Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Ewido cannot remove


  • Please log in to reply

#1
pompanoguy

pompanoguy

    Member

  • Member
  • PipPip
  • 99 posts
I have run many of the programs suggested by the people who know on this site, but with no luck. It cannot remove something called "downloader.qoologic.bj

It only comes up on Ewido. Spyware Dr, and Pc. Dr. etc cannot even find this file.
What do I have to do to get rid of it. It is causing my Internet Explorer to bring all sorts of spam to my computer. Help would be appreciated.
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:
I apologize for the delay, the helpers here are very busy.

In order to help you we need to see what's running on your computer.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
pompanoguy

pompanoguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:34:52 AM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\dfndrff_e25.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rdrpk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dyxtubi.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [win3208560997885] C:\WINDOWS\win3208560997885.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e25.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\myihnd.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ktdth3.dll (file missing)
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#5
pompanoguy

pompanoguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Here is the log file...

MICKEY KAY - 06-10-18 9:05:56.54 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\MICKEY KAY\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\ctblkv.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\ctblkv.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\rdrpk.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\dyxtubi.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\ctblkv.exe
C:\WINDOWS\system32\ibalbet.dll
C:\WINDOWS\system32\dyxtubi.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tbmmq.exe
C:\WINDOWS\aohsb.dll
C:\WINDOWS\system32\hrpov.dat
C:\WINDOWS\system32\rdrpk.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-10-08 15:15 127488 tbmmq.exe.qoo
06-10-08 19:20 127488 ctblkv.exe.qoo
06-10-11 17:36 127488 hrpov.dat.qoo
06-10-11 17:36 51712 ibalbet.dll.qoo
06-10-08 19:30 28672 rdrpk.exe.qoo
06-10-08 15:15 23552 dyxtubi.exe.qoo
06-10-18 08:56 264 aohsb.dll.qoo
06-10-08 15:15 52 oceeqw.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\MICKEY KAY\Application Data\Dxcknwrd.dll
C:\Documents and Settings\MICKEY KAY\Application Data\Dxcdmns.dll
C:\Documents and Settings\MICKEY KAY\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\MICKEY KAY\Application Data\Dxccwrd.dll
C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
C:\Program Files\DeluxeCommunications\Dxc.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload2.dat
C:\dfndrff_e25.exe
C:\RDFX4.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\network monitor
C:\Program Files\ToolBar888
C:\Program Files\Common Files\{245B89E7-063B-1033-0610-060602150001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-16 15:42 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2006-10-16 15:42 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2006-10-16 15:41 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2006-10-08 15:15 217,276 --a------ C:\WINDOWS\srvawshtsr.exe
2006-10-08 15:15 192 --a------ C:\WINDOWS\system32\ggg.bat
2006-10-08 15:15 147,456 --a------ C:\InstallerC.exe
2006-10-08 15:15 1,233 --a------ C:\WINDOWS\system32\arq86b27.sys
2006-10-08 15:14 32,768 --a------ C:\WINDOWS\system32\setup9x.exe
2006-10-08 15:14 138,862 --a------ C:\WINDOWS\system32\install.exe
2006-10-08 13:49 25,600 --a------ C:\Documents and Settings\MICKEY KAY\usbsermptxp.sys
2006-10-08 13:49 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-10-08 13:49 22,768 --a------ C:\Documents and Settings\MICKEY KAY\usbsermpt.sys
2006-10-08 13:12 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2006-10-05 21:41 81,920 --a------ C:\WINDOWS\system32\PSCLK170.dll
2006-10-05 21:41 81,920 --a------ C:\WINDOWS\system32\CNDCK170.dll
2006-10-05 21:41 40,960 --a------ C:\WINDOWS\system32\CNDNDlg.exe
2006-10-05 21:41 159,744 --a------ C:\WINDOWS\system32\CNDUK170.dll
2006-10-05 21:41 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-10-05 19:13 90,112 --a------ C:\WINDOWS\unvise32.exe
2006-10-05 19:13 82,432 --------- C:\WINDOWS\system32\msxml4r.dll
2006-10-05 19:13 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
2006-10-05 19:13 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll
2006-10-05 19:13 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2006-10-05 19:13 73,728 --------- C:\WINDOWS\system32\lffax13n.dll
2006-10-05 19:13 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll
2006-10-05 19:13 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
2006-10-05 19:13 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll
