WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Closed] [Resolved] Save The Information Problem

Started by brain_26 , Nov 11 2007 10:10 AM

This topic is locked

13 replies to this topic

#1 brain_26

New Member

New Member
6 posts

Posted 11 November 2007 - 10:10 AM

hi im new here and i need help please!!!

this morning i discovered a yellow flashing triangle in the bottom right corner and Live Safety Center and Online Security Guide icons on the desktop. ever since then i have been getting these pop ups saying i have spyware and that i should download anti virus software and i get sum pop ups from savetheinformation.com, system alert: trojan-spy.win32 and stuff lyk that.

i have scanned my comp with avg free, ad aware se personal, spybot search and destroy , smithfraudfix, agv anti-spyware, vundofix and it didnt do anything so, can anyone help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:56 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Vongo\Tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zxuyzkhn.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [0661235d] rundll32.exe "C:\WINDOWS\system32\flpqtyfk.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Vongo Tray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 10690 bytes

Advertisements

Register to Remove

#2 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 November 2007 - 11:04 AM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick while its running. That may cause it to stall

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#3 brain_26

New Member

New Member
6 posts

Posted 11 November 2007 - 11:38 AM

Edited by brain_26, 11 November 2007 - 11:46 AM.

#4 brain_26

New Member

New Member
6 posts

Posted 11 November 2007 - 11:43 AM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick while its running. That may cause it to stall

Forum God

Thank you for responding to my question. I tried the steps you gave me and I still have the same issue. Here is the following log I got from Combo Fix:

ComboFix 07-11-08.1 - brain 2007-11-11 11:21:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.369 [GMT -6:00]
Running from: C:\Documents and Settings\brain\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\brain\Desktop\Live Safety Center.lnk
C:\Documents and Settings\brain\Desktop\Online Security Guide.lnk
C:\Documents and Settings\brain\Favorites\Online Security Guide.lnk
C:\Documents and Settings\brain\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\brain\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\brain\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\zxuyzkhn.dllbox
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 11:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 09:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-11 08:33 88,128 --a------ C:\WINDOWS\system32\flpqtyfk.dll
2007-11-11 08:33 79,936 --a------ C:\WINDOWS\system32\ykhpwgbx.dll
2007-11-11 08:08 36,352 --a------ C:\WINDOWS\system32\fccdcbx.dll
2007-11-10 23:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 23:06 <DIR> d-------- C:\VundoFix Backups
2007-11-10 22:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-10 19:21 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-10 19:20 <DIR> d-------- C:\Documents and Settings\brain\.housecall6.6
2007-11-10 17:55 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-10 17:33 5,726 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-10 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 12:00 <DIR> d-------- C:\WINDOWS\pss
2007-11-10 11:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-10 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-10 11:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 09:32 36,352 --a------ C:\WINDOWS\system32\yayyyxx.dll
2007-11-10 09:26 85,056 --a------ C:\WINDOWS\system32\ogoqqxok.dll
2007-11-10 09:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\Temporary Internet Files
2007-11-10 09:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\History
2007-11-10 08:43 85,056 --a------ C:\WINDOWS\system32\vucilbxl.dll
2007-11-10 08:40 81,472 --a------ C:\WINDOWS\system32\rwpijxvm.dll
2007-11-10 08:34 145,780 --a------ C:\WINDOWS\system32\zxuyzkhn.dll
2007-11-10 08:34 145,780 --a------ C:\WINDOWS\system32\ncfhexgq.dll
2007-11-09 20:28 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-09 20:25 36,352 --a------ C:\WINDOWS\system32\urqpnop.dll
2007-11-09 20:25 134 --a------ C:\n.bat
2007-11-09 20:25 0 --a------ C:\z.dat
2007-11-09 20:25 0 --a------ C:\x.dat
2007-11-09 20:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 17:26 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-11 16:12 --------- d-----w C:\Documents and Settings\brain\Application Data\LimeWire
2007-11-11 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-11 05:03 --------- d-----w C:\Program Files\Viewpoint
2007-11-10 23:49 --------- d-----w C:\Program Files\LimeWire
2007-11-10 23:30 --------- d-----w C:\Program Files\music_now
2007-11-10 23:30 --------- d-----w C:\Program Files\DIGStream
2007-11-10 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2007-10-24 00:13 --------- d-----w C:\Program Files\Java
2007-10-21 21:28 --------- d-----w C:\Program Files\mv
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-01-10 18:15 839,692 ----a-w C:\WINDOWS\Fonts\Crack.exe
2007-01-10 18:15 839,691 --sh--w C:\WINDOWS\Fonts\svchost.exe
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2007-01-10 18:15:15 839,691 --sh--w C:\WINDOWS\Fonts\svchost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
2007-11-09 20:25 36352 --a------ C:\WINDOWS\system32\urqpnop.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f02f87d-934e-4f6b-a921-a1212801935b}]
2007-11-11 08:33 79936 --a------ C:\WINDOWS\system32\ykhpwgbx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-10 08:34 145780 --a------ C:\WINDOWS\system32\zxuyzkhn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\zxuyzkhn.dll [2007-11-10 08:34 145780]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 23:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 02:00]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 02:00]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 18:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 23:01]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 22:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 12:33]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 17:02]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 10:52]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-01-10 12:15]
"0661235d"="C:\WINDOWS\system32\flpqtyfk.dll" [2007-11-11 08:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 22:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Program Files\Vongo\Tray.exe [2006-05-09 15:09:32]

