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-26 10:31 --------- d-----w C:\Program Files\Google
2007-10-26 04:51 --------- d-----w C:\Program Files\Noël Danjou
2007-10-26 04:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-26 04:40 --------- d-----w C:\Program Files\LG Software Innovations
2007-10-26 04:34 35,744 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-26 04:23 47,360 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\pcouffin.sys
2007-10-26 04:23 --------- dc----w C:\Documents and Settings\Jonafer McDonald\Application Data\Vso
2007-10-25 04:39 --------- d-----w C:\Program Files\Nero
2007-10-24 23:57 --------- d-----w C:\Program Files\Image-Line
2007-10-24 23:50 --------- d-----w C:\Program Files\VstPlugins
2007-10-24 23:11 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-04 22:45 --------- d-----w C:\Program Files\Azureus
2007-09-24 13:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 13:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 13:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 13:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-18 14:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-10 23:23 --------- d-----w C:\Program Files\MySpace
2007-05-30 00:40 374 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb6334.dat
2007-05-30 00:39 18,432 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb41.dat
2007-05-30 00:38 538 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb8467.dat
2006-11-03 11:13 439,296 -c--a-w C:\Documents and Settings\Jonafer McDonald\remote.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08BEADB5-4BE3-46F0-82EB-B794F290E38E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{315E44A8-40DB-4D45-B56B-3BFF371436EE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60590076-C2A7-43F0-B18C-63A91F7F7A70}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96B2C3C8-F3B4-4026-9507-79D316E2A5F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0470523-2779-4419-90B7-3A6ECA135658}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 10:08 145984 --a------ C:\WINDOWS\system32\ohphnnef.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d2b4a515-fe1e-47e5-af2a-f1f59d59f7b5}]
2007-11-07 10:09 79936 --a--c--- C:\WINDOWS\system32\mwyxtiqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8527957-42D6-4108-9A24-A82CF008D245}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
2007-10-22 20:29 34304 --a------ C:\WINDOWS\system32\ljjjhhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ohphnnef.dll [2007-11-07 10:08 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 13:20]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 17:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-13 18:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-24 19:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"2e7afc00"="C:\WINDOWS\system32\cqqblblh.dll" [2007-11-07 09:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\system32\ljjjhhe.dll [2007-10-22 20:29 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhhe]
ljjjhhe.dll 2007-10-22 20:29 34304 C:\WINDOWS\system32\ljjjhhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ohphnnef]
ohphnnef.dll 2007-11-07 10:08 145984 C:\WINDOWS\system32\ohphnnef.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jonafer McDonald^Start Menu^Programs^StartUp^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2e7afc00]
rundll32.exe "C:\WINDOWS\system32\nbtrotfq.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
"C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
C:\Program Files\Essentials Codec Pack\update.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTimeDesktop.exe]
"C:\Program Files\Real\RealTime\\RealTimeDesktop.exe" -NoBrowser

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
C:\Windows\SMINST\RecGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06e7fbac-2133-11dc-990a-0014a5f4695f}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 15:26:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 10:24:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 10:27:19 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-23 16:44
.
--- E O F ---
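An added example, not code from this thread and not a feature of HijackThis or ComboFix: a small Python triage script that applies the checks a helper makes by eye to the two logs above, the HijackThis O3/O4 lines in post #1 and the ComboFix "Reg Loading Points" section in post #2. It flags entries by where they load from: Run values that start a DLL through rundll32.exe, Winlogon\Notify packages outside the Windows XP default set, anything appended to the LSA "Authentication Packages" value after msv1_0, ShellExecuteHooks, and toolbar CLSIDs whose DLL is gone. The `looks_random` name check, the XP Notify default list and the known-binary stems are my assumptions, and SAMPLE_LOG is a constructed excerpt in the shape of the posted logs, not a full copy of either.

```python
"""Triage autostart entries from HijackThis / ComboFix-style log text.

Added example for this thread (not a feature of HijackThis or ComboFix, and
not code from the original posts).  Entries are flagged by WHERE they load
from; a deliberately weak "random-looking filename" check is added on top.
The result is a review list for an analyst, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the two logs posted above; not a full copy.
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [2e7afc00] rundll32.exe "C:\WINDOWS\system32\cqqblblh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 10:08 145984 --a------ C:\WINDOWS\system32\ohphnnef.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhhe]
ljjjhhe.dll 2007-10-22 20:29 34304 C:\WINDOWS\system32\ljjjhhe.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhe.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\system32\ljjjhhe.dll [2007-10-22 20:29 34304]
"""

# ASSUMED starter allowlists (mine, not from the thread); extend for your own machines.
XP_NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_WINDOWS_STEMS = {"ctfmon", "svchost", "explorer", "userinit"}

RUN_LINE = re.compile(r"O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)")
MODULE_PATH = re.compile(r'([A-Za-z]:\\[^",\[]+\.(?:dll|exe))', re.I)


@dataclass(frozen=True)
class Finding:
    where: str    # HijackThis section or ComboFix registry key the line came from
    reason: str
    line: str


def looks_random(filename: str) -> bool:
    """Weak signal: 5-8 lowercase letters with no vowels or a 4+ consonant run.
    Misses vowel-rich names such as jebayixo.exe; never rely on it alone."""
    stem = filename.lower().rsplit(".", 1)[0]
    if stem in KNOWN_WINDOWS_STEMS or not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return not any(c in "aeiou" for c in stem) or re.search(r"[^aeiou]{4}", stem) is not None


def module_in(line: str) -> str | None:
    """Base name of the first X:\\...\\name.dll|exe path on the line, if any."""
    m = MODULE_PATH.search(line)
    return m.group(1).rsplit("\\", 1)[-1] if m else None


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = ""    # last "[HKEY_...]" header seen (ComboFix "Reg Loading Points")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: list[str] = []
        name_alone = False   # location where a random-looking name is enough to report
        where = current_key
        if line.startswith("O3 - Toolbar:"):
            where = "O3 Toolbar"
            if line.endswith(("(no file)", "(file missing)")):
                reasons.append("toolbar CLSID still registered but its DLL is gone")
        elif m := RUN_LINE.match(line):
            hive, value_name, cmd = m.groups()
            where, name_alone = f"{hive} Run", True
            if "rundll32" in cmd.lower():
                reasons.append("Run value starts a DLL through rundll32.exe")
            if re.fullmatch(r"[0-9a-f]{8}", value_name.lower()):
                reasons.append("value name is an 8-hex-digit blob")
        elif line.startswith("[HKEY_") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        elif "\\browser helper objects\\" in current_key:
            name_alone = True
        elif "\\winlogon\\notify\\" in current_key:
            package = current_key.rsplit("\\", 1)[-1]
            if package not in XP_NOTIFY_DEFAULTS:
                reasons.append(f"Winlogon Notify package '{package}' is not an XP default")
        elif current_key.endswith("\\control\\lsa") and line.lower().startswith('"authentication packages"'):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
            if extra:
                reasons.append("LSA Authentication Packages extended beyond msv1_0: " + ", ".join(extra))
        elif current_key.endswith("\\shellexecutehooks"):
            reasons.append("ShellExecuteHook registered (ComboFix already hides the shell32 default)")
        module = module_in(line)
        if module and looks_random(module) and (reasons or name_alone):
            reasons.append(f"random-looking filename {module}")
        if reasons:
            findings.append(Finding(where, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.where}] {f.reason}\n    {f.line}")
```

Run it on a saved log with `triage(open(path).read())`. The location checks carry the weight, the name heuristic only adds colour: a Winlogon Notify package is loaded into winlogon.exe and an authentication package into lsass.exe, both before any user session exists, which is why such DLLs cannot simply be deleted from the running desktop and why helpers move them with a ComboFix script or from Safe Mode. Treat every hit as something to verify (hash, signature, creation time against the "Files Created" list), not as a verdict.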

#3 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 November 2007 - 11:26 AM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

#4 seymourcake

seymourcake

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 07 November 2007 - 09:04 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:00:14 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\YTBSDK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jonafer McDonald\My Documents\My Music\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...edir.asp?Ext=rm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ohphnnef.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [2e7afc00] rundll32.exe "C:\WINDOWS\system32\cqqblblh.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe

#5 Scotty (Authentic Member, 3,634 posts)

Posted 08 November 2007 - 05:08 AM

Hello Jon

Read my previous post carefully. I asked for an Uninstall List. :)


Disable Teatimer
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Go to http://www.virustota.../en/indexf.html
Copy the following line into the white textbox:
C:\Documents and Settings\Jonafer McDonald\remote.exe
Click Send.
Please post the results of this scan to this thread.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS\system32\mwyxtiqo.dll 
C:\WINDOWS\system32\skkbybey.dll
C:\WINDOWS\system32\ohphnnef.dll
C:\WINDOWS\system32\cqqblblh.dll
C:\WINDOWS\system32\jebayixo.exe
C:\WINDOWS\system32\hhspgvtr.dll
C:\WINDOWS\system32\ljjjhhe.dll
C:\WINDOWS\system32\pmkhe.dll
C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb6334.dat
C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb41.dat
C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb8467.dat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08BEADB5-4BE3-46F0-82EB-B794F290E38E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{315E44A8-40DB-4D45-B56B-3BFF371436EE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60590076-C2A7-43F0-B18C-63A91F7F7A70}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96B2C3C8-F3B4-4026-9507-79D316E2A5F1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0470523-2779-4419-90B7-3A6ECA135658}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d2b4a515-fe1e-47e5-af2a-f1f59d59f7b5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8527957-42D6-4108-9A24-A82CF008D245}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2e7afc00"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhhe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ohphnnef] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2e7afc00]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log with a new HijackThis log.
You too could train to help others- Join the Classroom


#6 seymourcake (New Member, 10 posts)

Posted 14 November 2007 - 06:03 AM

Antivirus          Version          Last Update  Result
AhnLab-V3          2007.11.14.1     2007.11.14   -
AntiVir            7.6.0.34         2007.11.14   -
Authentium         4.93.8           2007.11.14   -
Avast              4.7.1074.0       2007.11.13   -
AVG                7.5.0.503        2007.11.14   -
BitDefender        7.2              2007.11.14   -
CAT-QuickHeal      9.00             2007.11.14   -
ClamAV             0.91.2           2007.11.14   -
DrWeb              4.44.0.09170     2007.11.14   -
eSafe              7.0.15.0         2007.11.13   -
eTrust-Vet         31.2.5294        2007.11.14   -
Ewido              4.0              2007.11.13   -
FileAdvisor        1                2007.11.14   -
Fortinet           3.11.0.0         2007.10.19   -
F-Prot             4.4.2.54         2007.11.14   -
F-Secure           6.70.13030.0     2007.11.14   -
Ikarus             T3.1.1.12        2007.11.14   -
Kaspersky          7.0.0.125        2007.11.14   -
McAfee             5162             2007.11.13   -
Microsoft          1.3007           2007.11.12   -
NOD32v2            2657             2007.11.14   archive damaged
Norman             5.80.02          2007.11.13   -
Panda              9.0.0.4          2007.11.14   -
Prevx1             V2               2007.11.14   -
Rising             20.18.20.00      2007.11.14   -
Sophos             4.23.0           2007.11.14   -
Sunbelt            2.2.907.0        2007.11.14   -
Symantec           10               2007.11.14   -
TheHacker          6.2.9.127        2007.11.14   -
VBA32              3.12.2.4         2007.11.11   -
VirusBuster        4.3.26:9         2007.11.13   -
Webwasher-Gateway  6.0.1            2007.11.14   -

Additional information
File size: 439296 bytes
MD5: 5b7b6b4f2d7de2c47fbed1c96f91f615
SHA1: 5a57941b8f6b0c530c8a49f2a6eec0fbea26559a

#7 Scotty (Authentic Member, 3,634 posts)

Posted 14 November 2007 - 08:11 AM

Hi. Don't forget to do the CFScript. :thumbup:

#8 seymourcake (New Member, 10 posts)

Posted 14 November 2007 - 03:28 PM

ComboFix 07-10-23.1 - Jonafer McDonald 2007-10-23 17:26:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -4:00]
Running from: C:\Documents and Settings\Jonafer McDonald\Temporary Internet Files\Content.IE5\N8O0EIEY\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jonafer McDonald\Application Data\ICROSO~1.NET
C:\Documents and Settings\Jonafer McDonald\Application Data\ICROSO~1.NET\?icrosoft.NET\
C:\Documents and Settings\Jonafer McDonald\Application Data\ICROSO~1.NET\smss.exe
C:\Documents and Settings\Jonafer McDonald\Application Data\inst.exe
C:\Documents and Settings\Jonafer McDonald\Application Data\macromedia\Flash Player\#SharedObjects\MN9ADYWJ\www.broadcaster.com
C:\Documents and Settings\Jonafer McDonald\Application Data\macromedia\Flash Player\#SharedObjects\MN9ADYWJ\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Jonafer McDonald\Application Data\macromedia\Flash Player\#SharedObjects\MN9ADYWJ\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Jonafer McDonald\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Jonafer McDonald\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Jonafer McDonald\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Jonafer McDonald\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Jonafer McDonald\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1848OinAdmin.exe
C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
C:\WINDOWS\retadpu1000520.exe
C:\WINDOWS\sstem~1
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\glhlnmfb.dll
C:\WINDOWS\system32\gubhsemj.exe
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\wapisvcc.exe
C:\WINDOWS\tsitra1044.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 17:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 17:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-23 17:19 <DIR> d----c--- C:\Documents and Settings\Jonafer McDonald\Application Data\SUPERAntiSpyware.com
2007-10-23 17:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 09:50 84,544 --a--c--- C:\WINDOWS\system32\jkxqmmjv.dll
2007-10-22 21:29 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-10-22 21:29 34,304 --a------ C:\WINDOWS\system32\ljjjhhe.dll
2007-10-10 06:24 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 19:45 --------- dc----w C:\Documents and Settings\Jonafer McDonald\Application Data\Azureus
2007-10-04 22:45 --------- d-----w C:\Program Files\Azureus
2007-09-25 17:58 --------- d-----w C:\Program Files\DivX
2007-09-18 14:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-10 23:23 --------- d-----w C:\Program Files\MySpace
2007-09-02 19:11 --------- dc----w C:\Documents and Settings\Jonafer McDonald\Application Data\Apple Computer
2007-08-25 00:53 --------- d-----w C:\Program Files\Real
2007-08-25 00:53 --------- d-----w C:\Program Files\Common Files\xing shared
2007-08-25 00:53 --------- d-----w C:\Program Files\Common Files\Real
2007-08-20 21:11 47,360 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\pcouffin.sys
2007-05-30 00:40 374 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb6334.dat
2007-05-30 00:39 18,432 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb41.dat
2007-05-30 00:38 538 -c--a-w C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb8467.dat
2006-11-03 11:13 439,296 -c--a-w C:\Documents and Settings\Jonafer McDonald\remote.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
2007-10-22 21:29 34304 --a------ C:\WINDOWS\system32\ljjjhhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 01:58]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 18:21]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 14:20]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 01:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-13 19:04]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-24 20:52]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59]
"2e7afc00"="C:\WINDOWS\system32\jkxqmmjv.dll" [2007-10-23 09:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"Tbsa"="C:\DOCUME~1\JONAFE~1\APPLIC~1\ICROSO~1.NET\smss.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\system32\ljjjhhe.dll [2007-10-22 21:29 34304]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhhe]
ljjjhhe.dll 2007-10-22 21:29 34304 C:\WINDOWS\system32\ljjjhhe.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jonafer McDonald^Start Menu^Programs^StartUp^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Jonafer McDonald\Start Menu\Programs\StartUp\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTimeDesktop.exe]
"C:\Program Files\Real\RealTime\\RealTimeDesktop.exe" -NoBrowser

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06e7fbac-2133-11dc-990a-0014a5f4695f}]
AutoRun\command - H:\LaunchU3.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{111E3A1D-D3B4-DFFB-0507-010707000200}]
C:\WINDOWS\system32\lssas.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 20:23:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 17:43:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 17:44:38 - machine was rebooted
.
--- E O F ---
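
The "Authentication Packages" entry that ComboFix reports above (msv1_0 followed by C:\WINDOWS\system32\jkhfd.dll) and the hex(7) line that the CFScript in post #5 uses to reset it are the same REG_MULTI_SZ value in two forms. Every DLL named in that value is loaded into lsass.exe at boot and takes part in logon handling, which is why a second entry there is a serious finding and why the script reduces the value to msv1_0 alone. The Python below is an added example, not code from the thread, from ComboFix or from HijackThis: it decodes the .reg-style hex(7) form (both the single-byte encoding the CFScript uses and the UTF-16LE encoding regedit exports), parses the log form, and flags anything other than the expected package. The sample lines are copied from the log and script above; the assumption that msv1_0 is the only expected package is mine, based on the default for Windows XP.

```python
"""Decode and check the LSA 'Authentication Packages' value.

Added example for this thread; it is not code from the forum, ComboFix or
HijackThis. Nothing here touches the registry: the inputs are strings taken
from the logs posted above.
"""
import re
from typing import List

# Assumption for this system: a default Windows XP install lists only MSV1_0.
EXPECTED_PACKAGES = {"msv1_0"}

# Line copied from the ComboFix 'Reg Loading Points' section above.
LOG_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfd.dll'

# Value copied from the CFScript in post #5 (one byte per character).
CFSCRIPT_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"


def decode_hex7(value: str) -> List[str]:
    """Decode a .reg-style 'hex(7):aa,bb,...' REG_MULTI_SZ into its strings.

    regedit exports REG_MULTI_SZ as UTF-16LE; the CFScript in this thread
    writes one byte per character. The two are told apart by whether every
    odd byte is zero. Line continuations (a backslash before a newline,
    as regedit writes them) are tolerated.
    """
    m = re.match(r"^hex\(7\):(.*)$", value.strip(), re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    raw = bytes(
        int(b.strip(), 16)
        for b in m.group(1).replace("\\", "").split(",")
        if b.strip()
    )
    utf16 = (
        len(raw) >= 2
        and len(raw) % 2 == 0
        and all(raw[i] == 0 for i in range(1, len(raw), 2))
    )
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    # A REG_MULTI_SZ ends with an empty string; drop it and any other empties.
    return [s for s in text.split("\x00") if s]


def parse_log_value(line: str) -> List[str]:
    """Split a ComboFix '"Authentication Packages"= a b c' line into entries.

    ComboFix joins the entries with spaces, so a path containing a space
    would be split in two; the log above has none, and an entry that is not
    exactly an expected package name is flagged either way.
    """
    _, sep, rhs = line.partition("=")
    if not sep:
        raise ValueError("no '=' in log line")
    return rhs.split()


def unexpected_packages(packages: List[str], expected=EXPECTED_PACKAGES) -> List[str]:
    """Return every entry that is not an expected package (case-insensitive)."""
    return [p for p in packages if p.lower() not in expected]


if __name__ == "__main__":
    observed = parse_log_value(LOG_LINE)
    print("log value:         ", observed)
    print("unexpected:        ", unexpected_packages(observed))
    print("CFScript resets to:", decode_hex7(CFSCRIPT_VALUE))
```

Run on the two sample strings, the log value yields one unexpected entry (the jkhfd.dll path) and the decoded CFScript value yields none, which is the state the script is meant to restore. The same decoder applies to any hex(7) line in a .reg export, so it can be pointed at other REG_MULTI_SZ load points as well.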

#9 seymourcake (New Member, 10 posts)

Posted 14 November 2007 - 03:29 PM

CFScript is below:

File::
C:\WINDOWS\system32\mwyxtiqo.dll
C:\WINDOWS\system32\skkbybey.dll
C:\WINDOWS\system32\ohphnnef.dll
C:\WINDOWS\system32\cqqblblh.dll
C:\WINDOWS\system32\jebayixo.exe
C:\WINDOWS\system32\hhspgvtr.dll
C:\WINDOWS\system32\ljjjhhe.dll
C:\WINDOWS\system32\pmkhe.dll
C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb6334.dat
C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb41.dat
C:\Documents and Settings\Jonafer McDonald\Application Data\internaldb8467.dat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08BEADB5-4BE3-46F0-82EB-B794F290E38E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{315E44A8-40DB-4D45-B56B-3BFF371436EE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60590076-C2A7-43F0-B18C-63A91F7F7A70}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96B2C3C8-F3B4-4026-9507-79D316E2A5F1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0470523-2779-4419-90B7-3A6ECA135658}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d2b4a515-fe1e-47e5-af2a-f1f59d59f7b5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8527957-42D6-4108-9A24-A82CF008D245}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2e7afc00"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhhe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ohphnnef]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2e7afc00]

#10 Scotty (Authentic Member, 3,634 posts)

Posted 14 November 2007 - 05:22 PM

Hi


I'm afraid I have unpleasant news for you. You have a Dangerous infection on this machine.
The infection is delivered by a Backdoor Trojan.
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.


#11 seymourcake (New Member, 10 posts)

Posted 15 November 2007 - 02:53 PM

I want to reformat my computer, but my computer came with Windows XP preinstalled?

#12 seymourcake (New Member, 10 posts)

Posted 15 November 2007 - 02:54 PM

I have no hard copy of Windows XP. It was already installed when I bought the computer.

#13 Scotty (Authentic Member, 3,634 posts)

Posted 16 November 2007 - 06:44 AM

Hi

Go to Start > My Computer. Do you see two hard drive icons under Local Drives? Is one of them named Recovery Console or similar?

#14 seymourcake (New Member, 10 posts)

Posted 16 November 2007 - 02:25 PM

yeah

#15 seymourcake (New Member, 10 posts)

Posted 16 November 2007 - 02:25 PM

It says "recovery partition".