2006-10-05 19:13 44,544 --------- C:\WINDOWS\system32\msxml4a.dll
2006-10-05 19:13 40,960 --------- C:\WINDOWS\system32\langserv.dll
2006-10-05 19:13 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL
2006-10-05 19:13 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll
2006-10-05 19:13 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll
2006-10-05 19:13 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll
2006-10-05 19:13 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll
2006-10-05 19:13 24,576 --------- C:\WINDOWS\system32\lftga13n.dll
2006-10-05 19:13 204,881 --------- C:\WINDOWS\system32\DiskIO.dll
2006-10-05 19:13 18,432 --a------ C:\WINDOWS\system32\Cachex.dll
2006-10-05 19:13 155,721 --------- C:\WINDOWS\system32\RALMain.dll
2006-10-05 19:13 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL
2006-10-05 19:13 143,360 --------- C:\WINDOWS\system32\lftif13n.dll
2006-10-05 19:13 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
2006-10-05 19:13 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll
2006-10-05 19:13 1,230,336 --------- C:\WINDOWS\system32\msxml4.dll
2006-10-05 19:12 974,848 --a------ C:\WINDOWS\system32\MFC70.DLL
2006-10-05 19:12 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL
2006-10-05 19:12 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2006-10-05 19:12 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-10-05 19:12 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2006-10-05 19:12 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-10-05 19:12 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL
2006-10-05 19:12 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-10-05 19:12 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-10-05 19:12 54,784 --a------ C:\WINDOWS\system32\MSVCI70.DLL
2006-10-05 19:12 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2006-10-05 19:12 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-10-05 19:12 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-10-05 19:12 487,424 --a------ C:\WINDOWS\system32\MSVCP70.DLL
2006-10-05 19:12 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-10-05 19:12 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2006-10-05 19:12 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-10-05 19:12 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2006-10-05 19:12 19,456 --a------ C:\WINDOWS\system32\asapi.dll
2006-10-05 19:12 11,264 --a------ C:\WINDOWS\system32\drivers\asapiW2k.sys
2006-10-05 19:09 14,165 --------- C:\WINDOWS\system32\drivers\Pclepci.sys
2006-09-30 12:58 23,040 --------- C:\WINDOWS\kb913800.exe
2006-09-26 14:14 0 --a------ C:\WINDOWS\system32\Ultra.dll
2006-09-26 14:11 4,608 --a------ C:\WINDOWS\system32\W95Inf32.DLL
2006-09-26 14:11 2,272 --a------ C:\WINDOWS\system32\W95Inf16.DLL
2006-09-26 13:51 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2006-09-26 03:24 258,048 --a------ C:\WINDOWS\system32\Uninstall_eRecovery.exe
2006-09-26 03:24 258,048 --a------ C:\WINDOWS\system32\CheckD2DSystem.exe
2006-09-26 03:24 16,384 --a------ C:\WINDOWS\system32\ClearEvent.exe
2006-09-26 03:24 159,744 --a------ C:\WINDOWS\system32\CloseProcessWindow.dll
2006-09-26 03:24 1,168,896 --a------ C:\WINDOWS\system32\ERUpdateHidden.EXE
2006-09-26 03:20 94,298 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2006-09-26 03:20 82,013 --a------ C:\WINDOWS\system32\SynCOM.dll
2006-09-26 03:20 81,920 --a------ C:\WINDOWS\system32\SynTPCo2.dll
2006-09-26 03:20 69,722 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2006-09-26 03:20 192,672 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2006-09-26 03:20 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2006-09-26 03:18 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2006-09-26 03:18 2,879,488 --a------ C:\WINDOWS\SkyTel.exe
2006-09-26 03:17 53,248 --a------ C:\WINDOWS\system32\acpimof.dll
2006-09-26 03:17 45,056 --a------ C:\WINDOWS\system32\Epm-Po.dll
2006-09-26 00:03 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-09-26 00:03 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-09-26 00:03 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-09-26 00:03 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-09-26 00:03 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-09-26 00:03 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-09-26 00:03 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-09-26 00:03 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-09-26 00:03 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-09-26 00:03 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-09-25 23:58 589,824 --a------ C:\WINDOWS\AntiV.EXE
2006-09-25 23:58 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2006-09-25 23:58 253,952 --a------ C:\WINDOWS\AArrange.exe
2006-09-25 23:58 163,840 --a------ C:\WINDOWS\AExec.exe
2006-09-25 23:58 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2006-09-25 23:58 147,456 --a------ C:\WINDOWS\UNINST32.EXE


