WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Savetheinformation infection

Started by Ramone , Nov 12 2007 01:10 PM

This topic is locked

10 replies to this topic

#1 Ramone

New Member

New Member
5 posts

Posted 12 November 2007 - 01:10 PM

Hi. Thanks for looking at my post.

I have many of the same symptoms that I have seen on other posts - annoying IE pop-ups, taskbar warnings about malware, worms, black[sic] door trojan horses, those two new desktop icons that reappear a few moments after being deleted, etc. There's also a new file folder in my program files group called Web Buying, which also reappears a few moments after I trash it. Everything is running a little slower also.

Here is a hijackthis log just to get things started:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:33 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\system32\rqtdidvs.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fsrmddmb.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [74ea7a67] rundll32.exe "C:\WINDOWS\system32\etavlqqg.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\rqtdidvs.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Thanks again for helping me out.

R-

Advertisements

Register to Remove

#2 Simon V.

MRU Emeritus

Authentic Member
897 posts

Posted 12 November 2007 - 04:30 PM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please disable TeaTimer, as it may interfere with the fix. This is done in two steps:

First step: Right-click the Spybot icon in your system tray (looks like a blue and white calendar with a padlock symbol).

For version 1.5: Click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the system tray should now be colorless.
For version 1.4: Click on Exit Spybot S&D Resident.

Second step: Open Spybot Search & Destroy.

Click Mode, choose Advanced Mode. When prompted, answer Yes.
Go to the bottom of the vertical panel to the left, click Tools.
Click Resident (a white and red shield, located in the panel to the left).
If your firewall gives you a warning, allow it.
Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
OK any prompts.
Go to File > Exit to close Spybot Search & Destroy.
Reboot your computer for the changes to take effect.

Note: Be sure to enable TeaTimer when you are clean!

Step 2

Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.

Under the Main tab, put a check next to Select All.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
If you use the Firefox browser:
Click on Firefox at the top and put a check next to Select All. If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
If you use the Opera browser:
Click on Opera at the top and put a check next to Select All.
If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 3

Please download Combofix:

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

Step 4

Please download SmitfraudFix (by S!ri).

Double-click on SmitfraudFix.exe. A screen will pop up. Select Option 1 (Search) by typing 1 and hit Enter. A text file will appear, which will list the infected files. Save it to a convenient location.
The log will also be saved here: C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Step 5

Open HijackThis.

Click on the Config button.
Click on the Misc Tools button.
Click on the Open Uninstall Manager button.
Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.

Step 6

In your next reply, please post:

the Combofix log (C:\Combofix.txt)
the Smitfraudfix report (C:\rapport.txt)
the Uninstall List
a new HijackThis log

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#3 Ramone

New Member

New Member
5 posts

Posted 12 November 2007 - 07:42 PM

Simon V. - Thanks for your help. I did steps 1 through 4 with no issue, but for some reason now when I tried to save the Hijack uninstall list I wasn't given a prompt for a place to save it, and hijackthis just closes. If I am doing something wrong or if I need and updated hijackthis just let me know. Thanks again

#4 Simon V.

MRU Emeritus

Authentic Member
897 posts

Posted 13 November 2007 - 05:27 AM

That sometimes happens. Let's get another Uninstall List:

Please download and install CCleaner.

Open CCleaner. In the Left Pane, click Tools.
Verify that Uninstall is highlighted in color, or click on it.
In the lower right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt.
Click Save.
Exit Ccleaner by clicking on the X button in the upper right of the CCleaner window.

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#5 Ramone

New Member

New Member
5 posts

Posted 14 November 2007 - 03:54 PM

Simon V. -

OK here's the logs:

ComboFix 07-11-08.1 - Dr. Becker 2007-11-12 16:23:28.1 - NTFSx86
Running from: C:\Documents and Settings\Dr. Becker\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Dr. Becker\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Dr. Becker\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Dr. Becker\Favorites\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\MSN Gaming Zone\qulac.dll
C:\Program Files\MSN Gaming Zone\qulac62.dll
C:\Program Files\MSN Gaming Zone\qulac724.dll
C:\Program Files\MSN Gaming Zone\qulac872.dll
C:\Program Files\MSN Gaming Zone\qulac93.dll
C:\Program Files\MSN Gaming Zone\rterteq.html
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\web buying
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\a1\rarndrll2.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\fsrmddmb.dllbox
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\caws83122.exe
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\r2\wr31drs.exe
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-12 16:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 14:27 89,664 --a------ C:\WINDOWS\system32\ovlatrso.dll
2007-11-12 14:26 81,472 --a------ C:\WINDOWS\system32\rideayao.dll
2007-11-12 14:22 71,232 --a------ C:\WINDOWS\system32\lderhtgi.exe
2007-11-12 10:27 81,472 --a------ C:\WINDOWS\system32\ssmjbbtw.dll
2007-11-12 10:23 71,232 --a------ C:\WINDOWS\system32\gswhdehk.exe
2007-11-10 15:02 71,232 --a------ C:\WINDOWS\system32\klabving.exe
2007-11-09 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 18:20 <DIR> d-------- C:\VundoFix Backups
2007-11-09 13:42 77,888 --a------ C:\WINDOWS\system32\decpntbb.dll
2007-11-09 13:39 145,984 --a------ C:\WINDOWS\system32\fsrmddmb.dll
2007-11-09 13:38 145,984 --a------ C:\WINDOWS\system32\qjmjuqhu.dll
2007-11-09 13:36 71,232 --a------ C:\WINDOWS\system32\rqtdidvs.exe
2007-11-08 12:50 35,840 -ra------ C:\WINDOWS\mrofinu572.exe
2007-11-08 00:48 35,328 --a------ C:\WINDOWS\system32\gebxvvt.dll
2007-11-08 00:41 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-08 00:40 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-08 00:40 <DIR> d-------- C:\Temp\mZOr
2007-11-08 00:40 <DIR> d-------- C:\Temp
2007-11-08 00:40 35,328 --a------ C:\WINDOWS\system32\ddcayax.dll
2007-10-31 15:31 <DIR> d-------- C:\Documents and Settings\All Users\SonicStage
2007-10-31 15:24 90,112 --------- C:\WINDOWS\snymsico.dll
2007-10-31 15:24 38,951 --a------ C:\WINDOWS\system32\drivers\NETMDUSB.sys
2007-10-31 15:24 36,679 --a------ C:\WINDOWS\system32\drivers\NETMD052.sys
2007-10-31 15:24 36,232 --a------ C:\WINDOWS\system32\drivers\NETMD033.sys
2007-10-31 15:24 35,319 --a------ C:\WINDOWS\system32\drivers\NETMD031.sys
2007-10-31 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2007-10-31 15:19 <DIR> d-------- C:\Program Files\Sony
2007-10-31 15:17 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2007-10-31 15:17 <DIR> d-------- C:\Documents and Settings\Dr. Becker\Application Data\Sony Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 23:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-11 00:14 --------- d-----w C:\Documents and Settings\Dr. Becker\Application Data\Corel
2007-10-03 22:16 --------- d-----w C:\Documents and Settings\Dr. Becker\Application Data\uTorrent
2007-10-01 18:45 --------- d-----w C:\Program Files\uTorrent
2007-09-23 04:41 --------- d-----w C:\Program Files\Audacity
2007-09-15 17:44 --------- d-----w C:\Program Files\Google
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2007-01-23 19:10 43,072 ----a-w C:\Documents and Settings\Dr. Becker\Application Data\GDIPFONTCACHEV1.DAT
2006-12-05 18:42 192,768 ----a-w C:\WINDOWS\inf\MA521_patch\MA521nd5.sys
2006-04-26 01:30 35,232 ----a-w C:\WINDOWS\inf\MA521_patch\ME_INST.EXE
2006-04-26 01:30 212,992 ----a-w C:\WINDOWS\inf\MA521_patch\CopyWHQLDriver.exe
2006-04-26 01:30 14,848 ----a-w C:\WINDOWS\inf\MA521_patch\INST2000.DLL
2005-06-15 22:48 43,072 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-08-18 12:00:00 94,784 --sha-w C:\WINDOWS\twain.dll
2004-08-04 08:56:48 50,688 --sha-w C:\WINDOWS\twain_32.dll
2004-08-04 08:56:44 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 08:56:44 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 08:56:44 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 08:56:44 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 08:56:46 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 08:56:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
2007-11-08 00:40 35328 --a------ C:\WINDOWS\system32\ddcayax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B23AE4E-B5C2-4D64-43B9-7CC382C83FEC}]
2007-11-12 16:54 70144 --a------ C:\Program Files\MSN Gaming Zone\qulac.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d6d2321-7bfb-43fe-a5d0-185c9ab6c619}]
C:\WINDOWS\system32\tdmpguo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-09 13:39 145984 --a------ C:\WINDOWS\system32\fsrmddmb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B41DC5A0-8710-42D3-BE49-A9E6D49B1830}]
2007-08-02 05:43 282624 --a------ C:\Program Files\Messenger\mezojelis83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B71EC96C-64D3-43A8-B759-91A0783C0C4C}]
2007-08-02 05:43 282624 --a------ C:\Program Files\Messenger\mezojelis4444.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fsrmddmb.dll [2007-11-09 13:39 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fsrmddmb.dll [2007-11-09 13:39 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 20:14 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-06-11 20:56 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-02 13:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-02 13:47]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-07-29 12:50]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-07-16 12:23]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 06:05]
"QT4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-04-20 12:56]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2001-07-19 13:50]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 03:25]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-03-31 10:16]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 10:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 17:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"74ea7a67"="C:\WINDOWS\system32\etavlqqg.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"= C:\WINDOWS\system32\ddcayax.dll [2007-11-08 00:40 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayax]
ddcayax.dll 2007-11-08 00:40 35328 C:\WINDOWS\system32\ddcayax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsrmddmb]
fsrmddmb.dll 2007-11-09 13:39 145984 C:\WINDOWS\system32\fsrmddmb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjk.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2005-03-31 18:20:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 16:52:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 17:02:20 - machine was rebooted
.
--- E O F ---

SmitFraudFix v2.252

Scan done at 17:10:21.26, Mon 11/12/2007
Run from C:\Documents and Settings\Dr. Becker\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dr. Becker

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dr. Becker\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~2\DRBC11~1.BEC\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NETGEAR MA521 802.11b Wireless PC Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4AB79593-433F-4907-B665-A94765CDF2F4}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4AB79593-433F-4907-B665-A94765CDF2F4}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4AB79593-433F-4907-B665-A94765CDF2F4}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

µTorrent
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.0
ATI Display Driver
Atomic Pop
AutoUpdate
Battle.net
CCleaner (remove only)
Conexant 56K ACLink Modem
Conexant AC-Link Audio
Disc2Phone
DivX
DivX Player
e-DiagTools for Windows
eMusic Download Manager
Google Earth
HijackThis 1.99.1
HP Desktop Zoom
HP DLA
HP Notebook Utilities
HP One-Touch Buttons
HP Photo Toolkit
HP RecordNow
HP Wireless LAN
Hpsetup
Inactive HP Printer Drivers (Remove only)
InterVideo WinDVD
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_03
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
MA521 Device Driver
Macromedia Extension Manager
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office XP Professional with FrontPage
MIKSOFT Mobile 3GP converter
Mozilla Firefox (2.0.0.9)
NCH Toolbox Uninstall
Norton AntiVirus 2002
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module
OpenMG Secure Module 4.7.00
PitchPerfect Uninstall
QuickTime
Rhapsody Player Engine
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
SonicStage 4.3
SoulSeek 157 test 8
SoulSeek Client 156
Spybot - Search & Destroy
Symantec Network Drivers Update
Synaptics TouchPad
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VST Bridge 1.0
WebFldrs XP
WildTangent Web Driver
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Productivity Pack

Logfile of HijackThis v1.99.1
Scan saved at 1:52:19 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fsrmddmb.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [74ea7a67] rundll32.exe "C:\WINDOWS\system32\etavlqqg.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#6 Simon V.

MRU Emeritus

Authentic Member
897 posts

Posted 15 November 2007 - 12:29 AM

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

µTorrent

Step 1

Please go to VirusTotal or Jotti and upload <file> for scanning.

For VirusTotal:

Please copy and paste C:\Program Files\TTC.dll in the text box next to the Browse... button.
Click on Send File.

For Jotti:

Please copy and paste C:\Program Files\TTC.dll in the text box next to the Browse... button.
Click on Submit.

Copy/paste the results in Notepad and save them to your desktop.

