I'm running Windows XP Pro w/SP2 installed and IE 6 (firewall enabled).
I have done the following:
1) been running SpyBot, which doesn't seem to disinfect everything (attached file prior to steps 3 & 4 below)
2) went into the System manually and from within IE (version 6) and deleted IE cookies. Although I deleted them, they keep coming back (especially some objectionable URLs)!
Also using Regedit, removed some obvious bad entries.
3) ran combofix. This picked up a lot of entries that SpyBot missed. Attached is the log file.
4) Ran HijackThis and am attaching the log.
In addition I have the following questions:
1) I get a startup error: "error loading c:\windows\system32\heoimaqb.dll. The specific module could not be found." I can find no references to what this is from a Google search.
2) upon startup I still get a command prompt window that opens and closes. Not sure, but could this be SpyBot and/or TeaTimer related and not an objectionable program trying to load? Maybe the attachments will help determine this and answer my question.
3) a recent startup gave the following message from SpyBot. I did not allow the change, but what does it mean?
old data
//ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
new data
www.google.com/ie
4) what is horygywi77798.exe? The system keeps searching for it in the system32 directory but can't find it. Is it a good or bad program?
5) what is jestertb.exe? I'll get a periodic message when switching users on my machine that it did not shut down correctly. Is this a good or bad program? I can't seem to find it anywhere on my system.
Thanks for the assistance. This is a valuable resource.
----------------
SPYBOT LOG FILE (PRODUCED 01-11-2008)
Command Service: System Service (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Command Service: [SBI $552E2618] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv
Command Service: [SBI $8791CCEF] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv
Command Service: [SBI $23EF4E2A] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv
Command Service: [SBI $D9E7976F] Library (File, fixed)
C:\WINDOWS\system32\atmtd.dll
Command Service: [SBI $D9E7976F] Library (File, fixed)
C:\WINDOWS\system32\atmtd.dll._
Command Service: [SBI $C53578BD] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
Command Service: [SBI $F0D8CEEE] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
Smitfraud-C.: [SBI $F61DC5EA] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{645FF040-5081-101B-9F08-00AA002F954E}
Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-484763869-884357618-839522115-1003\Software\Microsoft\rdfa
Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
Virtumonde: [SBI $72423952] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService
Virtumonde: [SBI $08956178] System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService
Virtumonde: [SBI $0A4B665F] System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService
Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-484763869-884357618-839522115-1003\Software\Microsoft\aldd
Virtumonde.ddc: [SBI $6DAC5CA3] Executable (File, fixed)
C:\WINDOWS\system32\citeoren.exe
Virtumonde.ddc: [SBI $6DAC5CA3] Executable (File, fixed)
C:\WINDOWS\system32\kiolfmal.exe
Virtumonde.ddc: [SBI $6DAC5CA3] Executable (File, fixed)
C:\WINDOWS\system32\kxgnmknw.exe
Virtumonde.ddc: [SBI $6DAC5CA3] Executable (File, fixed)
C:\WINDOWS\system32\luoiprlq.exe
Virtumonde.ddc: [SBI $6DAC5CA3] Executable (File, fixed)
C:\WINDOWS\system32\narfomyf.exe
Virtumonde.ddc: [SBI $6DAC5CA3] Executable (File, fixed)
C:\WINDOWS\system32\_lxoyadlr.exe
Virtumonde.ddc: [SBI $530AFE4F] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ImagePath
Virtumonde.ddc: [SBI $B451B415] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SYSTEM32\LXOYADLR.EXE
Virtumonde.ddc: [SBI $A1ABDBE3] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService\ImagePath
Virtumonde.ddc: [SBI $B6A8D28A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\SYSTEM32\LXOYADLR.EXE
GoClick: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
BurstMedia: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
Zedo: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
MediaPlex: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
TagASaurus: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
DoubleClick: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
ZQest.K8L: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
Virtumonde: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
Virtumonde: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
BurstMedia: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
HitBox: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
MediaPlex: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
AdRevolver: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
AdRevolver: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
HitBox: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
CasaleMedia: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
AdRevolver: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
K2L: [SBI $61F39AC8] Tracking cookie (Internet Explorer: Kirk) (Cookie, fixed)
MediaPlex: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)
DoubleClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)
FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)
FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-12-23 unins001.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-12-19 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-12-19 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-12-19 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-12-19 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-12-19 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-12-19 Includes\PUPSC.sbi (*)
2007-12-19 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-12-19 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-12-19 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-12-12 Includes\Trojans.sbi (*)
2007-12-19 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
--------------------------------------------
COMBOFIX QUARANTINED FILES (produced 01-12-2008)
2006-09-01 04:32 84697 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b104.exe.vir
2007-07-11 02:29 22016 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b138.exe.vir
2007-07-19 12:46 18031 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
2007-08-02 08:43 282624 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\hoke83122.dll.vir
2007-08-02 20:44 169147 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oc9\qopre83122.exe.vir
2007-08-14 17:22 25105 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ex1\kolcidr311.exe.vir
2007-09-23 20:05 279600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2007-10-04 04:46 142 --a------ C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\profsyxy.html.vir
2007-10-10 08:53 184320 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b111.exe.vir
2007-10-19 08:26 0 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\FF\chrome.manifest.vir
2007-10-19 13:45 766 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\FF\install.rdf.vir
2007-10-27 12:09 31744 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrDrive\qdrloader.exe.vir
2007-10-27 12:39 233472 --a------ C:\Qoobox\Quarantine\C\Program Files\ISM\ism.exe.vir
2007-10-27 14:37 192512 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrDrive\QdrDrive8.dll.vir
2007-10-31 09:44 138 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt.vir
2007-10-31 11:30 45056 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir
2007-11-01 08:44 60928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ccjj.dll.vir
2007-11-01 08:44 60928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\syl.dll.vir
2007-11-01 08:45 230400 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Sandy\Application Data\MBOLS~1\s?chost.exe.vir
2007-11-01 08:45 230400 --a------ C:\Qoobox\Quarantine\C\Program Files\FNTS~1\??rvices.exe.vir
2007-11-08 11:41 24656 --a------ C:\Qoobox\Quarantine\C\TEMP\1cb\syscheck.log.vir
2007-11-16 02:07 117913 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\abc2\bmbrpl2.exe.vir
2007-11-30 07:33 352256 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrModule\QdrModule10.exe.vir
2007-12-04 07:42 299008 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b148.exe.vir
2007-12-11 07:11 96256 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b151.exe.vir
2007-12-12 06:50 32768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ineWc01\ineWc011065.exe.vir
2007-12-15 19:47 1563 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Sandy\Start Menu\Programs\Outerinfo\Uninstall.lnk.vir
2007-12-15 19:47 39936 --a------ C:\Qoobox\Quarantine\C\WINDOWS\mrofinu72.exe.vir
2007-12-15 19:47 622 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Sandy\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk.vir
2007-12-15 19:47 658 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Sandy\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk.vir
2007-12-15 19:47 710 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Sandy\Start Menu\Programs\Outerinfo\Terms.lnk.vir
2007-12-15 19:47 72704 --a------ C:\Qoobox\Quarantine\C\Program Files\WNSXS~1\scanregw.exe.vir
2007-12-15 19:47 78122 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrModule\kwd.gz.vir
2007-12-15 19:52 334848 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcya.dll.vir
2007-12-15 20:28 40448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\khfffgd.dll.vir
2007-12-15 20:29 171520 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ksyydvj.dll.vir
2007-12-15 20:29 1858 --a------ C:\Qoobox\Quarantine\C\TEMP\tpBe12\etFr.log.vir
2007-12-15 20:29 39936 --a------ C:\Qoobox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir
2007-12-15 20:29 40448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrqqqo.dll.vir
2007-12-15 20:30 70144 --a------ C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\lavuka.dll.vir
2007-12-15 20:31 39936 --a------ C:\Qoobox\Quarantine\C\WINDOWS\mrofinu572.exe.vir
2007-12-15 20:34 40448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\byxyaba.dll.vir
2007-12-15 21:39 70144 --a------ C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\lavuka637.dll.vir
2007-12-16 19:26 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2007-12-17 17:54 397312 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrPack\QdrPack11.exe.vir
2007-12-17 18:38 80448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hjxmfvmg.dll.vir
2007-12-17 18:39 135168 --a------ C:\Qoobox\Quarantine\C\WINDOWS\tk58.exe.vir
2007-12-17 18:39 48640 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Faith\Application Data\WinTouch\WTUninstaller.exe.vir
2007-12-17 18:39 70144 --a------ C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\lavuka315.dll.vir
2007-12-17 18:40 181760 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Faith\Application Data\WinTouch\WinTouch.exe.vir
2007-12-17 19:19 1563 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Faith\Start Menu\Programs\Outerinfo\Uninstall.lnk.vir
2007-12-17 19:19 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wnscpicom32.exe.vir
2007-12-17 19:19 710 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Faith\Start Menu\Programs\Outerinfo\Terms.lnk.vir
2007-12-17 19:19 72704 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Faith\My Documents\CROSOF~1.NET\netdde.exe.vir
2007-12-17 19:22 124818 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Faith\Application Data\WinTouch\wintouch.cfg.vir
2007-12-17 19:34 10752 --a------ C:\Qoobox\Quarantine\C\Program Files\Router\UnInstall.exe.vir
2007-12-17 19:34 137728 --a------ C:\Qoobox\Quarantine\C\Program Files\Router\Router.exe.vir
2007-12-18 21:11 986933 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cdpvxjyn.ini.vir
2007-12-18 21:12 80448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\efbrotjs.dll.vir
2007-12-18 21:12 85568 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ugbjyprp.dll.vir
2007-12-19 20:13 515 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-12-19 20:16 987113 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\prpyjbgu.ini.vir
2007-12-19 21:12 80448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dgubhktj.dll.vir
2007-12-23 17:45 78912 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ixbucekb.dll.vir
2007-12-23 17:45 990690 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jlobsrco.ini.vir
2007-12-25 10:44 990870 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bqamioeh.ini.vir
2007-12-25 10:46 78400 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hgibwbyp.dll.vir
2007-12-25 10:46 87104 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mbrmslrs.dll.vir
2007-12-25 10:47 1795703 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\srlsmrbm.ini.vir
2007-12-26 13:15 1027522 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rbppikfc.ini.vir
2007-12-26 13:15 90176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_cfkippbr.dll.vir
2007-12-27 19:54 162137 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrModule\dic.gz.vir
2007-12-27 19:54 162137 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrPack\dicts.gz.vir
2007-12-27 19:54 32749 --a------ C:\Qoobox\Quarantine\C\Program Files\ISM\Uninstall.exe.vir
2007-12-27 19:54 6307 --a------ C:\Qoobox\Quarantine\C\Program Files\QdrPack\trgts.gz.vir
2007-12-27 19:55 81984 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\terlufmw.dll.vir
2007-12-27 20:10 90176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vscpgqst.dll.vir
2007-12-28 17:45 1031199 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tsqgpcsv.ini.vir
2007-12-28 19:57 1031139 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ctdtcmll.ini.vir
2007-12-28 19:57 90176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\llmctdtc.dll.vir
2007-12-28 19:58 77888 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kohwxcjv.dll.vir
2007-12-31 18:18 1031139 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\envpvors.ini.vir
2007-12-31 18:18 78912 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\imugaagd.dll.vir
2007-12-31 18:18 90176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\srovpvne.dll.vir
2008-01-06 22:03 90176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jhcawpgl.dll.vir
2008-01-06 22:32 1043860 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lgpwachj.ini.vir
2008-01-07 22:04 76864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tpgheawt.dll.vir
2008-01-07 22:07 1043795 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\irxijwba.ini.vir
2008-01-07 22:07 90176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\abwjixri.dll.vir
2008-01-11 00:09 79424 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\souawoxi.dll.vir
2008-01-12 22:37 70208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fofqwsbi.dll.vir
2008-01-12 22:38 76864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tqgypppj.dll.vir
2008-01-12 22:40 90176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vkwnlrrb.dll.vir
2008-01-12 22:41 1060382 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\brrlnwkv.ini.vir
2008-01-12 23:49 1004 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.dat
2008-01-12 23:49 2956 --a------ C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.dat
2008-01-12 23:49 433997 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\aycdd.ini.vir
2008-01-12 23:49 433997 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\aycdd.ini2.vir
2008-01-12 23:49 658 --a------ C:\Qoobox\Quarantine\Registry_backups\hklm_windowsNT_windows.reg.dat
2008-01-12 23:49 832 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.dat
2008-01-12 23:49 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat
2008-01-12 23:49 862 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.dat
2008-01-12 23:50 152 --a------ C:\Qoobox\Quarantine\catchme.log
2008-01-12 23:50 297091 --a------ C:\Qoobox\Quarantine\catchme2008-01-12_235404.89.zip
2008-01-12 23:51 22230 --a------ C:\Qoobox\Quarantine\C\ComboFix\errdbg.dat.vir
END FILE
----------------------------------
HIJACKTHIS LOG FILE (produced 01-16-2008)
Logfile of HijackThis v1.99.1
Scan saved at 9:12:06 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\jestertb.exe
C:\Program Files\WindowsUpdate\horygywi77798.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\XP files\Spyware\hijackthis_V1.99.01\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - (no file)
O2 - BHO: (no name) - {97fc17d0-89c6-4876-a4d7-3cfe360cf31f} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {E08BA36B-62AE-625C-D827-3AE605815CE5} - (no file)
O2 - BHO: (no name) - {E1DAF06D-34A9-650C-DA27-3AE605860BE2} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4 Suite Deluxe\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmartSound Software] C:\WINDOWS\jestertb.exe
O4 - HKLM\..\Run: [horygywi] C:\Program Files\WindowsUpdate\horygywi77798.exe
O4 - HKLM\..\Run: [a8d666ff] rundll32.exe "C:\WINDOWS\system32\heoimaqb.dll",b
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8542] command /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://www.verizon....tivePreQual.cab
O20 - Winlogon Notify: jkkjgde - jkkjgde.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
---------------
Thanks
Kirk Cover
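A small HijackThis triage helper, added here as an example (not the poster's code and not part of HijackThis, Spybot or ComboFix): it parses O2, O4 and O20 lines like those in the log above and flags the entries the questions concern, such as the rundll32 entry loading heoimaqb.dll, the "WindowsUpdate" folder under Program Files, and the orphaned Winlogon Notify entry. The name-shape heuristics, the hypothetical MIMIC_DIRS watch list and the sample lines (copied from this thread's log) are assumptions of the example, and a flag means "worth checking", not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in this thread,
# chosen so the heuristics see both benign and suspect entries.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmartSound Software] C:\WINDOWS\jestertb.exe
O4 - HKLM\..\Run: [horygywi] C:\Program Files\WindowsUpdate\horygywi77798.exe
O4 - HKLM\..\Run: [a8d666ff] rundll32.exe "C:\WINDOWS\system32\heoimaqb.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: jkkjgde - jkkjgde.dll (file missing)
"""

# Assumed heuristics, not HijackThis rules: the droppers in this thread use
# 7-9 random lowercase letters for file names and an 8-hex-digit Run value
# name, and a "WindowsUpdate" folder under Program Files mimics a component
# that really lives under C:\WINDOWS.
RANDOM_NAME = re.compile(r"^[a-z]{7,9}$")
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")
MIMIC_DIRS = (r"\program files\windowsupdate",)  # hypothetical watch list
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list


def split_path(path):
    """Return (lower-cased directory, file name without extension)."""
    path = path.strip().strip('"').replace("/", "\\")
    directory, _, base = path.rpartition("\\")
    return directory.lower(), base.rsplit(".", 1)[0]


def loaded_module(cmd):
    """File an O4 command really loads: the DLL argument for rundll32,
    otherwise the (possibly quoted) executable itself."""
    m = re.match(r'^\s*"?(?P<exe>[^"]+?\.exe)"?\s*(?P<args>.*)$', cmd, re.IGNORECASE)
    if not m:
        return cmd.strip()
    if split_path(m.group("exe"))[1].lower() == "rundll32":
        return m.group("args").split(",", 1)[0].strip().strip('"')
    return m.group("exe")


def triage(log_text):
    """Flag HijackThis O2/O4/O20 entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line, reasons = line.strip(), []
        if m := O2_LINE.match(line):
            if m.group("path") == "(no file)":
                reasons.append("BHO registered but its file is missing (orphaned entry)")
        elif m := O4_LINE.match(line):
            name, module = m.group("name"), loaded_module(m.group("cmd"))
            directory, stem = split_path(module)
            if HEX_VALUE_NAME.match(name):
                reasons.append(f"Run value name {name!r} is 8 hex digits")
            if RANDOM_NAME.match(name) or RANDOM_NAME.match(stem):
                reasons.append(f"random-looking name in {module!r}")
            if any(d in directory for d in MIMIC_DIRS):
                reasons.append(f"{module!r} runs from a folder mimicking a Windows component")
        elif m := O20_LINE.match(line):
            if "file missing" in m.group("rest"):
                reasons.append("Winlogon Notify DLL missing on disk (orphaned entry)")
            if RANDOM_NAME.match(split_path(m.group("dll"))[1]):
                reasons.append(f"random-looking Winlogon Notify DLL {m.group('dll')!r}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        print("   ->", "; ".join(f.reasons))
```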