Ashlee5665

Problems With Proxy Server

22 posts in this topic

Hi, I'm new here so I'm sorry if I missed any of the steps in FAQ. I tried my best.

 

Anyway, I've been having trouble with getting onto the internet, which I'm almost positive has to do with a virus or more. I have Firefox, and whenever I click on it to go onto the internet, I get this message:

 

"The Proxy Server is refusing connections

-Firefox is configured to use a proxy server that is refusing connections

--Check the proxy settings to make sure they are correct

--Contact your network administrator to make sure the proxy server is working"

 

The only way I'm able to get onto the internet is if I go to Tools and check off direct connection to the internet, which can be a pain after a while. Anything requiring the server to go through the proxy server won't work on my computer, like MSN Messenger.

 

Also, I have Windows XP and I tried to run an AVG scan in safemode, but it kept freezing. Should I try that again?

 

Here's my HijackThis log...and yeah, I know...bad.

Logfile of HijackThis v1.99.1

Scan saved at 8:24:09 PM, on 6/27/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\SYMNET~1\SNDMon.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM+\AIM+.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\program files\internet explorer\iexplore.exe

C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe

O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll

O2 - BHO: (no name) - {B3064E19-A3A4-D55E-D97A-8FADDABA73C3} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O15 - Trusted Zone: *.winantispyware.com

O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Thanks, everyone :)


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi,

 

There's indeed a proxy server set here, also in your Internet Explorer, so we'll have to get rid of that as well, together with some other malware being present.

 

Perform the next instructions in the right order, please.

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe

O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)

O2 - BHO: (no name) - {B3064E19-A3A4-D55E-D97A-8FADDABA73C3} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe

O15 - Trusted Zone: *.winantispyware.com

O15 - Trusted Zone: *.winantivirus.com

O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)

O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Open Firefox > Tools > Options > Connection Settings. Change the proxy settings there: remove the reference to localhost:8182, unselect the option "Manual proxy configuration" and select either Auto-detect proxy or Direct connection to the internet.

 

If, after you've modified that and closed and reopened Firefox, you still get the same error and the proxy settings show "localhost:8182" present and selected again, then look whether a user.js file has been created in the C:\Documents And Settings\Owner\Application Data\Mozilla\Firefox\(identity)\ folder.

If so, delete the user.js there, since this file is not installed by default in Firefox anyway. Then you will be able to reset the proxy settings and Firefox will keep them.

 

* Then download Combofix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

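As an added example (not code from this thread, from HijackThis or from the helper), the triage logic behind the instructions above in Python: it flags the same kinds of HijackThis entries the helper picked out (an IE proxy pointing at the local machine, extra programs appended to the F2 Shell= and UserInit= values, Trusted Zone additions, a Winlogon Notify DLL that is gone, a service running svchost.exe from outside System32, a Run entry launching from Application Data), and it reads a Firefox user.js for the network.proxy.* prefs that keep re-applying localhost:8182 on every start. The sample log lines and the user.js are constructed here from the entries discussed in this thread.

```python
import re

# Constructed sample HijackThis lines. They mirror the entries the helper told the
# poster to fix (local proxy, F2 Shell/UserInit, O4, O15, O20, O23) plus a few
# benign entries from the same log so the filter has something to let through.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe
O15 - Trusted Zone: *.winantispyware.com
O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)
"""

# Constructed user.js of the kind the helper describes: Firefox re-reads it at
# every start, so a proxy change made in Tools > Options is silently undone.
SAMPLE_USER_JS = """
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8182);
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PROXY_RE = re.compile(r"R[01] - .*Internet Settings,ProxyServer = (\S+)")
F2_RE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)")
O4_RE = re.compile(r"O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (.*)")
O23_UNKNOWN_RE = re.compile(r"O23 - Service: .* - Unknown owner - (.*?)(?: \(file missing\))?$")
USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|([^)]+))\);')


def triage_hjt_line(line):
    """Return a reason string if the line matches a hijack pattern, else None."""
    line = line.strip()
    m = PROXY_RE.match(line)
    if m:
        # A proxy on the local machine means every request is handed to some
        # process on the box itself, which is exactly the thread's symptom.
        host = m.group(1).rsplit(":", 1)[0].lower()
        return f"IE proxy points at a local process: {m.group(1)}" if host in LOCAL_HOSTS else None
    m = F2_RE.match(line)
    if m:
        # Shell= and UserInit= are comma-separated; Windows only needs the first
        # program, so anything appended to it is launched at every logon.
        key, value = m.groups()
        default = "explorer.exe" if key == "Shell" else "userinit.exe"
        entries = [e.strip().lower() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if not e.endswith(default)]
        return f"{key}= launches extra program(s) at logon: {', '.join(extra)}" if extra else None
    if line.startswith("O15 - Trusted Zone:"):
        return "site placed in the IE Trusted Zone (relaxed security settings)"
    if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        return "Winlogon Notify DLL registered but no longer on disk"
    m = O23_UNKNOWN_RE.match(line)
    if m:
        # The real svchost.exe lives in System32; a copy one level up is not Windows'.
        path = m.group(1)
        bad = path.lower().endswith("svchost.exe") and "system32" not in path.lower()
        return f"service runs svchost.exe from a non-standard path: {path}" if bad else None
    m = O4_RE.match(line)
    if m and "application data" in m.group(1).lower():
        return "Run entry starts an executable from Application Data"
    return None


def triage_hjt_log(text):
    """Return [(line, reason)] for every log line that matches a hijack pattern."""
    findings = []
    for raw in text.splitlines():
        reason = triage_hjt_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


def proxy_prefs_from_user_js(text):
    """Return the network.proxy.* prefs a user.js forces, as {name: value-string}."""
    prefs = {}
    for m in USER_PREF_RE.finditer(text):
        name, quoted, bare = m.groups()
        if name.startswith("network.proxy."):
            prefs[name] = quoted if quoted is not None else bare.strip()
    return prefs


if __name__ == "__main__":
    for line, reason in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {line}")
    forced = proxy_prefs_from_user_js(SAMPLE_USER_JS)
    # network.proxy.type 1 is Firefox's "Manual proxy configuration" mode.
    if forced.get("network.proxy.type") == "1":
        print("user.js forces a manual proxy:", forced)
```

Run against a real HijackThis log the same way; anything the script leaves unflagged still needs a human read, since it only encodes the handful of patterns this thread turned on.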

Hey, thanks for taking the time to help

 

Anyway, I followed the directions and removed everything I needed to in HijackThis and also changed the proxy settings so localhost:8182 was removed. I think the main problem was the user.js, which I also removed. The error is no longer showing up. :)

 

Finally, since I don't want to accidentally post the quarantined files, I want to make sure whether what I got after running Combofix was that or the actual log, because it was simply titled log, not combofix.txt, and when I looked through it I saw something mentioning quarantined files. Forgive me...I don't really know too much about this stuff so I wasn't sure, and I don't want to post the wrong thing. I'm just checking with you first to make sure that's it before I post it.

Nonetheless, here's the Hijack This log.

Logfile of HijackThis v1.99.1

Scan saved at 7:57:40 PM, on 7/2/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\SYMNET~1\SNDMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM+\AIM+.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\NOTEPAD.EXE

C:\WINNT\System32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by Ashlee5665


Hi,

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe

O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Wasn't there a Combofix.txt created?

Please try to run Combofix again and wait until the logfile opens automatically.

Then copy and paste it in your next reply together with a new HijackThislog.

 

If that didn't work, do the following instead.

* Download Deckard's System Scanner to your Desktop.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - main.txt
  • Post the contents of this log in your next reply. Do not post the extra.txt present in that folder. Only post this when being asked.


I removed what I needed to from HijackThis. When I run Combofix, no combofix.txt is created. What happens is, the My Documents folder opens and a Notepad file simply titled log also opens. So, I ran Deckard's and that seemed to work fine. Here's the main.txt

Deckard's System Scanner v20070611.50

Run by Owner on 2007-07-03 at 13:23:48

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 5 Restore Point(s) --

39: 2007-07-03 17:23:53 UTC - RP62 - Deckard's System Scanner Restore Point

38: 2007-07-03 03:56:00 UTC - RP61 - System Checkpoint

37: 2007-07-01 22:43:23 UTC - RP60 - System Checkpoint

36: 2007-06-30 22:12:49 UTC - RP59 - System Checkpoint

35: 2007-06-29 21:43:55 UTC - RP58 - System Checkpoint

 

 

-- First Restore Point --

1: 2007-05-29 06:23:09 UTC - RP24 - System Checkpoint

 

 

Backed up registry hives.

 

Performed disk cleanup.

 

 

-- HijackThis (run as Owner.exe) -----------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 1:25:01 PM, on 7/3/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\oinvru.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\frear.exe

C:\WINNT\System32\frear.exe

C:\WINNT\System32\frear.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\SYMNET~1\SNDMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM\aim.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\NOTEPAD.EXE

C:\Program Files\LimeWire\LimeWire.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner\Desktop\dss.exe

C:\DOCUME~1\Owner\MYDOCU~1\Unzipped\HIJACK~1\Owner.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [oyrnrs] C:\WINNT\System32\oinvru.exe reg_run

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [kvyps] C:\WINNT\System32\oinvru.exe reg_run

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: hpawx.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

 

 

-- HijackThis Fixed Entries (C:\DOCUME~1\Owner\MYDOCU~1\Unzipped\HIJACK~1\backups\) --------------------------------------------------------------------------------

 

backup-20060807-233112-133 O4 - HKLM\..\Run: [ipNetwork] C:\Program Files\Network\ipnetwork.exe

backup-20060807-233112-165 O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a

backup-20060807-233112-343 O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

backup-20060807-233112-353 F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,qmlecan.exe

backup-20060807-233112-428 O20 - Winlogon Notify: Themes - C:\WINNT\system32\u2rulc991f.dll

backup-20060807-233112-432 O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)

backup-20060807-233112-436 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

backup-20060807-233112-528 O4 - HKLM\..\Run: [w0023e28.dll] RUNDLL32.EXE w0023e28.dll,I2 00062c6c00023e28

backup-20060807-233112-821 O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)

backup-20070315-212007-243 O4 - HKCU\..\Run: [Real Peak] C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe

backup-20070315-212007-275 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm

backup-20070315-212007-310 O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

backup-20070315-212007-450 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

backup-20070315-212007-506 F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe

backup-20070315-212007-556 O4 - HKLM\..\Run: [w6de9b2f.dll] RUNDLL32.EXE w6de9b2f.dll,I2 00062c6c06de9b2f

backup-20070315-212007-562 O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308C9~1\Bar888.dll

backup-20070315-212007-673 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

backup-20070315-212007-684 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

backup-20070315-212007-719 O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SKS~1\ping.exe" -vt yazb

backup-20070315-212007-773 O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308C9~1\Bar888.dll

backup-20070315-212007-889 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

backup-20070315-212007-894 O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll

backup-20070504-212823-154 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182

backup-20070504-212823-184 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

backup-20070504-212823-290 F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe

backup-20070504-212823-320 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

backup-20070504-212823-418 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

backup-20070504-212823-425 O4 - HKLM\..\Run: [poolsv] "C:\WINNT\poolsv.exe"

backup-20070504-212823-540 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

backup-20070504-212823-557 O2 - BHO: (no name) - {67ECA667-108D-6720-A53D-6BE33EE5AF9A} - C:\WINNT\System32\umxv.dll (file missing)

backup-20070504-212823-756 O4 - HKLM\..\Run: [updReg] C:\WINNT\UpdReg.EXE

backup-20070504-212823-999 F3 - REG:win.ini: load=?????? ??????Y???

backup-20070504-215325-465 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)

backup-20070504-221146-165 O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

backup-20070504-221146-198 O4 - HKCU\..\Run: [iESet] IExplorer.dll .dbt

backup-20070504-221146-375 O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\SKS~1\ping.exe" -vt yazb

backup-20070504-221146-561 O4 - HKCU\..\Run: [Real Peak] C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe

backup-20070504-221146-663 O23 - Service: Client IP-IPX - Unknown owner - C:\WINNT\System32\svchosts.exe" -e mc-110-12-0000140 (file missing)

backup-20070504-221146-855 O4 - HKLM\..\RunServices: [iESet] IExplorer.dll .dbt

backup-20070504-221146-937 O4 - HKLM\..\Run: [iESet] IExplorer.dll .dbt

backup-20070702-180535-110 O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)

backup-20070702-180535-239 O15 - Trusted Zone: *.winantispyware.com

backup-20070702-180535-245 O4 - HKLM\..\Run: [AnteIsoSkipName] C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\AUDIO ONLINE.exe

backup-20070702-180535-288 F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,qmlecan.exe

backup-20070702-180535-299 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182

backup-20070702-180535-377 O2 - BHO: (no name) - {B3064E19-A3A4-D55E-D97A-8FADDABA73C3} - (no file)

backup-20070702-180535-382 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

backup-20070702-180535-474 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

backup-20070702-180535-576 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

backup-20070702-180535-693 O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

backup-20070702-180535-730 O20 - Winlogon Notify: vtuutqq - vtuutqq.dll (file missing)

backup-20070702-180535-993 O15 - Trusted Zone: *.winantivirus.com

backup-20070703-130235-146 F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe

backup-20070703-130235-229 F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

backup-20070703-130235-926 O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)

 

-- File Associations -----------------------------------------------------------

 

.bat - batfile - shell\edit\command - NOTEPAD.EXE %1

.cmd - cmdfile - shell\edit\command - unable to read value

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.inf - inffile - shell\open\command - unable to read value

.reg - regfile - shell\edit\command - NOTEDAD.EXE %1

.vbs - VBSFile - shell\edit\command - unable to read value

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R3 emupia (E-mu Plug-in Architecture Driver) - c:\winnt\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

 

S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)

S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>

S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 Bonjour Service - c:\program files\bonjour\mdnsresponder.exe <Not Verified; Apple Computer, Inc.; Bonjour>

 

S2 NetDDEdsma (Network DDE DSMA) - "c:\winnt\svchost.exe" (file missing)

S2 NVIDIADriverHlp (NVIDIA Driver Helper Component) - "c:\winnt\nvsvc32.exe" (file missing)

S2 NVSvc (NVIDIA Display Driver Service) - c:\winnt\system32\nvsvc32.exe (file missing)

S4 PictureTaker - c:\fixit\pt\pctkrnt.sys (file missing)

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2007-07-03 13:00:02 258 --ah----- C:\WINNT\Tasks\AB81D8BC95EE5740.job

2007-07-03 08:00:00 396 --ah----- C:\WINNT\Tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

2007-06-29 20:10:11 464 --a------ C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job

2007-06-27 20:20:00 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job

2002-09-16 14:22:47 412 --a------ C:\WINNT\Tasks\Symantec NetDetect.job

 

 

-- Files created between 2007-06-03 and 2007-07-03 -----------------------------

 

2007-07-03 13:06:23 127488 --a------ C:\WINNT\System32\ufcad.dat

2007-07-02 19:38:04 0 d-------- C:\Avenger

2007-06-28 15:32:32 0 dr-h----- C:\Documents and Settings\Owner\Recent

2007-06-15 16:32:31 4096 --a------ C:\WINNT\d3dx.dat

2007-06-15 16:32:01 0 d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9

2007-06-15 16:31:53 0 d-------- C:\Documents and Settings\Owner\Application Data\GameHouse

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-07-03 13:05:13 24 --a------ C:\WINNT\System32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-03 13:05:13 24 --a------ C:\WINNT\System32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-02 21:00:05 0 d-------- C:\Program Files\Google

2007-07-02 19:28:43 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6

2007-07-02 15:11:21 0 d-------- C:\Program Files\AIM

2007-06-28 14:39:57 664 --a------ C:\WINNT\System32\d3d9caps.dat

2007-06-27 19:55:10 0 d-------- C:\Documents and Settings\Owner\Application Data\WayBalmCurb

2007-06-15 16:30:06 0 d-------- C:\Program Files\GameHouse

2007-05-25 22:59:14 0 d-------- C:\Program Files\SpywareBlaster

2007-05-06 14:15:19 0 d-------- C:\Program Files\REGSHAVE

2007-05-05 21:19:33 0 d-a------ C:\Documents and Settings\Owner\Application Data\yahoo!

2007-05-03 21:50:37 0 d-------- C:\Program Files\MSN Messenger

2007-04-28 21:54:21 32768 --a------ C:\setup9x.exe <Not Verified; w00t; bbbbbbbbbb565456543>

 

 

-- Registry Dump ---------------------------------------------------------------

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"zzzHPSETUP"="E:\\Setup.exe"

"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"

"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"

"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"

"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"

"GWMDMMSG"="GWMDMMSG.exe"

"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"oyrnrs"="C:\\WINNT\\System32\\oinvru.exe reg_run"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

"kvyps"="C:\\WINNT\\System32\\oinvru.exe reg_run"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"kqwm"="C:\\PROGRA~1\\COMMON~1\\kqwm\\kqwmm.exe"

"Ltho"="\"C:\\PROGRA~1\\COMMON~1\\PPATCH~1\\javaw.exe\" -vt yazr"

"Lpcwvf"="C:\\WINNT\\system32\\?dobe\\?pool32.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=dword:00000000

"NoColorChoice"=dword:00000000

"NoSizeChoice"=dword:00000000

"NoDispScrSavPage"=dword:00000000

"NoDispCPL"=dword:00000000

"NoVisualStyleChoice"=dword:00000000

"NoDispSettingsPage"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=dword:00000000

"NoThemesTab"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"

"item"="?????? ??????Y???"

"hkey"="HKCU"

"command"="?????? ??????Y???"

"inimapping"="1"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

Usnsvc REG_MULTI_SZ usnsvc\0\0

 

 

 

-- End of Deckard's System Scanner: finished at 2007-07-03 at 13:25:26 ---------


Hi,

 

I already see why Combofix won't run properly. Your file associations are messed up.

 

Please download DAFT and save it to your desktop:

  1. Double-click the daft.exe icon. Read the disclaimer and click OK.
  2. Click on the Scan button.
  3. Place a checkmark next to the following entries:
     
    .bat
    .cmd
    .cpl
    .inf
    .reg
    .vbs
     
     
  4. Click the Fix button.
  5. Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.
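As an added illustration (not part of this thread, of DAFT, or of Deckard's System Scanner), here is a small Python checker that parses lines in the "File Associations" format of the scanner log above and flags exactly the kind of entries DAFT is asked to fix: handlers that cannot be read, and handlers whose executable is not the expected one (for instance a look-alike name in place of NOTEPAD.EXE). The sample lines are constructed to mirror the log, and the expected Windows XP default handlers (NOTEPAD.EXE for the script types, rundll32.exe for .cpl) are an assumption of the example.

```python
import re

# Constructed sample modelled on the "File Associations" section of the
# Deckard's System Scanner log in this thread (not the original log verbatim).
SAMPLE_ASSOCIATIONS = """\
.bat - batfile - shell\\edit\\command - NOTEPAD.EXE %1
.cmd - cmdfile - shell\\edit\\command - unable to read value
.cpl - cplfile - shell\\cplopen\\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.inf - inffile - shell\\open\\command - unable to read value
.reg - regfile - shell\\edit\\command - NOTEDAD.EXE %1
.vbs - VBSFile - shell\\edit\\command - unable to read value
"""

# Assumed Windows XP defaults: the program that should handle each extension's
# edit/open verb. Only the executable's base name is compared, because the
# registry may store it with or without the %SystemRoot%\System32\ prefix.
EXPECTED_HANDLER = {
    ".bat": "notepad.exe",
    ".cmd": "notepad.exe",
    ".cpl": "rundll32.exe",
    ".inf": "notepad.exe",
    ".reg": "notepad.exe",
    ".vbs": "notepad.exe",
}

# ".ext - progid - shell\verb\command - <command string>"
LINE_RE = re.compile(r"^(\.\w+) - (\S+) - (\S+) - (.*)$")


def parse_association_line(line):
    """Return (ext, progid, verb_path, command) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2), m.group(3), m.group(4).strip()


def handler_basename(command):
    """Lower-case base name of the executable at the start of a command string."""
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_associations(log_text):
    """Return {ext: reason} for every extension whose handler is missing or wrong."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_association_line(line)
        if parsed is None:
            continue
        ext, _progid, _verb, command = parsed
        expected = EXPECTED_HANDLER.get(ext)
        if expected is None:
            continue  # extension we have no baseline for
        if command.lower() == "unable to read value":
            findings[ext] = "handler value missing"
            continue
        actual = handler_basename(command)
        if actual != expected:
            findings[ext] = "unexpected handler %s (expected %s)" % (actual, expected)
    return findings


if __name__ == "__main__":
    for ext, reason in sorted(check_associations(SAMPLE_ASSOCIATIONS).items()):
        print("%s: %s" % (ext, reason))
```

Comparing only the executable's base name keeps the check tolerant of the `%SystemRoot%\System32\` prefix while still catching a swapped-in binary; on the sample it reports .cmd, .inf and .vbs as unreadable and .reg as pointing at a handler other than NOTEPAD.EXE, which is the state DAFT is used to repair.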


Hey

 

I ran daft and removed all but .cpl, which didn't show up. I saved the logfile; however, it won't let me click on daft.txt to copy and paste the log. Am I doing this wrong, or is there another way to open it?


That's ok.

 

Just re-run Daft and make sure it says all associations are ok, because that's what we want to achieve.

 

Then, try Combofix again. This time it should work properly. Then post the Combofix log in your next reply.


Okay, I'm all set with daft.

 

I ran ComboFix again, but the Combofix.txt still didn't pop up on its own. For some strange reason, the My Documents folder comes up, and a document just simply named "log" comes up. However, I did a search and found ComboFix.txt, which I wasn't able to do before.

 

 

 

"Owner" - 2007-07-04 16:30:03 - ComboFix 07-07-03.3

 

 

(((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

 

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * *

 

2007-07-04 16:24 127488 ufcad.dat.qoo

 

((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))

 

 

2007-07-04 16:33 127,488 --a------ C:\WINNT\system32\ufcad.dat

2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google

2007-07-03 16:00 <DIR> d-------- C:\Program Files\WayBalmCurb

2007-07-03 13:23 <DIR> d-------- C:\Deckard

2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe

2007-06-27 20:05 51,712 --------- C:\WINNT\system32\upnvjdy.dll

2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat

2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9

2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-04 20:32:34 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-04 20:32:34 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-04 20:27:10 422 ----a-w C:\WINNT\ndtdi.dll

2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google

2007-07-04 05:59:33 -------- d-----w C:\Program Files\AIM

2007-07-04 01:53:01 -------- d-----w C:\Program Files\SpywareBlaster

2007-07-03 20:00:31 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\WayBalmCurb

2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6

2007-06-28 18:39:57 664 ----a-w C:\WINNT\system32\d3d9caps.dat

2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse

2007-05-06 18:15:19 -------- d-----w C:\Program Files\REGSHAVE

2007-05-06 01:19:33 -------- d---a-w C:\DOCUME~1\Owner\APPLIC~1\yahoo!

2007-05-04 01:50:37 -------- d-----w C:\Program Files\MSN Messenger

2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe

2007-04-29 01:54:21 32,768 ----a-w C:\setup9x.exe

2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll

2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll

2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll

2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll

2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll

2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]

"zzzHPSETUP"="E:\Setup.exe" []

"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]

"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]

"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]

"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]

"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

"AnteIsoSkipName"="C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\MP3 DASH.exe" [2007-07-03 16:00]

"oyrnrs"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-15 21:09]

"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2007-02-15 21:09]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]

"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]

"Real Peak"="C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe" [2007-07-03 16:00]

"kvyps"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"kqwm"=C:\PROGRA~1\COMMON~1\kqwm\kqwmm.exe

"Ltho"="C:\PROGRA~1\COMMON~1\PPATCH~1\javaw.exe" -vt yazr

"Lpcwvf"=C:\WINNT\system32\?dobe\?pool32.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=0 (0x0)

"NoColorChoice"=0 (0x0)

"NoSizeChoice"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispCPL"=0 (0x0)

"NoVisualStyleChoice"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=0 (0x0)

"NoThemesTab"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Shell"="Explorer.exe, C:\WINNT\System32\frear.exe"

"Userinit"="C:\WINNT\system32\userinit.exe,qmlecan.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

??????Y???

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

 

 

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

rundll32 iesetup.dll,IEAccessUserInst

 

Contents of the 'Scheduled Tasks' folder

2007-07-04 20:00:01 C:\WINNT\tasks\A859A6FC912257B4.job

2007-06-28 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job

2007-06-30 00:10:11 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job

2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job

2007-07-04 20:00:01 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

 

**************************************************************************

 

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-04 16:33:50

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-04 16:35:31 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-07-04 16:35

C:\ComboFix2.txt ... 2007-07-04 16:26

C:\ComboFix3.txt ... 2007-07-03 13:07

 

--- E O F ---


Hi,

 

Open notepad and copy/paste the text in the quotebox below into it:

 

File::

C:\WINNT\System32\oinvru.exe

C:\WINNT\System32\frear.exe

C:\WINNT\System32\qmlecan.exe

C:\Documents and Settings\All users\Start Menu\Programs\Startup\hpawx.exe

C:\WINNT\Tasks\AB81D8BC95EE5740.job

C:\setup9x.exe

C:\WINNT\system32\upnvjdy.dll

C:\WINNT\system32\ufcad.dat

 

Folder::

C:\Program Files\WayBalmCurb

C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1

C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO

 

Driver::

NetDDEdsma

 

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AnteIsoSkipName"=-

"oyrnrs"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Real Peak"=-

"kvyps"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"kqwm"=-

"Ltho"=-

"Lpcwvf"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Shell"="Explorer.exe"

"Userinit"="C:\\WINNT\\system32\\userinit.exe,"

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

 

Save this as ComboFix-Do.txt

 

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

 

[screenshot: Combo-Do.gif]

 

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 

Also, go to the following site:

http://www.virustotal.com/en/indexf.html

On top you'll find 'Browse'

Click the browse button and browse to the following file:

 

C:\WINNT\ndtdi.dll

 

Click open.

Then click the 'Send' button next to it.

This will scan the file. Please be patient.

Once scanned, copy and paste the results in your next reply as well.
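The Registry:: section of the script above resets the Winlogon Shell and Userinit values, which the ComboFix "Reg Loading Points" output showed chaining extra executables after Explorer.exe and userinit.exe. As an added example, not the thread's own text and not ComboFix's code, here is a Python check that parses a ComboFix-style registry dump and lists every executable in those two values beyond the assumed Windows XP defaults (Shell = Explorer.exe alone, Userinit = userinit.exe alone). The sample dump is constructed to mirror the log; the key path and value format follow what the log shows.

```python
import re

# Constructed sample modelled on the "Reg Loading Points" section of the
# ComboFix log in this thread (not the original log verbatim).
SAMPLE_REG_DUMP = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon]
"Shell"="Explorer.exe, C:\\WINNT\\System32\\frear.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,qmlecan.exe"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" [2007-03-03 00:31]
"""

# Section header as it appears in the dump, compared case-insensitively.
WINLOGON_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon]"

# Assumed Windows XP defaults: each value names exactly one executable.
# Anything else listed after a comma is an extra program started at logon.
EXPECTED = {
    "shell": ["explorer.exe"],
    "userinit": ["userinit.exe"],
}

# "Name"="value"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def winlogon_values(dump_text):
    """Return {value_name_lower: raw_string} for the Winlogon key in a ComboFix-style dump."""
    values = {}
    in_winlogon = False
    for line in dump_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # A bracketed line starts a new key section.
            in_winlogon = stripped.lower() == WINLOGON_KEY
            continue
        if not in_winlogon:
            continue
        m = VALUE_RE.match(stripped)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values


def entries(raw):
    """Split a comma-separated autorun string into lower-case executable base names."""
    out = []
    for part in raw.split(","):
        part = part.strip().strip('"')
        if part:
            out.append(part.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return out


def check_winlogon(dump_text):
    """Return {value_name: [unexpected executables]} for Shell and Userinit."""
    findings = {}
    values = winlogon_values(dump_text)
    for name, expected in EXPECTED.items():
        if name not in values:
            continue
        extra = [e for e in entries(values[name]) if e not in expected]
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    for name, extra in sorted(check_winlogon(SAMPLE_REG_DUMP).items()):
        print("%s: extra entries %s" % (name, ", ".join(extra)))
```

Splitting on commas is what matters here: a trailing comma after userinit.exe (the default form, and the form the script above restores) yields no extra entry, whereas a second name after the comma is exactly the persistence the script removes.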


Hey, here are the Combofix and Hijack This logs. I went to the link you gave me, but couldn't find C:\WINNT\ndtdi.dll when I browsed. I did a search and it didn't come up either.

 

 

 

"Owner" - 2007-07-06 17:18:45 - ComboFix 07-07-03.3

Command switches used :: C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt

 

 

(((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

 

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * *

 

2007-07-04 16:24 127488 ufcad.dat.qoo

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1

C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\151F6262

C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\beepcake.exe

C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\HtmDentDead.exe

C:\DOCUME~1\Owner\APPLIC~1\WAYBAL~1\mnjzyied.exe

C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO

C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\MP3 DASH.exe

C:\Documents and Settings\All Users\Application Data\COPY DEAD ANTE ISO\tick obj owns

C:\Program Files\WayBalmCurb

C:\setup9x.exe

C:\WINNT\system32\ufcad.dat

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_NETDDEDSMA

-------\NetDDEdsma

 

 

((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))

 

 

2007-07-06 17:23 127,488 --a------ C:\WINNT\system32\ufcad.dat

2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google

2007-07-03 13:23 <DIR> d-------- C:\Deckard

2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe

2007-06-27 20:05 51,712 --------- C:\WINNT\system32\upnvjdy.dll

2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat

2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9

2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-06 21:22:35 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-06 21:22:35 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-06 21:11:47 471 ----a-w C:\WINNT\ndtdi.dll

2007-07-06 19:34:12 -------- d-----w C:\Program Files\LimeWire

2007-07-06 04:38:11 -------- d-----w C:\Program Files\AIM

2007-07-04 20:54:40 -------- d-----w C:\Program Files\SpywareBlaster

2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google

2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6

2007-06-28 18:39:57 664 ----a-w C:\WINNT\system32\d3d9caps.dat

2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse

2007-05-06 18:15:19 -------- d-----w C:\Program Files\REGSHAVE

2007-05-06 01:19:33 -------- d---a-w C:\DOCUME~1\Owner\APPLIC~1\yahoo!

2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe

2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll

2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll

2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll

2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll

2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll

2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]

"zzzHPSETUP"="E:\Setup.exe" []

"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]

"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]

"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]

"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]

"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

"oyrnrs"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-15 21:09]

"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2007-02-15 21:09]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]

"AIM"="C:\Program Files\AIM+\AIM+.exe" [2002-06-10 03:15]

"kvyps"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=0 (0x0)

"NoColorChoice"=0 (0x0)

"NoSizeChoice"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispCPL"=0 (0x0)

"NoVisualStyleChoice"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=0 (0x0)

"NoThemesTab"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Shell"="Explorer.exe, C:\WINNT\System32\frear.exe"

"Userinit"="C:\WINNT\system32\userinit.exe,qmlecan.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

 

 

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

rundll32 iesetup.dll,IEAccessUserInst

 

Contents of the 'Scheduled Tasks' folder

2007-07-06 21:00:00 C:\WINNT\tasks\A859A6FC912257B4.job

2007-07-05 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job

2007-06-30 00:10:11 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job

2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job

2007-07-06 20:00:00 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

 

**************************************************************************

 

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-06 17:23:48

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-06 17:24:43 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-07-06 17:24

C:\ComboFix2.txt ... 2007-07-04 16:35

C:\ComboFix3.txt ... 2007-07-04 16:26

 

--- E O F ---

 

 

_______________________

 

 

Logfile of HijackThis v1.99.1

Scan saved at 5:41:00 PM, on 7/6/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\GWMDMMSG.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\SYMNET~1\SNDMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM+\AIM+.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\msiexec.exe

C:\WINNT\notepad.exe

C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


It appears that Combofix doesn't see the files, which is normal since this is a qoologic variant and this one runs stealth.

Guess this is also a newer variant as Combofix normally flags and deletes it, but not this time.

 

First of all, before fixing anything, open Notepad and copy and paste the text from the code box below into it:

 

@echo off
rem http://forums.spywareinfo.com/index.php?showtopic=101614
rem For each suspect file, catchme -k adds a copy of it to catchme.zip next to
rem this script (the desktop). Paths containing spaces are quoted so that the
rem FOR loop treats each path as a single item instead of splitting it on spaces.

For %%g in (
"C:\WINNT\System32\oinvru.exe"
"C:\WINNT\System32\frear.exe"
"C:\WINNT\System32\qmlecan.exe"
"C:\Documents and Settings\All users\Start Menu\Programs\Startup\hpawx.exe"
"C:\WINNT\system32\upnvjdy.dll"
"C:\WINNT\system32\ufcad.dat"
"C:\WINNT\ndtdi.dll"
) do catchme -l nul -k %%g >nul

rem Add this script itself to the archive, then rename the archive with a
rem date/time stamp (slashes and colons replaced so the name is valid).
catchme -l nul -k %0 >nul
nircmd execmd move /y "~$folder.desktop$\catchme.zip" "Submit [%date:/=-% %time::=.%].zip"
echo.Please submit the file - Submit [%date:/=-% %time::=.%].zip
nircmd wait 7000
del %0

Save this as Submit.bat (choose "All files" as the file type) and place it on your desktop.


(In case you are unsure how to create a bat file, take a look here with screenshots.)

 

Double-click Submit.bat and allow it to generate a zipped file called Submit [Date Time].zip

Please submit this file to: http://www.bleepingcomputer.com/submit-malware.php?channel=8

 

 

Let's see whether Qoofix detects it and can deal with it, so please do the following:

 

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip

  • Unzip all files to a convenient location such as C:\Qoofix.
  • Go to the folder you unzipped all files and run Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.

Finally, post a new HijackThis log and the contents of the Qoofix logfile.

Also, rescan with ComboFix after performing the above instructions and post the log.

 

In case it cannot see/recognise and deal with it, we'll try some other solutions then :-)

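The cross-check the post above does by eye can be scripted: ComboFix listing Run values that HijackThis does not show, executables appended to the Winlogon Shell and Userinit values, and a scheduled task with a random hex name. The block below is an added example written for this page, not code from HijackThis, ComboFix, Qoofix or the helper. Its sample input is constructed from excerpts of the logs posted above; the parsing and the hex-name rule for .job files are this example's own heuristics, not anything the tools implement.

```python
"""Cross-check two tools' views of the Run keys and flag Winlogon hijacks.

Added example for this thread, not code from HijackThis, ComboFix or Qoofix.
Sample lines are constructed from the logs posted above.
"""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# ComboFix "Reg Loading Points": a [HKEY_...\Run] header, then "name"="path" [stamp] lines.
CF_RUN_HEADER = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\]$",
    re.IGNORECASE)
CF_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')
# ComboFix 'Scheduled Tasks' listing: "<date> <time> <path>.job".
CF_JOB = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.*\\tasks\\[^\\]+\.job)$", re.IGNORECASE)
# HijackThis: F2 Winlogon values and O4 Run entries.
HJT_F2 = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)
HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_combofix(lines):
    """Return ({(hive, value name): path}, [scheduled task paths])."""
    run, jobs, hive = {}, [], None
    for raw in lines:
        line = raw.strip()
        m = CF_RUN_HEADER.match(line)
        if m:
            hive = HIVES[m.group(1).upper()]
            continue
        if line.startswith("["):        # any other section header ends the Run block
            hive = None
        m = CF_VALUE.match(line)
        if hive and m:
            run[(hive, m.group(1).lower())] = m.group(2)
        m = CF_JOB.match(line)
        if m:
            jobs.append(m.group(1))
    return run, jobs


def parse_hijackthis(lines):
    """Return ({(hive, value name): command}, [(Winlogon key, value)])."""
    run, winlogon = {}, []
    for raw in lines:
        line = raw.strip()
        m = HJT_O4.match(line)
        if m:   # HJT lower-cases the first letter of some names: compare case-insensitively
            run[(m.group(1), m.group(2).lower())] = m.group(3)
            continue
        m = HJT_F2.match(line)
        if m:
            winlogon.append((m.group(1), m.group(2)))
    return run, winlogon


def winlogon_extras(key, value):
    """Entries appended to Shell or Userinit beyond the Windows XP default."""
    default = "explorer.exe" if key.lower() == "shell" else "userinit.exe"
    entries = (e.strip() for e in value.split(","))
    return [e for e in entries if e and e.rsplit("\\", 1)[-1].lower() != default]


def triage(combofix_lines, hijackthis_lines):
    """Return (kind, detail) findings a helper would want to see first."""
    cf_run, jobs = parse_combofix(combofix_lines)
    hjt_run, winlogon = parse_hijackthis(hijackthis_lines)
    findings = []
    for key, value in winlogon:
        for extra in winlogon_extras(key, value):
            findings.append(("winlogon-" + key.lower(), extra))
    # A Run value ComboFix read from the registry but HijackThis did not list:
    # the loader is hidden from, or filtered by, one of the two tools.
    for (hive, name), path in cf_run.items():
        if (hive, name) not in hjt_run:
            findings.append(("run-only-in-combofix", f"{hive} {name} -> {path}"))
    # Heuristic (this example's own): vendors do not name tasks with a bare hex string.
    for path in jobs:
        name = path.rsplit("\\", 1)[-1][:-len(".job")]
        if re.fullmatch(r"[0-9A-Fa-f]{8,}", name):
            findings.append(("task-hex-name", path))
    return findings


# Constructed samples: excerpts of the 2007-07-06 logs posted above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"oyrnrs"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]
"kvyps"="C:\WINNT\System32\oinvru.exe" [2007-02-17 15:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINNT\System32\frear.exe"
Contents of the 'Scheduled Tasks' folder
2007-07-06 21:00:00 C:\WINNT\tasks\A859A6FC912257B4.job
2007-07-05 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job
""".splitlines()

HIJACKTHIS_SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\frear.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,qmlecan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".splitlines()

if __name__ == "__main__":
    for kind, detail in triage(COMBOFIX_SAMPLE, HIJACKTHIS_SAMPLE):
        print(f"{kind:22} {detail}")
```

On the sample it reports the two Winlogon additions (frear.exe, qmlecan.exe), the two Run values only ComboFix listed (oyrnrs and kvyps, both pointing at oinvru.exe) and the hex-named task. To run it over the full logs, read each file with open(...).read().splitlines() and pass the two lists to triage(). A difference between the two listings is a prompt to inspect the file, which is exactly what the helper does above by asking for the samples; it is not proof of infection by itself.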

Thanks! I managed everything okay though, except that when the computer was restarted after I ran Qoofix, no log came up. It did say, however, the Qoologic was successfully removed. Where would I find the log?

 

Also, I sent my Submit.zip file to the site you provided.

 

Here are the Combofix and Hijack This logs.

 

 

 

"Owner" - 2007-07-09 15:25:58 - ComboFix 07-07-03.3

 

 

((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))

 

 

2007-07-08 23:43 127,488 --a------ C:\WINNT\system32\ufcad.dat

2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google

2007-07-03 13:23 <DIR> d-------- C:\Deckard

2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe

2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat

2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9

2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-09 19:19:43 485 ----a-w C:\WINNT\ndtdi.dll

2007-07-09 19:15:39 -------- d-----w C:\Program Files\WB02d2se

2007-07-09 02:35:22 -------- d-----w C:\Program Files\AIM

2007-07-09 01:13:54 664 ----a-w C:\WINNT\system32\d3d9caps.dat

2007-07-07 04:46:28 -------- d-----w C:\Program Files\SymNetDrv

2007-07-06 19:34:12 -------- d-----w C:\Program Files\LimeWire

2007-07-04 20:54:40 -------- d-----w C:\Program Files\SpywareBlaster

2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google

2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6

2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse

2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe

2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll

2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll

2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll

2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll

2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll

2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]

"zzzHPSETUP"="E:\Setup.exe" []

"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]

"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]

"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]

"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]

"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2007-02-15 21:09]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]

"AIM"="C:\Program Files\AIM+\AIM+.exe" [2002-06-10 03:15]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=0 (0x0)

"NoColorChoice"=0 (0x0)

"NoSizeChoice"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispCPL"=0 (0x0)

"NoVisualStyleChoice"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=0 (0x0)

"NoThemesTab"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-07 00:23]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

 

 

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

rundll32 iesetup.dll,IEAccessUserInst

 

Contents of the 'Scheduled Tasks' folder

2007-07-09 19:00:00 C:\WINNT\tasks\A859A6FC912257B4.job

2007-07-05 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job

2007-07-07 03:25:51 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job

2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job

2007-07-09 04:00:00 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

 

**************************************************************************

 

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-09 15:30:34

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-09 15:31:27

C:\ComboFix-quarantined-files.txt ... 2007-07-09 15:31

C:\ComboFix2.txt ... 2007-07-06 17:24

C:\ComboFix3.txt ... 2007-07-04 16:35

 

--- E O F ---

 

 

___________________________________________________

 

 

Logfile of HijackThis v1.99.1

Scan saved at 3:35:04 PM, on 7/9/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\explorer.exe

C:\WINNT\NOTEPAD.EXE

C:\WINNT\System32\msiexec.exe

C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINNT\nvsvc32.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\System32\nvsvc32.exe (file missing)

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Hi,

 

Thanks for the files...

Not really sure whether the infection is removed or not... I guess so, since I see some improvement: ComboFix doesn't show them anymore in your Run keys, and the F2 entries from your HijackThis log are also gone.

 

The Qoofix log should be present in the Qoofix folder if I am not mistaken. So if you find it, post it in your next reply.

 

Also do next..

 

Open the ComboFix-Do.txt you created previously, delete its contents and replace them with the following:

 

File::

C:\WINNT\system32\ufcad.dat

C:\WINNT\ndtdi.dll

C:\WINNT\tasks\A859A6FC912257B4.job

 

Save the changes; the file should still be called ComboFix-Do.txt.

 

Then drag the ComboFix-Do.txt into ComboFix.exe as you already did previously

 

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Hey, I was unable to find the Qoofix log, but I did run it again and it said that no malicious modules were found and that no Qoologic infected files were found. I could post a new log if you need me to.

 

Here is the Combofix log.

 

"Owner" - 2007-07-10 20:42:31 - ComboFix 07-07-03.3

Command switches used :: C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINNT\ndtdi.dll

C:\WINNT\system32\ufcad.dat

C:\WINNT\tasks\A859A6FC912257B4.job

 

 

((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))

 

 

2007-07-03 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google

2007-07-03 13:23 <DIR> d-------- C:\Deckard

2007-07-02 18:16 49,152 --a------ C:\WINNT\nircmd.exe

2007-06-15 16:32 4,096 --a------ C:\WINNT\d3dx.dat

2007-06-15 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9

2007-06-15 16:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\GameHouse

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-11 00:11:38 -------- d-----w C:\Program Files\AIM

2007-07-10 03:18:39 664 ----a-w C:\WINNT\system32\d3d9caps.dat

2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-09 19:22:04 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat

2007-07-09 19:15:39 -------- d-----w C:\Program Files\WB02d2se

2007-07-07 04:46:28 -------- d-----w C:\Program Files\SymNetDrv

2007-07-06 19:34:12 -------- d-----w C:\Program Files\LimeWire

2007-07-04 20:54:40 -------- d-----w C:\Program Files\SpywareBlaster

2007-07-04 20:24:37 -------- d-----w C:\Program Files\Google

2007-07-02 23:28:43 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MSN6

2007-06-15 20:30:06 -------- d-----w C:\Program Files\GameHouse

2007-04-29 23:28:12 6,006,832 ----a-w C:\Firefox Setup 2.0.0.3.exe

2001-08-18 17:00:00 94,784 --sh--w C:\WINNT\twain.dll

2001-08-18 17:00:00 46,592 --sh--w C:\WINNT\twain_32.dll

2001-08-18 17:00:00 50,688 --sh--w C:\WINNT\system32\msvcirt.dll

2001-08-18 17:00:00 401,462 --sh--w C:\WINNT\system32\msvcp60.dll

2001-08-18 17:00:00 106,496 --sh--w C:\WINNT\system32\olepro32.dll

2001-08-18 17:00:00 9,728 --sh--w C:\WINNT\system32\regsvr32.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-03 00:31]

"zzzHPSETUP"="E:\Setup.exe" []

"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]

"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]

"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]

"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]

"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 09:47]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" []

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]

"AIM"="C:\Program Files\AIM+\AIM+.exe" [2002-06-10 03:15]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=0 (0x0)

"NoColorChoice"=0 (0x0)

"NoSizeChoice"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispCPL"=0 (0x0)

"NoVisualStyleChoice"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=0 (0x0)

"NoThemesTab"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-07 00:23]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

 

 

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

rundll32 iesetup.dll,IEAccessUserInst

 

Contents of the 'Scheduled Tasks' folder

2007-07-05 00:20:00 C:\WINNT\tasks\AppleSoftwareUpdate.job

2007-07-07 03:25:51 C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job

2002-09-16 18:22:47 C:\WINNT\tasks\Symantec NetDetect.job

2007-07-10 20:00:00 C:\WINNT\tasks\{6802FF3E-C151-4714-A3B2-A29E521767E7}_S0026868495_Owner.job

 

**************************************************************************

 

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-10 20:47:24

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-10 20:48:10

C:\ComboFix-quarantined-files.txt ... 2007-07-10 20:47

C:\ComboFix2.txt ... 2007-07-09 15:31

C:\ComboFix3.txt ... 2007-07-06 17:24

 

--- E O F ---
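The Run-key dump above lists each autostart value with, in brackets, the file date ComboFix recorded for the referenced executable; a few entries carry an empty bracket, or a bare filename with no directory, which is exactly what an analyst wants pulled out for a closer look. As an added example (not part of the original post and not ComboFix's own code), here is a small Python triage script that parses lines in that format and flags those cases. The flag names, the sample lines (a handful copied from the dump into a constructed string) and the reading of an empty bracket as "file could not be located" are this example's assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix Run-key dump above
# (a few lines copied in that format; not the full log).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 08:55 C:\WINNT\GWMDMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" []

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30]
'''

# A registry key header looks like [HKEY_...\Run]
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# A value line looks like "Name"="command" [file date, optional resolved path]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Return one record per Run-key value, tagged with the key it lives under."""
    key = ''
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append({'key': key, 'name': m['name'],
                            'cmd': m['cmd'], 'meta': m['meta'].strip()})
    return entries


def triage(entry: Dict[str, str]) -> List[str]:
    """Flags worth a second look; an empty list means nothing stood out."""
    flags = []
    cmd, meta = entry['cmd'], entry['meta']
    if '\\' not in cmd:
        # No directory: Windows resolves it by search order, so a planted
        # file earlier in that order would run instead of the intended one.
        flags.append('bare-filename')
    if not meta:
        # Assumption: empty bracket means the file could not be located.
        flags.append('no-file-info')
    elif '\\' in meta:
        # The scanner had to search for the file and reports where it found it.
        flags.append('resolved-by-search')
    if '~' in cmd:
        # 8.3 short names hide the real folder name; expand before judging.
        flags.append('8.3-short-name')
    return flags


def suspicious_entries(text: str) -> Dict[str, List[str]]:
    """Map value name -> flags for every entry that raised at least one flag."""
    return {e['name']: triage(e) for e in parse_run_entries(text) if triage(e)}


if __name__ == '__main__':
    for name, flags in suspicious_entries(SAMPLE_LOG).items():
        print(f'{name}: {", ".join(flags)}')
```

Entries that come back clean still need the usual checks (file hash, publisher signature, whether the path is one the named product actually installs to); the script only narrows the list to the lines most worth that effort.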


Hi,

 

The infection should be gone now. I've tested your samples and Qoofix is able to deal with them just fine.

 

Let me know in your next reply how things are now.


Things seem to be going well so far. The internet is loading without a problem and it doesn't seem to be freezing as much. Thank you so much for your help. :)


Glad I could help. :)

 

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!


Thanks for the information, I'll definitely put it to good use. Once again, thanks for the help!


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here

This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