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 09:34 -------- d-------- C:\Program Files\Hijackthis
2006-10-08 19:11 -------- d-------- C:\Program Files\CleanUp!
2006-10-08 19:04 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-08 15:22 -------- d-------- C:\Program Files\WinRAR
2006-10-08 14:39 -------- d-------- C:\Program Files\Java
2006-10-08 14:38 -------- d-------- C:\Program Files\Common Files\Java
2006-10-08 13:12 -------- d-------- C:\Program Files\mobile PhoneTools
2006-10-05 23:21 -------- d-------- C:\Program Files\DivX
2006-10-05 22:36 -------- d-------- C:\Documents and Settings\MICKEY KAY\Application Data\AdobeUM
2006-10-05 21:36 -------- d-------- C:\Program Files\Canon
2006-10-05 19:30 -------- d-------- C:\Program Files\SmartSound Software
2006-10-05 19:09 -------- d-------- C:\Program Files\Pinnacle
2006-10-02 10:43 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-01 17:51 -------- d-------- C:\Documents and Settings\MICKEY KAY\Application Data\Adobe
2006-09-29 22:45 -------- d-------- C:\Program Files\MSN Messenger
2006-09-29 22:37 -------- d-------- C:\Documents and Settings\MICKEY KAY\Application Data\CyberLink
2006-09-26 14:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-26 14:11 -------- d-------- C:\Program Files\RegVac
2006-09-26 14:11 -------- d-------- C:\Program Files\PCBugDoctor
2006-09-26 13:51 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-26 13:50 -------- d-------- C:\Program Files\Microsoft.NET
2006-09-26 13:50 -------- d-------- C:\Program Files\Microsoft Office
2006-09-26 13:50 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-09-26 03:21 -------- d-------- C:\Program Files\Launch Manager
2006-09-26 03:20 -------- d-------- C:\Program Files\Synaptics
2006-09-26 03:17 -------- d-------- C:\Documents and Settings\MICKEY KAY\Application Data\Macromedia
2006-09-25 23:58 944 --a------ C:\WINDOWS\CLEANUP.CMD
2006-09-25 23:58 747 --a------ C:\WINDOWS\HotFix.bat
2006-09-15 17:17 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"LaunchApp"=""
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"ntiMUI"="C:\\Program Files\\NewTech Infosystems\\NTI CD & DVD-Maker 7\\ntiMUI.exe"
@=""
"Acer ePresentation HPD"="C:\\Acer\\Empowering Technology\\ePresentation\\ePresentation.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ePower_DMC"="C:\\Acer\\Empowering Technology\\ePower\\ePower_DMC.exe"
"Boot"="C:\\Acer\\Empowering Technology\\ePower\\Boot.exe"
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\LManager.exe"
"eRecoveryService"="C:\\Acer\\Empowering Technology\\eRecovery\\eRAgent.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"win3208560997885"="C:\\WINDOWS\\win3208560997885.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\vikekakih.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Plus\\sahyh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^tbmmq.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\tbmmq.exe"
"backup"="C:\\WINDOWS\\pss\\tbmmq.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\tbmmq.exe"
"item"="tbmmq"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\arq86b27]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w0760be8.dll,n 00586b22000000030760be8"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKCU"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-18 9:08:29.62
C:\ComboFix2.txt ... 06-10-18 08:59
C:\ComboFix.txt ... 06-10-18 09:08

Attached Files


Edited by Buckeye_Sam, 18 October 2006 - 02:33 PM.

  • 0

#6
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\arq86b27]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^tbmmq.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"win3208560997885"=-
Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



===============



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\Program Files\Windows Plus\sahyh.html
    C:\Program Files\Online Services\vikekakih.html
    C:\WINDOWS\win3208560997885.exe




  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.

================



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP