TROJANS!


This topic is locked
13 replies to this topic

#1 wittleangel124 (Full Member, 7 posts)

Posted 11 June 2007 - 11:17 AM

So... there are trojans exploding and spawning like crazy on my laptop and I need help removing them.
If anyone can help me, that would be GREATLY appreciated!! >.<

Logfile of HijackThis v1.99.1
Scan saved at 11:40:42 AM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
C:\Program Files\Common Files\AOL\1157067477\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
c:\program files\common files\aol\1157067477\ee\anotify.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1157067477\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ijuvxggf.dll",realset
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\STEM32~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [Piyzqlv] "C:\Program Files\Common Files\??crosoft.NET\l?ass.exe"
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZCfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
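Before the helper replies, here is how one would mechanically triage a log like the one above. This is an added example, not part of the thread and not HijackThis code: a small Python script that parses the O2/O4/O20 lines and tags the ones showing the signs a helper looks for first: "(file missing)" orphans, paths containing "?" (an illegal character in a Windows file name, so the tool substituted it for something it could not render), an 8.3 short name directly under C:\WINDOWS, bare file names with no directory, and random-looking names dropped loose in system32 or Application Data. The vowel-ratio test and the small allow-list are heuristics of my own, and they deliberately do not catch known adware such as MyWebSearch, which is matched by name rather than by shape. The sample input is a subset of the entries from this log.

```python
"""Triage the O2/O4/O20 lines of a HijackThis 1.99.1 log.

Added example, not part of the thread and not HijackThis's own code. Each
flagged entry gets one or more reason tags:
  file-missing : the autostart entry points at a file that is no longer there
  unprintable  : a '?' inside a path; '?' is illegal in Windows file names, so
                 the tool substituted it for a character it could not render
  short-name   : an 8.3 short name (XXXXXX~1) directly under the Windows folder;
                 the real system32/system folders never need one
  no-path      : a bare file name with no directory, resolved via the search path
  random-name  : very few vowels or a long consonant run, dropped loose in
                 system32, %WINDIR%, Application Data or Temp
"""
import re

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
WIN_PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|scr|cpl|sys))(?=[\s,"]|$)', re.I)
SHORT_NAME_RE = re.compile(r"^[A-Z0-9_]{1,6}~\d+$", re.I)
# small allow-list of legitimate system binaries whose names look random
KNOWN_SYSTEM_NAMES = {"ctfmon", "svchost", "rundll32", "explorer", "wgalogon", "userinit"}
# directories where a legitimate installer rarely drops a loose executable
LOOSE_PARENTS = ("\\windows", "\\system32", "\\application data", "\\temp")

# Sample input: entries copied from the logs posted in this thread (a subset).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Application Data\ipqpwngj.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ijuvxggf.dll",realset
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\STEM32~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [Piyzqlv] "C:\Program Files\Common Files\??crosoft.NET\l?ass.exe"
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
O2 - BHO: (no name) - {367B8BAA-589D-4B32-AEF2-F50DBE4C3BAe} - C:\WINDOWS\system32\yousqqnx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
"""


def extract_command(body):
    """Split the text after 'O4 - ' into (command line, file_missing flag)."""
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    body = body.split(": ", 1)[-1]             # drop 'HKLM\..\Run: ', 'BHO: ', 'Winlogon Notify: '
    if body.startswith("["):                   # [name] command
        return body.split("] ", 1)[1], missing
    if " = " in body:                          # shortcut.lnk = target
        return body.split(" = ", 1)[1], missing
    return body.rsplit(" - ", 1)[-1], missing  # name - {CLSID} - path


def extract_path(command):
    """Pull the file that actually gets loaded out of a command line."""
    quoted = re.search(r'"([^"]+)"', command)  # rundll32.exe "C:\...\x.dll",func
    if quoted:
        return quoted.group(1)
    m = WIN_PATH_RE.search(command)            # unquoted path, may contain spaces
    if m:
        return m.group(1)
    return re.split(r" [/-]", command)[0]      # bare name such as smgr.exe


def looks_random(stem):
    """Heuristic: 7+ letters with under 30% vowels, or five consonants in a row."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 7 or stem.lower() in KNOWN_SYSTEM_NAMES:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    return vowel_ratio < 0.3 or re.search(r"[^aeiouy]{5}", letters) is not None


def reasons_for(path, missing):
    reasons = []
    if missing:
        reasons.append("file-missing")
    if "?" in path:
        reasons.append("unprintable")
    parts = path.split("\\")
    parent = "\\".join(parts[:-1]).lower()
    stem = parts[-1].rsplit(".", 1)[0]
    if (len(parts) >= 3 and parent.rsplit("\\", 1)[0] == "c:\\windows"
            and SHORT_NAME_RE.match(parts[-2])):
        reasons.append("short-name")
    bare = len(parts) == 1
    if bare:
        reasons.append("no-path")
    if (bare or any(seg in parent for seg in LOOSE_PARENTS)) and looks_random(stem):
        reasons.append("random-name")
    return reasons


def triage(log_text):
    """Return {path: [reasons]} for every suspicious O2/O4/O20 entry in the log."""
    flagged = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) not in ("O2", "O4", "O20"):
            continue
        command, missing = extract_command(m.group(2))
        path = extract_path(command)
        reasons = reasons_for(path, missing)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, why in triage(SAMPLE_HJT).items():
        print(f"{', '.join(why):28} {path}")
```

Run on the sample it flags seven entries and leaves the AVG, WgaLogon and MyWebSearch lines alone; the "unprintable" and "short-name" tags are the ones that single out the two fake-system-folder entries the helper later asks to delete.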

#2 wittleangel124 (Full Member, 7 posts)

Posted 11 June 2007 - 11:30 PM

I continuously scan my laptop with Ad-Aware SE and AVG and I get something new every time.


These are some of the files that AVG has healed:

Trojan horse Generic4.XZM
(file name) qtuyebki.dll
Trojan horse Generic4.SLB
enmkcvwn.dll
Trojan horse Downloader.Generic3.QFH
!update.exe
Trojan horse Collected.11.B
(upsidedown exclamation point)emidafr.dll
Trojan horse Downloader.Generic3.GFH
!update.exe
Trojan horse Downloader.Generic3.GFH
!update-4395[1].0000
Trojan horse Collected.11.B
glchmcar.dll
Trojan horse Collected.11.B
ftwcapwt.dll
Trojan horse Generic4.YAR
axhpwyyq.dll



I also keep getting pesky popups all the time, and tracking cookies keep
respawning after I delete them with Ad-Aware...

Please help; any help would be greatly appreciated.

#3 SWI Support Robot (Helper robot, SWI Bot, 23,523 posts)

Posted 14 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 16 June 2007 - 07:52 AM

Hi,

Sorry you've had to wait for a few days but all of the helpers here are volunteers and we've been really busy recently.

To begin with, please download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! Files that were in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
I'll look out for your reply :)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#5 wittleangel124 (Full Member, 7 posts)

Posted 21 June 2007 - 11:55 AM

Sorry it took me so long to respond. Thanks again for helping me.

I was unable to move the incurable files (I think there were none to move).

Here's the report:

!update-4395[1].0000;C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\15TB4LBG;Trojan.DownLoader.22753;Deleted.;
A0100370.dll;C:\System Volume Information\_restore{0689352A-53B8-4058-A03B-143112D4E8F0}\RP264;Adware.Crew;;
F3CJPEG.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Funweb;;
F3HISTSW.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
F3PSSAVR.SCR;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
f3PSSavr.scr;C:\WINDOWS\system32;Adware.Msearch;;
F3REPROX.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Funweb;;
F3RESTUB.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
F3SCHMON.EXE;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
F3SCRCTR.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.MWS;;
F3WPHOOK.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
jkhfe.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
jkhfe.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
M3IDLE.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.MWS;;
M3OUTLCN.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
M3PLUGIN.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
mwsbar.dll;c:\program files\mywebsearch\bar\6.bin;Adware.MWS;;
MWSBAR.DLL;C:\Program Files\MyWebSearch\bar\3.bin;Adware.MWS;;
MWSBAR.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.MWS;;
MWSBAR.DLL;C:\Program Files\MyWebSearch\bar\5.bin;Adware.MWS;;
MWSBAR.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.MWS;;
mwsoemon.exe;c:\program files\mywebsearch\bar\6.bin;Adware.Msearch;;
MWSOEMON.EXE;C:\Program Files\MyWebSearch\bar\3.bin;Adware.Msearch;;
MWSOEMON.EXE;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
MWSOESTB.DLL;C:\Program Files\MyWebSearch\bar\3.bin;Adware.MWS;;
MWSOESTB.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.MWS;;
mwssrcas.dll;c:\program files\mywebsearch\srchastt\6.bin;Adware.MWS;;
MWSSRCAS.DLL;C:\Program Files\MyWebSearch\SrchAstt\6.bin;Adware.MWS;;
NPMYWEBS.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
rqrrrpq.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
rqrrrpq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
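The report above is Dr.Web CureIt's DrWeb.csv: one line per detection, fields separated by ";" in the order name;directory;detection;action;. What follows is an added example, not Dr.Web's code and not part of the thread: a Python parser for that layout that collapses the rows Dr.Web lists twice with different directory case (NTFS paths are case-insensitive, so they are the same file), and pulls out what a helper reads off the report first: which files were only marked "Will be cured after reboot", which rows carry no action at all, and which hits sit inside a System Restore snapshot. The sample rows are a subset of the report posted above.

```python
"""Parse a Dr.Web CureIt report (DrWeb.csv) and pull out what a helper reads first.

Added example: not Dr.Web's code and not part of the thread. Row layout is
name;directory;detection;action; as shown in the post above.
"""
import csv
from collections import Counter

# Sample input: a subset of the rows from the report posted above.
SAMPLE_DRWEB = r"""
!update-4395[1].0000;C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\15TB4LBG;Trojan.DownLoader.22753;Deleted.;
A0100370.dll;C:\System Volume Information\_restore{0689352A-53B8-4058-A03B-143112D4E8F0}\RP264;Adware.Crew;;
F3SCHMON.EXE;C:\Program Files\MyWebSearch\bar\6.bin;Adware.Msearch;;
jkhfe.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
jkhfe.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
MWSBAR.DLL;C:\Program Files\MyWebSearch\bar\3.bin;Adware.MWS;;
MWSBAR.DLL;C:\Program Files\MyWebSearch\bar\6.bin;Adware.MWS;;
rqrrrpq.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
rqrrrpq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
"""


def parse_report(text):
    """One dict per row; blank lines are skipped."""
    rows = []
    for fields in csv.reader(text.splitlines(), delimiter=";"):
        if len(fields) < 4 or not fields[0]:
            continue
        name, directory, detection, action = fields[:4]
        rows.append({
            "path": directory.rstrip("\\") + "\\" + name,
            "detection": detection,
            "action": action.strip(". "),          # "Deleted." -> "Deleted", "" stays ""
            "in_restore_point": "\\_restore{" in directory.lower(),
        })
    return rows


def dedupe(rows):
    """NTFS paths are case-insensitive and Dr.Web reports the same file twice
    with different directory case, so collapse on a case-folded key and keep
    the first row seen."""
    seen = {}
    for row in rows:
        seen.setdefault(row["path"].lower(), row)
    return list(seen.values())


def summarize(rows):
    """Detections per signature name, after de-duplication."""
    return Counter(r["detection"] for r in dedupe(rows))


def pending_reboot(rows):
    """Files Dr.Web could not cure while they were loaded; they stay on disk until
    the reboot the helper asks for, so the next log must be checked for them."""
    return [r["path"] for r in dedupe(rows)
            if r["action"].lower().startswith("will be cured after reboot")]


def no_action(rows):
    """Rows whose action column is empty: reported, with no action recorded."""
    return [r["path"] for r in dedupe(rows) if not r["action"]]


def restore_point_hits(rows):
    """Detections inside a System Volume Information _restore{...} folder:
    snapshot copies that come back only if that restore point is applied."""
    return [r["path"] for r in dedupe(rows) if r["in_restore_point"]]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_DRWEB)
    print(summarize(rows))
    print("pending reboot:", pending_reboot(rows))
    print("no action:", no_action(rows))
    print("restore points:", restore_point_hits(rows))
```

The two "after reboot" files are the ones to look for in the next log (the ComboFix log later in this thread lists both as deleted), and the _restore{...} hit is the reason a cleanup normally ends with purging System Restore points: the copy there is inert unless that restore point is applied.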

#6 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 21 June 2007 - 03:57 PM

Hi,

Thanks for posting back, that report looks good, but just to make quite sure we get everything, please download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks, I'll look out for your reply :)
Chancellor


#7 wittleangel124 (Full Member, 7 posts)

Posted 22 June 2007 - 12:18 PM

Everything went well! Here are the logs, ComboFix followed by HijackThis.

ComboFix 07-06-18.2 - C:\Documents and Settings\Katie\Desktop\ComboFix.exe
"Katie" - 2007-06-22 12:58:47 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fftkworv.dll
C:\WINDOWS\system32\hteoyqqh.dll
C:\WINDOWS\system32\kppxqphq.dll
C:\WINDOWS\system32\pblldats.dll
C:\WINDOWS\system32\qocqmcnt.dll
C:\WINDOWS\system32\ttqnacwa.dll
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\vrowktff.ini
C:\WINDOWS\system32\hqqyoeth.ini
C:\WINDOWS\system32\qhpqxppk.ini
C:\WINDOWS\system32\stadllbp.ini
C:\WINDOWS\system32\tncmqcoq.ini
C:\WINDOWS\system32\awcanqtt.ini
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\rqrrrpq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\ipqpwngj.exe
C:\DOCUME~1\Katie\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\crosof~1.net\l?ass.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\windev-1708-5993.sys
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\windev-1708-5993


((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


2007-06-22 12:57 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 12:57 4,628 --a------ C:\WINDOWS\system32\cyifqolp.exe
2007-06-19 20:25 <DIR> d-------- C:\DOCUME~1\Katie\DoctorWeb
2007-06-19 14:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-06-17 22:41 <DIR> d-------- C:\DOCUME~1\Katie\APPLIC~1\Google
2007-06-17 22:32 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-17 22:32 <DIR> d-------- C:\Program Files\Google
2007-06-17 22:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-17 22:19 <DIR> d-------- C:\WINDOWS\system32\mevqvvvb
2007-06-17 22:18 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-16 18:25 94,976 --a------ C:\mevqvvvb3.exe
2007-06-16 18:24 99,072 --a------ C:\mevqvvvb1.exe
2007-06-16 18:24 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-16 18:24 100,096 --a------ C:\mevqvvvb2.exe
2007-06-11 11:39 <DIR> d-------- C:\hijackthis
2007-06-07 12:19 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-03 21:36 60,928 --a------ C:\WINDOWS\system32\qmqvfv.dll
2007-06-03 21:09 <DIR> d-------- C:\Program Files\Guild Wars


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-19 23:56:49 -------- d-----w C:\Program Files\AOD
2007-06-19 23:11:24 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-19 19:26:24 -------- d-----w C:\Program Files\epson
2007-06-19 19:23:50 -------- d-----w C:\Program Files\AIM95
2007-06-19 18:51:30 -------- d-----w C:\Program Files\Viewpoint
2007-06-19 18:37:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-19 18:24:59 -------- d-----w C:\Program Files\The Weather Channel FW
2007-06-07 15:18:41 -------- d-----w C:\Program Files\Windows NT
2007-06-07 15:14:47 -------- d-----w C:\Program Files\Oberon Media
2007-05-18 05:04:31 -------- d-----w C:\Program Files\Advanced Grapher
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 21:12]
{367B8BAA-589D-4B32-AEF2-F50DBE4C3BAe}=C:\WINDOWS\system32\yousqqnx.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2001-08-16 17:35]
{C8096865-A1D8-DC5A-8A0C-82ADDEE327E4}=C:\WINDOWS\system32\qmqvfv.dll [2007-05-21 09:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 01:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 18:01]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 17:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 19:21]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 21:38]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 18:52]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2002-01-31 11:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-06-24 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-26 00:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-07 20:30]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 22:44]
"HostManager"="C:\Program Files\Common Files\AOL\1182294642\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe" [2005-12-26 11:11]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Tbsa"="C:\WINDOWS\STEM32~1\mmc.exe" []
"Piyzqlv"="C:\Program Files\Common Files\??crosoft.NET\l?ass.exe" []
"SystemDoctor 2006 Free"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-17 22:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintfj32]
wintfj32.dll


Contents of the 'Scheduled Tasks' folder
2007-06-22 17:10:48 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 13:10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????????h?A??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-22 13:12:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-22 13:12

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 13:14, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Common Files\AOL\1182294642\ee\aolsoftware.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {367B8BAA-589D-4B32-AEF2-F50DBE4C3BAe} - C:\WINDOWS\system32\yousqqnx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C8096865-A1D8-DC5A-8A0C-82ADDEE327E4} - C:\WINDOWS\system32\qmqvfv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182294642\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\STEM32~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [Piyzqlv] "C:\Program Files\Common Files\??crosoft.NET\l?ass.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZCfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#8 Chancellor
Forum Deity, Emeritus, 3,020 posts

Posted 23 June 2007 - 07:46 AM

Hello again,

This is looking much better :D

To clean up, please go to the Add or Remove Programs feature in Control Panel and remove anything related to:

MyWebSearch

Then, having done that, please run HijackThis again and place a check next to the following entries:

O2 - BHO: (no name) - {367B8BAA-589D-4B32-AEF2-F50DBE4C3BAe} - C:\WINDOWS\system32\yousqqnx.dll (file missing)
O2 - BHO: (no name) - {C8096865-A1D8-DC5A-8A0C-82ADDEE327E4} - C:\WINDOWS\system32\qmqvfv.dll
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\STEM32~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [Piyzqlv] "C:\Program Files\Common Files\??crosoft.NET\l?ass.exe"
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\6.bin\MWSOEMON.EXE
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)


Now, having checked those entries, close all other open windows and browsers EXCEPT HijackThis and click on the Fix checked button.

Once you have done that, using Windows Explorer, locate and delete the following Folders and Files:

C:\PROGRAM FILES\MYWEBSEARCH <- - - This folder may also appear as MyWebSearch
C:\WINDOWS\STEM32~1
C:\Program Files\Common Files\??crosoft.NET

In the example above, the ~1 means that Windows has truncated part of the file name; the folder you need to delete will begin with STEM32 and have some letters or numbers after it. If there is more than one or you are in any way unsure, please let me know before proceeding!

C:\WINDOWS\system32\qmqvfv.dll

Then please re-boot your computer, post a fresh HijackThis log and let me know what problems persist.

I'll look out for your reply.

:D
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".
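A small triage script, added here as an example and not part of this thread or of HijackThis itself, that applies the cues the post above relies on to the entries quoted in this thread: a "(file missing)" reference, a "?" standing in for a character the log could not print in a path, and a ~1 short name sitting directly under WINDOWS (the STEM32~1 folder). The flag names, the helper functions and the sample log are constructed for the example.

```python
import re

# Constructed sample: entries drawn from the HijackThis logs quoted in this thread,
# mixing the entries that were asked to be fixed with known-good ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {367B8BAA-589D-4B32-AEF2-F50DBE4C3BAe} - C:\WINDOWS\system32\yousqqnx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\STEM32~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [Piyzqlv] "C:\Program Files\Common Files\??crosoft.NET\l?ass.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

FILE_MISSING = "file-missing"            # entry points at a file that is no longer on disk
LOOKALIKE = "lookalike-char"             # '?' inside a path: a character the log could not print
SHORT_NAME = "short-name-under-windows"  # 8.3 name (~1) directly under WINDOWS, like STEM32~1

def extract_path(line):
    """Return the Windows path an entry refers to, or None if it has none."""
    m = re.search(r'"([A-Za-z]:\\[^"]*)"', line)  # quoted path
    if m:
        return m.group(1)
    # unquoted path: stop before "(file missing)", a /switch or a -switch
    m = re.search(r'[A-Za-z]:\\.*?(?= \(file missing\)| /| -|$)', line)
    return m.group(0) if m else None

def flag_entry(line):
    """Return the list of heuristic flags raised by one HijackThis entry."""
    reasons = []
    if "(file missing)" in line:
        reasons.append(FILE_MISSING)
    path = extract_path(line)
    if path:
        if "?" in path:
            reasons.append(LOOKALIKE)
        if re.search(r"\\WINDOWS\\[^\\]*~\d", path, re.IGNORECASE):
            reasons.append(SHORT_NAME)
    return reasons

def triage(log):
    """Return [(entry, reasons)] for every entry that raised at least one flag."""
    out = []
    for line in log.splitlines():
        line = line.strip()
        if not line or not re.match(r"[RFO]\d+ - ", line):
            continue  # skip blank lines and non-entry lines (header, process list)
        reasons = flag_entry(line)
        if reasons:
            out.append((line, reasons))
    return out

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons), "->", entry)
```

The flags are only hints for a human reviewer: legitimate 8.3 names such as C:\PROGRA~1 are deliberately left alone, and a flagged entry still needs the kind of judgement shown in the post above before anything is fixed.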

#9 wittleangel124
Member, Full Member, 7 posts

Posted 23 June 2007 - 12:12 PM

When I went to add/remove programs, Mywebsearch wasn't there. I believe I did that a couple weeks ago.

There are some files I couldn't find to delete:
C:\WINDOWS\STEM32~1 all I have is system, and system32
C:\Program Files\Common Files\??crosoft.NET
C:\WINDOWS\system32\qmqvfv.dll

I'll reboot now and send the HijackThis log in my next reply.

#10 wittleangel124
Member, Full Member, 7 posts

Posted 23 June 2007 - 12:17 PM

Logfile of HijackThis v1.99.1
Scan saved at 13:15, on 6/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1182294642\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182294642\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZCfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#11 Chancellor
Forum Deity, Emeritus, 3,020 posts

Posted 23 June 2007 - 02:20 PM

Hello,

Not to worry about those folders not being there - you certainly don't want to delete either System or System32!

Your log looks clean - can you tell me how your computer is running?

:D

Edited by Chancellor, 23 June 2007 - 02:22 PM.

Chancellor


#12 wittleangel124
Member, Full Member, 7 posts

Posted 24 June 2007 - 10:33 AM

it's running much much better. it's like new again! thank u very very much!!! :D

#13 Chancellor
Forum Deity, Emeritus, 3,020 posts

Posted 24 June 2007 - 10:56 AM

Hello,

That's really excellent news :hyper:

Before we finish though, as your system is clean, we need to keep it that way. There are a few simple steps which, if you take a few moments to follow, can prevent you from having any further problems with malware.

Firstly, run Disk Cleanup
  • Go to Start > Run and type the command Cleanmgr > then click OK
  • If you have more than one hard drive, select the drive Windows is installed on and click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
  • Then in the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • Finally, in the confirmation window, select Yes (Disk Cleanup will then close).
Next, create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Choose Create a Restore Point and then click Next.
  • In the box for Restore point description, enter a descriptive name and click Create
  • When the Restore Point Created window appears, click Close
Also, there are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is the MVPS HOSTS File, available from http://www.mvps.org/...p2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Explorer's Restricted Zone and you can download that at http://www.spywarewa...uc/resource.htm.

SpywareBlaster by JavaCool is a free non-resident utility to prevent the installation of ActiveX-based malware. For real-time protection, there is SpywareGuard. Both are available from http://www.javacools...m/products.html.

In conclusion, you should also read the article So how did I get infected in the first place?

Once you've taken these precautions, if you find that you have any lingering problems or if you've experienced any difficulties since the fix, please let me know and post a fresh log for me to have a look at!

With best wishes for the future,

:D
Chancellor


#14 Chancellor
Forum Deity, Emeritus, 3,020 posts

Posted 01 July 2007 - 08:15 AM

Since this issue appears to be resolved, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Chancellor