C:\Documents and Settings\brain\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Documents and Settings\brain\Application Data\Microsoft\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-02-16 16:08:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 06:43:54]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-09 14:50:27]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 10:39:30]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-06 10:10:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\WINDOWS\system32\urqpnop.dll [2007-11-09 20:25 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpnop]
urqpnop.dll 2007-11-09 20:25 36352 C:\WINDOWS\system32\urqpnop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zxuyzkhn]
zxuyzkhn.dll 2007-11-10 08:34 145780 C:\WINDOWS\system32\zxuyzkhn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedc.dll

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 11:28:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????_??????Y?@?????<?@

scanning hidden files ...

C:\WINDOWS\system32\zxuyzkhn.dllbox 20640 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-11 11:31:43 - machine was rebooted
.
--- E O F ---

#5 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 November 2007 - 12:21 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\flpqtyfk.dll
C:\WINDOWS\system32\ykhpwgbx.dll
C:\WINDOWS\system32\fccdcbx.dll
C:\WINDOWS\system32\yayyyxx.dll
C:\WINDOWS\system32\ogoqqxok.dll
C:\WINDOWS\system32\vucilbxl.dll
C:\WINDOWS\system32\rwpijxvm.dll
C:\WINDOWS\system32\zxuyzkhn.dll
C:\WINDOWS\system32\ncfhexgq.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\urqpnop.dll
C:\n.bat
C:\z.dat
C:\x.dat
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\zxuyzkhn.dllbox

Folder::
C:\VundoFix Backups
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f02f87d-934e-4f6b-a921-a1212801935b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-
"0661235d"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpnop]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zxuyzkhn]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as Save this as "CFScript"

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#6 brain_26

New Member

New Member
6 posts

Posted 11 November 2007 - 12:46 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\flpqtyfk.dll
C:\WINDOWS\system32\ykhpwgbx.dll
C:\WINDOWS\system32\fccdcbx.dll
C:\WINDOWS\system32\yayyyxx.dll
C:\WINDOWS\system32\ogoqqxok.dll
C:\WINDOWS\system32\vucilbxl.dll
C:\WINDOWS\system32\rwpijxvm.dll
C:\WINDOWS\system32\zxuyzkhn.dll
C:\WINDOWS\system32\ncfhexgq.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\urqpnop.dll
C:\n.bat
C:\z.dat
C:\x.dat
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\zxuyzkhn.dllbox

Folder::
C:\VundoFix Backups
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f02f87d-934e-4f6b-a921-a1212801935b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-
"0661235d"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpnop]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zxuyzkhn]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as Save this as "CFScript"

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Tell me what you see in these two logs? I believe this time it work. I don't see those to original icons and no more Save the Information non sense.

Combo Fix Log:

ComboFix 07-11-08.1 - brain 2007-11-11 12:28:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.476 [GMT -6:00]
Running from: C:\Documents and Settings\brain\Desktop\ComboFix.exe
Command switches used :: F:\CFScript.txt
* Created a new restore point