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\ovlatrso.dll
C:\WINDOWS\system32\rideayao.dll
C:\WINDOWS\system32\lderhtgi.exe
C:\WINDOWS\system32\ssmjbbtw.dll
C:\WINDOWS\system32\gswhdehk.exe
C:\WINDOWS\system32\klabving.exe
C:\WINDOWS\system32\decpntbb.dll
C:\WINDOWS\system32\fsrmddmb.dll
C:\WINDOWS\system32\qjmjuqhu.dll
C:\WINDOWS\system32\rqtdidvs.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\gebxvvt.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\ddcayax.dll
C:\Program Files\MSN Gaming Zone\qulac.dll
C:\Program Files\Messenger\mezojelis83122.dll
C:\Program Files\Messenger\mezojelis4444.dll

Folder::

C:\VundoFix Backups
C:\WINDOWS\system32\Mz02r
C:\Temp\mZOr

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B23AE4E-B5C2-4D64-43B9-7CC382C83FEC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d6d2321-7bfb-43fe-a5d0-185c9ab6c619}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B41DC5A0-8710-42D3-BE49-A9E6D49B1830}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B71EC96C-64D3-43A8-B759-91A0783C0C4C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"74ea7a67"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsrmddmb]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (if available, otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

Click OK.
Now under Select a Target to Scan:

Select My Computer.

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button and save the file to your desktop.

Step 4

In your next reply, please post:

the Combofix log (C:\Combofix.txt)
the Kaspersky Online Scan report
a new HijackThis log

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#7 Ramone

New Member

New Member
5 posts

Posted 16 November 2007 - 02:48 AM

Simon V. -

Thanks for the advice. I never even used utorrent, so I removed it.

Lately I've started getting a new problem. First my active desktop switches off and the taskbar at the bottom disappears. Eventually I get it back, but after a few minutes it goes again. This repeats and then it goes out all together, no taskbar, no desktop icons, no start button, etc. I have to switch off the computer and restart it everytime now.

Anyway, here's the logs:

ComboFix 07-11-08.1 - Dr. Becker 2007-11-15 14:07:26.3 - NTFSx86
Running from: C:\Documents and Settings\Dr. Becker\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Dr. Becker\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Dr. Becker\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Dr. Becker\Favorites\Online Security Guide.lnk
C:\Program Files\MSN Gaming Zone\qulac.dll
C:\Program Files\MSN Gaming Zone\qulac260.dll
C:\Program Files\MSN Gaming Zone\qulac561.dll
C:\Program Files\MSN Gaming Zone\qulac905.dll
C:\Program Files\MSN Gaming Zone\qulac99.dll
C:\Program Files\MSN Gaming Zone\rterteq.html
C:\WINDOWS\system32\fsrmddmb.dllbox
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 12:47 79,936 --a------ C:\WINDOWS\system32\yusqhtfk.dll
2007-11-15 12:45 85,056 --a------ C:\WINDOWS\system32\ygfqwwwq.dll
2007-11-15 12:38 71,232 --a------ C:\WINDOWS\system32\pnruhefb.exe
2007-11-14 13:45 <DIR> d-------- C:\Program Files\CCleaner
2007-11-12 17:10 3,446 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 16:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 14:27 89,664 --a------ C:\WINDOWS\system32\ovlatrso.dll
2007-11-12 14:26 81,472 --a------ C:\WINDOWS\system32\rideayao.dll
2007-11-12 14:22 71,232 --a------ C:\WINDOWS\system32\lderhtgi.exe
2007-11-12 10:27 81,472 --a------ C:\WINDOWS\system32\ssmjbbtw.dll
2007-11-12 10:23 71,232 --a------ C:\WINDOWS\system32\gswhdehk.exe
2007-11-10 15:02 71,232 --a------ C:\WINDOWS\system32\klabving.exe
2007-11-09 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 18:20 <DIR> d-------- C:\VundoFix Backups
2007-11-09 13:42 77,888 --a------ C:\WINDOWS\system32\decpntbb.dll
2007-11-09 13:39 145,984 --a------ C:\WINDOWS\system32\fsrmddmb.dll
2007-11-09 13:38 145,984 --a------ C:\WINDOWS\system32\qjmjuqhu.dll
2007-11-09 13:36 71,232 --a------ C:\WINDOWS\system32\rqtdidvs.exe
2007-11-08 12:50 35,840 -ra------ C:\WINDOWS\mrofinu572.exe
2007-11-08 00:48 35,328 --a------ C:\WINDOWS\system32\gebxvvt.dll
2007-11-08 00:41 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-08 00:40 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-08 00:40 <DIR> d-------- C:\Temp\mZOr
2007-11-08 00:40 <DIR> d-------- C:\Temp
2007-11-08 00:40 35,328 --a------ C:\WINDOWS\system32\ddcayax.dll
2007-10-31 15:31 <DIR> d-------- C:\Documents and Settings\All Users\SonicStage
2007-10-31 15:24 90,112 --------- C:\WINDOWS\snymsico.dll
2007-10-31 15:24 38,951 --a------ C:\WINDOWS\system32\drivers\NETMDUSB.sys
2007-10-31 15:24 36,679 --a------ C:\WINDOWS\system32\drivers\NETMD052.sys
2007-10-31 15:24 36,232 --a------ C:\WINDOWS\system32\drivers\NETMD033.sys
2007-10-31 15:24 35,319 --a------ C:\WINDOWS\system32\drivers\NETMD031.sys
2007-10-31 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2007-10-31 15:19 <DIR> d-------- C:\Program Files\Sony
2007-10-31 15:17 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2007-10-31 15:17 <DIR> d-------- C:\Documents and Settings\Dr. Becker\Application Data\Sony Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 23:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 00:14 --------- d-----w C:\Documents and Settings\Dr. Becker\Application Data\Corel
2007-10-03 22:16 --------- d-----w C:\Documents and Settings\Dr. Becker\Application Data\uTorrent
2007-10-01 18:45 --------- d-----w C:\Program Files\uTorrent
2007-09-23 04:41 --------- d-----w C:\Program Files\Audacity
2007-09-15 17:44 --------- d-----w C:\Program Files\Google
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-01-23 19:10 43,072 ----a-w C:\Documents and Settings\Dr. Becker\Application Data\GDIPFONTCACHEV1.DAT
2006-12-05 18:42 192,768 ----a-w C:\WINDOWS\inf\MA521_patch\MA521nd5.sys
2006-04-26 01:30 35,232 ----a-w C:\WINDOWS\inf\MA521_patch\ME_INST.EXE
2006-04-26 01:30 212,992 ----a-w C:\WINDOWS\inf\MA521_patch\CopyWHQLDriver.exe
2006-04-26 01:30 14,848 ----a-w C:\WINDOWS\inf\MA521_patch\INST2000.DLL
2005-06-15 22:48 43,072 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-08-18 12:00:00 94,784 --sha-w C:\WINDOWS\twain.dll
2004-08-04 08:56:48 50,688 --sha-w C:\WINDOWS\twain_32.dll
2004-08-04 08:56:44 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 08:56:44 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 08:56:44 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 08:56:44 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 08:56:46 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 08:56:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-12_16.58.35.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05D02035-9EB4-453C-87BB-013C3F785C18}]
2007-11-15 14:37 313952 --a------ C:\WINDOWS\system32\awtss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
2007-11-08 00:40 35328 --a------ C:\WINDOWS\system32\ddcayax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92065620-a8c4-4dfe-a1aa-ea405709d4f7}]
2007-11-15 12:47 79936 --a------ C:\WINDOWS\system32\yusqhtfk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-09 13:39 145984 --a------ C:\WINDOWS\system32\fsrmddmb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fsrmddmb.dll [2007-11-09 13:39 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fsrmddmb.dll [2007-11-09 13:39 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 20:14 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-06-11 20:56 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-02 13:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-02 13:47]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-07-29 12:50]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-07-16 12:23]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 06:05]
"QT4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-04-20 12:56]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2001-07-19 13:50]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 03:25]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-03-31 10:16]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 10:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 17:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"= C:\WINDOWS\system32\ddcayax.dll [2007-11-08 00:40 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayax]
ddcayax.dll 2007-11-08 00:40 35328 C:\WINDOWS\system32\ddcayax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsrmddmb]
fsrmddmb.dll 2007-11-09 13:39 145984 C:\WINDOWS\system32\fsrmddmb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtss.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2005-03-31 18:20:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 14:34:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\sstwa.ini 317 bytes
C:\WINDOWS\system32\sstwa.ini2 317 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-11-15 14:42:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-12 17:02
.
--- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 16, 2007 12:12:39 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/11/2007
Kaspersky Anti-Virus database records: 460072
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 45736
Number of viruses found: 18
Number of infected objects: 108
Number of suspicious objects: 0
Duration of the scan process: 02:00:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dr. Becker\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\cert8.db Object is locked skipped
C:\Documents and Settings\Dr. Becker\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\history.dat Object is locked skipped
C:\Documents and Settings\Dr. Becker\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\key3.db Object is locked skipped
C:\Documents and Settings\Dr. Becker\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\parent.lock Object is locked skipped
C:\Documents and Settings\Dr. Becker\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Dr. Becker\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Dr. Becker\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dr. Becker\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dr. Becker\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dr. Becker\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dr. Becker\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Dr. Becker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dr. Becker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dr. Becker\Local Settings\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Dr. Becker\Local Settings\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Dr. Becker\Local Settings\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Dr. Becker\Local Settings\Application Data\Mozilla\Firefox\Profiles\vadkad0z.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Dr. Becker\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dr. Becker\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dr. Becker\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dr. Becker\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Messenger\mezojelis4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Messenger\mezojelis83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac260.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac561.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac62.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac724.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac872.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac905.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac93.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\qulac99.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\rterteq.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\qoobox\Quarantine\C\WINDOWS\IA\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\qoobox\Quarantine\C\WINDOWS\IA\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\a1\rarndrll2.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\g2\caws83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\g2\caws83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\r2\wr31drs.exe.vir Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\qoobox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP384\A0269982.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0269984.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0269984.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0269985.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0269987.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0269988.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0270002.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0270999.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0270999.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0271000.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0271004.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0271987.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0271988.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0272000.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0272002.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0272002.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0272003.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0272987.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273000.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273000.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273001.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273010.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273011.exe Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273017.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273031.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273031.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273032.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP385\A0273033.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273043.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273044.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273045.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273046.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273047.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273048.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273049.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273051.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273052.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273053.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273053.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273054.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273056.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273057.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273057.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP386\A0273064.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP387\A0274064.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0274073.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0274073.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0274074.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0275064.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0275076.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0275076.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0275077.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0276064.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0278075.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0278075.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP388\A0278076.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP391\A0278104.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP391\A0278121.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP391\A0278121.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP391\A0278122.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278159.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278160.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278161.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278162.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278163.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278164.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278165.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278165.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP392\A0278175.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{83BE25CE-CF1F-4EE7-A83E-5EE431814AD3}\RP394\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\WINDOWS\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcayax.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINDOWS\system32\fsrmddmb.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\gebxvvt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINDOWS\system32\gswhdehk.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\klabving.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\lderhtgi.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\pnruhefb.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\qjmjuqhu.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\rqtdidvs.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ygfqwwwq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 12:38:58 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fsrmddmb.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#8 Simon V.

MRU Emeritus

Authentic Member
897 posts

Posted 16 November 2007 - 10:47 AM

Please follow my instructions to the letter, as they otherwise won't work. Can you post the Virustotal/Jotti results in your next reply (see my previous post for instructions)?

Step 1

Open HijackThis, perform a scan and put a check next to the following item(s) (if present):

O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx

Close all programs except HijackThis and click on Fix checked.

Step 2

Delete the CFScript you currently have, and do the following:

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\yusqhtfk.dll
C:\WINDOWS\system32\ygfqwwwq.dll
C:\WINDOWS\system32\pnruhefb.exe
C:\WINDOWS\system32\ovlatrso.dll
C:\WINDOWS\system32\rideayao.dll
C:\WINDOWS\system32\lderhtgi.exe
C:\WINDOWS\system32\ssmjbbtw.dll
C:\WINDOWS\system32\gswhdehk.exe
C:\WINDOWS\system32\klabving.exe
C:\WINDOWS\system32\decpntbb.dll
C:\WINDOWS\system32\fsrmddmb.dll
C:\WINDOWS\system32\qjmjuqhu.dll
C:\WINDOWS\system32\rqtdidvs.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\gebxvvt.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\ddcayax.dll
C:\Program Files\MSN Gaming Zone\qulac.dll
C:\Program Files\Messenger\mezojelis83122.dll
C:\Program Files\Messenger\mezojelis4444.dll

Folder::

C:\WINDOWS\system32\Mz02r
C:\VundoFix Backups
C:\Temp\mZOr

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05D02035-9EB4-453C-87BB-013C3F785C18}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92065620-a8c4-4dfe-a1aa-ea405709d4f7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsrmddmb]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

In your next reply, please post:

the Combofix log
a new HijackThis log
the Virustotal/Jotti results

Edited by Simon V., 16 November 2007 - 10:52 AM.

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#9 Ramone

New Member

New Member
5 posts

Posted 17 November 2007 - 02:43 PM

Simon V. -

Things seem to be cleared up. However, when I do a Virustotal I get this:

"0 bytes size received / Se ha recibido un archivo vacio"

and when I do Jotti I get this:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

I have a virustotal log from a couple posts ago so I'll post it anyway

Virustotal:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.16.0 2007.11.15 -
AntiVir 7.6.0.34 2007.11.15 ADSPY/TTC.A.5
Authentium 4.93.8 2007.11.15 -
Avast 4.7.1074.0 2007.11.14 Win32:Adloader-KH
AVG 7.5.0.503 2007.11.15 Adware Generic2.JEG
BitDefender 7.2 2007.11.15 Adware.TTC
CAT-QuickHeal 9.00 2007.11.15 AdWare.TTC.a (Not a Virus)
ClamAV 0.91.2 2007.11.15 -
DrWeb 4.44.0.09170 2007.11.15 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5297 2007.11.15 Win32/Zquest.G
Ewido 4.0 2007.11.15 -
FileAdvisor 1 2007.11.15 Low threat detected
Fortinet 3.11.0.0 2007.10.19 Adware/TTC
F-Prot 4.4.2.54 2007.11.14 W32/Adware.WWV
F-Secure 6.70.13030.0 2007.11.15 -
Ikarus T3.1.1.12 2007.11.15 not-a-virus:AdWare.Win32.TTC.a
Kaspersky 7.0.0.125 2007.11.15 not-a-virus:AdWare.Win32.TTC.a
McAfee 5164 2007.11.15 Downloader-BEC
Microsoft 1.3007 2007.11.12 Program:Win32/TTC
NOD32v2 2661 2007.11.15 -
Norman 5.80.02 2007.11.15 W32/TTC.DX
Panda 9.0.0.4 2007.11.15 Adware/TTC
Prevx1 V2 2007.11.15 -
Rising 20.18.31.00 2007.11.15 AdWare.Win32.TTC.d
Sophos 4.23.0 2007.11.15 Troj/TTC-Gen
Sunbelt 2.2.907.0 2007.11.15 Adware.TTC
Symantec 10 2007.11.15 Downloader
TheHacker 6.2.9.129 2007.11.15 Adware/TTC.a
VBA32 3.12.2.5 2007.11.15 AdWare.Win32.TTC.a
VirusBuster 4.3.26:9 2007.11.15 -
Webwasher-Gateway 6.0.1 2007.11.15 Ad-Spyware.TTC.A.5
Additional information
File size: 282624 bytes
MD5: 0b36bd26e49f50029b240ef4c5f2f729
SHA1: 217b7851f3acac62eec1aa22fba5e282460a4d88
Bit9 info: http://fileadvisor.b...b240ef4c5f2f729

ATENTION AT

And here's the other logs:

ComboFix 07-11-08.1 - Dr. Becker 2007-11-17 12:08:25.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -8:00]Running from: C:\Documents and Settings\Dr. Becker\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dr. Becker\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Messenger\mezojelis4444.dll
C:\Program Files\Messenger\mezojelis83122.dll
C:\Program Files\MSN Gaming Zone\qulac.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\ddcayax.dll
C:\WINDOWS\system32\decpntbb.dll
C:\WINDOWS\system32\fsrmddmb.dll
C:\WINDOWS\system32\gebxvvt.dll
C:\WINDOWS\system32\gswhdehk.exe
C:\WINDOWS\system32\klabving.exe
C:\WINDOWS\system32\lderhtgi.exe
C:\WINDOWS\system32\ovlatrso.dll
C:\WINDOWS\system32\pnruhefb.exe
C:\WINDOWS\system32\qjmjuqhu.dll
C:\WINDOWS\system32\rideayao.dll
C:\WINDOWS\system32\rqtdidvs.exe
C:\WINDOWS\system32\ssmjbbtw.dll
C:\WINDOWS\system32\ygfqwwwq.dll
C:\WINDOWS\system32\yusqhtfk.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Dr. Becker\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Dr. Becker\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Dr. Becker\Favorites\Online Security Guide.lnk
C:\Program Files\Messenger\mezojelis4444.dll
C:\Program Files\Messenger\mezojelis83122.dll
C:\Temp\mZOr
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\ddcayax.dll
C:\WINDOWS\system32\decpntbb.dll
C:\WINDOWS\system32\fsrmddmb.dll
C:\WINDOWS\system32\fsrmddmb.dllbox
C:\WINDOWS\system32\gebxvvt.dll
C:\WINDOWS\system32\gswhdehk.exe
C:\WINDOWS\system32\klabving.exe
C:\WINDOWS\system32\lderhtgi.exe
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\ovlatrso.dll
C:\WINDOWS\system32\pnruhefb.exe
C:\WINDOWS\system32\qjmjuqhu.dll
C:\WINDOWS\system32\rideayao.dll
C:\WINDOWS\system32\rqtdidvs.exe
C:\WINDOWS\system32\ssmjbbtw.dll
C:\WINDOWS\system32\sstwa.ini
C:\WINDOWS\system32\sstwa.ini2
C:\WINDOWS\system32\ygfqwwwq.dll
C:\WINDOWS\system32\yusqhtfk.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-15 16:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-15 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-14 13:45 <DIR> d-------- C:\Program Files\CCleaner
2007-11-12 17:10 3,446 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 16:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-08 00:40 <DIR> d-------- C:\Temp
2007-10-31 15:31 <DIR> d-------- C:\Documents and Settings\All Users\SonicStage
2007-10-31 15:24 90,112 --------- C:\WINDOWS\snymsico.dll
2007-10-31 15:24 38,951 --a------ C:\WINDOWS\system32\drivers\NETMDUSB.sys
2007-10-31 15:24 36,679 --a------ C:\WINDOWS\system32\drivers\NETMD052.sys
2007-10-31 15:24 36,232 --a------ C:\WINDOWS\system32\drivers\NETMD033.sys
2007-10-31 15:24 35,319 --a------ C:\WINDOWS\system32\drivers\NETMD031.sys
2007-10-31 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2007-10-31 15:19 <DIR> d-------- C:\Program Files\Sony
2007-10-31 15:17 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2007-10-31 15:17 <DIR> d-------- C:\Documents and Settings\Dr. Becker\Application Data\Sony Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 23:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-11 00:14 --------- d-----w C:\Documents and Settings\Dr. Becker\Application Data\Corel
2007-09-23 04:41 --------- d-----w C:\Program Files\Audacity
2007-01-23 19:10 43,072 ----a-w C:\Documents and Settings\Dr. Becker\Application Data\GDIPFONTCACHEV1.DAT
2005-06-15 22:48 43,072 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-08-18 12:00:00 94,784 --sha-w C:\WINDOWS\twain.dll
2004-08-04 08:56:48 50,688 --sha-w C:\WINDOWS\twain_32.dll
2004-08-04 08:56:44 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 08:56:44 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 08:56:44 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 08:56:44 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 08:56:46 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 08:56:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 20:14 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-06-11 20:56 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-02 13:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-02 13:47]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-07-29 12:50]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-07-16 12:23]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 06:05]
"QT4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-04-20 12:56]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2001-07-19 13:50]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 03:25]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-03-31 10:16]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 10:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 17:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

R3 CALIAUD;HP ALI 3D Environmental Audio;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DP83815;National Semiconductor Corp. DP83815 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
R3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;C:\WINDOWS\system32\DRIVERS\MA521nd5.SYS
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;C:\WINDOWS\system32\DRIVERS\Express.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2005-03-31 18:20:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 12:23:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 12:27:31 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 14:42
C:\ComboFix3.txt ... 2007-11-12 17:02
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 12:42:49 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Hewlett-Packard\HP Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#10 Simon V.

MRU Emeritus

Authentic Member
897 posts

Posted 18 November 2007 - 06:21 AM

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....

Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)
When shown the disclaimer, select 2.

Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

Step 1: Turn off System Restore:

On the desktop, right-click My Computer
Click Properties
Click the System Restore tab
Check Turn off System Restore
Click Apply, and then click OK

Step 2: Reboot your computer.

Step 3: Turn on System Restore:

On the desktop, right-click My Computer
Click Properties
Click the System Restore tab
Uncheck Turn off System Restore
Click Apply, and then click OK

Note: Only do this once, NOT on a regular basis!

Make your Internet Explorer More Secure

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti-Virus Software - It is very imprtant that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that will come out.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Ad-Aware - Download and install Ad-Aware. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infections you had were Vundo (Virtumundo) and Smitfraud.

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#11 Simon V.

MRU Emeritus

Authentic Member
897 posts

Posted 21 November 2007 - 12:39 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

Body Background

skin color theme