Adware, possible Malware


This topic is locked. 27 replies to this topic.

#1 SideshowBob311 (Full Member, 90 posts)

Posted 22 December 2007 - 12:22 PM

I've recently been getting a lot of ad popups and experiencing unexplainable system slowness. When I look at my Task Manager window, there are several suspicious processes running that are using large amounts of resources. Something's not right here, but I'm not sure what the problem is. Could someone please take a look at it? Any help is greatly appreciated.

EDIT: Whatever's going on is getting progressively worse: my Task Manager has been disabled/locked, and my desktop wallpaper has been changed.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:05 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1154485112\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ASEMBL~1\attrib.exe
C:\WINDOWS\?ystem\?ervices.exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: (no name) - {92A8A867-33AA-4A58-8F5F-4AE605810EC3} - C:\WINDOWS\system32\ijlnb.dll
O2 - BHO: (no name) - {9ABB7F1A-2381-46B9-A1A9-0FCDB92DD71A} - C:\WINDOWS\system32\gebcd.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.ex" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\ASEMBL~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Wwsbcn] C:\WINDOWS\?ystem\?ervices.exe
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.palt...od/wcloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...3/bin/imvid.cab
O20 - Winlogon Notify: yayvspq - C:\WINDOWS\SYSTEM32\yayvspq.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by SideshowBob311, 22 December 2007 - 02:17 PM.
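Added triage example (my own code, not part of SideshowBob311's post and not part of HijackThis): a short Python script that applies, over a constructed sample copied in the same layout as the log above, the checks a helper applies by eye. A literal `?` cannot occur in a Windows file name, so `C:\WINDOWS\?ystem\?ervices.exe` means the log tool could not render non-ASCII characters in a path built to look like `system\services.exe`. The remaining heuristics (a win.ini `load=` value, a Winlogon Notify package, an unnamed BHO, a short all-lowercase DLL name in system32, a long hex argument on an autorun command) are my assumptions about what deserves a second look; each hit is something to review, not a verdict.

```python
import re

# Constructed sample, copied in the HijackThis v1.99 layout of the log above.
SAMPLE_HJT = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {92A8A867-33AA-4A58-8F5F-4AE605810EC3} - C:\WINDOWS\system32\ijlnb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Wwsbcn] C:\WINDOWS\?ystem\?ervices.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O20 - Winlogon Notify: yayvspq - C:\WINDOWS\SYSTEM32\yayvspq.dll
"""

ENTRY = re.compile(r"^(F3|O2|O4|O20) - ")
# Assumption: a token of 32+ hex characters is unusual on a Run command line.
HEX_BLOB = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
# Assumption: 5-8 lowercase letters + .dll directly in system32 (gebcd.dll style) is worth a look.
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)


def extract_path(entry):
    """Return the file path an HJT entry points at (loaded module or autorun target)."""
    if entry.startswith("F3 "):
        return entry.split("load=", 1)[1].strip()
    if entry.startswith("O4 "):
        cmd = entry.split("]", 1)[1].strip()          # text after the [value name]
        m = re.match(r'"([^"]+)"|(\S+)', cmd)         # quoted path, else first token
        return (m.group(1) or m.group(2)) if m else cmd
    return entry.rsplit(" - ", 1)[-1].strip()        # O2/O20: path is the last " - " field


def triage(log):
    """Map each heuristic name to the list of HJT entries that trip it."""
    findings = {}

    def flag(reason, entry):
        findings.setdefault(reason, []).append(entry)

    for raw in log.splitlines():
        entry = raw.strip()
        if not ENTRY.match(entry):
            continue
        path = extract_path(entry)
        # '?' is illegal in a Windows file name: the log tool could not render a non-ASCII character.
        if "?" in path:
            flag("lookalike-path", entry)
        if entry.startswith("F3 ") and "load=" in entry:
            flag("winini-load", entry)
        if entry.startswith("O20 "):
            flag("winlogon-notify", entry)
        if entry.startswith("O2 ") and "(no name)" in entry:
            flag("unnamed-bho", entry)
        if RANDOM_DLL.search(path):
            flag("random-dll-in-system32", entry)
        if entry.startswith("O4 ") and HEX_BLOB.search(entry):
            flag("hex-argument", entry)
    return findings


if __name__ == "__main__":
    for reason, entries in triage(SAMPLE_HJT).items():
        print(reason)
        for e in entries:
            print("   ", e)
```

On the sample, the Adobe BHO and the QuickTime Run entry pass clean, while `gebcd.exe`, `ijlnb.dll`, `yayvspq.dll`, the `?ystem\?ervices.exe` path and the `mrofinu72.exe` command line are each reported under the heuristic they trip.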


#2 SWI Support Robot (SWI Bot, 23,520 posts)

Posted 25 December 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 screen317 (SWI Sentinel, Global Moderator, 8,813 posts)

Posted 26 December 2007 - 01:04 AM

Hello SideshowBob311, and welcome to SWI.

My apologies for the delay; we're all volunteers, and we've been swamped.

I could've sworn I've seen you somewhere before. :lol:


Is your antivirus up to date? You seem to be getting reinfected often.


Please download Combofix by sUBs.

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log, as well as a fresh HijackThis log, in your next reply.


Afterwards, please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm



~screen317

Edited by screen317, 26 December 2007 - 01:06 AM.



#4 SideshowBob311 (Full Member, 90 posts)

Posted 26 December 2007 - 07:49 PM

Thanks so much for taking the time to help. Again. :whistle: My antivirus software is all updated; unfortunately I think this nasty batch of infections came as a result of a bogus/scam website I stumbled onto while doing some Christmas shopping. I ran the programs you asked for and the log files are below. ComboFix seems to have made some progress, but there still seem to be suspicious applications running in my Task Manager.

ComboFix 07-12-21.4 - Owner 2007-12-26 17:33:53.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\FNTS~1
C:\Documents and Settings\Owner\Application Data\RACLE~1
C:\Documents and Settings\Owner\Application Data\SCURIT~1
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\asembl~1
C:\Program Files\asembl~1\a?sembly\
C:\Program Files\asembl~1\attrib .exe
C:\Program Files\asembl~1\attrib.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Program Files\WinAble\winable .exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\egmulhxk.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\nuq.dll
C:\WINDOWS\system32\qtdea.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wcpisvit32.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\yayvspq.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\ystem~1
C:\WINDOWS\ystem~1\?ervices.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 17:53 . 2007-12-26 17:53 340,480 --------- C:\WINDOWS\system32\gebcd.dll
2007-12-26 16:49 . 2007-12-26 16:49 344,064 --a------ C:\WINDOWS\system32\RCX55.tmp
2007-12-25 21:59 . 2007-12-25 21:59 344,064 --a------ C:\WINDOWS\system32\RCX54.tmp
2007-12-23 19:37 . 2007-12-26 17:53 <DIR> d-------- C:\Program Files\Router
2007-12-23 19:11 . 2007-12-23 19:11 344,064 --a------ C:\WINDOWS\system32\RCX48.tmp
2007-12-22 13:28 . 2007-12-26 17:26 18,432 --a------ C:\WINDOWS\fkwggshm.exe
2007-12-22 13:10 . 2007-12-22 13:10 344,064 --a------ C:\WINDOWS\system32\RCX47.tmp
2007-12-22 11:35 . 2007-12-22 11:35 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-22 10:55 . 2007-12-26 17:53 344,064 --a------ C:\WINDOWS\system32\gebcd.exe
2007-12-22 10:49 . 2007-12-25 21:59 385,024 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2007-12-22 10:48 . 2007-12-22 10:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-22 10:48 . 2007-12-22 10:48 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 23:40 . 2007-11-26 23:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-26 21:24 . 2007-07-09 07:09 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 23:53 --------- d-----w C:\Program Files\SymNetDrv
2007-12-26 23:53 --------- d-----w C:\Program Files\QuickTime
2007-12-26 23:53 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-26 23:53 --------- d-----w C:\Program Files\iTunes
2007-12-26 23:53 --------- d-----w C:\Program Files\AIM6
2007-12-22 16:54 --------- d-----w C:\Program Files\America Online 9.0
2007-12-14 02:01 --------- d-----w C:\Program Files\World of Warcraft
2007-12-01 18:45 --------- d-----w C:\Program Files\Diablo II
2007-11-25 17:38 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Symantec
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2002-12-19 21:48 707 ----a-w C:\Documents and Settings\Owner\BDMI.BAT
2004-06-19 16:14 2,569 --sha-w C:\WINDOWS\djxse.dat
2004-06-11 21:19 2,569 --sha-w C:\WINDOWS\rryhe.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{342A0622-6680-43D4-AF1F-004E87165460}]
2007-12-26 17:53 340480 --------- C:\WINDOWS\system32\gebcd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2007-12-26 17:34]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2007-12-26 17:34]
"Steam"="c:\progra~1\valve\steam\steam.ex -silent" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-26 17:34]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-26 17:34]
"Notn"="C:\PROGRA~1\ASEMBL~1\attrib.exe" []
"Wwsbcn"="C:\WINDOWS\?ystem\?ervices.exe" []
"QdrModule11"="C:\Program Files\QdrModule\QdrModule11.exe" []
"QdrPack11"="C:\Program Files\QdrPack\QdrPack11.exe" []
"AdobeUpdater "="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe" [2007-12-26 17:53]
"Router"="C:\Program Files\Router\Router.exe" [2007-12-26 17:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2007-12-26 17:53]
"KBD"="C:\HP\KBD\KBD.EXE" [2007-12-26 17:34]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2007-12-26 17:34]
"nwiz"="nwiz.exe" [2002-05-03 18:06 C:\WINDOWS\system32\nwiz.exe]
"NAV Agent"="c:\PROGRA~1\NORTON~1\navapw32.exe" [2007-12-26 17:53]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-12-26 17:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 17:53]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2007-12-26 17:34]
"HostManager"="C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe" [2007-12-26 17:35]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-26 17:53]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PORTAO~4.exe" [2007-12-26 17:53]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-26 17:53]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2007-12-26 17:53]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-26 17:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-26 17:35]
"quzeraka"="C:\Program Files\Online Services\quzeraka77798.exe" [2007-12-26 17:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2002-10-14 23:25:40]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\gebcd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebcd

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 00:14]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 04:02:17 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 17:54:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\gebcd.dll
.
Completion time: 2007-12-26 17:58:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-05 16:49
C:\ComboFix2.txt ... 2007-11-29 16:38
C:\ComboFix3.txt ... 2007-11-15 19:26
.
2007-12-12 03:47:27 --- E O F ---

SmitFraudFix v2.274

Scan done at 18:02:11.00, Wed 12/26/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32 .exe
C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\support.com\bin\tgcmd .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Online Services\quzeraka77798 .exe
C:\Program Files\Router\Router .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\AOL\1154485112\ee\aolsoftware.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.72.130
DNS Server Search Order: 68.87.77.130

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 15.243.128.51
DNS Server Search Order: 15.243.160.51

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AAD475DA-0176-4AB3-8D5B-FF8416B18953}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B4D45E84-59D1-4F57-85F6-306100609F14}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AAD475DA-0176-4AB3-8D5B-FF8416B18953}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B4D45E84-59D1-4F57-85F6-306100609F14}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AAD475DA-0176-4AB3-8D5B-FF8416B18953}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B4D45E84-59D1-4F57-85F6-306100609F14}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AAD475DA-0176-4AB3-8D5B-FF8416B18953}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B4D45E84-59D1-4F57-85F6-306100609F14}: DhcpNameServer=15.243.128.51 15.243.160.51
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130


Scanning for wininet.dll infection


End
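Added example (my own code, not from the post and not part of ComboFix or SmitfraudFix): a parser for the "Reg Loading Points" section in the layout ComboFix prints above, run over a constructed sample, that pulls out the three persistence points worth noticing in this log. The LSA `Authentication Packages` value lists DLLs that lsass.exe loads at boot, so a `gebcd` entry there survives deleting files from Run keys; the HKCU `windows\load` value is another logon-time loader; and a Run value whose name differs from a legitimate one only by a trailing space (`AdobeUpdater ` next to `AdobeUpdater`), pointing at a file with a space before the extension (`AdobeUpdater .exe`, `qttask .exe`, and the `attrib .exe` / `attrib.exe` pair in the deletion list), is a lookalike, not the vendor's entry. The baseline of `msv1_0` as the only expected authentication package on a stock XP machine is my assumption; systems with extra packages need it extended.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section above.
SAMPLE_LOADPOINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-26 17:34]
"AdobeUpdater "="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe" [2007-12-26 17:53]
"Router"="C:\Program Files\Router\Router.exe" [2007-12-26 17:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 17:53]
"nwiz"="nwiz.exe" [2002-05-03 18:06 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\gebcd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebcd
"""

# Assumption: a stock Windows XP box lists only msv1_0 here; extend for systems
# that legitimately register additional packages.
BASELINE_AUTH_PACKAGES = {"msv1_0"}

VALUE_LINE = re.compile(r'^"([^"]*)"=(.*)$')
TRAILING_STAMP = re.compile(r"\s*\[[^\]]*\]\s*$")       # ComboFix's trailing "[date time ...]"
SPACE_BEFORE_EXT = re.compile(r"\s\.(exe|dll|com|scr|bat|cmd)\b", re.IGNORECASE)


def parse_loadpoints(text):
    """Return {registry key: [(value name, data)]}; data is a str, or a list for REG_MULTI_SZ."""
    keys = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None:
            continue
        m = VALUE_LINE.match(line)
        if m:
            data = TRAILING_STAMP.sub("", m.group(2)).strip('"')
            keys[current].append((m.group(1), data))
        elif line.startswith("Authentication Packages"):
            pkgs = line.split("REG_MULTI_SZ", 1)[1].split()
            keys[current].append(("Authentication Packages", pkgs))
    return keys


def triage_loadpoints(text):
    """Flag LSA packages outside the baseline, a non-empty load= value,
    paths with a space before the extension, and value names that collide after stripping whitespace."""
    findings = defaultdict(list)
    for key, values in parse_loadpoints(text).items():
        lowered = key.lower()
        by_name = defaultdict(list)
        for name, data in values:
            if name == "Authentication Packages" and lowered.endswith(r"\control\lsa"):
                for pkg in data:
                    if pkg.lower() not in BASELINE_AUTH_PACKAGES:
                        findings["lsa-auth-package"].append(pkg)
                continue
            if lowered.endswith(r"\currentversion\windows") and name.lower() == "load" and data:
                findings["load-value"].append(data)
            if SPACE_BEFORE_EXT.search(data):
                findings["space-before-extension"].append(data)
            by_name[name.strip().lower()].append(name)
        for stripped, variants in by_name.items():
            if len(variants) > 1:
                findings["duplicate-name-whitespace"].append((key, stripped, variants))
    return dict(findings)


if __name__ == "__main__":
    for reason, hits in triage_loadpoints(SAMPLE_LOADPOINTS).items():
        print(reason)
        for h in hits:
            print("   ", h)
```

Registry value names are unique within a key, so `AdobeUpdater` and `AdobeUpdater ` are two distinct values; the grouping on the stripped name is what exposes the pair, and the same check applied to the Run keys in the log above also pairs `QuickTime Task` with its `qttask .exe` target.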

#5 SideshowBob311 (Full Member, 90 posts)

Posted 26 December 2007 - 07:51 PM

And lastly, a fresh Hijack This log. (Didn't want my last post to go long and get cut off)

Logfile of HijackThis v1.99.1
Scan saved at 6:42:39 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32 .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\support.com\bin\tgcmd .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Router\Router .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {342A0622-6680-43D4-AF1F-004E87165460} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PORTAO~4.EXE" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [quzeraka] C:\Program Files\Online Services\quzeraka77798.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.ex" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\ASEMBL~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Wwsbcn] C:\WINDOWS\?ystem\?ervices.exe
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [AdobeUpdater ] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.palt...od/wcloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...3/bin/imvid.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 screen317 (SWI Sentinel, Global Moderator)

Posted 27 December 2007 - 08:06 PM

Hi SideshowBob311,


You have a nasty new infection. Let's try to eliminate it as soon as possible.


Open NOTEPAD.exe
Copy and paste the text in the codebox below into it (do not include the word "code"):

@echo off
Vfind.exe -ltf "%systemdrive%\* .exe" > Log.txt
Start notepad log.txt


Save this as check.bat Choose the Save as type to be All Files.
It should look like this: [screenshot]
Double click on check.bat and allow it to run.

It shall produce a log which you must attach (do not post the log) in your next reply.


-screen317

Please consider donating to help support the continued prompt and excellent services of this site.


#7 SideshowBob311 (Full Member)

Posted 27 December 2007 - 10:29 PM

At the risk of sounding VERY stupid...how do I attach a log to a post? All I've ever done is copy/paste logs into replies...

#8 screen317 (SWI Sentinel, Global Moderator)

Posted 27 December 2007 - 10:41 PM

No need for an attachment, but make sure you put it in a code box.

[ code ]

[ /code ]

(without the spaces)



#9 SideshowBob311 (Full Member)

Posted 27 December 2007 - 10:45 PM

Ok hopefully this is what you meant....thanks for the patience

[codebox]
----a-w 61,440 2007-12-27 22:40:28 C:\hp\KBD\KBD .EXE
----a-w 40,048 2007-12-27 22:40:48 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 50,736 2007-12-27 22:41:04 C:\Program Files\AIM6\aim6 .exe
----a-w 50,776 2007-12-27 02:50:38 C:\Program Files\America Online 9.0\aol .exe
----a-w 90,112 2007-12-27 22:40:48 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w 2,321,600 2007-12-26 23:53:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 2,321,600 2007-12-27 22:41:17 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 50,736 2007-12-27 22:58:06 C:\Program Files\Common Files\AOL\1154485112\EE\AOLSoftware .exe
----a-w 71,216 2007-12-27 22:40:43 C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
----a-w 69,632 2007-12-27 22:40:28 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w 229,952 2007-12-27 22:40:48 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2007-12-27 22:40:50 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,694,208 2007-12-27 22:40:58 C:\Program Files\Messenger\MSMSGS .EXE
----a-w 75,384 2007-12-27 22:40:33 C:\Program Files\Norton AntiVirus\navapw32 .exe
----a-w 163,840 2007-12-27 22:40:55 C:\Program Files\Online Services\quzeraka77798 .exe
----a-w 473,600 2007-12-24 01:11:01 C:\Program Files\Pure Networks\Port Magic\PortAOL .exe
----a-w 473,600 2007-12-26 03:58:56 C:\Program Files\Pure Networks\Port Magic\PORTAO~1 .EXE
----a-w 473,600 2007-12-26 23:35:03 C:\Program Files\Pure Networks\Port Magic\PORTAO~2 .EXE
----a-w 473,600 2007-12-27 22:40:29 C:\Program Files\Pure Networks\Port Magic\PORTAO~3 .EXE
----a-w 99,480 2007-12-27 22:40:46 C:\Program Files\Pure Networks\Port Magic\PORTAO~4 .EXE
----a-w 282,624 2007-12-27 22:40:37 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-27 22:40:26 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-26 23:34:55 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-26 03:58:52 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-24 01:10:58 C:\Program Files\QuickTime\qttask .exe
----a-w 137,728 2007-12-27 22:41:19 C:\Program Files\Router\Router .exe
----a-w 1,544,192 2007-12-27 22:40:40 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 95,960 2007-12-27 22:40:35 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 155,648 2007-12-27 22:40:30 C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
----a-w 1,490,944 2007-12-27 22:40:57 C:\Program Files\Yahoo!\Messenger\ypager .exe

Entries: 30 (30)
Directories: 0 Files: 30
Bytes: 15,740,048 Blocks: 30,751
[/codebox]

#10 screen317 (SWI Sentinel, Global Moderator)

Posted 27 December 2007 - 11:04 PM

Hi SideshowBob311,

Please download RenV by sUBs.

1. Save it to your Desktop.
2. Double-click RenV.exe
3. It shall produce a log for you. Please post that log in your reply.


-screen317

Edited by screen317, 28 December 2007 - 03:47 AM.



#11 screen317 (SWI Sentinel, Global Moderator)

Posted 28 December 2007 - 03:48 AM

Please note my edited instructions above.



#12 SideshowBob311 (Full Member)

Posted 28 December 2007 - 11:15 PM

Ok here's the newest log you asked for. You weren't kidding when you said this was a nasty infection....wow.

[codebox]Ran on Fri 12/28/2007 - 22:08:53.19

----a-w 19,456 2007-12-29 03:56:16 C:\Documents and Settings\Owner\Application Data\mrfnzxgfp .exe
----a-w 61,440 2007-12-29 03:54:46 C:\hp\KBD\KBD .EXE
----a-w 40,048 2007-12-29 03:55:12 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 50,736 2007-12-29 03:55:49 C:\Program Files\AIM6\aim6 .exe
----a-w 50,776 2007-12-27 02:50:38 C:\Program Files\America Online 9.0\aol .exe
----a-w 90,112 2007-12-29 03:55:11 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w 2,321,600 2007-12-26 23:53:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 2,321,600 2007-12-29 03:56:09 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 50,736 2007-12-29 04:09:56 C:\Program Files\Common Files\AOL\1154485112\EE\AOLSoftware .exe
----a-w 71,216 2007-12-29 03:54:54 C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
----a-w 69,632 2007-12-29 03:54:45 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w 229,952 2007-12-29 03:54:59 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2007-12-29 03:55:15 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,694,208 2007-12-29 03:55:40 C:\Program Files\Messenger\MSMSGS .EXE
----a-w 75,384 2007-12-29 03:54:48 C:\Program Files\Norton AntiVirus\navapw32 .exe
----a-w 163,840 2007-12-29 03:55:15 C:\Program Files\Online Services\quzeraka77798 .exe
----a-w 321,088 2007-12-29 03:55:18 C:\Program Files\Pure Networks\Network Magic\nmapp .exe
----a-w 473,600 2007-12-29 03:55:45 C:\Program Files\Pure Networks\Port Magic\PO6634~1 .EXE
----a-w 99,480 2007-12-29 03:54:56 C:\Program Files\Pure Networks\Port Magic\PO6634~2 .EXE
----a-w 473,600 2007-12-24 01:11:01 C:\Program Files\Pure Networks\Port Magic\PortAOL .exe
----a-w 473,600 2007-12-26 03:58:56 C:\Program Files\Pure Networks\Port Magic\PORTAO~1 .EXE
----a-w 473,600 2007-12-26 23:35:03 C:\Program Files\Pure Networks\Port Magic\PORTAO~2 .EXE
----a-w 473,600 2007-12-27 22:40:29 C:\Program Files\Pure Networks\Port Magic\PORTAO~3 .EXE
----a-w 473,600 2007-12-28 22:59:55 C:\Program Files\Pure Networks\Port Magic\PORTAO~4 .EXE
----a-w 653,824 2007-12-29 03:55:35 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-29 03:45:57 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-28 22:59:50 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-27 22:40:26 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-26 23:34:55 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-26 03:58:52 C:\Program Files\QuickTime\qttask .exe
----a-w 653,824 2007-12-24 01:10:58 C:\Program Files\QuickTime\qttask .exe
----a-w 137,728 2007-12-29 03:56:12 C:\Program Files\Router\Router .exe
----a-w 1,544,192 2007-12-29 03:54:59 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 95,960 2007-12-29 03:54:49 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 155,648 2007-12-29 03:54:47 C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
----a-w 1,490,944 2007-12-29 03:55:24 C:\Program Files\Yahoo!\Messenger\ypager .exe

Entries: 36 (36)
Directories: 0 Files: 36
Bytes: 18,706,640 Blocks: 36,546[/codebox]

#13 screen317 (SWI Sentinel, Global Moderator)

Posted 29 December 2007 - 12:56 AM

Hi SideshowBob311,

All of those files got renamed by the infection. It added an extra space into the filename.

Example:

Original Name: "Reader_sl.exe"
Name modified by the infection: "Reader_sl .exe"



[screenshot]

Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.


-screen317

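The `* .exe` search in check.bat (post #6) and the rename pattern described in post #13 (one or more spaces inserted in front of the extension) can be checked mechanically. The script below is an added example, not code from Vfind, RenV or anyone in this thread: it parses Vfind-style log lines, works out the name each affected file would be restored to, and flags cases where several files would collapse onto one name (the qttask family in the logs above, where differently sized copies each carry a different number of spaces), since a rename tool must not resolve those blindly. The sample log is constructed from a handful of lines taken from the logs in this thread, with one clean control line added.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# One Vfind line as posted in the thread: attributes, size, date, time, path.
VFIND_LINE = re.compile(
    r"^(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d[\d,]*)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# A file name whose extension is preceded by one or more spaces ("qttask   .exe").
SPACED_EXT = re.compile(r"^(?P<stem>.*\S)(?P<pad> +)(?P<ext>\.[A-Za-z0-9]+)$")

# Constructed sample: six lines lifted from the thread's logs plus one clean control
# line (sgtray.exe) that must not be flagged; the trailer mimics Vfind's summary.
SAMPLE_LOG = r"""
----a-w 40,048 2007-12-29 03:55:12 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 2,321,600 2007-12-26 23:53:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater  .exe
----a-w 2,321,600 2007-12-29 03:56:09 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 653,824 2007-12-29 03:55:35 C:\Program Files\QuickTime\qttask   .exe
----a-w 653,824 2007-12-28 22:59:50 C:\Program Files\QuickTime\qttask  .exe
----a-w 282,624 2007-12-27 22:40:37 C:\Program Files\QuickTime\qttask .exe
----a-w 155,648 2007-12-27 22:40:30 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

Entries: 7 (7)
Directories: 0 Files: 7
"""


def parse_vfind(text: str) -> List[dict]:
    """Parse the file lines of a Vfind log; blank and trailer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = VFIND_LINE.match(line)
        if not m:
            continue
        entries.append({
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
            "timestamp": f"{m['date']} {m['time']}",
            "path": m["path"],
        })
    return entries


def original_name(path: str) -> Optional[str]:
    """Return the path with the injected spaces removed, or None if it is not affected.

    Only the final path component is examined, so a directory such as
    'Reader 8.0' (a legitimate space) is never touched.
    """
    directory, sep, name = path.rpartition("\\")
    m = SPACED_EXT.match(name)
    if not m:
        return None
    return f"{directory}{sep}{m['stem']}{m['ext']}"


def restoration_plan(entries: List[dict]) -> Dict[str, dict]:
    """Group affected entries by the name they would be restored to.

    One candidate can be renamed back directly. Several candidates for the same
    original name (one copy per added space, as with qttask above) cannot all be
    renamed to one path, so the group is flagged as a collision for manual review.
    Candidates are listed newest first.
    """
    groups: Dict[str, List[dict]] = defaultdict(list)
    for e in entries:
        target = original_name(e["path"])
        if target is not None:
            groups[target].append(e)
    plan = {}
    for target, cands in groups.items():
        cands.sort(key=lambda e: e["timestamp"], reverse=True)
        plan[target] = {
            "action": "rename" if len(cands) == 1 else "collision",
            "candidates": [c["path"] for c in cands],
            "sizes": sorted({c["size"] for c in cands}),
        }
    return plan


if __name__ == "__main__":
    for target, info in restoration_plan(parse_vfind(SAMPLE_LOG)).items():
        print(f"{info['action']:9} {target}")
        for cand in info["candidates"]:
            print(f"          <- {cand!r}")
```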


#14 screen317 (SWI Sentinel, Global Moderator)

Posted 29 December 2007 - 01:03 AM

Immediately afterwards, please run ComboFix again, and post its log, as well as a fresh HijackThis log. Thanks.



#15 SideshowBob311 (Full Member)

Posted 29 December 2007 - 05:09 PM

Ok, here is the new set of logs. I don't know if it's relevant or not, but it seems as if my system is running almost constantly at this point. Often it sounds like there's an Internet Explorer window running even when there isn't (or shouldn't be) and my cursor inexplicably turns to the hourglass icon all the time. Additionally, during the first step of your instructions, dragging the log file into the RenV program, I got a lot of "access denied" messages in the RenV window.

----a-w 19,456 2007-12-29 03:56:16 C:\Documents and Settings\Owner\Application Data\mrfnzxgfp .exe
----a-w 61,440 2007-12-29 03:54:46 C:\hp\KBD\KBD .EXE
----a-w 40,048 2007-12-29 03:55:12 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 50,736 2007-12-29 03:55:49 C:\Program Files\AIM6\aim6 .exe
----a-w 50,776 2007-12-27 02:50:38 C:\Program Files\America Online 9.0\aol .exe
----a-w 90,112 2007-12-29 03:55:11 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w 2,321,600 2007-12-26 23:53:33 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater  .exe
----a-w 2,321,600 2007-12-29 03:56:09 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 50,736 2007-12-29 04:09:56 C:\Program Files\Common Files\AOL\1154485112\EE\AOLSoftware .exe
----a-w 71,216 2007-12-29 03:54:54 C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
----a-w 69,632 2007-12-29 03:54:45 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w 229,952 2007-12-29 03:54:59 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2007-12-29 03:55:15 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,694,208 2007-12-29 03:55:40 C:\Program Files\Messenger\MSMSGS .EXE
----a-w 75,384 2007-12-29 03:54:48 C:\Program Files\Norton AntiVirus\navapw32 .exe
----a-w 163,840 2007-12-29 03:55:15 C:\Program Files\Online Services\quzeraka77798 .exe
----a-w 321,088 2007-12-29 03:55:18 C:\Program Files\Pure Networks\Network Magic\nmapp .exe
----a-w 473,600 2007-12-29 03:55:45 C:\Program Files\Pure Networks\Port Magic\PO6634~1 .EXE
----a-w 99,480 2007-12-29 03:54:56 C:\Program Files\Pure Networks\Port Magic\PO6634~2 .EXE
----a-w 473,600 2007-12-24 01:11:01 C:\Program Files\Pure Networks\Port Magic\PortAOL .exe
----a-w 473,600 2007-12-26 03:58:56 C:\Program Files\Pure Networks\Port Magic\PORTAO~1 .EXE
----a-w 473,600 2007-12-26 23:35:03 C:\Program Files\Pure Networks\Port Magic\PORTAO~2 .EXE
----a-w 473,600 2007-12-27 22:40:29 C:\Program Files\Pure Networks\Port Magic\PORTAO~3 .EXE
----a-w 473,600 2007-12-28 22:59:55 C:\Program Files\Pure Networks\Port Magic\PORTAO~4 .EXE
----a-w 653,824 2007-12-29 03:55:35 C:\Program Files\QuickTime\qttask       .exe
----a-w 653,824 2007-12-29 03:45:57 C:\Program Files\QuickTime\qttask      .exe
----a-w 653,824 2007-12-28 22:59:50 C:\Program Files\QuickTime\qttask     .exe
----a-w 653,824 2007-12-27 22:40:26 C:\Program Files\QuickTime\qttask    .exe
----a-w 653,824 2007-12-26 23:34:55 C:\Program Files\QuickTime\qttask   .exe
----a-w 653,824 2007-12-26 03:58:52 C:\Program Files\QuickTime\qttask  .exe
----a-w 653,824 2007-12-24 01:10:58 C:\Program Files\QuickTime\qttask .exe
----a-w 137,728 2007-12-29 03:56:12 C:\Program Files\Router\Router .exe
----a-w 1,544,192 2007-12-29 03:54:59 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 95,960 2007-12-29 03:54:49 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 155,648 2007-12-29 03:54:47 C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
----a-w 1,490,944 2007-12-29 03:55:24 C:\Program Files\Yahoo!\Messenger\ypager .exe

Entries: 36 (36)
Directories: 0 Files: 36
Bytes: 18,706,640 Blocks: 36,546

ComboFix 07-12-21.4 - Owner 2007-12-29 15:41:11.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.122 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\gebcd.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 15:52 . 2007-12-29 15:51 19,456 --a------ C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm.exe
2007-12-29 15:51 . 2007-12-29 15:51 19,456 --a------ C:\Documents and Settings\Owner\Application Data\juhd .exe
2007-12-29 15:50 . 2007-12-29 15:50 340,480 --------- C:\WINDOWS\system32\gebcd.dll
2007-12-29 15:36 . 2007-12-28 21:56 19,456 --a------ C:\Documents and Settings\Owner\Application Data\mrfnzxgfp.exe
2007-12-29 14:37 . 2007-12-29 15:50 363,520 --a------ C:\Documents and Settings\Owner\Application Data\juhd.exe
2007-12-29 14:36 . 2007-12-29 14:36 19,456 --a------ C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi .exe
2007-12-29 13:31 . 2007-12-29 13:31 19,456 --a------ C:\WWJy.exe
2007-12-29 13:23 . 2004-04-05 15:33 45,208 --a------ C:\WINDOWS\system32\connwsp.dll
2007-12-29 13:22 . 2007-12-29 14:35 363,520 --a------ C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi.exe
2007-12-29 13:21 . 2007-12-29 13:21 19,456 --a------ C:\Documents and Settings\Owner\Application Data\drisc .exe
2007-12-29 13:20 . 2007-12-29 13:20 344,064 --a------ C:\WINDOWS\system32\RCX49.tmp
2007-12-28 21:56 . 2007-12-29 13:20 363,520 --a------ C:\Documents and Settings\Owner\Application Data\drisc.exe
2007-12-28 21:39 . 2007-12-29 13:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-28 21:39 . 2007-12-28 21:39 19,456 --a------ C:\PsXg.exe
2007-12-28 21:39 . 2007-12-28 21:39 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-28 18:06 . 2007-12-28 18:06 <DIR> d-------- C:\Program Files\DIFX
2007-12-28 18:06 . 2007-03-14 22:55 25,792 --a------ C:\WINDOWS\system32\drivers\pnarp.sys
2007-12-28 18:05 . 2007-12-28 18:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-28 18:05 . 2007-12-28 18:05 <DIR> d-------- C:\Program Files\Common Files\Pure Networks Shared
2007-12-28 18:05 . 2007-03-14 22:55 26,944 --a------ C:\WINDOWS\system32\drivers\purendis.sys
2007-12-28 16:59 . 2007-12-28 16:59 344,064 --a------ C:\WINDOWS\system32\RCX42.tmp
2007-12-27 16:40 . 2007-12-27 16:40 344,064 --a------ C:\WINDOWS\system32\RCX41.tmp
2007-12-26 18:02 . 2007-12-26 18:02 3,416 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-26 16:49 . 2007-12-26 16:49 344,064 --a------ C:\WINDOWS\system32\RCX55.tmp
2007-12-25 21:59 . 2007-12-25 21:59 344,064 --a------ C:\WINDOWS\system32\RCX54.tmp
2007-12-23 19:37 . 2007-12-29 15:50 <DIR> d-------- C:\Program Files\Router
2007-12-23 19:11 . 2007-12-23 19:11 344,064 --a------ C:\WINDOWS\system32\RCX48.tmp
2007-12-22 13:28 . 2007-12-26 17:26 18,432 --a------ C:\WINDOWS\fkwggshm.exe
2007-12-22 13:10 . 2007-12-22 13:10 344,064 --a------ C:\WINDOWS\system32\RCX47.tmp
2007-12-22 11:35 . 2007-12-22 11:35 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-22 10:55 . 2007-12-29 15:51 344,064 --a------ C:\WINDOWS\system32\gebcd.exe
2007-12-22 10:49 . 2007-12-25 21:59 385,024 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 21:51 --------- d-----w C:\Program Files\SymNetDrv
2007-12-29 21:51 --------- d-----w C:\Program Files\QuickTime
2007-12-29 21:51 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-29 21:51 --------- d-----w C:\Program Files\iTunes
2007-12-29 21:51 --------- d-----w C:\Program Files\AIM6
2007-12-29 21:36 --------- d-----w C:\Program Files\America Online 9.0
2007-12-29 00:05 --------- d-----w C:\Program Files\Pure Networks
2007-12-29 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-12-14 02:01 --------- d-----w C:\Program Files\World of Warcraft
2007-12-01 18:45 --------- d-----w C:\Program Files\Diablo II
2007-11-27 05:40 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-25 17:38 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Symantec
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2002-12-19 21:48 707 ----a-w C:\Documents and Settings\Owner\BDMI.BAT
2004-06-19 16:14 2,569 --sha-w C:\WINDOWS\djxse.dat
2004-06-11 21:19 2,569 --sha-w C:\WINDOWS\rryhe.dat
.

((((((((((((((((((((((((((((( snapshot@2007-12-26_17.56.30.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-29 00:06:32 27,006 ----a-r C:\WINDOWS\Installer\{371EBC04-8CED-4AEB-96F6-8184EAF340BC}\NmApp.exe
+ 2007-03-15 04:55:02 25,792 -c--a-w C:\WINDOWS\system32\DRVSTORE\pnarp_CE32619397E9E17D354203F459E8BFBBCF70F8F6\pnarp.sys
+ 2007-03-15 04:55:18 26,944 -c--a-w C:\WINDOWS\system32\DRVSTORE\purendis_FB4BB9375F46ADB40ED123AE87B2A8587C2EEB02\purendis.sys
- 2006-01-09 15:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2007-12-04 07:00:42 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4A40AC7-3D49-488B-AABC-A07AD12D0EDA}]
2007-12-29 15:50 340480 --------- C:\WINDOWS\system32\gebcd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2007-12-29 15:50]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2007-12-29 15:50]
"Steam"="c:\progra~1\valve\steam\steam.ex -silent" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-29 15:50]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-29 15:50]
"Notn"="C:\PROGRA~1\ASEMBL~1\attrib.exe" []
"Wwsbcn"="C:\WINDOWS\?ystem\?ervices.exe" []
"QdrModule11"="C:\Program Files\QdrModule\QdrModule11.exe" []
"QdrPack11"="C:\Program Files\QdrPack\QdrPack11.exe" []
"AdobeUpdater "="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe" [2007-12-29 15:51]
"Router"="C:\Program Files\Router\Router.exe" [2007-12-29 15:50]
"Microsft Windows Adapter 5.1.3013"="C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm.exe" [2007-12-29 15:51]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2007-12-29 15:50]
"KBD"="C:\HP\KBD\KBD.EXE" [2007-12-29 15:50]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2007-12-29 15:50]
"nwiz"="nwiz.exe" [2002-05-03 18:06 C:\WINDOWS\system32\nwiz.exe]
"NAV Agent"="c:\PROGRA~1\NORTON~1\navapw32.exe" [2007-12-29 15:51]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-12-29 15:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-29 15:51]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2007-12-29 15:51]
"HostManager"="C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe" [2007-12-29 15:41]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-29 15:51]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4.exe" [2007-12-29 15:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-29 15:51]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2007-12-29 15:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-29 15:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-29 15:41]
"quzeraka"="C:\Program Files\Online Services\quzeraka77798.exe" [2007-12-29 15:51]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-12-29 15:41]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2002-10-14 23:25:40]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\gebcd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebcd

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 00:14]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 04:02:17 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 15:52:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\gebcd.dll
.
Completion time: 2007-12-29 15:57:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-05 16:49
C:\ComboFix2.txt ... 2007-12-28 22:03
C:\ComboFix3.txt ... 2007-12-26 17:58
.
2007-12-12 03:47:27 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 4:01:00 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32 .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\support.com\bin\tgcmd .exe
C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4 .EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Online Services\quzeraka77798 .exe
C:\Program Files\Pure Networks\Network Magic\nmapp .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Router\Router .exe
C:\Documents and Settings\Owner\Application Data\juhd .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\Scanner.exe
C:\Program Files\Common Files\AOL\1154485112\ee\aolsoftware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E4A40AC7-3D49-488B-AABC-A07AD12D0EDA} - C:\WINDOWS\system32\gebcd.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4.EXE" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [quzeraka] C:\Program Files\Online Services\quzeraka77798.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.ex" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\ASEMBL~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Wwsbcn] C:\WINDOWS\?ystem\?ervices.exe
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [AdobeUpdater ] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.palt...od/wcloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...3/bin/imvid.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#16 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • PipPipPipPipPip
  • 8,813 posts

Posted 29 December 2007 - 05:47 PM

Hi SideshowBob311,


Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Now, reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, please open log.txt.

Delete the following lines from log.txt:
----a-w 19,456 2007-12-29 03:56:16 C:\Documents and Settings\Owner\Application Data\mrfnzxgfp .exe
----a-w 163,840 2007-12-29 03:55:15 C:\Program Files\Online Services\quzeraka77798 .exe

Click File --> Save.

Next, repeat the previous instructions (dragging log.txt onto RenV.exe), and see if the same Access Denied messages appear.

Afterwards, please run ComboFix, and post the resultant log.

-screen317

Edited by screen317, 30 December 2007 - 12:43 AM.

Please consider donating to help support the continued prompt and excellent services of this site.


#17 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • PipPipPipPipPip
  • 8,813 posts

Posted 30 December 2007 - 12:43 AM

Please note my edited post above.



#18 SideshowBob311

SideshowBob311

    Member

  • Full Member
  • Pip
  • 90 posts

Posted 31 December 2007 - 03:45 PM

OK, this time, instead of getting "Access Denied" messages when I ran RenV.exe, I got "File not Found" messages. Here are the logs you requested.

Ran on Mon 12/31/2007 - 14:19:12.45
----a-w            19,456 2007-12-29 19:21:46  C:\Documents and Settings\Owner\Application Data\drisc .exe
----a-w            19,456 2007-12-29 21:51:44  C:\Documents and Settings\Owner\Application Data\juhd .exe
----a-w            19,456 2007-12-31 19:31:29  C:\Documents and Settings\Owner\Application Data\jycdg .exe
----a-w            19,456 2007-12-30 18:31:21  C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm .exe
----a-w            19,456 2007-12-29 20:36:52  C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi .exe
----a-w           163,840 2007-12-31 19:31:06  C:\Program Files\Online Services\quzeraka77798 .exe
----a-w           473,600 2007-12-31 20:09:25  C:\Program Files\Pure Networks\Port Magic\PO6634~3 .EXE
----a-w            99,480 2007-12-31 19:30:59  C:\Program Files\Pure Networks\Port Magic\PO6634~4 .EXE
----a-w           653,824 2007-12-31 20:09:20  C:\Program Files\QuickTime\qttask            .exe
----a-w           653,824 2007-12-31 19:30:33  C:\Program Files\QuickTime\qttask           .exe
----a-w           653,824 2007-12-30 18:29:56  C:\Program Files\QuickTime\qttask          .exe
----a-w           653,824 2007-12-29 21:41:27  C:\Program Files\QuickTime\qttask         .exe
----a-w           653,824 2007-12-29 20:35:43  C:\Program Files\QuickTime\qttask        .exe

Entries:               13  (13) Directories:            0  Files:            13 Bytes:          4,103,320  Blocks:        8,015

ComboFix 07-12-30.3 - Owner 2007-12-31 14:26:43.9 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.341 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\drisc.exe
C:\Documents and Settings\Owner\Application Data\juhd.exe
C:\Documents and Settings\Owner\Application Data\jycdg.exe
C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm.exe
C:\Documents and Settings\Owner\Application Data\rlqto.exe
C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi.exe
C:\HP\KBD\KBD.EXE
c:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\America Online 9.0\AOL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Online Services\quzeraka77798.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Pure Networks\Port Magic\PO6634~3 .EXE
C:\Program Files\Pure Networks\Port Magic\PO6634~4.EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Router
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebcd.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 13:31 . 2007-12-31 13:31 19,456 --a------ C:\Documents and Settings\Owner\Application Data\jycdg .exe
2007-12-30 18:21 . 2007-12-30 18:21 19,456 --a------ C:\MQPF.exe
2007-12-30 12:55 . 2007-12-30 12:55 19,456 --a------ C:\CroI.exe
2007-12-30 12:31 . 2007-12-30 12:31 19,456 --a------ C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm .exe
2007-12-30 12:30 . 2007-12-30 12:30 344,064 --a------ C:\WINDOWS\system32\RCX4A.tmp
2007-12-29 15:51 . 2007-12-29 15:51 19,456 --a------ C:\Documents and Settings\Owner\Application Data\juhd .exe
2007-12-29 15:36 . 2007-12-28 21:56 19,456 --a------ C:\Documents and Settings\Owner\Application Data\mrfnzxgfp.exe
2007-12-29 14:36 . 2007-12-29 14:36 19,456 --a------ C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi .exe
2007-12-29 13:31 . 2007-12-29 13:31 19,456 --a------ C:\WWJy.exe
2007-12-29 13:23 . 2004-04-05 15:33 45,208 --a------ C:\WINDOWS\system32\connwsp.dll
2007-12-29 13:21 . 2007-12-29 13:21 19,456 --a------ C:\Documents and Settings\Owner\Application Data\drisc .exe
2007-12-29 13:20 . 2007-12-29 13:20 344,064 --a------ C:\WINDOWS\system32\RCX49.tmp
2007-12-28 21:39 . 2007-12-30 12:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-28 21:39 . 2007-12-28 21:39 19,456 --a------ C:\PsXg.exe
2007-12-28 21:39 . 2007-12-28 21:39 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-28 18:06 . 2007-12-28 18:06 <DIR> d-------- C:\Program Files\DIFX
2007-12-28 18:06 . 2007-03-14 22:55 25,792 --a------ C:\WINDOWS\system32\drivers\pnarp.sys
2007-12-28 18:05 . 2007-12-28 18:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-28 18:05 . 2007-12-28 18:05 <DIR> d-------- C:\Program Files\Common Files\Pure Networks Shared
2007-12-28 18:05 . 2007-03-14 22:55 26,944 --a------ C:\WINDOWS\system32\drivers\purendis.sys
2007-12-28 16:59 . 2007-12-28 16:59 344,064 --a------ C:\WINDOWS\system32\RCX42.tmp
2007-12-27 16:40 . 2007-12-27 16:40 344,064 --a------ C:\WINDOWS\system32\RCX41.tmp
2007-12-26 18:02 . 2007-12-26 18:02 3,416 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-26 16:49 . 2007-12-26 16:49 344,064 --a------ C:\WINDOWS\system32\RCX55.tmp
2007-12-25 21:59 . 2007-12-25 21:59 344,064 --a------ C:\WINDOWS\system32\RCX54.tmp
2007-12-23 19:11 . 2007-12-23 19:11 344,064 --a------ C:\WINDOWS\system32\RCX48.tmp
2007-12-22 13:28 . 2007-12-26 17:26 18,432 --a------ C:\WINDOWS\fkwggshm.exe
2007-12-22 13:10 . 2007-12-22 13:10 344,064 --a------ C:\WINDOWS\system32\RCX47.tmp
2007-12-22 11:35 . 2007-12-22 11:35 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-22 10:49 . 2007-12-25 21:59 385,024 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 23:40 . 2007-11-26 23:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-26 21:24 . 2007-07-09 07:09 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-25 11:38 . 2007-11-25 11:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Symantec
2007-11-25 10:58 . 2007-12-11 21:46 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-11-25 10:54 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-25 10:53 . 2007-11-25 10:53 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-25 10:53 . 2007-11-25 10:53 <DIR> d-------- C:\WINDOWS\peernet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 20:30 --------- d-----w C:\Program Files\QuickTime
2007-12-31 20:30 --------- d-----w C:\Program Files\America Online 9.0
2007-12-31 20:30 --------- d-----w C:\Program Files\AIM6
2007-12-31 20:29 --------- d-----w C:\Program Files\SymNetDrv
2007-12-31 20:29 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-31 20:29 --------- d-----w C:\Program Files\iTunes
2007-12-29 00:05 --------- d-----w C:\Program Files\Pure Networks
2007-12-29 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-12-14 02:01 --------- d-----w C:\Program Files\World of Warcraft
2007-12-01 18:45 --------- d-----w C:\Program Files\Diablo II
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2002-12-19 21:48 707 ----a-w C:\Documents and Settings\Owner\BDMI.BAT
2004-06-19 16:14 2,569 --sha-w C:\WINDOWS\djxse.dat
2004-06-11 21:19 2,569 --sha-w C:\WINDOWS\rryhe.dat
.
----a-w			19,456 2007-12-29 19:21:46  C:\Documents and Settings\Owner\Application Data\drisc .exe
----a-w			19,456 2007-12-29 21:51:44  C:\Documents and Settings\Owner\Application Data\juhd .exe
----a-w			19,456 2007-12-31 19:31:29  C:\Documents and Settings\Owner\Application Data\jycdg .exe
----a-w			19,456 2007-12-30 18:31:21  C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm .exe
----a-w			19,456 2007-12-29 20:36:52  C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi .exe
----a-w		   163,840 2007-12-31 19:31:06  C:\Program Files\Online Services\quzeraka77798 .exe
----a-w			99,480 2007-12-31 19:30:59  C:\Program Files\Pure Networks\Port Magic\PO6634~4 .EXE


((((((((((((((((((((((((((((( snapshot@2007-12-26_17.56.30.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 16:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-12-29 00:06:32 27,006 ----a-r C:\WINDOWS\Installer\{371EBC04-8CED-4AEB-96F6-8184EAF340BC}\NmApp.exe
+ 2007-03-15 04:55:02 25,792 -c--a-w C:\WINDOWS\system32\DRVSTORE\pnarp_CE32619397E9E17D354203F459E8BFBBCF70F8F6\pnarp.sys
+ 2007-03-15 04:55:18 26,944 -c--a-w C:\WINDOWS\system32\DRVSTORE\purendis_FB4BB9375F46ADB40ED123AE87B2A8587C2EEB02\purendis.sys
- 2007-12-14 03:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2006-01-09 15:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2007-12-04 07:00:42 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [ ]
"Steam"="c:\progra~1\valve\steam\steam.ex -silent" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
"Notn"="C:\PROGRA~1\ASEMBL~1\attrib.exe" [ ]
"Wwsbcn"="C:\WINDOWS\?ystem\?ervices.exe" [ ]
"QdrModule11"="C:\Program Files\QdrModule\QdrModule11.exe" [ ]
"QdrPack11"="C:\Program Files\QdrPack\QdrPack11.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"Microsft Windows Adapter 5.1.3013"="C:\Documents and Settings\Owner\Application Data\rlqto.exe" [ ]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [ ]
"nwiz"="nwiz.exe" [2002-05-03 18:06 364544 C:\WINDOWS\system32\nwiz.exe]
"NAV Agent"="c:\PROGRA~1\NORTON~1\navapw32.exe" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe" [ ]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"quzeraka"="C:\Program Files\Online Services\quzeraka77798.exe" [ ]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2002-10-14 23:25:40]

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 00:14]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 04:02:17 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 14:34:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 14:39:42 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 20:39:34
C:\qoobox\ComboFix2.txt 2007-12-29 21:57:26
C:\qoobox\ComboFix3.txt 2007-12-29 04:03:02
C:\qoobox\ComboFix4.txt 2007-12-26 23:58:04
.
2007-12-12 03:47:27 --- E O F ---

#19 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • PipPipPipPipPip
  • 8,813 posts

Posted 31 December 2007 - 05:53 PM

Hi SideshowBob311,

This file was renamed by the infection. It added an extra space into the filename.

Example:

Original Name: "Reader_sl.exe"
Name modified by the infection: "Reader_sl .exe"

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

C:\Program Files\Pure Networks\Port Magic\PO6634~4 .EXE


Save this as Log.txt


Posted Image

Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.


Immediately after, please perform the following:


Open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

http://forums.spywareinfo.com/index.php?showtopic=110458
Collect::
C:\Documents and Settings\Owner\Application Data\jycdg .exe
C:\MQPF.exe
C:\CroI.exe
C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm .exe
C:\WINDOWS\system32\RCX4A.tmp
C:\Documents and Settings\Owner\Application Data\juhd .exe
C:\Documents and Settings\Owner\Application Data\mrfnzxgfp.exe
C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi .exe
C:\WWJy.exe
C:\WINDOWS\system32\connwsp.dll
C:\Documents and Settings\Owner\Application Data\drisc .exe
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX55.tmp
C:\WINDOWS\system32\RCX54.tmp
C:\WINDOWS\system32\RCX48.tmp
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\imsins.BAK
C:\Documents and Settings\Owner\BDMI.BAT
C:\WINDOWS\djxse.dat
C:\WINDOWS\rryhe.dat
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notn"=-
"Wwsbcn"=-
"QdrModule11"=-
"QdrPack11"=-
"Microsft Windows Adapter 5.1.3013"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"quzeraka"=-


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Additionally, ComboFix will generate a zipped file on your desktop called

Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4



-screen317

Edited by screen317, 31 December 2007 - 05:54 PM.

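The renaming trick screen317 describes in this post (a space inserted before the extension, so that Reader_sl.exe becomes "Reader_sl .exe") is easy to overlook by eye, because the padded copy sits next to the real file and the startup entry still looks familiar. The following Python script is an added example, not part of this thread or of any tool mentioned in it: it scans log lines of the kind posted here (HijackThis process and O4 entries, RenV file listings) for file names whose extension is preceded by spaces, reconstructs the name they imitate, groups the padded variants under that name, and separately flags O4 registry value names that carry a trailing space (the "[AdobeUpdater ]" duplicate seen in the HijackThis log above). The sample lines are copied from the logs in this thread and serve only as test input; the regular expressions and function names are my own.

```python
import re

# Constructed sample: lines copied from the HijackThis and RenV output in this
# thread, used here only as input for the checks below.
SAMPLE_LINES = [
    r"C:\Program Files\QuickTime\qttask .exe",
    r"C:\Program Files\QuickTime\qttask            .exe",
    r"C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4 .EXE",
    r"C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe",
    r"C:\Program Files\iTunes\iTunesHelper.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r"O4 - HKCU\..\Run: [AdobeUpdater ] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe",
    r"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe",
]

# A Windows path whose final component has one or more spaces immediately
# before the extension dot, e.g. "qttask .exe".  The path may be quoted and may
# be embedded in a longer log line.
PADDED_NAME_RE = re.compile(
    r'([A-Za-z]:\\(?:[^"\r\n\\]+\\)*)'  # drive letter plus directory components
    r'([^"\r\n\\.]*?)'                  # base name, without the inserted padding
    r'( +)'                             # the inserted space(s) before the dot
    r'(\.[A-Za-z0-9]{1,4})\b'           # the extension
)

# A HijackThis O4 entry whose registry value name ends in a space, e.g.
# "[AdobeUpdater ]": a duplicate Run value that points at the padded copy.
RUN_VALUE_RE = re.compile(r'O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*?)( +)\]')


def find_padded_names(lines):
    """Return (name_as_seen, name_imitated) for every padded file name found."""
    hits = []
    for line in lines:
        for match in PADDED_NAME_RE.finditer(line):
            directory, base, pad, ext = match.groups()
            hits.append((directory + base + pad + ext, directory + base + ext))
    return hits


def group_by_original(hits):
    """Map each imitated name to the list of padded variants seen for it."""
    grouped = {}
    for seen, original in hits:
        grouped.setdefault(original, []).append(seen)
    return grouped


def find_padded_run_values(lines):
    """Return (hive, value_name) for O4 entries whose value name has trailing spaces."""
    return [(m.group(1), m.group(2))
            for line in lines for m in RUN_VALUE_RE.finditer(line)]


if __name__ == "__main__":
    for original, variants in group_by_original(find_padded_names(SAMPLE_LINES)).items():
        print(f"{original}: {len(variants)} padded variant(s)")
        for variant in variants:
            print(f"    {variant!r}")
    for hive, value in find_padded_run_values(SAMPLE_LINES):
        print(f"Run value with trailing space under {hive}: {value!r}")
```

Run against a full HijackThis or RenV log (one line per list element), the grouping makes the pattern from the logs above obvious: five differently padded copies of qttask.exe collapse onto one legitimate name, which is the signature of a dropper re-planting itself on every run.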


#20 SideshowBob311

SideshowBob311

    Member

  • Full Member
  • Pip
  • 90 posts

Posted 02 January 2008 - 07:48 PM

OK, big problems now. I followed the steps and now my computer cannot connect to the internet. My local area network says "limited or no connection" and the repair connection function cannot fix the problem. A system restore did not work either. I'm hoping that last ComboFix didn't delete something essential. Any advice would be greatly appreciated.

Edited by SideshowBob311, 02 January 2008 - 09:46 PM.


#21 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • PipPipPipPipPip
  • 8,813 posts

Posted 03 January 2008 - 02:01 AM

Hi SideshowBob311,


Please post the log from C:\ComboFix.txt, and we'll try to fix your Internet connection.



#22 SideshowBob311

SideshowBob311

    Member

  • Full Member
  • Pip
  • 90 posts

Posted 03 January 2008 - 08:04 AM

These last two posts were made via a cell phone. I have no way of posting that log that I know of at this time.

#23 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • PipPipPipPipPip
  • 8,813 posts

Posted 03 January 2008 - 01:27 PM

Hi SideshowBob311,


Go to Start → Run, paste the following in the white box, and click OK:

netsh winsock reset catalog


Let me know if that restores your Internet connection. If not, reboot and check again. If still no joy, let me know.



#24 SideshowBob311

SideshowBob311

    Member

  • Full Member
  • Pip
  • 90 posts

Posted 04 January 2008 - 06:50 PM

First off, you have no idea how grateful I am for the help getting my internet connection/IP address issues sorted out. That was unbelievably frustrating and I was running out of options. That being said, here is the last batch of logs you requested before the little detour. I have also submitted the .zip file as requested.

Ran on Wed 01/02/2008 - 17:03:18.93
----a-w            19,456 2007-12-29 19:21:46  C:\Documents and Settings\Owner\Application Data\drisc .exe
----a-w            19,456 2007-12-29 21:51:44  C:\Documents and Settings\Owner\Application Data\juhd .exe
----a-w            19,456 2007-12-31 19:31:29  C:\Documents and Settings\Owner\Application Data\jycdg .exe
----a-w            19,456 2007-12-30 18:31:21  C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm .exe
----a-w            19,456 2007-12-29 20:36:52  C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi .exe
----a-w           163,840 2007-12-31 19:31:06  C:\Program Files\Online Services\quzeraka77798 .exe
----a-w            99,480 2007-12-31 19:30:59  C:\Program Files\Pure Networks\Port Magic\PO6634~4 .EXE

Entries:                7  (7) Directories:            0  Files:             7 Bytes:            360,600  Blocks:          705

ComboFix 08-01-02.1 - Owner 2008-01-02 17:04:51.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.251 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\CroI.exe
C:\Documents and Settings\Owner\Application Data\drisc .exe
C:\Documents and Settings\Owner\Application Data\juhd .exe
C:\Documents and Settings\Owner\Application Data\jycdg .exe
C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm .exe
C:\Documents and Settings\Owner\Application Data\mrfnzxgfp.exe
C:\Documents and Settings\Owner\Application Data\uzrzqmcvbnvi .exe
C:\Documents and Settings\Owner\BDMI.BAT
C:\MQPF.exe
C:\WINDOWS\djxse.dat
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\rryhe.dat
C:\WINDOWS\system32\connwsp.dll
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\RCX48.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\RCX4A.tmp
C:\WINDOWS\system32\RCX54.tmp
C:\WINDOWS\system32\RCX55.tmp
C:\WWJy.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-02 17:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 21:39 . 2007-12-30 12:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-28 21:39 . 2007-12-28 21:39 19,456 --a------ C:\PsXg.exe
2007-12-28 21:39 . 2007-12-28 21:39 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-28 18:06 . 2007-12-28 18:06 <DIR> d-------- C:\Program Files\DIFX
2007-12-28 18:06 . 2007-03-14 22:55 25,792 --a------ C:\WINDOWS\system32\drivers\pnarp.sys
2007-12-28 18:05 . 2007-12-28 18:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-28 18:05 . 2007-12-28 18:05 <DIR> d-------- C:\Program Files\Common Files\Pure Networks Shared
2007-12-28 18:05 . 2007-03-14 22:55 26,944 --a------ C:\WINDOWS\system32\drivers\purendis.sys
2007-12-26 18:02 . 2007-12-26 18:02 3,416 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-03 17:06 . 2007-12-03 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 20:03 --------- d-----w C:\Program Files\America Online 7.0
2008-01-01 19:56 --------- d-----w C:\Program Files\Viewpoint
2008-01-01 19:56 --------- d-----w C:\Program Files\AIM6
2008-01-01 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-01 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-31 20:30 --------- d-----w C:\Program Files\QuickTime
2007-12-31 20:30 --------- d-----w C:\Program Files\America Online 9.0
2007-12-31 20:29 --------- d-----w C:\Program Files\SymNetDrv
2007-12-31 20:29 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-31 20:29 --------- d-----w C:\Program Files\iTunes
2007-12-29 00:05 --------- d-----w C:\Program Files\Pure Networks
2007-12-29 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-12-14 02:01 --------- d-----w C:\Program Files\World of Warcraft
2007-12-01 18:45 --------- d-----w C:\Program Files\Diablo II
2007-11-27 05:40 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-25 17:38 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Symantec
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.
----a-w		   163,840 2007-12-31 19:31:06  C:\Program Files\Online Services\quzeraka77798 .exe
----a-w			99,480 2007-12-31 19:30:59  C:\Program Files\Pure Networks\Port Magic\PO6634~4 .EXE


((((((((((((((((((((((((((((( snapshot@2007-12-26_17.56.30.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-24 01:41:42 841,304 ----a-w C:\WINDOWS\Downloaded Program Files\ampAx3.0.84.2.dll
+ 2008-01-01 19:55:49 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
- 2007-03-13 16:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-12-29 00:06:32 27,006 ----a-r C:\WINDOWS\Installer\{371EBC04-8CED-4AEB-96F6-8184EAF340BC}\NmApp.exe
+ 2007-03-15 04:55:02 25,792 -c--a-w C:\WINDOWS\system32\DRVSTORE\pnarp_CE32619397E9E17D354203F459E8BFBBCF70F8F6\pnarp.sys
+ 2007-03-15 04:55:18 26,944 -c--a-w C:\WINDOWS\system32\DRVSTORE\purendis_FB4BB9375F46ADB40ED123AE87B2A8587C2EEB02\purendis.sys
- 2007-12-14 03:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2006-01-09 15:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2007-12-04 07:00:42 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [ ]
"Steam"="c:\progra~1\valve\steam\steam.ex -silent" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 13:04 50528]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [ ]
"nwiz"="nwiz.exe" [2002-05-03 18:06 364544 C:\WINDOWS\system32\nwiz.exe]
"NAV Agent"="c:\PROGRA~1\NORTON~1\navapw32.exe" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe" [ ]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2002-10-14 23:25:40]

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 00:14]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 20:01:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 17:06:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\connwsp.dll
.
Completion time: 2008-01-02 17:07:18
ComboFix-quarantined-files.txt 2008-01-02 23:06:57
ComboFix2.txt 2007-12-31 20:39:42
ComboFix3.txt 2007-12-29 21:57:26
ComboFix4.txt 2007-12-29 04:03:02
ComboFix5.txt 2007-12-26 23:58:04
.
2007-12-12 03:47:27 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 5:49:31 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4.EXE" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.ex" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.palt...od/wcloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...3/bin/imvid.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#25 screen317

    SWI Sentinel

  • Global Moderator
  • 8,813 posts

Posted 04 January 2008 - 10:49 PM

Hi SideshowBob311,

Glad to hear your Internet is back. :)



First, I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


Next, please open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the codebox below into notepad:

Driver::
"Viewpoint Manager Service"
File::
C:\Program Files\Online Services\quzeraka77798 .exe
Folder::
C:\Program Files\Router
C:\Program Files\Viewpoint\
RenV::
C:\Program Files\Pure Networks\Port Magic\PortAol.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Router"=-

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Let me know how things are running now.


-screen317

Please consider donating to help support the continued prompt and excellent services of this site.
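The CFScript above targets, among other things, a file whose name carries a space before its extension (quzeraka77798 .exe) and a Run entry pointing at C:\Program Files\Router. Those are the kinds of details a reviewer spots by eye in a ComboFix or HijackThis log. The following Python script is an added example, not part of this thread and not code from HijackThis or ComboFix, that automates three such checks over log lines: a space before the extension (a look-alike name that no longer matches the real file), a random-looking executable name in a location where fresh executables are unusual (drive root, the root of C:\WINDOWS, Application Data, Temp), and any DLL the ComboFix "DLLs Loaded Under Running Processes" section reports inside lsass.exe. The sample lines are a constructed subset copied from the logs in this thread; the vowel-ratio threshold, the directory list and the assumption that %SystemRoot% is X:\WINDOWS are the example's own choices. A hit is a lead to verify (hash, signature, vendor), not a verdict.

```python
"""Triage heuristics for HijackThis / ComboFix-style log lines.

Added example; not part of HijackThis, ComboFix or the helper's script.
Every finding is something to verify by hand, never an automatic verdict.
"""
import re
from dataclasses import dataclass

# Windows path ending in an executable-type extension.  Non-greedy, so it
# stops at the first such extension that is followed by a delimiter or EOL,
# which also captures names like "qttask .exe" with the space intact.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|bat)(?=[\s"\]/)]|$)', re.I)
SPACE_BEFORE_EXT_RE = re.compile(r' \.(?:exe|dll|sys|bat)$', re.I)
# Assumption: profile directories where a new executable deserves a look.
STAGING_DIRS = ('\\application data\\', '\\local settings\\temp\\', '\\temp\\')

# Constructed sample: lines copied from the ComboFix/HijackThis logs above.
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\Application Data\juhd .exe
C:\Documents and Settings\Owner\Application Data\lsxywqpwzsrm .exe
C:\Documents and Settings\Owner\Application Data\mrfnzxgfp.exe
C:\MQPF.exe
C:\WINDOWS\fkwggshm.exe
2008-01-02 17:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
----a-w   163,840 2007-12-31 19:31:06  C:\Program Files\Online Services\quzeraka77798 .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\connwsp.dll
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def looks_random(stem: str) -> bool:
    """Crude pronounceability test: almost no vowels, or a long consonant run.
    Thresholds are assumptions tuned on the names in this thread."""
    letters = re.sub(r'[^a-z]', '', stem.lower())
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in 'aeiou' for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r'[^aeiou]+', letters)), default=0)
    return vowel_ratio < 0.15 or longest_run >= 5


def location_class(path: str):
    """Label locations where a freshly created executable is unusual."""
    p = path.lower()
    parent = p.rsplit('\\', 1)[0] + '\\'
    if re.fullmatch(r'[a-z]:\\', parent):
        return 'drive_root'
    if re.fullmatch(r'[a-z]:\\windows\\', parent):  # assumes %SystemRoot% = X:\WINDOWS
        return 'systemroot'
    if any(d in p for d in STAGING_DIRS):
        return 'user_writable'
    return None


def triage(lines):
    """Run the three heuristics over log lines; returns a list of Finding."""
    findings = []
    in_lsass = False  # true while reading the "->" DLL lines under lsass.exe
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped.startswith('PROCESS:'):
            m = PATH_RE.search(stripped)
            in_lsass = bool(m) and basename(m.group()).lower() == 'lsass.exe'
        elif not stripped.startswith('->'):
            in_lsass = False
        for m in PATH_RE.finditer(line):
            path = m.group()
            name = basename(path)
            if SPACE_BEFORE_EXT_RE.search(name):
                findings.append(Finding('space_before_extension', path, no))
            loc = location_class(path)
            if loc == 'drive_root' and name.lower().endswith('.exe'):
                findings.append(Finding('exe_in_drive_root', path, no))
            if loc and looks_random(name.rsplit('.', 1)[0]):
                findings.append(Finding('random_name', path, no))
            if in_lsass and stripped.startswith('->') and name.lower().endswith('.dll'):
                findings.append(Finding('dll_in_lsass', path, no))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'line {f.line_no:2d}  {f.rule:22s} {f.path}')
```

Run against a full log, the script prints a short worklist: the three "name .exe" entries, the random-looking files under Application Data and C:\WINDOWS, the executable in the drive root, and connwsp.dll inside lsass.exe. Legitimate entries such as iTunesHelper.exe and NirCmd.exe produce no output, but that is a property of these thresholds on this sample, so confirm each hit (file hash, digital signature, vendor) before adding it to a File:: or Folder:: section.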


#26 SideshowBob311

    Member

  • Full Member
  • 90 posts

Posted 07 January 2008 - 08:11 PM

Everything seems to be running much smoother now...it's amazing how much better the system runs without all that garbage on it. Anyway, here's the latest ComboFix log. Thanks for your time and patience!

Logfile of HijackThis v1.99.1
Scan saved at 7:09:48 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154485112\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~4.EXE" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.ex" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.palt...od/wcloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...3/bin/imvid.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#27 screen317

    SWI Sentinel

  • Global Moderator
  • 8,813 posts

Posted 07 January 2008 - 08:26 PM

Looks like you posted only a HijackThis log. Please post the ComboFix log, found at C:\ComboFix.txt :)

Please consider donating to help support the continued prompt and excellent services of this site.


#28 screen317

    SWI Sentinel

  • Global Moderator
  • 8,813 posts

Posted 19 January 2008 - 12:44 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.

Please consider donating to help support the continued prompt and excellent services of this site.

