
help with trojan


  • This topic is locked

#16
Armodeluxe
  • Member 2k
  • Retired Staff
  • 2,744 posts
When you say Msn, what is it? Are you talking about Msn Messenger, the instant message program?

Please post a new combofix log, combofix deals with most of those infections listed.

That dll error is nothing to worry about, it will be fixed when we fix an item in HijackThis.


#17
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
Oh, sorry about not being specific. Yes, I mean MSN, the instant messenger. Here's a ComboFix log:

Dennis - 06-10-31 20:14:26.09 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Dennis\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aaa00000.sys
C:\Documents and Settings\LocalService\Application Data\NetMon


((((((((((((((((((((((((((((((( Files Created from 2006-09-31 to 2006-10-31 ))))))))))))))))))))))))))))))))))


2006-10-29 19:26 23,800 --a------ C:\WINDOWS\system32\eqr77652.dll
2006-10-29 19:24 20,480 --a------ C:\Documents and Settings\Dennis\tut.exe
2006-10-29 19:24 109,056 --a------ C:\Documents and Settings\Dennis\drsmartload1135a.exe
2006-10-19 21:58 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
2006-10-11 23:32 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-10-11 23:32 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-10-03 23:38 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-10-03 23:38 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-10-03 23:38 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2006-10-03 23:38 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-29 23:11 -------- d-------- C:\Program Files\Windows Live Toolbar
2006-10-29 23:10 -------- d-------- C:\Program Files\MSN Messenger
2006-10-29 22:44 -------- d-------- C:\Program Files\Common Files
2006-10-29 22:03 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-29 21:21 -------- d-------- C:\Program Files\Warcraft III
2006-10-26 22:28 518 --a------ C:\Program Files\ddncgajd.txt
2006-10-22 20:25 -------- d-------- C:\Program Files\HJT
2006-10-20 23:40 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Symantec
2006-10-19 21:58 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-15 11:34 -------- d-------- C:\Program Files\Google
2006-10-15 10:23 -------- d-------- C:\Program Files\Common Files\Skyscape
2006-10-14 18:53 724992 --a------ C:\WINDOWS\iun6002.exe
2006-10-05 12:57 1402 --a------ C:\Documents and Settings\Dennis\Application Data\Cosmos Prefs
2006-10-03 23:11 -------- d-------- C:\Program Files\Webroot
2006-10-03 23:11 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Webroot(2)
2006-10-03 23:11 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Webroot
2006-09-30 20:14 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-09-28 21:25 -------- d---s---- C:\Documents and Settings\Dennis\Application Data\Microsoft
2006-09-26 15:46 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-21 21:00 -------- d-------- C:\Program Files\Graphmatica
2006-09-21 16:07 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Design Science
2006-09-21 16:06 -------- d-------- C:\Program Files\MathType
2006-09-14 21:32 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Hamachi
2006-09-14 16:40 -------- d-------- C:\Program Files\Hamachi
2006-09-14 16:39 10578 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-09-12 18:10 -------- d-------- C:\Documents and Settings\Dennis\Application Data\IMVU
2006-09-05 17:40 606848 --a------ C:\WINDOWS\flashax.exe
2006-09-05 17:40 12288 --a------ C:\WINDOWS\impborl.dll
2006-09-05 16:09 -------- d-------- C:\Program Files\DivX
2006-09-04 22:28 -------- d-------- C:\Program Files\Real
2006-09-04 17:08 -------- d-------- C:\Program Files\Merck
2006-09-03 12:14 -------- d-------- C:\Program Files\Common Files\Real
2006-09-03 12:14 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Real
2006-09-03 11:56 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Leadertech


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"eqr77652"="\"RUNDLL32.EXE\" w004463d.dll,n 0067764c0000000a004463d"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Messenger\\kybeqik.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\hoxynahac.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20050731-141955-693
O4 - HKLM\..\Run: [aenntko] C:\WINDOWS\System32\aenntko.exe
backup-20050724-220734-753
O4 - HKLM\..\Run: [aenntko] C:\WINDOWS\System32\aenntko.exe
backup-20050724-220718-858
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
backup-20050724-220624-127
O4 - HKLM\..\Run: [aenntko] C:\WINDOWS\System32\aenntko.exe
backup-20050724-215658-292
O4 - HKLM\..\Run: [aenntko] C:\WINDOWS\System32\aenntko.exe
backup-20050724-100241-514
O4 - HKLM\..\Run: [aenntko] C:\WINDOWS\System32\aenntko.exe
backup-20050723-123101-231
O4 - HKLM\..\Run: [aenntko] C:\WINDOWS\System32\aenntko.exe
backup-20050723-122927-933
O4 - HKLM\..\Run: [aenntko] C:\WINDOWS\System32\aenntko.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

Completion time: 06-10-31 20:15:40.59
C:\ComboFix.txt ... 06-10-31 20:15

#18
Armodeluxe
  • Member 2k
  • Retired Staff
  • 2,744 posts
Ok, let's go. Good news is no more rootkit detection. Even though it gave no log, I guess Avenger was able to take care of that.

Scan for Hidden Data Streams
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Open ADS Spy.."
  • Click on "Scan"
  • At the end of the scan, remove these items:

    C:\WINDOWS\system32 : lzx32.sys (69500 bytes)
    C:\WINDOWS\system32 : lzx32.sys (69500 bytes)

    Highlight the entries and click: Remove selected

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and tapping the F8 key just before Windows starts to load, until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
After the scan, look for these files and delete them if they still exist:

C:\WINDOWS\system32\eqr77652.dll
C:\Documents and Settings\Dennis\tut.exe
C:\Documents and Settings\Dennis\drsmartload1135a.exe
C:\Program Files\ddncgajd.txt
C:\Program Files\Messenger\kybeqik.html
C:\Program Files\MSN\hoxynahac.html


Reboot your system back into Normal Mode.

Then go to Start -> Control Panel -> Display Properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box.
Click Apply, then exit Display Properties.

Then post the results of the AVG Anti-Spyware report scan and a new HijackThis log.
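As an added example (not from this thread or from ComboFix, HijackThis or any other tool named here), a Python triage script that applies the two checks Armodeluxe made by eye on the ComboFix log above: a rundll32 Run entry that loads a bare, digit-heavy module name through the DLL search path, and Active Desktop components whose Source is a local HTML file instead of About:Home. The sample log is a constructed excerpt of the posted Reg Loading Points section, and the severity heuristics are assumptions of this example, not a rule from any of the tools.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the Reg Loading Points section posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"eqr77652"="\"RUNDLL32.EXE\" w004463d.dll,n 0067764c0000000a004463d"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Messenger\\kybeqik.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
'''


@dataclass
class Finding:
    severity: str   # "high" or "review" (heuristic, assumed for this example)
    key: str        # registry key the entry lives under
    name: str       # value name, or the component index for desktop components
    reason: str


_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# rundll32 <module>,<export> ...  (module runs up to the first comma or space)
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+([^,\s]+)', re.IGNORECASE)


def _unquote(raw):
    """Turn a .reg-style string value ("...") into plain text; other types stay as-is."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # \\ -> \  and  \" -> "
    return raw


def parse_reg_points(text):
    """Return {key: {value_name: value}}; hex continuation lines are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _unquote(m.group(2))
    return keys


def check_run_entries(keys):
    """Flag Run values where rundll32 loads a module given without a directory."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        for name, cmd in values.items():
            m = _RUNDLL_RE.search(cmd)
            if not m:
                continue
            module = m.group(1)
            if '\\' in module:
                continue          # full path given; rundll32 loads exactly that file
            digits = sum(ch.isdigit() for ch in module)
            sev = 'high' if digits >= 3 else 'review'   # digit-heavy name: assumed heuristic
            findings.append(Finding(sev, key, name,
                f'rundll32 loads bare module {module!r} via the search path ({digits} digits in name)'))
    return findings


def check_desktop_components(keys):
    """Flag Active Desktop components that render a local file rather than About:Home."""
    findings = []
    for key, values in keys.items():
        if not re.search(r'\\desktop\\components\\(\d+)$', key, re.IGNORECASE):
            continue
        source = values.get('Source', '')
        if source.lower().startswith('about:'):
            continue
        if re.match(r'^[a-z]:\\', source, re.IGNORECASE) or source.lower().startswith('file:'):
            sev = 'high' if not values.get('FriendlyName') else 'review'
            findings.append(Finding(sev, key, key.rsplit('\\', 1)[-1],
                f'Active Desktop component renders local file {source!r}'))
    return findings


def triage(text):
    keys = parse_reg_points(text)
    return check_run_entries(keys) + check_desktop_components(keys)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.name}: {f.reason}')
```

Both hits the script rates "high" are the two items Armodeluxe's instructions remove by hand: the eqr77652 Run value and the component 0 web page; Cmaudio comes back as "review" only because its module is bare, which is what a hand check against a known C-Media install would clear.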

#19
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
Hi, I'm out of the country atm, sorry for the lack of response.

I should be back home in a week or so.

#20
Armodeluxe
  • Member 2k
  • Retired Staff
  • 2,744 posts
Ok, thanks for letting me know.

#21
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
I'm back! Yay!

Sorry for the delay, I had to return to China for a funeral.

Anyway, that aside, can you give me some fresh instructions?

The thing with HJT didn't pick anything up,

and AVG did find some stuff... but I forgot to get the log... now it's not picking up anything anymore... :whistling:

The computer is generally like it was before, except sometimes my operating window gets unselected, like running Microsoft Word not in a maximised window, and you clicked on the background of your desktop, so that the actual application gets unselected... (erm, do you know what I'm trying to say? lol, sorry for my lack of communication skills...)

Also, how do I get rid of that rundll thingy at the start of every start up?

I'm now without any antivirus program, can you suggest me a good one? (I've got both AVG Anti-Spyware as well as Webroot Spyware now, premium version)

Oooo, another thing... those files: there is no folder named MSN, nor Messenger (I remember deleting them manually a while ago, just with the common delete button). The file C:\WINDOWS\system32\eqr77652.dll I found, and a .ini was also there; I deleted both with AVG's inbuilt delete software. I also deleted C:\Program Files\ddncgajd.txt, and I couldn't find the files inside Documents and Settings\Dennis\; the two files there were not there.

Edited by Xiaoxiao, 16 November 2006 - 03:55 AM.


#22
Armodeluxe
  • Member 2k
  • Retired Staff
  • 2,744 posts
Post these 3 logs and let's see where we're standing.

a new HijackThis log

a new combofix log

this log:

Also, please download SREng
http://www.kztechs.c...reng/sreng2.zip

Extract it to Desktop and double click SREng.exe to run it
Select: Smart Scan and click on the [Scan] button.

The progress bar may stop at times, be patient, it is still scanning.

When finished, click on the Save Reports button and save the log to Desktop

Please post the SREng log in your reply.

The dll error will go after we fix an item in HijackThis. The focus problem, I have no idea, we may have to seek help from Windows staff if it doesn't go away after we clean the malware.

Here are 3 good free antiviruses, pick one. I myself use AVG. Antivir has the best detection rates, but doesn't have email protection.
Antivir
AVG
Avast

#23
Armodeluxe
  • Member 2k
  • Retired Staff
  • 2,744 posts
Forgot to say, post the logs separately so that they don't get cut off.

#24
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
Oo, I nearly forgot: yesterday a scan from Spy Sweeper picked up a trojan called Snifula or something like that, there was also a trace, so one thingy in total and one trace (no idea what that means lol). Its name is: trojan-phisher-snifula.

And here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:06 PM, on 19/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\asuskbservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: update wnwb - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [eqr77652] "RUNDLL32.EXE" w004463d.dll,n 0067764c0000000a004463d
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141179784968
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#25
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
Dennis - 06-11-19 19:33:23.67 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Dennis\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-19 to 2006-11-19 ))))))))))))))))))))))))))))))))))


2006-11-11 13:21 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-10 14:15 14 --a------ C:\WINDOWS\system32\winwhork8206.dll
2006-11-09 18:50 9,728 --a------ C:\WINDOWS\system32\SysInCHS.dll
2006-11-09 18:50 29,696 --a------ C:\WINDOWS\system32\MCICHS.dll
2006-11-09 18:50 28,160 --a------ C:\WINDOWS\system32\CmDlgCHS.dll
2006-11-09 18:50 13,824 --a------ C:\WINDOWS\system32\InetCHS.dll
2006-11-09 18:50 124,416 --a------ C:\WINDOWS\system32\MSCmCCHS.dll
2006-11-08 23:17 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-11-08 23:13 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2006-10-19 21:58 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 22:36 -------- d-------- C:\Documents and Settings\Dennis\Application Data\DivX
2006-11-16 22:35 -------- d-------- C:\Program Files\DivX
2006-11-13 15:50 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-12 14:34 -------- d-------- C:\Documents and Settings\Dennis\Application Data\AdobeAUM
2006-11-11 13:20 -------- d-------- C:\Program Files\Grisoft
2006-11-10 23:09 -------- d-------- C:\Program Files\Overture 4.0 ???
2006-11-10 15:15 -------- d-------- C:\Program Files\zuoquV6mf
2006-11-10 01:08 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Petroglyph
2006-11-10 00:53 -------- d-------- C:\Program Files\LucasArts
2006-11-08 23:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-08 23:03 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-02 23:18 -------- d-------- C:\Program Files\Warcraft III
2006-10-29 23:11 -------- d-------- C:\Program Files\Windows Live Toolbar
2006-10-29 23:10 -------- d-------- C:\Program Files\MSN Messenger
2006-10-29 22:44 -------- d-------- C:\Program Files\Common Files
2006-10-29 22:03 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-22 20:25 -------- d-------- C:\Program Files\HJT
2006-10-20 23:40 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Symantec
2006-10-19 21:58 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-15 11:34 -------- d-------- C:\Program Files\Google
2006-10-15 10:23 -------- d-------- C:\Program Files\Common Files\Skyscape
2006-10-14 18:53 724992 --a------ C:\WINDOWS\iun6002.exe
2006-10-05 12:57 1402 --a------ C:\Documents and Settings\Dennis\Application Data\Cosmos Prefs
2006-10-03 23:11 -------- d-------- C:\Program Files\Webroot
2006-10-03 23:11 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Webroot(2)
2006-10-03 23:11 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Webroot
2006-10-03 05:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-03 05:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-03 05:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-03 05:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-30 20:14 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-09-28 21:25 -------- d---s---- C:\Documents and Settings\Dennis\Application Data\Microsoft
2006-09-21 21:00 -------- d-------- C:\Program Files\Graphmatica
2006-09-21 16:07 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Design Science
2006-09-21 16:06 -------- d-------- C:\Program Files\MathType
2006-09-05 17:40 606848 --a------ C:\WINDOWS\flashax.exe
2006-09-05 17:40 12288 --a------ C:\WINDOWS\impborl.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"eqr77652"="\"RUNDLL32.EXE\" w004463d.dll,n 0067764c0000000a004463d"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Messenger\\kybeqik.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\hoxynahac.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

Completion time: 06-11-19 19:35:08.50
C:\ComboFix.txt ... 06-11-19 19:35
C:\ComboFix2.txt ... 06-10-31 20:15


#26
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
2006-11-19,20:15:30

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 1 (Build 2600)
- Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<MsnMsgr><"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background> [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><"RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<nwiz><"nwiz.exe" /install> [NVIDIA Corporation]
<Cmaudio><RunDll32 cmicnfg.cpl,CMICtrlWnd> [N/A]
<eqr77652><"RUNDLL32.EXE" w004463d.dll,n 0067764c0000000a004463d> [N/A]
<SpySweeper><"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray> [Webroot Software, Inc.]
<!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized> [Anti-Malware Development a.s.]
<Adobe Photo Downloader><"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"> [Adobe Systems Incorporated]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{9EF34FF2-3396-4527-9D27-04C8C1C67806}><D:\Program Files\MS Anit Spyware\shellextension.dll> [(Verified)Microsoft Corporation]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll> [Anti-Malware Development a.s.]

==================================
Startup Folders
[Canon LASER SHOT LBP-1120 Status Window]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon LASER SHOT LBP-1120 Status Window.LNK --> C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [CANON INC.]><N>
[Microsoft Office]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>

==================================
Services
[ASUSKeyboardService / ASUSKeyboardService]
<C:\WINDOWS\asuskbservice.exe><ASUSTeK COMPUTER INC.>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard]
<C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[Creative Service for CDROM Access / Creative Service for CDROM Access]
<C:\WINDOWS\System32\CTSvcCDA.EXE><Creative Technology Ltd>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InCD Helper / InCDsrv]
<C:\Program Files\Ahead\InCD\InCDsrv.exe><Nero AG>
[InCD Helper (read only) / InCDsrvR]
<C:\Program Files\Ahead\InCD\InCDsrv.exe -r><Nero AG>
[%NVSVC.name% / NVSvc]
<C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[Symantec Network Drivers Service / SNDSrvc]
<"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"><N/A>
[Webroot Spy Sweeper Engine / WebrootSpySweeperService]
<"C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"><Webroot Software, Inc.>
[WMDM PMSP Service / WMDM PMSP Service]
<C:\WINDOWS\System32\MsPMSPSv.exe><Microsoft Corporation>

==================================
Drivers
[a347bus / a347bus]
<\SystemRoot\System32\DRIVERS\a347bus.sys><>
[a347scsi / a347scsi]
<\SystemRoot\System32\Drivers\a347scsi.sys><>
[ANVIOCTL / ANVIOCTL]
<System32\DRIVERS\anvioctl.sys><ASUSTeK>
[AnyDVD / AnyDVD]
<System32\Drivers\AnyDVD.sys><SlySoft, Inc.>
[Aspi32 / Aspi32]
<System32\drivers\aspi32.sys><Adaptec>
[asuskbnt / asuskbnt]
<System32\DRIVERS\asuskbnt.sys><ASUSTeK COMPUTER INC.>
[Standard IDE/ESDI Hard Disk Controller / atapi]
<\SystemRoot\System32\DRIVERS\atapi.sys><N/A>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver]
<\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[C-Media WDM Audio Interface / cmuda]
<system32\drivers\cmuda.sys><C-Media Inc>
[NetComm USB Network Adapter Driver / CnxTrLan]
<System32\DRIVERS\CnxTrLan.sys><Conexant>
[NetComm USB Network Interface Device Driver / CnxTrUsb]
<System32\DRIVERS\CnxTrUsb.sys><Conexant>
[EIO / EIO]
<\??\C:\WINDOWS\system32\drivers\EIO.sys><ASUSTeK Computer Inc.>
[ElbyCDIO Driver / ElbyCDIO]
<System32\Drivers\ElbyCDIO.sys><Elaborate Bytes AG>
[ElbyDelay / ElbyDelay]
<System32\Drivers\ElbyDelay.sys><Elaborate Bytes AG>
[VIA Rhine-Family Fast Ethernet Adapter Driver Service / FETND5BV]
<System32\DRIVERS\fetnd5bv.sys><VIA Technologies, Inc.>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS]
<System32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[ftaxhcbq / ftaxhcbq]
<\SystemRoot\System32\drivers\pmddlsuy.sys><N/A>
[gmer / gmer]
<System32\DRIVERS\gmer.sys><GMER>
[GMSIPCI / GMSIPCI]
<\??\E:\INSTALL\GMSIPCI.SYS><N/A>
[Hamachi Network Interface / hamachi]
<System32\DRIVERS\hamachi.sys><Applied Networking Inc.>
[InCD File System / InCDfs]
<C:\WINDOWS\SYSTEM32\DRIVERS\InCDfs.SYS><Nero AG>
[InCDPass / InCDPass]
<System32\DRIVERS\InCDPass.sys><Nero AG>
[InCD Reader / incdrm]
<C:\WINDOWS\SYSTEM32\DRIVERS\incdrm.SYS><Nero AG>
[kgitiaiv / kgitiaiv]
<\SystemRoot\System32\drivers\hewjpiui.sys><N/A>
[NUVision II Audio Service / nuvaud2]
<System32\DRIVERS\nuvaud2.sys><Nogatech Ltd.>
[NUVision II Video Service / nuvvid2]
<System32\DRIVERS\nuvvid2.sys><Nogatech Ltd.>
[nv / nv]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Odyssey Network Services Miniport / odysseyIM3]
<System32\DRIVERS\odysseyIM3.sys><Funk Software, Inc.>
[PCANDIS5 Protocol Driver / PCANDIS5]
<\??\C:\WINDOWS\System32\PCANDIS5.SYS><Printing Communications Assoc., Inc. (PCAUSA)>
[PfModNT / PfModNT]
<\??\C:\WINDOWS\System32\drivers\PfModNT.sys><Creative Technology Ltd.>
[pktcuofc / pktcuofc]
<\SystemRoot\System32\drivers\qnctchtt.sys><N/A>
[Direct Parallel Link Driver / Ptilink]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20]
<\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[S3Psddr / S3Psddr]
<System32\DRIVERS\s3gnbm.sys><S3 Graphics, Inc.>
[Secdrv / Secdrv]
<System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[Spy Sweeper File System Filer Driver: 0509 / SSFS0509]
<\SystemRoot\SYSTEM32\Drivers\SSFS0509.SYS><Webroot Software Inc (www.webroot.com)>
[Spy Sweeper Hookrack MiniDriver / SSHRMD]
<\SystemRoot\SYSTEM32\Drivers\SSHRMD.SYS><Webroot Software Inc (www.webroot.com)>
[Spy Sweeper Interdiction Driver / SSIDRV]
<\SystemRoot\SYSTEM32\Drivers\SSIDRV.SYS><Webroot Software Inc (www.webroot.com)>
[Webroot Spy Sweeper Keylogger Shield Keyboard Filter / SSKBFD]
<System32\Drivers\sskbfd.sys><Webroot Software Inc (www.webroot.com)>
[SYMDNS / SYMDNS]
<\SystemRoot\System32\Drivers\SYMDNS.SYS><Symantec Corporation>
[SymEvent / SymEvent]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><N/A>
[SYMFW / SYMFW]
<\SystemRoot\System32\Drivers\SYMFW.SYS><Symantec Corporation>
[SYMIDS / SYMIDS]
<\SystemRoot\System32\Drivers\SYMIDS.SYS><Symantec Corporation>
[SYMNDIS / SYMNDIS]
<\SystemRoot\System32\Drivers\SYMNDIS.SYS><Symantec Corporation>
[SYMREDRV / SYMREDRV]
<\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
[SYMTDI / SYMTDI]
<\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
[D-Link AirPlus G+ Wireless Adapter / TNET1130]
<System32\DRIVERS\GPlus.sys><>
[LGE U8XXX driver (WDM) / U81xbus]
<System32\DRIVERS\U81xbus.sys><MCCI>
[LGE U8XXX USB WMC Modem Filter / U81xmdfl]
<System32\DRIVERS\U81xmdfl.sys><MCCI>
[LGE U8XXX USB WMC Modem Driver / U81xmdm]
<System32\DRIVERS\U81xmdm.sys><MCCI>
[LGE U8XXX USB WMC Device Management Drivers (WDM) / U81xmgmt]
<System32\DRIVERS\U81xmgmt.sys><MCCI>
[LGE U8XXX USB WMC OBEX Interface / U81xobex]
<System32\DRIVERS\U81xobex.sys><MCCI>

==================================
Browser Add-ons
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx, >
[Windows Live Sign-in Helper]
{9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[Windows Live Toolbar Helper]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\Windows Live Toolbar\msntb.dll, Microsoft Corporation>
[bho Class]
{ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} <C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll, ?????????>
[Java Plug-in 1.5.0_05]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll, N/A>
[&Research]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[Run IMVU]
{d9288080-1baa-4bc4-9cf8-a92d743db949} <, N/A>
[&Radio]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, N/A>
[Windows Live Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\Windows Live Toolbar\msntb.dll, Microsoft Corporation>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\System32\wuweb.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>
[&Windows Live Search]
<res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm, N/A>
[E&xport to Microsoft Excel]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[Quick Search (Yisou.com)]
<res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003, N/A>

==================================
Running Processes
[PID: 700][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll] [Anti-Malware Development a.s., 7, 5, 0, 47]
[C:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx] [, 1, 0, 0, 1]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[PID: 1480][C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe] [Webroot Software, Inc., 5,0,7,1608]
[C:\Program Files\Webroot\Spy Sweeper\wrid.dll] [N/A, N/A]
[C:\Program Files\Webroot\Spy Sweeper\language.dll] [Webroot Software, Inc., 5,0,7,1608]
[PID: 1488][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe] [Anti-Malware Development a.s., 7, 5, 0, 50]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll] [Anti-Malware Development a.s., 4, 2, 0, 15]
[PID: 1552][C:\Program Files\MSN Messenger\MsnMsgr.Exe] [Microsoft Corporation, 8.0.0812.00]
[C:\WINDOWS\System32\devenum.dll] [N/A, N/A]
[C:\WINDOWS\System32\msdmo.dll] [N/A, N/A]
[PID: 2020][C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE] [CANON INC., 1.00.0.007]
[PID: 2064][C:\Program Files\Mozilla Firefox\firefox.exe] [Mozilla, 1.0.7]
[C:\Program Files\Mozilla Firefox\js3250.dll] [Netscape Communications Corporation, 4.0]
[C:\Program Files\Mozilla Firefox\nspr4.dll] [Netscape Communications Corporation, 4.5 Beta]
[C:\Program Files\Mozilla Firefox\xpcom.dll] [Mozilla Foundation, 1.7.12: 2005091517]
[C:\Program Files\Mozilla Firefox\plc4.dll] [Netscape Communications Corporation, 4.5 Beta]
[C:\Program Files\Mozilla Firefox\plds4.dll] [Netscape Communications Corporation, 4.5 Beta]
[C:\Program Files\Mozilla Firefox\smime3.dll] [Netscape Communications Corporation, 3.9.3]
[C:\Program Files\Mozilla Firefox\nss3.dll] [Netscape Communications Corporation, 3.9.3]
[C:\Program Files\Mozilla Firefox\softokn3.dll] [Netscape Communications Corporation, 3.9.3]
[C:\Program Files\Mozilla Firefox\ssl3.dll] [Netscape Communications Corporation, 3.9.3]
[C:\Program Files\Mozilla Firefox\xpcom_compat.dll] [Mozilla Foundation, 1.7.12: 2005091517]
[C:\Program Files\Mozilla Firefox\components\qfaservices.dll] [Mozilla Foundation, 1.7.12: 2005091517]
[C:\Program Files\Mozilla Firefox\components\FULLSOFT.DLL] [Full Circle Software, Inc., 2.2.unofficial]
[C:\Program Files\Mozilla Firefox\components\jar50.dll] [Mozilla Foundation, 1.7.12: 2005091517]
[C:\Program Files\Mozilla Firefox\nssckbi.dll] [Netscape Communications Corporation, 1.42]
[PID: 2824][C:\Program Files\Webroot\Spy Sweeper\SSU.EXE] [N/A, N/A]
[PID: 2484][C:\Documents and Settings\Dennis\Desktop\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]

==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS Error. []
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
N/A

==================================

#27
Armodeluxe
  • Member 2k
  • Retired Staff
  • 2,744 posts
Every program gives a different name to the infections it detects. Googling that one yields only one Spy Sweeper log, so it is impossible to say what that is.

Delete the version of combofix you have and also delete this folder under your C:\ drive:

C:\sUBs

Then download a different version here, but don't run it yet.

combofix.exe

Open HijackThis and click Scan. Put a check next to these:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: update wnwb - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
O4 - HKLM\..\Run: [eqr77652] "RUNDLL32.EXE" w004463d.dll,n 0067764c0000000a004463d
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003


Close all other windows except HijackThis and click Fix Checked.

Go to Start > Run and copy/paste the lines below into the Run box, one line at a time, and click OK after pasting each line.

sc delete ftaxhcbq
sc delete kgitiaiv
sc delete pktcuofc


Then boot into safe mode.

Run the new combofix and save its log.

After that, using Windows Explorer, navigate to these files and folders in bold and delete them if they still exist.

C:\WINDOWS\system32\winwhork8206.dll
C:\Program Files\zuoquV6mf
C:\Program Files\Messenger\kybeqik.html
C:\Program Files\MSN\hoxynahac.html
C:\WINDOWS\system32\drivers\pmddlsuy.sys
C:\WINDOWS\system32\drivers\hewjpiui.sys
C:\WINDOWS\system32\drivers\qnctchtt.sys
C:\PROGRAM FILES\COMMON FILES\Wnwb

Boot back into normal mode.

Then go to Start -> Control Panel -> Display Properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box.
Apply.
Apply and exit Display Properties.

Then post the combofix log and a new HijackThis log. Let me know of any persisting problems.
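The three services the helper lists for `sc delete` (ftaxhcbq, kgitiaiv, pktcuofc) share traits that are visible in the SREng log above: no vendor information, a service name that does not match the .sys file name, and random-looking eight-letter names. The following Python triage is an added example, not part of this thread or of SREng; it scores those traits over constructed lines copied in SREng's two-line driver format. The score-2 entries (a legitimate AVG driver and the D-Link adapter) show why the score is a prompt for a manual look, not a verdict.

```python
import ntpath
import re

# Constructed sample in SREng's two-line "Drivers" format: the three entries the
# helper has removed, plus legitimate entries sharing one or two of the traits.
SRENG_DRIVERS = r"""
[Standard IDE/ESDI Hard Disk Controller / atapi]
<\SystemRoot\System32\DRIVERS\atapi.sys><N/A>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver]
<\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[ftaxhcbq / ftaxhcbq]
<\SystemRoot\System32\drivers\pmddlsuy.sys><N/A>
[kgitiaiv / kgitiaiv]
<\SystemRoot\System32\drivers\hewjpiui.sys><N/A>
[nv / nv]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[pktcuofc / pktcuofc]
<\SystemRoot\System32\drivers\qnctchtt.sys><N/A>
[D-Link AirPlus G+ Wireless Adapter / TNET1130]
<System32\DRIVERS\GPlus.sys><>
"""

HEADER = re.compile(r"^\[(?P<display>.*) / (?P<service>[^\]]*)\]$")
ENTRY = re.compile(r"^<(?P<path>[^>]*)><(?P<vendor>[^>]*)>$")
# Naming pattern shared by the three rootkit services and their .sys files.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def parse_drivers(text):
    """Return (service, path, vendor) for each two-line SREng driver entry."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    for head, body in zip(lines[::2], lines[1::2]):
        h, b = HEADER.match(head), ENTRY.match(body)
        if h and b:
            entries.append((h["service"], b["path"], b["vendor"]))
    return entries


def score(service, path, vendor):
    """Count suspicious traits (0-3); higher means more worth a manual look."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    points = 0
    if vendor.strip() in ("", "N/A"):          # no vendor/version information
        points += 1
    if stem.lower() != service.lower():       # service name and file name disagree
        points += 1
    if RANDOM_NAME.match(service) and RANDOM_NAME.match(stem):
        points += 1                            # both names look machine-generated
    return points


def triage(text, threshold=2):
    """Rank entries scoring at least `threshold`, highest score first."""
    ranked = sorted(((score(*e), e[0], e[1]) for e in parse_drivers(text)), reverse=True)
    return [entry for entry in ranked if entry[0] >= threshold]
```

Running `triage(SRENG_DRIVERS)` puts the three random-named drivers at score 3 and the two legitimate look-alikes at score 2; the same parser works on the full Drivers section of an SREng log pasted into `text`.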

#28
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
Erm... lol, how do I uninstall combofix again?

Also, that folder under C:/sUBs doesn't exist. I also changed folder options so that I can see invisible files, and it's still not there; however, there is a bunch of files along the lines of: sqmdata(followed by a number 01 to 10).sqm

and also other files named sqmnoopt(again numbered 01-10).sqm

I don't recognise any of these files; I'm wondering what they are.

#29
Armodeluxe
  • Member 2k
  • Retired Staff
  • 2,744 posts
There is no uninstall; just delete the combofix.exe you have and then download the new one.

For sqmdata files, see here:

http://forums.techgu...qmdata-sqm.html

#30
Xiaoxiao
  • Topic Starter
  • Member
  • 19 posts
Sigh, this is getting really, really annoying. I think I'll just format my PC. Just a last question: if I'm to back up my files, how do I check that the stuff I've backed up isn't infected with a virus?
