
Problems With Proxy Server


  • This topic is locked
21 replies to this topic

#1 Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 27 June 2007 - 07:25 PM

Hi, I'm new here so I'm sorry if I missed any of the steps in FAQ. I tried my best.

Anyway, I've been having trouble with getting onto the internet, which I'm almost positive has to do with a virus or more. I have Firefox, and whenever I click on it to go onto the internet, I get this message:

"The Proxy Server is refusing connections
-Firefox is configured to use a proxy server that is refusing connections
--Check the proxy settings to make sure they are correct
--Contact your network administrator to make sure the proxy server is working"

The only way I'm able to get onto the internet is if I go to Tools and check off direct connection to the internet, which can be a pain after a while. Anything requiring the server to go through the proxy server won't work on my computer, like MSN Messenger.

Also, I have Windows XP and I tried to run an AVG scan in safemode, but it kept freezing. Should I try that again?

Here's my HijackThis log...and yeah, I know...bad.



Logfile of HijackThis v1.99.1
Scan saved at 8:24:09 PM, on 6/27/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM+\AIM+.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {B3064E19-A3A4-D55E-D97A-8FADDABA73C3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Thanks, everyone :)

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 30 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 02 July 2007 - 08:52 AM

Hi,

There's indeed a proxy server set here, also in your Internet Explorer, so we'll have to get rid of that as well, together with some other malware that is present.

Perform the next instructions in the right order, please.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)
O2 - BHO: (no name) - {B3064E19-A3A4-D55E-D97A-8FADDABA73C3} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open Firefox > Tools > Options > Connection Settings. There you have to change the proxy settings in Firefox: remove the reference to localhost:8182, unselect the option "Manual proxy configuration" and select either "Auto-detect proxy" or "Direct connection to the internet".

If, after you've modified that and closed and reopened Firefox, you still get the same error, and under the proxy settings you see that "localhost:8182" is present and selected again, then look whether a user.js file has been created in the C:\Documents And Settings\Owner\Application Data\Mozilla\Firefox\(identity)\ folder.
If so, delete the user.js there, since this is not installed by default in Firefox anyway. Then you will be able to reset the proxy settings and it will keep the settings.

Then:
* Download Combofix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after the reboot (in case it asks to reboot), Combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
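The fix list in the post above is essentially a set of rules over the HijackThis sections: a ProxyServer value pointing at the local machine, anything chained after Explorer.exe or Userinit.exe in the F2 Winlogon entries, orphaned O2/O20 load points, O15 Trusted Zone additions, and a service whose svchost.exe lives outside System32. The Python script below, added here as an example and not a tool from this thread or from HijackThis, encodes those rules as a first-pass triage of a pasted log. The sample input is a handful of lines quoted from the first log in this thread plus a few benign entries; the "review" tier (about:blank search settings, unattributed services, auto-starts from Application Data) is a heuristic a human still has to judge, and the helper's KernelFaultCheck entry is deliberately not matched by any rule.

```python
"""Triage a HijackThis 1.99.x log for proxy hijacks and Winlogon/service
persistence.  Added example; the rules are heuristics modelled on the
entries marked for fixing in this thread, not a tool from it."""
import re

# "R1 - HKCU\...,ProxyServer = localhost:8182": section code, then body.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# A proxy that points at the machine itself is a classic interception
# setup on a home PC that has no reason to run a proxy at all.
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def parse_hjt(text):
    """Return (code, body) for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def extra_winlogon_parts(body, expected):
    """For F2 Shell=/UserInit= lines, return anything chained after the
    legitimate component (e.g. frear.exe sitting next to Explorer.exe)."""
    value = body.split("=", 1)[1]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts
            if p.lower() != expected and not p.lower().endswith("\\" + expected)]


def triage(entries):
    """Return {"fix": [...], "review": [...]} of entry bodies with a reason."""
    found = {"fix": [], "review": []}

    def add(tier, body, why):
        found[tier].append(f"{body}  <- {why}")

    for code, body in entries:
        low = body.lower()
        if code in ("R0", "R1"):
            if "internet settings,proxyserver" in low:
                host = body.split("=", 1)[1].strip().split(":")[0].lower()
                add("fix" if host in LOCAL_HOSTS else "review", body,
                    "proxy forced on IE/WinInet clients")
            elif low.endswith("= about:blank"):
                add("review", body, "about:blank is common hijack residue")
        elif code == "F2":
            extra = []
            if "shell=" in low:
                extra = extra_winlogon_parts(body, "explorer.exe")
            elif "userinit=" in low:
                extra = extra_winlogon_parts(body, "userinit.exe")
            if extra:
                add("fix", body, "extra program chained into Winlogon: " + ", ".join(extra))
        elif code in ("O2", "O20") and ("(no file)" in low or "(file missing)" in low):
            add("fix", body, "orphaned load point; nothing legitimate left to keep")
        elif code == "O15":
            add("fix", body, "Trusted Zone entry lowers IE security for that domain")
        elif code == "O23":
            if "\\svchost.exe" in low and "\\system32\\svchost.exe" not in low:
                add("fix", body, "svchost.exe outside System32 is never Microsoft's")
            elif "unknown owner" in low or "(file missing)" in low:
                add("review", body, "unattributed or orphaned service")
        elif code == "O4" and "\\application data\\" in low:
            add("review", body, "auto-start from a data folder, not Program Files")
    return found


def triage_log(text):
    return triage(parse_hjt(text))


# Lines quoted from the first log in this thread, plus benign entries
# (Google BHO, iTunes, a missing Yahoo button, Norton) the rules must ignore.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O15 - Trusted Zone: *.winantispyware.com
O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for tier in ("fix", "review"):
        print(f"== {tier} ==")
        for item in result[tier]:
            print(item)
```

On the sample the "fix" tier reproduces the helper's list (the local proxy, both Winlogon chains, the orphaned BHO and Notify entries, the Trusted Zone and the fake svchost service), while the NVIDIA service, the about:blank search setting and the Application Data auto-start land in "review". The O9 missing Yahoo button is left alone on purpose: a dead toolbar button is clutter, not a load point.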

#4 Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 02 July 2007 - 07:14 PM

Hey, thanks for taking the time to help

Anyway, I followed the directions and removed everything I needed to in HijackThis and also changed the proxy settings so localhost:8182 was removed. I think the main problem was the user.js, which I also removed. The error is no longer showing up. :)

Finally, since I don't want to accidentally post the quarantined files, I want to make sure whether what I got after running Combofix was that or the actual log, because it was just simply titled log, not combofix.txt, and when I looked through it I saw something mentioning quarantined files. Forgive me...I don't really know too much about this stuff so I wasn't sure, and I don't want to post the wrong thing. I'm just checking with you first to make sure that's it before I post it.


Nonetheless, here's the Hijack This log.


Logfile of HijackThis v1.99.1
Scan saved at 7:57:40 PM, on 7/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM+\AIM+.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\NOTEPAD.EXE
C:\WINNT\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by Ashlee5665, 02 July 2007 - 07:15 PM.
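The user.js finding confirmed in the post above is worth understanding, because it explains why the Firefox proxy kept coming back after being changed in Tools > Options: Firefox reads user.js at every start and writes its values over prefs.js, so a manual proxy placed there is re-applied no matter how often the dialog is reset. The script below, added as an example and not code from this thread or from Mozilla, parses the two pref files and reports which one pins the proxy. The user.js contents are constructed to match the host:port given in the thread (the actual file was never posted), and the profile directory layout used by scan_profiles is an assumption; the thread writes the profile folder as "(identity)".

```python
"""Find a Firefox user.js that forces a manual proxy on every start.
Added example, not from the thread.  user.js and prefs.js share the same
user_pref("name", value); line format; only user.js survives a UI change."""
import re
from pathlib import Path

PREF_LINE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$')

# Meaning of network.proxy.type in Firefox.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "auto-detect", 5: "system"}


def parse_prefs(text):
    """Parse user.js / prefs.js text into a {name: value} dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        raw = m.group("value").strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]                 # quoted string
        elif raw in ("true", "false"):
            value = raw == "true"             # boolean
        else:
            try:
                value = int(raw)              # integer (ports, type codes)
            except ValueError:
                value = raw
        prefs[m.group("name")] = value
    return prefs


def proxy_pins(prefs):
    """Return 'scheme host:port' for each proxy a manual configuration forces."""
    if prefs.get("network.proxy.type") != 1:
        return []
    pins = []
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host:
            pins.append(f"{scheme} {host}:{port}")
    return pins


def audit_profile(user_js_text, prefs_js_text):
    """Say which file is responsible for a proxy that keeps returning."""
    saved = parse_prefs(prefs_js_text)
    user_pins = proxy_pins(parse_prefs(user_js_text))
    return {
        "user_js_pins": user_pins,
        "prefs_js_pins": proxy_pins(saved),
        "prefs_js_mode": PROXY_TYPES.get(saved.get("network.proxy.type"), "unset"),
        # sticky: whatever the Options dialog saved is overwritten at next start
        "sticky": bool(user_pins),
    }


def scan_profiles(profiles_root):
    """Audit every <profile>/user.js under a Profiles directory (assumed
    layout: %APPDATA%/Mozilla/Firefox/Profiles/<name>/)."""
    results = {}
    for user_js in Path(profiles_root).glob("*/user.js"):
        prefs_js = user_js.with_name("prefs.js")
        saved = prefs_js.read_text(errors="replace") if prefs_js.exists() else ""
        results[str(user_js)] = audit_profile(user_js.read_text(errors="replace"), saved)
    return results


# Constructed: the thread gives only "localhost:8182", not the file itself.
USER_JS = """
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8182);
user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 8182);
"""

# Constructed: prefs.js after the user selects "Direct connection" in the UI.
PREFS_JS = """
user_pref("network.proxy.type", 0);
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
"""

if __name__ == "__main__":
    verdict = audit_profile(USER_JS, PREFS_JS)
    print(verdict)
    if verdict["sticky"]:
        print("user.js re-pins the proxy on every start; delete it or fix it there.")
```

The audit returns the proxy pinned by user.js alongside the "direct" mode saved in prefs.js, which is exactly the contradiction seen in the thread: the dialog shows the change was saved, and the next start undoes it. A clean Firefox install has no user.js at all, so its mere presence on a machine whose owner never created one is the finding.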


#5 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 03 July 2007 - 12:41 AM

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Wasn't there a Combofix.txt created?
Please try to run Combofix again and wait until the logfile opens automatically.
Then copy and paste it in your next reply together with a new HijackThislog.

If that doesn't work, do the next instead.
* Download Deckard's System Scanner to your Desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - main.txt
  • Post the contents of this log in your next reply. Do not post the extra.txt present in that folder; only post that when asked.


#6 Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 03 July 2007 - 12:29 PM

I removed what I needed to from HijackThis. When I run Combofix, no combofix.txt is created. What happens is, the My Documents folder opens and a Notepad file simply titled log also opens. So I ran Deckard's and that seemed to work fine. Here's the main.txt



Deckard's System Scanner v20070611.50
Run by Owner on 2007-07-03 at 13:23:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2007-07-03 17:23:53 UTC - RP62 - Deckard's System Scanner Restore Point
38: 2007-07-03 03:56:00 UTC - RP61 - System Checkpoint
37: 2007-07-01 22:43:23 UTC - RP60 - System Checkpoint
36: 2007-06-30 22:12:49 UTC - RP59 - System Checkpoint
35: 2007-06-29 21:43:55 UTC - RP58 - System Checkpoint


-- First Restore Point --
1: 2007-05-29 06:23:09 UTC - RP24 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:25:01 PM, on 7/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\oinvru.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\frear.exe
C:\WINNT\System32\frear.exe
C:\WINNT\System32\frear.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\NOTEPAD.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\MYDOCU~1\Unzipped\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [oyrnrs] C:\WINNT\System32\oinvru.exe reg_run
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kvyps] C:\WINNT\System32\oinvru.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hpawx.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\Owner\MYDOCU~1\Unzipped\HIJACK~1\backups\) --------------------------------------------------------------------------------

backup-20060807-233112-133 O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
backup-20060807-233112-165 O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
backup-20060807-233112-343 O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
backup-20060807-233112-353 F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,qmlecan.exe
backup-20060807-233112-428 O20 - Winlogon Notify: Themes - C:\WINNT\system32\u2rulc991f.dll
backup-20060807-233112-432 O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
backup-20060807-233112-436 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
backup-20060807-233112-528 O4 - HKLM\..\Run: [w0023e28.dll] RUNDLL32.EXE w0023e28.dll,I2 00062c6c00023e28
backup-20060807-233112-821 O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
backup-20070315-212007-243 O4 - HKCU\..\Run: [Real Peak] C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe
backup-20070315-212007-275 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
backup-20070315-212007-310 O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20070315-212007-450 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20070315-212007-506 F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe
backup-20070315-212007-556 O4 - HKLM\..\Run: [w6de9b2f.dll] RUNDLL32.EXE w6de9b2f.dll,I2 00062c6c06de9b2f
backup-20070315-212007-562 O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308C9~1\Bar888.dll
backup-20070315-212007-673 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20070315-212007-684 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
backup-20070315-212007-719 O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SKS~1\ping.exe" -vt yazb
backup-20070315-212007-773 O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308C9~1\Bar888.dll
backup-20070315-212007-889 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
backup-20070315-212007-894 O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
backup-20070504-212823-154 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
backup-20070504-212823-184 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
backup-20070504-212823-290 F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe
backup-20070504-212823-320 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070504-212823-418 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070504-212823-425 O4 - HKLM\..\Run: [poolsv] "C:\WINNT\poolsv.exe"
backup-20070504-212823-540 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070504-212823-557 O2 - BHO: (no name) - {67ECA667-108D-6720-A53D-6BE33EE5AF9A} - C:\WINNT\System32\umxv.dll (file missing)
backup-20070504-212823-756 O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
backup-20070504-212823-999 F3 - REG:win.ini: load=??? ??? ??? ? ? ?Y???
backup-20070504-215325-465 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
backup-20070504-221146-165 O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
backup-20070504-221146-198 O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
backup-20070504-221146-375 O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SKS~1\ping.exe" -vt yazb
backup-20070504-221146-561 O4 - HKCU\..\Run: [Real Peak] C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe
backup-20070504-221146-663 O23 - Service: Client IP-IPX - Unknown owner - C:\WINNT\System32\svchosts.exe" -e mc-110-12-0000140 (file missing)
backup-20070504-221146-855 O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
backup-20070504-221146-937 O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
backup-20070702-180535-110 O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)
backup-20070702-180535-239 O15 - Trusted Zone: *.winantispyware.com
backup-20070702-180535-245 O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe
backup-20070702-180535-288 F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe
backup-20070702-180535-299 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
backup-20070702-180535-377 O2 - BHO: (no name) - {B3064E19-A3A4-D55E-D97A-8FADDABA73C3} - (no file)
backup-20070702-180535-382 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
backup-20070702-180535-474 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
backup-20070702-180535-576 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070702-180535-693 O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)
backup-20070702-180535-730 O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)
backup-20070702-180535-993 O15 - Trusted Zone: *.winantivirus.com
backup-20070703-130235-146 F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe
backup-20070703-130235-229 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
backup-20070703-130235-926 O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - NOTEPAD.EXE %1
.cmd - cmdfile - shell\edit\command - unable to read value
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.inf - inffile - shell\open\command - unable to read value
.reg - regfile - shell\edit\command - NOTEDAD.EXE %1
.vbs - VBSFile - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 emupia (E-mu Plug-in Architecture Driver) - c:\winnt\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - c:\program files\bonjour\mdnsresponder.exe <Not Verified; Apple Computer, Inc.; Bonjour>

S2 NetDDEdsma (Network DDE DSMA) - "c:\winnt\svchost.exe" (file missing)
S2 NVIDIADriverHlp (NVIDIA Driver Helper Component) - "c:\winnt\nvsvc32.exe" (file missing)
S2 NVSvc (NVIDIA Display Driver Service) - c:\winnt\system32\nvsvc32.exe (file missing)
S4 PictureTaker - c:\fixit\pt\pctkrnt.sys (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-07-03 13:00:02 258 --ah----- C:\WINNT\Tasks\AB81D8BC95EE5740.job
2007-07-03 08:00:00 396 --ah----- C:\WINNT\Tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job
2007-06-29 20:10:11 464 --a------ C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job
2007-06-27 20:20:00 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job
2002-09-16 14:22:47 412 --a------ C:\WINNT\Tasks\Symantec NetDetect.job


-- Files created between 2007-06-03 and 2007-07-03 -----------------------------

2007-07-03 13:06:23 127488 --a------ C:\WINNT\System32\ufcad.dat
2007-07-02 19:38:04 0 d-------- C:\Avenger
2007-06-28 15:32:32 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-06-15 16:32:31 4096 --a------ C:\WINNT\d3dx.dat
2007-06-15 16:32:01 0 d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2007-06-15 16:31:53 0 d-------- C:\Documents and Settings\Owner\Application Data\GameHouse


-- Find3M Report ---------------------------------------------------------------

2007-07-03 13:05:13 24 --a------ C:\WINNT\System32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-03 13:05:13 24 --a------ C:\WINNT\System32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-02 21:00:05 0 d-------- C:\Program Files\Google
2007-07-02 19:28:43 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2007-07-02 15:11:21 0 d-------- C:\Program Files\AIM
2007-06-28 14:39:57 664 --a------ C:\WINNT\System32\d3d9caps.dat
2007-06-27 19:55:10 0 d-------- C:\Documents and Settings\Owner\Application Data\WayBalmCurb
2007-06-15 16:30:06 0 d-------- C:\Program Files\GameHouse
2007-05-25 22:59:14 0 d-------- C:\Program Files\SpywareBlaster
2007-05-06 14:15:19 0 d-------- C:\Program Files\REGSHAVE
2007-05-05 21:19:33 0 d-a------ C:\Documents and Settings\Owner\Application Data\yahoo!
2007-05-03 21:50:37 0 d-------- C:\Program Files\MSN Messenger
2007-04-28 21:54:21 32768 --a------ C:\setup9x.exe <Not Verified; w00t; bbbbbbbbbb565456543>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"zzzHPSETUP"="E:\\Setup.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"GWMDMMSG"="GWMDMMSG.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"oyrnrs"="C:\\WINNT\\System32\\oinvru.exe reg_run"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"kvyps"="C:\\WINNT\\System32\\oinvru.exe reg_run"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kqwm"="C:\\PROGRA~1\\COMMON~1\\kqwm\\kqwmm.exe"
"Ltho"="\"C:\\PROGRA~1\\COMMON~1\\PPATCH~1\\javaw.exe\" -vt yazr"
"Lpcwvf"="C:\\WINNT\\system32\\?dobe\\?pool32.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="??? ??? ??? ? ? ?Y???"
"hkey"="HKCU"
"command"="??? ??? ??? ? ? ?Y???"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



-- End of Deckard's System Scanner: finished at 2007-07-03 at 13:25:26 ---------

#7 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 03 July 2007 - 12:43 PM

Hi,

I already see why Combofix won't run properly. Your file associations are messed up.

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries:

    .bat
    .cmd
    .cpl
    .inf
    .reg
    .vbs


  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt.
Post the contents of that logfile with your next post.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#8 Ashlee5665

Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 03 July 2007 - 08:35 PM

Hey

I ran daft and removed all but .cpl, which didn't show up. I saved the logfile, however it won't let me click on daft.txt to copy and paste the log. Am I doing this wrong, or is there another way to open it?

#9 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 04 July 2007 - 02:15 AM

That's ok.

Just re-run Daft and make sure it says all associations are ok, because that's what we want to achieve.

Then, try Combofix again. This time it should work properly. Then post the Combofix log in your next reply.

#10 Ashlee5665

Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 04 July 2007 - 03:52 PM

Okay, I'm all set with daft.

I ran ComboFix again, but the Combofix.txt still didn't pop up on its own. For some strange reason, the My Documents folder comes up, and a document simply labelled "log" comes up. However, I did a search and found ComboFix.txt, which I wasn't able to do before.



"Owner" - 2007-07-04 16:30:03 - ComboFix 07-07-03.3


(((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * *

2007-07-04 16:24 127488 ufcad.dat.qoo

((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


2007-07-04 16:33 127,488 --a------ C:\WINNT\system32\ufcad.dat
2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-03 16:00 <DIR> d-------- C:\Program Files\WayBalmCurb
2007-07-03 13:23 <DIR> d-------- C:\Deckard
2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-27 20:05 51,712 --------- C:\WINNT\system32\upnvjdy.dll
2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat
2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 20:32:34 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-04 20:32:34 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-04 20:27:10 422 ----a-w C:\WINNT\ndtdi.dll
2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google
2007-07-04 05:59:33 -------- d-----w C:\Program Files\AIM
2007-07-04 01:53:01 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-03 20:00:31 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\WayBalmCurb
2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-06-28 18:39:57 664 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse
2007-05-06 18:15:19 -------- d-----w C:\Program Files\REGSHAVE
2007-05-06 01:19:33 -------- d---a-w C:\DOCUME~1\Owner\APPLIC~1\yahoo!
2007-05-04 01:50:37 -------- d-----w C:\Program Files\MSN Messenger
2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe
2007-04-29 01:54:21 32,768 ----a-w C:\setup9x.exe
2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll
2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll
2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll
2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll
2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll
2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]
"zzzHPSETUP"="E:\Setup.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []
"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"AnteIsoSkipName"="C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\MP3 DASH.exe" [2007-07-03 16:00]
"oyrnrs"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-15 21:09]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2007-02-15 21:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"Real Peak"="C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe" [2007-07-03 16:00]
"kvyps"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kqwm"=C:\PROGRA~1\COMMON~1\kqwm\kqwmm.exe
"Ltho"="C:\PROGRA~1\COMMON~1\PPATCH~1\javaw.exe" -vt yazr
"Lpcwvf"=C:\WINNT\system32\?dobe\?pool32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINNT\System32\frear.exe"
"Userinit"="C:\WINNT\system32\userinit.exe,qmlecan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? ? ? ?Y???

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

Contents of the 'Scheduled Tasks' folder
2007-07-04 20:00:01 C:\WINNT\tasks\A859A6FC912257B4.job
2007-06-28 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-30 00:10:11 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job
2007-07-04 20:00:01 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 16:33:50
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04 16:35:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-04 16:35
C:\ComboFix2.txt ... 2007-07-04 16:26
C:\ComboFix3.txt ... 2007-07-03 13:07

--- E O F ---

#11 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 04 July 2007 - 04:10 PM

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\System32\oinvru.exe
C:\WINNT\System32\frear.exe
C:\WINNT\System32\qmlecan.exe
C:\Documents and Settings\All users\Start Menu\Programs\Startup\hpawx.exe
C:\WINNT\Tasks\AB81D8BC95EE5740.job
C:\setup9x.exe
C:\WINNT\system32\upnvjdy.dll
C:\WINNT\system32\ufcad.dat

Folder::
C:\Program Files\WayBalmCurb
C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1
C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO

Driver::
NetDDEdsma

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnteIsoSkipName"=-
"oyrnrs"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Real Peak"=-
"kvyps"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kqwm"=-
"Ltho"=-
"Lpcwvf"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, go to the next site:
http://www.virustota.../en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\WINNT\ndtdi.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply as well.
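As an added example (not from this thread, nor part of ComboFix, HijackThis or DSS), a small Python check that does mechanically what the Registry:: section of the script above does by hand: parse the winlogon block of a ComboFix-style registry dump and report any program appended to the Shell or Userinit launch lists beyond the stock explorer.exe and userinit.exe. The sample dump text is constructed from the log lines quoted in this thread, and the expected defaults assume a stock Windows XP install.

```python
"""Check Winlogon Shell/Userinit values for appended executables.

Windows runs every comma-separated program listed in the Winlogon "Shell"
and "Userinit" values at logon, which is why the log above shows frear.exe
and qmlecan.exe tacked on to them. This parser reads the [...\winlogon]
block of a ComboFix-style registry dump and reports anything beyond the
stock explorer.exe / userinit.exe.
"""
import re

# Constructed sample input: the winlogon block as it appears in the ComboFix
# log earlier in the thread (infected), and the values the fix script writes
# back (clean). Note the stock Userinit value keeps a trailing comma.
INFECTED_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINNT\System32\frear.exe"
"Userinit"="C:\WINNT\system32\userinit.exe,qmlecan.exe"
'''

CLEAN_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\WINNT\system32\userinit.exe,"
'''

# Assumed stock values for Windows XP; only the file name is compared because
# the directory prefix varies between installs (WINNT vs WINDOWS).
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"([^"]+)"="?(.*?)"?$')


def parse_dump(text):
    """Return {key_path_lower: {value_name_lower: raw_value}} for a reg dump."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result[current] = {}
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = m.group(2)
    return result


def split_programs(value):
    """Split a comma-separated launch list into lower-case basenames.

    Empty segments are skipped: the stock Userinit value ends with a comma,
    and that alone must not be reported as a finding.
    """
    progs = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if not part:
            continue
        progs.append(part.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return progs


def winlogon_extras(dump_text):
    """Return {value_name: [unexpected basenames]} for Shell and Userinit.

    An empty dict means both values contain only the expected program.
    """
    dump = parse_dump(dump_text)
    winlogon = next((v for k, v in dump.items() if k.endswith("\\winlogon")), {})
    extras = {}
    for name, allowed in EXPECTED.items():
        unexpected = [p for p in split_programs(winlogon.get(name, ""))
                      if p not in allowed]
        if unexpected:
            extras[name] = unexpected
    return extras


if __name__ == "__main__":
    print("infected:", winlogon_extras(INFECTED_DUMP))
    print("clean:   ", winlogon_extras(CLEAN_DUMP))
```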

#12 Ashlee5665

Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 06 July 2007 - 04:43 PM

Hey, here are the Combofix and Hijack This logs. I went to the link you gave me, but couldn't find C:\WINNT\ndtdi.dll when I browsed. I did a search and it didn't come up either.



"Owner" - 2007-07-06 17:18:45 - ComboFix 07-07-03.3
Command switches used :: C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt


(((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * *

2007-07-04 16:24 127488 ufcad.dat.qoo

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1
C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\151F6262
C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe
C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\HtmDentDead.exe
C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\mnjzyied.exe
C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO
C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\MP3 DASH.exe
C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\tick obj owns
C:\Program Files\WayBalmCurb
C:\setup9x.exe
C:\WINNT\system32\ufcad.dat


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETDDEDSMA
-------\NetDDEdsma


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-06 17:23 127,488 --a------ C:\WINNT\system32\ufcad.dat
2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-03 13:23 <DIR> d-------- C:\Deckard
2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-27 20:05 51,712 --------- C:\WINNT\system32\upnvjdy.dll
2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat
2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 21:22:35 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-06 21:22:35 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-06 21:11:47 471 ----a-w C:\WINNT\ndtdi.dll
2007-07-06 19:34:12 -------- d-----w C:\Program Files\LimeWire
2007-07-06 04:38:11 -------- d-----w C:\Program Files\AIM
2007-07-04 20:54:40 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google
2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-06-28 18:39:57 664 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse
2007-05-06 18:15:19 -------- d-----w C:\Program Files\REGSHAVE
2007-05-06 01:19:33 -------- d---a-w C:\DOCUME~1\Owner\APPLIC~1\yahoo!
2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe
2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll
2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll
2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll
2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll
2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll
2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]
"zzzHPSETUP"="E:\Setup.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []
"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"oyrnrs"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-15 21:09]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2007-02-15 21:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]
"AIM"="C:\Program Files\AIM+\AIM+.exe" [2002-06-10 03:15]
"kvyps"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINNT\System32\frear.exe"
"Userinit"="C:\WINNT\system32\userinit.exe,qmlecan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

Contents of the 'Scheduled Tasks' folder
2007-07-06 21:00:00 C:\WINNT\tasks\A859A6FC912257B4.job
2007-07-05 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-30 00:10:11 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job
2007-07-06 20:00:00 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 17:23:48
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 17:24:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-06 17:24
C:\ComboFix2.txt ... 2007-07-04 16:35
C:\ComboFix3.txt ... 2007-07-04 16:26

--- E O F ---


_______________________


Logfile of HijackThis v1.99.1
Scan saved at 5:41:00 PM, on 7/6/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM+\AIM+.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\notepad.exe
C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#13 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 06 July 2007 - 05:22 PM

It appears that Combofix doesn't see the files, which is normal since this is a Qoologic variant and this one runs stealth.
I guess this is also a newer variant, as Combofix normally flags and deletes it, but not this time.

First of all, before fixing anything, open Notepad and copy and paste the text from the code box below into it:

@echo off
rem http://forums.spywareinfo.com/index.php?showtopic=101614
rem Pass each suspected Qoologic file to catchme, which collects them into
rem catchme.zip on the desktop; catchme's own log is discarded (-l nul).
rem A path containing spaces must be quoted, or the For loop splits it.

For %%g in (
C:\WINNT\System32\oinvru.exe
C:\WINNT\System32\frear.exe
C:\WINNT\System32\qmlecan.exe
"C:\Documents and Settings\All users\Start Menu\Programs\Startup\hpawx.exe"
C:\WINNT\system32\upnvjdy.dll
C:\WINNT\system32\ufcad.dat
C:\WINNT\ndtdi.dll
) do catchme -l nul -k %%g >nul

rem Add this batch file itself to the archive, then rename the archive with a
rem timestamp (slashes in the date and colons in the time are replaced so the
rem file name is valid).
catchme -l nul -k %0 >nul
nircmd execmd move /y "~$folder.desktop$\catchme.zip" "Submit [%date:/=-% %time::=.%].zip"
echo.Please submit the file - Submit [%date:/=-% %time::=.%].zip
rem Wait 7 seconds so the message can be read, then delete this batch file.
nircmd wait 7000
del %0

Save this as Submit.bat, choose to save as *all files*, and place it on your desktop.
(In case you are unsure how to create a bat file, take a look here with screenshots.)

Double-click Submit.bat and allow it to generate a zipped file called Submit [Date Time].zip
Please submit this file to: http://www.bleepingc...e.php?channel=8


Let's see whether Qoofix sees it and can deal with it, so please do the following:

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
  • Unzip all files to a convenient location such as C:\Qoofix.
  • Go to the folder you unzipped all files and run Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.
Finally, post a new HijackThis log and the contents of the Qoofix logfile.
Also, rescan with Combofix after performing the above instructions and post the log.

In case it cannot see/recognise and deal with it, we'll try some other solutions then :-)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#14 Ashlee5665

Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 09 July 2007 - 02:36 PM

Thanks! I managed everything okay though, except that when the computer was restarted after I ran Qoofix, no log came up. It did say, however, that Qoologic was successfully removed. Where would I find the log?

Also, I sent my Submit.zip file to the site you provided.

Here are the Combofix and HijackThis logs.



"Owner" - 2007-07-09 15:25:58 - ComboFix 07-07-03.3


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-08 23:43 127,488 --a------ C:\WINNT\system32\ufcad.dat
2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-03 13:23 <DIR> d-------- C:\Deckard
2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat
2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-09 19:19:43 485 ----a-w C:\WINNT\ndtdi.dll
2007-07-09 19:15:39 -------- d-----w C:\Program Files\WB02d2se
2007-07-09 02:35:22 -------- d-----w C:\Program Files\AIM
2007-07-09 01:13:54 664 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-07-07 04:46:28 -------- d-----w C:\Program Files\SymNetDrv
2007-07-06 19:34:12 -------- d-----w C:\Program Files\LimeWire
2007-07-04 20:54:40 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google
2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse
2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe
2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll
2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll
2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll
2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll
2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll
2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]
"zzzHPSETUP"="E:\Setup.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []
"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2007-02-15 21:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]
"AIM"="C:\Program Files\AIM+\AIM+.exe" [2002-06-10 03:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-07 00:23]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

Contents of the 'Scheduled Tasks' folder
2007-07-09 19:00:00 C:\WINNT\tasks\A859A6FC912257B4.job
2007-07-05 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-07-07 03:25:51 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job
2007-07-09 04:00:00 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 15:30:34
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 15:31:27
C:\ComboFix-quarantined-files.txt ... 2007-07-09 15:31
C:\ComboFix2.txt ... 2007-07-06 17:24
C:\ComboFix3.txt ... 2007-07-04 16:35

--- E O F ---


___________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 3:35:04 PM, on 7/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\WINNT\NOTEPAD.EXE
C:\WINNT\System32\msiexec.exe
C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by Ashlee5665, 09 July 2007 - 02:37 PM.


#15 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 09 July 2007 - 02:45 PM

Hi,

Thanks for the files...
Not really sure here if the infection is removed or not... I guess so, since I see some improvement: Combofix doesn't show them anymore in your run-keys... and the F2 entries from your HijackThis log are also gone.

The Qoofix log should be present in the Qoofix folder if I am not mistaken. So if you find it, post it in your next reply.

Also do next..

Open the Combofix-Do.txt you created previously, delete its contents and replace them with the following:

File::
C:\WINNT\system32\ufcad.dat
C:\WINNT\ndtdi.dll
C:\WINNT\tasks\A859A6FC912257B4.job


Save the changes, so the file should still be called Combofix-Do.txt.

Then drag the ComboFix-Do.txt into ComboFix.exe as you already did previously.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
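The comparison made in this reply (run-keys in the Combofix report versus the O4 lines in the HijackThis log, plus the F2 Shell/UserInit entries) can be automated, which is useful because the 6 July logs above show exactly the disagreement that marks a stealth autostart: Combofix lists "oyrnrs" and "kvyps" pointing at oinvru.exe under the Run keys, while HijackThis, run the same day, shows no such O4 entries. The script below is an added example and is not code from this thread, from ComboFix, HijackThis or Qoofix; the sample lines are constructed from the logs posted above and trimmed, and the Windows XP defaults for the Winlogon Shell and UserInit values (explorer.exe and userinit.exe) are an assumption about a stock install.

```python
"""Cross-check autostart entries between a ComboFix report and a HijackThis log.

Added example for this thread (not part of ComboFix, HijackThis or any post).
It reports (1) Run values that ComboFix's "Reg Loading Points" section lists but
HijackThis's O4 lines do not, which is what a stealth autostart looks like when
two tools disagree, and (2) programs chained onto the Winlogon Shell/UserInit
values in HijackThis F2 lines beyond the Windows XP defaults.
"""
import re

# ComboFix "Reg Loading Points": a [HKEY_...\Run] header, then "name"="command" [timestamp] lines.
CF_RUN_KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\.*\\Run\]$", re.IGNORECASE)
CF_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# HijackThis: O4 - HKLM\..\Run: [name] command
HJT_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# HijackThis: F2 - REG:system.ini: Shell=... / UserInit=...
HJT_F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# Windows XP defaults for the Winlogon values (assumption: a stock XP install).
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Constructed samples, trimmed from the 6 July logs posted in this thread.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]
"oyrnrs"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]
"kvyps"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINNT\System32\frear.exe"
"""

HJT_SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


def combofix_run_entries(lines):
    """(hive, value name) -> command for every value under a HKLM/HKCU Run key header."""
    entries, hive = {}, None
    for raw in lines:
        line = raw.strip()
        if line.startswith("["):            # a new registry key header starts a section
            m = CF_RUN_KEY_RE.match(line)
            hive = HIVE_ABBREV[m.group(1).upper()] if m else None
            continue
        if hive is None or not line:        # skip non-Run sections and blank lines
            continue
        m = CF_VALUE_RE.match(line)
        if m:
            entries[(hive, m.group(1))] = m.group(2)
    return entries


def hijackthis_run_entries(lines):
    """(hive, value name) -> command for every O4 HKLM/HKCU Run line."""
    entries = {}
    for raw in lines:
        m = HJT_O4_RE.match(raw.strip())
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3)
    return entries


def hidden_from_hijackthis(combofix_lines, hjt_lines):
    """Run values ComboFix reports that HijackThis omits: candidates for a stealth autostart."""
    cf = combofix_run_entries(combofix_lines)
    hjt = hijackthis_run_entries(hjt_lines)
    return sorted((hive, name, cmd) for (hive, name), cmd in cf.items() if (hive, name) not in hjt)


def winlogon_findings(hjt_lines):
    """(value, [extra programs]) for F2 Shell/UserInit lines that chain more than the default."""
    findings = []
    for raw in hjt_lines:
        m = HJT_F2_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        programs = [p.strip().strip('"') for p in value.split(",") if p.strip()]
        default = WINLOGON_DEFAULTS[key.lower()]
        # Compare on the file name only, so a full path to userinit.exe still counts as default.
        extra = [p for p in programs if p.lower().rsplit("\\", 1)[-1] != default]
        if extra:
            findings.append((key, extra))
    return findings


if __name__ == "__main__":
    for hive, name, cmd in hidden_from_hijackthis(COMBOFIX_SAMPLE.splitlines(), HJT_SAMPLE.splitlines()):
        print(f"Run value in ComboFix only: {hive}\\...\\Run\\{name} = {cmd}")
    for key, extra in winlogon_findings(HJT_SAMPLE.splitlines()):
        print(f"Winlogon {key} loads extra program(s): {', '.join(extra)}")
```

Run against the sample it reports both oinvru.exe values as present only in the ComboFix report and both Winlogon values as loading an extra program; run against the 9 July logs, where those entries are gone, it reports nothing, which is the "improvement" this reply describes. The checks are deliberately independent of the value names (oyrnrs, kvyps), since those are random per infection; what matters is that two tools looking at the same keys disagree, and that Shell or UserInit loads anything beyond its default.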

#16 Ashlee5665

Ashlee5665

    Member

  • Full Member
  • 10 posts

Posted 10 July 2007 - 07:54 PM

Hey, I was unable to find the Qoofix log, but I did run it again and it said that no malicious modules were found and that no Qoologic infected files were found. I could post a new log if you need me to.

Here is the Combofix log.

"Owner" - 2007-07-10 20:42:31 - ComboFix 07-07-03.3
Command switches used :: C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\ndtdi.dll
C:\WINNT\system32\ufcad.dat
C:\WINNT\tasks\A859A6FC912257B4.job


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-03 13:23 <DIR> d-------- C:\Deckard
2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat
2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 00:11:38 -------- d-----w C:\Program Files\AIM
2007-07-10 03:18:39 664 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-09 19:15:39 -------- d-----w C:\Program Files\WB02d2se
2007-07-07 04:46:28 -------- d-----w C:\Program Files\SymNetDrv
2007-07-06 19:34:12 -------- d-----w C:\Program Files\LimeWire
2007-07-04 20:54:40 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google
2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse
2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe
2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll
2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll
2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll
2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll
2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll
2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]
"zzzHPSETUP"="E:\Setup.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []
"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]
"AIM"="C:\Program Files\AIM+\AIM+.exe" [2002-06-10 03:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-07 00:23]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

Contents of the 'Scheduled Tasks' folder
2007-07-05 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-07-07 03:25:51 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job
2007-07-10 20:00:00 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 20:47:24
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 20:48:10
C:\ComboFix-quarantined-files.txt ... 2007-07-10 20:47
C:\ComboFix2.txt ... 2007-07-09 15:31
C:\ComboFix3.txt ... 2007-07-06 17:24

--- E O F ---

#17 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 11 July 2007 - 02:45 AM

Hi,

The infection should be gone now. I've tested your samples and Qoofix is able to deal with them just fine.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#18 Ashlee5665

Ashlee5665

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 11 July 2007 - 07:52 PM

Things seem to be going well so far. The internet is loading without a problem and it doesn't seem to be freezing as much. Thank you so much for your help. :)

#19 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 12 July 2007 - 12:10 AM

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#20 Ashlee5665

Ashlee5665

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 13 July 2007 - 09:15 PM

Thanks for the information, I'll definitely put it to good use. Once again, thanks for the help!

#21 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2007 - 12:11 AM

You're most welcome :)

#22 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 18 July 2007 - 01:35 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuation of existing problems, please tell the moderating team by replying here.
This applies only to the original topic starter.

Everyone else please begin a New Topic.
