Please Help with Virus Removal [RESOLVED]
Jun 2 2008, 08:16 PM
Post #1
Member, Posts: 20, OS: Windows XP
Hi, I have received great help here before and thought I was safe. I've gotten a new virus that is preventing me from doing a whole heck of a lot. I am posting my Hijack This log and my SUPERAntiSpyware log. I would post a log from Panda ActiveScan & Malwarebytes' Anti-Malware, but the virus is preventing me from running both of those programs. It won't even allow me to visit geekstogo.com. I am posting this on a different PC. I've tried doing search engine searches and every time I click on a search result it automatically takes me to a different site for a number of things, i.e. - www.findstuff.com. At first I thought I had the Outerinfo virus and went through the removal steps, but without any success. Also my SpywareGuard gives me an immediate Browser Protection Alert after startup saying WARNING! A BHO has been added. I tried clicking on Remove the BHO, but it continuously opens up without ever stopping. Please let me know what other details I need to post. Any help would be greatly appreciated!
Thank you,
David Cervantes
Houston, TX
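As an added example (not from the thread and not the poster's own logs), here is a small Python triage script for HijackThis-format lines covering the entry types the poster's scan produces: the F2 Userinit value, O2 Browser Helper Objects, O4 Run entries and O20 Winlogon Notify packages. Every sample line is constructed for the example, and the "eight random letters under system32" heuristic and the user-writable directory list are assumptions of this script, not rules from HijackThis.

```python
"""Triage of HijackThis-format log lines for the entry types seen in
Vundo-style infections: a Userinit value that chains an extra executable (F2),
Browser Helper Objects with no backing file or a random-named system32 DLL (O2),
Run entries launched from Temp / Application Data or via rundll32 with a
random-named system32 DLL (O4), and Winlogon Notify packages that are not DLLs
(O20).  Heuristic only: it flags entries a human should review, it does not
classify them as malicious."""
import re

# Constructed sample lines in HijackThis format (not copied from the thread).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\abcdefgh.exe,
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\WINDOWS\system32\qwrtypsd.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [1a2b3c4d] rundll32.exe "C:\WINDOWS\system32\zxcvbnml.dll",b
O4 - HKCU\..\Run: [A00123456.exe] C:\DOCUME~1\USER~1\LOCALS~1\Temp\_A00123456.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\User\Application Data\Microsoft\dtsc\12345.exe
O20 - Winlogon Notify: __c0012345 - C:\WINDOWS\system32\__c0012345.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Assumed heuristic: eight letters + .dll directly under system32 is the
# naming pattern of rotating Vundo/Virtumonde helper DLLs.
RANDOM_SYS32_DLL_RE = re.compile(
    r"^c:\\windows\\system32\\[a-z]{8}\.dll(?: \(file missing\))?$", re.I)
RUNDLL32_RANDOM_RE = re.compile(
    r'^rundll32\.exe "c:\\windows\\system32\\[a-z]{8}\.dll"', re.I)
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
USER_WRITABLE_DIRS = ("\\temp\\", "\\application data\\")  # assumed list


def check_userinit(body):
    """F2: anything chained after the real userinit.exe runs at every logon."""
    if not body.startswith("REG:system.ini: UserInit="):
        return []
    value = body.split("=", 1)[1]
    programs = [p.strip() for p in value.split(",") if p.strip()]
    return [f"Userinit chains an extra program: {p}"
            for p in programs if p.lower() != LEGIT_USERINIT]


def check_bho(body):
    """O2: orphaned CLSIDs and random-named system32 DLLs."""
    m = BHO_RE.match(body)
    if not m:
        return []
    clsid, path = m.group("clsid"), m.group("path")
    if path == "(no file)":
        return [f"BHO {clsid} registered but no file on disk (orphan)"]
    if RANDOM_SYS32_DLL_RE.match(path):
        return [f"BHO {clsid} loads random-named system32 DLL: {path}"]
    return []


def check_run(body):
    """O4: autostarts from user-writable dirs or via rundll32 + random DLL."""
    m = RUN_RE.match(body)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    if any(d in cmd.lower() for d in USER_WRITABLE_DIRS):
        return [f"Run entry [{name}] starts from a user-writable dir: {cmd}"]
    if RUNDLL32_RANDOM_RE.match(cmd):
        return [f"Run entry [{name}] uses rundll32 on a random-named DLL: {cmd}"]
    return []


def check_winlogon_notify(body):
    """O20: Notify packages must be DLLs; .dat files and random names stand out."""
    m = NOTIFY_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), m.group("path")
    if not path.lower().endswith(".dll"):
        return [f"Winlogon Notify package {name} is not a DLL: {path}"]
    if RANDOM_SYS32_DLL_RE.match(path):
        return [f"Winlogon Notify package {name} is a random-named DLL: {path}"]
    return []


CHECKS = {"F2": check_userinit, "O2": check_bho,
          "O4": check_run, "O20": check_winlogon_notify}


def triage(log_text):
    """Return (entry_type, message) for every line a checker flags."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("type"))
        if check:
            findings.extend((m.group("type"), msg) for msg in check(m.group("body")))
    return findings


if __name__ == "__main__":
    for entry_type, msg in triage(SAMPLE_LOG):
        print(f"{entry_type}: {msg}")
```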
Jun 2 2008, 10:00 PM
Post #2
Geek Mod, Posts: 9,798, From: Indiana U.S. A., OS: 2000, xp, xp pro, Vista Home Premium
Hi
Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
Jun 7 2008, 08:52 AM
Post #3
Member, Posts: 20, OS: Windows XP
I've tried over and over to run the ComboFix exec file, but every time I double click on it nothing happens. My infected laptop will not allow me to even access the websites listed to download ComboFix. I had to save the file onto my flash drive using my other PC. That didn't work. I even tried emailing it to myself because I can still access my email online on my infected laptop. That did not work either. I had this same problem trying to install and run Malwarebytes' Anti-Malware. Please let me know if there is anything I can do! Thanks!
David Cervantes
Jun 7 2008, 06:06 PM
Post #4
Geek Mod, Posts: 9,798, From: Indiana U.S. A., OS: 2000, xp, xp pro, Vista Home Premium
Try renaming ComboFix per these instructions, and please delete your current version of ComboFix. Let me know.
Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**
Jun 8 2008, 11:10 AM
Post #5
Member, Posts: 20, OS: Windows XP
Hi, I changed the name as instructed. After clicking on Combo-Fix.exe I am receiving the following error message: "You cannot rename ComboFix as Combo-Fix. Please use another name, preferably made up of alphanumeric characters"
Jun 8 2008, 07:18 PM
Post #6
Geek Mod, Posts: 9,798, From: Indiana U.S. A., OS: 2000, xp, xp pro, Vista Home Premium
Please do that then.
Jun 11 2008, 07:38 AM
Post #7
Member, Posts: 20, OS: Windows XP
Success! Thank you for your help. I was able to finally run Combo-Fix. Below are the report details. Also, thanks for your patience as I slowly follow through on your instructions!
David Cervantes
Houston, TX
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "SpecifyDefaultButtons"= 0 (0x0) "Btn_Search"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\xwusuhzh.exe," [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-07 20:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A7E71] C:\WINDOWS\system32\__c00A7E71.dat 2008-06-08 11:45 24576 C:\WINDOWS\SYSTEM32\__c00A7E71.dat [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll "vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll "VIDC.NTN1"= NUVision.ax [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio] --a--c--- 2000-07-13 14:00 311350 C:\Program Files\Microsoft Works\WksSb.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\uTorrent\\uTorrent.exe"= R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20] S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS [] S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\system32\Drivers\usbhsb.sys [2001-12-17 18:42] S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 16:34] S3 PCMCIABKPCMXP;Belkin 11Mbps Wireless Notebook Network Adapter;C:\WINDOWS\system32\DRIVERS\bkpcmxp.sys [2002-08-29 15:36] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-10 21:11:03 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 15 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\__c00A7E71.dat . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\SYSTEM32\xwusuhzh.exe C:\WINDOWS\SYSTEM32\ati2evxx.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\SYSTEM32\LxrJD31s.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe C:\WINDOWS\SYSTEM32\wscntfy.exe C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe C:\Compaq\CPQInet\CPQInet.exe C:\Compaq\EAKDRV\EAUSBKBD.exe C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe . ************************************************************************** . 
Completion time: 2008-06-10 21:20:41 - machine was rebooted [DCervantes] ComboFix-quarantined-files.txt 2008-06-11 02:20:23 Pre-Run: 1,537,043,456 bytes free Post-Run: 1,674,279,424 bytes free 406 --- E O F --- 2008-05-18 04:13:30 |
|
|
Post #8, Jun 13 2008, 03:08 PM. Geek Mod (Posts: 9,798; From: Indiana U.S.A.; OS: 2000, xp, xp pro, Vista Home Premium)
I'm sorry for the delay. Please re-run ComboFix and post the log. We have a lot of cleanup to do.
Post #9, Jun 13 2008, 06:18 PM. Member (Posts: 20; OS: Windows XP)
No need to apologize! I know how busy we all are. I really appreciate the help. Below is the log for ComboFix. I am ready to clean up everything I need to. Thanks again!
David C
Post #10, Jun 18 2008, 12:09 PM. Member (Posts: 20; OS: Windows XP)
Thank you so much for all of your help so far! I had not seen any additional instructions since Friday, and I am still receiving a Browser Protection Alert from SpywareGuard after startup saying WARNING! A BHO has been added. I look forward to receiving instructions on how to proceed. Thanks!
David C.
Houston, TX
Post #11, Jun 20 2008, 02:13 PM. Geek Mod (Posts: 9,798; From: Indiana U.S.A.; OS: 2000, xp, xp pro, Vista Home Premium)
So sorry for the delay. Work has been hectic lately. I'm glad I get this weekend off.

Open Notepad and copy/paste the text in RED below into it:

File::
C:\WINDOWS\SYSTEM32\phhdyvck.exe
C:\WINDOWS\SYSTEM32\svefolwu.exe
C:\WINDOWS\SYSTEM32\apquolmf.exe
C:\WINDOWS\SYSTEM32\svfnceaq.exe
C:\WINDOWS\SYSTEM32\gimbdeck.exe
C:\WINDOWS\SYSTEM32\pgtbvete.exe
C:\WINDOWS\SYSTEM32\mstuevxu.exe
C:\WINDOWS\SYSTEM32\ongttnlg.exe
C:\WINDOWS\SYSTEM32\emufgiox.exe
C:\WINDOWS\SYSTEM32\xwusuhzh.exe
Folder::
C:\Program Files\Coupons

Save this as CFScript.txt, in the same location as ComboFix.exe (desktop).

[image]

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Also please post a new HijackThis log. Thanks
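The entries the cleanup keeps circling back to in the logs posted in this thread (a second executable appended to Winlogon's Userinit value, a Winlogon Notify package loaded from a .dat file, DisableTaskMgr and AntiVirusOverride set to 1, and "(no name)" BHOs whose DLL is missing) can be pulled out of ComboFix and HijackThis output mechanically. The script below is an added example, not code from the thread, ComboFix or HijackThis; its sample lines are constructed to mirror the posted log format, and its File::/Folder:: output follows the CFScript form used in the post above.

```python
"""Triage of the autostart entries shown in this thread's ComboFix and HijackThis
logs. Editor-added example, not code from the thread or from either tool; the
sample text below is constructed to mirror the posted logs."""
import re

# Constructed sample in ComboFix "Reg Loading Points" form: a REGEDIT4-style key
# header, then its values or (for Winlogon\Notify subkeys) the package path.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\xwusuhzh.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A7E71]
C:\WINDOWS\system32\__c00A7E71.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# Constructed sample of HijackThis O2 (Browser Helper Object) lines.
HIJACKTHIS_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {2DAAB5C1-3664-461E-97CB-883BFA6CAA4B} - C:\WINDOWS\system32\ddcYoMDV.dll (file missing)
O2 - BHO: (no name) - {BE7DCE10-31BA-46CE-A454-E325EF2509F6} - C:\WINDOWS\system32\ddcApmml.dll (file missing)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# The only program that belongs in the Userinit value on a stock XP install.
USERINIT_OK = {r"c:\windows\system32\userinit.exe"}


def reg_int(value):
    """Parse the integer forms ComboFix prints: '1 (0x1)' or 'dword:00000001'."""
    token = value.split(":")[-1].split()[0]
    return int(token, 16 if value.lower().startswith("dword:") else 10)


def userinit_extras(value):
    """Return every program in a Userinit value other than the stock userinit.exe."""
    # ComboFix prints the value with REGEDIT4 escaping (doubled backslashes).
    paths = [p.replace("\\\\", "\\").strip() for p in value.split(",")]
    return [p for p in paths if p and p.lower() not in USERINIT_OK]


def triage_combofix(text):
    """Walk the registry section and return (finding, detail) tuples in log order."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip().strip('"')
            if name == "userinit" and key.endswith("\\winlogon"):
                # Anything appended here runs at every logon, before the shell.
                findings += [("userinit-extra", p) for p in userinit_extras(value)]
            elif name == "disabletaskmgr" and reg_int(value) == 1:
                findings.append(("taskmgr-disabled", key))
            elif name == "antivirusoverride" and reg_int(value) == 1:
                findings.append(("av-override", key))
            continue
        # A bare path under Winlogon\Notify is a package loaded into winlogon.exe;
        # legitimate packages are DLLs, so a .dat (or any other) extension stands out.
        if "\\winlogon\\notify\\" in key and not line.lower().endswith(".dll"):
            findings.append(("notify-package", line))
    return findings


def triage_hijackthis(text):
    """Flag O2 lines whose BHO has no registered name or whose DLL is already gone."""
    findings = []
    for raw in text.splitlines():
        m = O2_RE.match(raw.strip())
        if not m:
            continue
        name, clsid, path = m.groups()
        missing = path.endswith("(file missing)")
        if name == "(no name)" or missing:
            findings.append(("bho", clsid, "missing" if missing else "present"))
    return findings


def build_cfscript(files, folders=()):
    """Render the File::/Folder:: CFScript.txt form the helper uses in this thread.
    The result is a draft for a human to review, not something to feed ComboFix blindly."""
    lines = []
    if files:
        lines += ["File::", *files]
    if folders:
        lines += ["Folder::", *folders]
    return "\n".join(lines) + "\n"
```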
Post #12, Jun 20 2008, 06:16 PM. Member (Posts: 20; OS: Windows XP)
Believe me, I understand things can get very busy at work! I really appreciate the help, so no complaints here. Below are the logs for ComboFix and HijackThis.
David Cervantes
Houston, TX
{156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kelly.kellyservices.com/iNotes.cab,...0CQu76,CT=java+ O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://kelly.kellyservices.com/,DanaInfo=....va+iNotes6W.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8...pdatePortal.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/contents/tm200...ick/TMSetup.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O16 - DPF: {B6E6EEF0-F5AA-4A4D-88EC-FF43FB2029E5} (TeleVoxAudioPlayer2.TVoxAudioPlayer) - https://www.mytelevox.com/labcalls/cabs/Tel...udioPlayer2.CAB O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe O16 - DPF: 
{CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://kelly.kellyservices.com/dana-cached...perSetupSP1.cab O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCo...tionControl.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe -- End of file - 9723 bytes |
Jun 20 2008, 07:13 PM - Post #13
Geek Mod - Posts: 9,798 - From: Indiana U.S.A. - OS: 2000, xp, xp pro, Vista Home Premium
Thank you for your understanding
That looks much better. Please rescan with Hijackthis and place a check next to the following entries:

O2 - BHO: (no name) - {2DAAB5C1-3664-461E-97CB-883BFA6CAA4B} - C:\WINDOWS\system32\ddcYoMDV.dll (file missing)
O2 - BHO: (no name) - {2EF9D289-834A-4749-8FCC-BDB7ADF66519} - C:\WINDOWS\system32\hgGayyxV.dll (file missing)
O2 - BHO: (no name) - {BE7DCE10-31BA-46CE-A454-E325EF2509F6} - C:\WINDOWS\system32\ddcApmml.dll (file missing)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat (file missing)

Now click "Fix Checked" and close Hijackthis.

Browse for and delete this file:
C:\WINDOWS\SYSTEM32\pokefeqj.exe

Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
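The entries the helper picked out in the post above follow a few recognisable patterns: BHOs registered as "(no name)", hooks whose file is already "(file missing)", a Winlogon Notify handler that is a .dat rather than a DLL, and 8-letter random-looking binaries in system32 such as pokefeqj.exe. The script below is an added example, not part of this thread and not HijackThis code; it turns those patterns into checks and runs them over entries copied from the posted log. The 8-letter rule and its KNOWN_GOOD_8 allowlist, the NETWORK_SERVICES table and the O4 line for pokefeqj.exe (constructed; the file was never an O4 entry in the thread) are assumptions of the example. The rpcapd finding is a caveat rather than a malware call: WinPcap's remote capture server is legitimate, but once started it accepts network capture sessions, so it deserves a conscious decision rather than silence.

```python
"""Triage checks for HijackThis v2 log entries.

Added example for this thread, not part of the posts above and not
HijackThis code. It encodes what the helper looked for by eye: BHOs
registered as "(no name)", IE/Winlogon hooks whose file is "(file missing)",
Winlogon Notify handlers that are not DLLs, random-looking 8-letter
binaries in system32, and services worth a second look. The 8-letter rule,
its KNOWN_GOOD_8 allowlist and the NETWORK_SERVICES table are assumptions
of this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<sec>O\d+)\s+-\s+(?P<body>.+)$")
# First Windows path in the entry body, up to its extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|dat|sys|ocx)', re.I)
# Eight letters, no digits, directly in system32: the naming pattern of the
# droppers in this thread (ddcYoMDV.dll, hgGayyxV.dll, pokefeqj.exe).
RANDOMISH_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.(?:exe|dll)$", re.I)
# Legitimate 8-letter system32 binaries that would otherwise trip the rule
# (assumed, incomplete allowlist; extend it for your environment).
KNOWN_GOOD_8 = {"winlogon", "services", "explorer", "userinit"}
# Not malware, but they accept network connections once started (assumed table).
NETWORK_SERVICES = {"rpcapd": "WinPcap remote packet capture server"}


@dataclass
class Finding:
    section: str
    severity: str  # "remove" or "review"
    reason: str
    entry: str


def classify(entry: str) -> Optional[Finding]:
    """Return the first matching finding for one HijackThis entry, or None."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    name = path.rsplit("\\", 1)[-1].lower()

    if sec == "O2" and "(no name)" in body:
        return Finding(sec, "remove", "BHO registered without a name", entry)
    if sec in ("O2", "O3", "O20") and "(file missing)" in body:
        return Finding(sec, "remove", "hook points at a file that no longer exists", entry)
    if sec == "O20" and not name.endswith(".dll"):
        return Finding(sec, "remove", "Winlogon Notify handler is not a DLL", entry)
    rm = RANDOMISH_RE.search(path)
    if sec in ("O2", "O3", "O4", "O20") and rm and rm.group(1).lower() not in KNOWN_GOOD_8:
        return Finding(sec, "review", "random-looking 8-letter binary in system32", entry)
    if sec == "O23":
        for svc, desc in NETWORK_SERVICES.items():
            if f"({svc})" in body:
                return Finding(sec, "review", f"{desc}; confirm it is wanted", entry)
    return None


def triage(log_lines: List[str]) -> List[Finding]:
    """One finding per entry at most, in log order."""
    return [f for f in (classify(line) for line in log_lines) if f]


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


# Entries copied from the log posted above, plus one constructed O4 line for
# the pokefeqj.exe file the helper asked to delete.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {2DAAB5C1-3664-461E-97CB-883BFA6CAA4B} - C:\WINDOWS\system32\ddcYoMDV.dll (file missing)",
    r"O2 - BHO: (no name) - {2EF9D289-834A-4749-8FCC-BDB7ADF66519} - C:\WINDOWS\system32\hgGayyxV.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r"O2 - BHO: (no name) - {BE7DCE10-31BA-46CE-A454-E325EF2509F6} - C:\WINDOWS\system32\ddcApmml.dll (file missing)",
    r"O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll",
    r'O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"',
    r"O4 - HKLM\..\Run: [pokefeqj] C:\WINDOWS\SYSTEM32\pokefeqj.exe",  # constructed line
    r'O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"',
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL",
    r"O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat (file missing)",
    r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.entry}")
    print(summarize(found))
```

Run it on a full log (one entry per line) and the output is the short list a helper would otherwise assemble by hand: four entries to fix with HijackThis and two to look at. A "(file missing)" hook is harmless on its own, since there is no file left to load, but the registration is still removed so the log stops carrying evidence of the infection and nothing can quietly drop a new file at that path.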
Jun 20 2008, 11:59 PM - Post #14
Member - Posts: 20 - OS: Windows XP
Here are the logs for Dr Web Cure it and for HijackThis.
Dr Web Cure it

15E.tmp\data002;C:\15E.tmp;Adware.SearchAid.38;;
15E.tmp\data003;C:\15E.tmp;Adware.SearchAid.38;;
15E.tmp\data004;C:\15E.tmp;Adware.SearchAid.54;;
15E.tmp\data005;C:\15E.tmp;Adware.SearchAid.origin;;
15E.tmp;C:\;Archive contains infected objects;Moved.;
Combo-2Fix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe;Probably SCRIPT.Virus;;
Combo-2Fix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe;Program.PsExec.171;;
Combo-2Fix.exe;C:\Documents and Settings\DCervantes\Desktop;Archive contains infected objects;Moved.;
17624.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc;Trojan.Uploader.24577;Deleted.;
18906.exe.vir;C:\QooBox\Quarantine\C\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc;Trojan.DownLoader.61691;Deleted.;
afivjesa.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
aybwevsu.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
dagcqgqv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
emmahbgx.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
fqcjmsfg.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
iafbdpgf.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.882;Deleted.;
iwbsqayu.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
qoovofkt.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
qtwsxkmg.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.882;Deleted.;
ubcleusa.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
upcutxan.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
volgxybe.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
xwusuhzh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Fakealert.678;Deleted.;
A0107599.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Adware.MediaTicket.81;Incurable.Moved.;
A0107607.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Trojan.Click.origin;Incurable.Moved.;
A0107613.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Trojan.DownLoader.59887;Deleted.;
A0107615.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Adware.ClickSpring - read error;;
A0109751.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Trojan.MulDrop.16568;Deleted.;
A0110777.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Adware.ClickSpring.origin;Incurable.Moved.;
A0110778.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Trojan.PurityAd.origin;Incurable.Moved.;
A0110821.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Trojan.Uploader.24578;Deleted.;
A0110872.exe\data002;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536\A0110872.exe;Adware.MediaTicket.81;;
A0110872.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Archive contains infected objects;Moved.;
A0112884.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1537;Trojan.DownLoader.61691;Deleted.;
A0114988.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1539;Trojan.Uploader.24579;Deleted.;
A0117269.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Probably SCRIPT.Virus;Incurable.Moved.;
A0117288.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117288.exe;Probably SCRIPT.Virus;;
A0117288.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117288.exe;Program.PsExec.171;;
A0117288.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117292.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117292.exe;Probably SCRIPT.Virus;;
A0117292.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117292.exe;Program.PsExec.171;;
A0117292.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117314.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117314.exe;Probably SCRIPT.Virus;;
A0117314.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117314.exe;Program.PsExec.171;;
A0117314.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0118365.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0118365.exe;Probably SCRIPT.Virus;;
A0118365.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0118365.exe;Program.PsExec.171;;
A0118365.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0118434.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118438.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118443.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118446.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118450.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118455.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.882;Deleted.;
A0118459.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118471.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118472.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.882;Deleted.;
A0118477.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118479.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118506.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.Uploader.24577;Deleted.;
A0118507.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.DownLoader.61691;Deleted.;
A0118587.EXE;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Program.PsExec.170;Incurable.Moved.;
A0118597.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Probably SCRIPT.Virus;Incurable.Moved.;
A0118730.EXE;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Program.PsExec.170;Incurable.Moved.;
A0118741.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Probably SCRIPT.Virus;Incurable.Moved.;
A0118792.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Trojan.Fakealert.678;Deleted.;
A0118804.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Probably SCRIPT.Virus;Incurable.Moved.;
A0118823.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118823.exe;Probably SCRIPT.Virus;;
A0118823.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118823.exe;Program.PsExec.171;;
A0118823.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Archive contains infected objects;Moved.;
logXv061083.exe;C:\WINDOWS\SYSTEM32\logXv06;Trojan.DownLoader.56730;Deleted.;
Combo 1 Fix.exe\327882R2FWJFW\FIND3M.bat;F:\Combo 1 Fix.exe;Probably SCRIPT.Virus;;
Combo 1 Fix.exe\327882R2FWJFW\psexec.cfexe;F:\Combo 1 Fix.exe;Program.PsExec.171;;
Combo 1 Fix.exe;F:\;Archive contains infected objects;Moved.;
Combo-2Fix.exe\327882R2FWJFW\FIND3M.bat;F:\Combo-2Fix.exe;Probably SCRIPT.Virus;;
Combo-2Fix.exe\327882R2FWJFW\psexec.cfexe;F:\Combo-2Fix.exe;Program.PsExec.171;;
Combo-2Fix.exe;F:\;Archive contains infected objects;Moved.;
A0117060.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117060.exe;Probably SCRIPT.Virus;;
A0117060.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117060.exe;Program.PsExec.171;;
A0117060.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117258.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117258.exe;Probably SCRIPT.Virus;;
A0117258.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117258.exe;Program.PsExec.171;;
A0117258.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117259.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117259.exe;Probably SCRIPT.Virus;;
A0117259.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117259.exe;Program.PsExec.171;;
A0117259.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117261.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117261.exe;Probably SCRIPT.Virus;;
A0117261.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117261.exe;Program.PsExec.171;;
A0117261.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117317.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117317.exe;Probably SCRIPT.Virus;;
A0117317.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117317.exe;Program.PsExec.171;;
A0117317.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0118825.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118825.exe;Probably SCRIPT.Virus;;
A0118825.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118825.exe;Program.PsExec.171;;
A0118825.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Archive contains infected objects;Moved.;
A0118826.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118826.exe;Probably SCRIPT.Virus;;
A0118826.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118826.exe;Program.PsExec.171;;
A0118826.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Archive contains infected objects;Moved.;

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:42 AM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Software by Design\Calendar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SWKSrv] C:\Program Files\SpywareKill\SWKSrv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKUS\S-1-5-21-3569660965-1238661117-741939197-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3569660965-1238661117-741939197-1003\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe (User '?')
O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Support - {44B33957-091D-45DA-9E91-CD5224B6BA17} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kelly.kellyservices.com/iNotes.cab,...0CQu76,CT=java+
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://kelly.kellyservices.com/,DanaInfo=....va+iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8...pdatePortal.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/contents/tm200...ick/TMSetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B6E6EEF0-F5AA-4A4D-88EC-FF43FB2029E5} (TeleVoxAudioPlayer2.TVoxAudioPlayer) - https://www.mytelevox.com/labcalls/cabs/Tel...udioPlayer2.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://kelly.kellyservices.com/dana-cached...perSetupSP1.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCo...tionControl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

-- End of file - 9484 bytes
Jun 22 2008, 05:33 PM - Post #15
Geek Mod - Posts: 9,798 - From: Indiana U.S.A. - OS: 2000, xp, xp pro, Vista Home Premium
Looks much better.
Most are harmless. Before we begin the final clean up, how are things running?
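"Most are harmless" is the right reading of the Dr.Web report above, and the reason is where the hits sit rather than what they are named: nearly all of them are copies inside System Restore snapshots (System Volume Information), files ComboFix had already moved to its quarantine (C:\QooBox), or the PsExec copy and FIND3M.bat helper that ComboFix carries inside its own self-extracting archive. The script below is an added example, not part of this thread and not Dr.Web's own tooling; it parses the report's object;path;verdict;action; records, links archive members to their container, and sorts each hit into one of those buckets so only the live ones are left to decide on. The category names, the rule that a record mentioning psexec or FIND3M.bat is a ComboFix internal, and the representative subset of records used as input are assumptions of the example.

```python
"""Sort a Dr.Web CureIt report by where each hit actually lives.

Added example, not part of the thread and not Dr.Web's own tooling. CureIt
writes one record per line as object;path;verdict;action; and lists archive
members before the archive itself as archive\member;path-of-archive;verdict;;
(no action of their own). The categories below separate live hits from
restore-point copies, ComboFix's quarantine and ComboFix's own embedded
helpers; the names and the TOOL_INTERNALS rule are assumptions here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Files ComboFix embeds in its self-extracting archive (assumed list).
TOOL_INTERNALS = ("psexec", "find3m.bat")


@dataclass
class Hit:
    obj: str
    location: str
    verdict: str
    action: str
    category: str = ""

    @property
    def is_member(self) -> bool:
        # "archive\member" objects are archive contents; the archive itself
        # gets its own record with verdict "Archive contains infected objects".
        return "\\" in self.obj


def categorize(hit: Hit, members: Dict[str, List[Hit]]) -> str:
    loc = hit.location.lower()
    if "\\system volume information\\" in loc:
        return "restore-point"          # old snapshot, gone once System Restore is purged
    if "\\qoobox\\quarantine" in loc:
        return "combofix-quarantine"    # already moved out of the way by ComboFix
    names = [hit.obj.lower()]
    if hit.verdict.startswith("Archive contains"):
        # Judge a container by its members, which are keyed by the archive's full path.
        full = (hit.location.rstrip("\\") + "\\" + hit.obj).lower()
        names += [m.obj.lower() for m in members.get(full, [])]
    if any(t in n for n in names for t in TOOL_INTERNALS):
        return "combofix-internal"      # the cleanup tool tripping the scanner
    return "live"


def parse_report(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4 or not fields[1]:
            continue
        hits.append(Hit(fields[0], fields[1], fields[2], fields[3]))
    members: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        if h.is_member:
            members[h.location.lower()].append(h)
    for h in hits:
        h.category = categorize(h, members)
    return hits


def by_category(hits: List[Hit]) -> dict:
    return dict(Counter(h.category for h in hits))


def live_objects(hits: List[Hit]) -> List[Hit]:
    """Top-level hits on the running system: the only ones still needing a decision."""
    return [h for h in hits if h.category == "live" and not h.is_member]


# A representative subset of the records posted above.
SAMPLE_REPORT = r"""
15E.tmp\data002;C:\15E.tmp;Adware.SearchAid.38;;
15E.tmp\data003;C:\15E.tmp;Adware.SearchAid.38;;
15E.tmp;C:\;Archive contains infected objects;Moved.;
Combo-2Fix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe;Probably SCRIPT.Virus;;
Combo-2Fix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe;Program.PsExec.171;;
Combo-2Fix.exe;C:\Documents and Settings\DCervantes\Desktop;Archive contains infected objects;Moved.;
18906.exe.vir;C:\QooBox\Quarantine\C\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc;Trojan.DownLoader.61691;Deleted.;
xwusuhzh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Fakealert.678;Deleted.;
A0107599.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Adware.MediaTicket.81;Incurable.Moved.;
A0118587.EXE;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Program.PsExec.170;Incurable.Moved.;
logXv061083.exe;C:\WINDOWS\SYSTEM32\logXv06;Trojan.DownLoader.56730;Deleted.;
Combo 1 Fix.exe;F:\;Archive contains infected objects;Moved.;
Combo 1 Fix.exe\327882R2FWJFW\psexec.cfexe;F:\Combo 1 Fix.exe;Program.PsExec.171;;
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(by_category(report))
    for h in live_objects(report):
        print(f"{h.verdict:35} {h.action:10} {h.location}\\{h.obj}")
```

On the subset above only two top-level objects were live on the system, the 15E.tmp archive of SearchAid adware and the downloader in C:\WINDOWS\SYSTEM32\logXv06, and CureIt had already moved or deleted both. The restore-point copies are why helpers finish a cleanup by purging System Restore: until then any snapshot can bring the removed files back.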