FILE
C:\n.bat
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\fccdcbx.dll
C:\WINDOWS\system32\flpqtyfk.dll
C:\WINDOWS\system32\ncfhexgq.dll
C:\WINDOWS\system32\ogoqqxok.dll
C:\WINDOWS\system32\rwpijxvm.dll
C:\WINDOWS\system32\urqpnop.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vucilbxl.dll
C:\WINDOWS\system32\yayyyxx.dll
C:\WINDOWS\system32\ykhpwgbx.dll
C:\WINDOWS\system32\zxuyzkhn.dll
C:\WINDOWS\system32\zxuyzkhn.dllbox
C:\x.dat
C:\z.dat
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\brain\Desktop\Live Safety Center.lnk
C:\Documents and Settings\brain\Desktop\Online Security Guide.lnk
C:\Documents and Settings\brain\Favorites\Online Security Guide.lnk
C:\n.bat
C:\Program Files\Viewpoint
C:\VundoFix Backups
C:\VundoFix Backups\zxuyzkhn.dll.bad
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\acbeg.ini
C:\WINDOWS\system32\fccdcbx.dll
C:\WINDOWS\system32\flpqtyfk.dll
C:\WINDOWS\system32\gebca.dll
C:\WINDOWS\system32\ncfhexgq.dll
C:\WINDOWS\system32\ogoqqxok.dll
C:\WINDOWS\system32\rwpijxvm.dll
C:\WINDOWS\system32\urqpnop.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vucilbxl.dll
C:\WINDOWS\system32\yayyyxx.dll
C:\WINDOWS\system32\ykhpwgbx.dll
C:\WINDOWS\system32\zxuyzkhn.dll
C:\WINDOWS\system32\zxuyzkhn.dllbox
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 12:23 36,352 --a------ C:\WINDOWS\system32\yayvvut.dll
2007-11-11 12:10 36,352 --a------ C:\WINDOWS\system32\mljihff.dll
2007-11-11 12:09 172,032 --a------ C:\winlogon.exe
2007-11-11 11:31 36,352 --a------ C:\WINDOWS\system32\xxyyvsr.dll
2007-11-11 11:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 09:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-10 23:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 22:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-10 19:21 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-10 19:20 <DIR> d-------- C:\Documents and Settings\brain\.housecall6.6
2007-11-10 17:55 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-10 17:33 5,726 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-10 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 12:00 <DIR> d-------- C:\WINDOWS\pss
2007-11-10 11:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-10 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-10 11:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 09:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\Temporary Internet Files
2007-11-10 09:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\History
2007-11-09 20:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 18:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-11 18:27 --------- d-----w C:\Documents and Settings\brain\Application Data\LimeWire
2007-11-11 18:15 --------- d-----w C:\Program Files\Yahoo!
2007-11-11 18:13 --------- d-----w C:\Program Files\Vongo
2007-11-11 18:13 --------- d-----w C:\Program Files\Quicken
2007-11-11 18:11 --------- d-----w C:\Program Files\mv
2007-11-11 18:01 --------- d-----w C:\Program Files\WildTangent
2007-11-11 18:00 --------- d-----w C:\Program Files\GemMaster
2007-11-11 17:49 --------- d-----w C:\Program Files\LimeWire
2007-11-10 23:30 --------- d-----w C:\Program Files\music_now
2007-10-24 00:13 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_11.30.59.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-11 16:10:39 65,704 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-11 18:25:39 65,704 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-11 16:10:39 412,352 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-11 18:25:39 412,352 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2004-09-16 16:00:00 77,824 ----a-w C:\WINDOWS\system32\UMLoader.dll
+ 2004-09-16 07:00:00 77,824 ----a-w C:\WINDOWS\system32\UMLoader.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 23:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 02:00]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 02:00]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 18:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 23:01]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 22:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 12:33]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 17:02]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 10:52]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 22:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

C:\Documents and Settings\brain\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Documents and Settings\brain\Application Data\Microsoft\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-02-16 16:08:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 06:43:54]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-09 14:50:27]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 10:39:30]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-06 10:10:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 12:35:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????_??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 12:37:55 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 11:31
.
--- E O F ---

Hijackthis Log::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:00 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\Spyware.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Vongo Tray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10331 bytes

#7 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 November 2007 - 12:55 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\yayvvut.dll
C:\WINDOWS\system32\mljihff.dll
C:\WINDOWS\system32\xxyyvsr.dll

Folder::
C:\Program Files\WildTangent

Save this as Save this as "CFScript"

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#8 brain_26

New Member

New Member
6 posts

Posted 11 November 2007 - 01:12 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\yayvvut.dll
C:\WINDOWS\system32\mljihff.dll
C:\WINDOWS\system32\xxyyvsr.dll

Folder::
C:\Program Files\WildTangent

Save this as Save this as "CFScript"

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Here are the results:

Combo Fix Log:

ComboFix 07-11-08.1 - brain 2007-11-11 13:01:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.490 [GMT -6:00]
Running from: C:\Documents and Settings\brain\Desktop\Anti-Virus Tools\ComboFix.exe
Command switches used :: C:\Documents and Settings\brain\Desktop\Anti-Virus Tools\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\mljihff.dll
C:\WINDOWS\system32\xxyyvsr.dll
C:\WINDOWS\system32\yayvvut.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WildTangent
C:\Program Files\WildTangent\Apps\DRM0302.dll
C:\Program Files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\103EFD47-9F2C-4490-95DD-AE6C442AFB92\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\320F055A-570F-4335-B026-16A836DB9549\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\384E0BF4-1E1F-45A6-B60E-42144A3F15CD\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\5658FB14-16A4-4DAE-946B-1457BE31572E\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\5758A0E8-A112-4A1D-82EC-EC72F7F16B88\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\5DE4D54F-AA79-43A4-9C8A-C173E7E2B025\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\6E377D95-DF37-4E67-B64B-68C314600BCB\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\7948472C-423F-4134-B68F-48D660A05D71\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\7A940E33-6993-404B-ABA6-ED62E8FBE615\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\7ED8A70C-9597-40BE-AEA0-0573182F1F51\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\9F3399B2-9ED6-4339-84A2-686432638B86\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\B0769D17-E72A-4E87-A83F-1F7A3F080008\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\C264D692-8E15-4141-96A2-5621332E5DD0\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\D2E44AA4-8665-4490-A6C9-2D0744B47B27\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\E332F38A-75F6-4EF2-88CC-246E8A1CB5D7\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\E76A7EFF-7758-49EE-B3FA-9699830A2D6B\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\E90E3AE9-73E4-4E5C-BB0F-673989A808D0\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\def.dat
C:\Program Files\WildTangent\Apps\GameChannel\Games\F2566CC2-D4C4-44ED-A838-3F8288D8D3FE\def.dat
C:\Program Files\WildTangent\Apps\icon.ico
C:\Program Files\WildTangent\Apps\WebDriverInstall.exe
C:\WINDOWS\system32\mljihff.dll
C:\WINDOWS\system32\xxyyvsr.dll
C:\WINDOWS\system32\yayvvut.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 12:50 <DIR> d-------- C:\Documents and Settings\brain\Application Data\Grisoft
2007-11-11 12:50 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-11 12:09 172,032 --a------ C:\winlogon.exe
2007-11-11 11:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 09:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-10 23:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 22:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-10 19:21 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-10 19:20 <DIR> d-------- C:\Documents and Settings\brain\.housecall6.6
2007-11-10 17:55 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-10 17:33 5,726 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-10 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 12:00 <DIR> d-------- C:\WINDOWS\pss
2007-11-10 11:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-10 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-10 11:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 09:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\Temporary Internet Files
2007-11-10 09:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\History
2007-11-09 20:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 19:03 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-11 18:27 --------- d-----w C:\Documents and Settings\brain\Application Data\LimeWire
2007-11-11 18:15 --------- d-----w C:\Program Files\Yahoo!
2007-11-11 18:13 --------- d-----w C:\Program Files\Vongo
2007-11-11 18:13 --------- d-----w C:\Program Files\Quicken
2007-11-11 18:11 --------- d-----w C:\Program Files\mv
2007-11-11 18:00 --------- d-----w C:\Program Files\GemMaster
2007-11-11 17:49 --------- d-----w C:\Program Files\LimeWire
2007-11-10 23:30 --------- d-----w C:\Program Files\music_now
2007-10-24 00:13 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_11.30.59.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-11 16:10:39 65,704 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-11 18:39:15 65,704 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-11 16:10:39 412,352 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-11 18:39:15 412,352 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2004-09-16 16:00:00 77,824 ----a-w C:\WINDOWS\system32\UMLoader.dll
+ 2004-09-16 07:00:00 77,824 ----a-w C:\WINDOWS\system32\UMLoader.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 23:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 02:00]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 02:00]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 18:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 23:01]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 22:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 12:33]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 17:02]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 11:23]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 10:52]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 22:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

C:\Documents and Settings\brain\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Documents and Settings\brain\Application Data\Microsoft\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-02-16 16:08:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 06:43:54]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-09 14:50:27]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 10:39:30]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-06 10:10:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 18:52:34 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 13:05:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????_??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 13:07:56 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 12:37
C:\ComboFix3.txt ... 2007-11-11 11:31
.
--- E O F ---

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:10 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\Spyware.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Vongo Tray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10625 bytes

What do you think?

#9 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 November 2007 - 01:15 PM

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
If shown the disclaimer, Select "2"

Here's my usual all clean post

Log looks good

You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site
until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
You should also scan your computer with this program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Using IE-SPYAD to help block unwanted sites and activities
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#10 brain_26

New Member

New Member
6 posts

Posted 11 November 2007 - 01:40 PM

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
If shown the disclaimer, Select "2"
Here's my usual all clean post

Log looks good

You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site
until there are no more critical updates.

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
You should also scan your computer with this program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Using IE-SPYAD to help block unwanted sites and activities

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.
Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

Forum God:

Thanks a lot. These simple steps helped me remove this pesky thorn.

If any one else is reading this forum, Forum God's tech advise is good as gold!!!

#11 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 November 2007 - 01:42 PM

You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#12 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 November 2007 - 01:42 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#13 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 November 2007 - 02:43 PM

brain_26,
After going back over your log, will you check this file for me?

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\winlogon.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If Jotti is too busy you can try these.

http://www.kaspersky...anforvirus.html

http://www.virustota.../en/indexf.html

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#14 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 17 November 2007 - 07:14 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme