outerinfo pop ups and such



#1
lgundran

    Member

  • 10 posts
Once again I have pop-ups. I downloaded Mozilla Firefox instead of using Internet Explorer, but sometimes they still pop up. Here is a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:03, on 07-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\SMANTE~1\explorer.exe
C:\WINDOWS\?ssembly\??anregw.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\customer\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A716B38F-0C36-08CB-15DB-02F2C92341BA} - C:\WINDOWS\system32\fgp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [{8492DEA0-0959-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpol.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cmxgeqma.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Urem] "C:\PROGRA~1\COMMON~1\SMANTE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Ijgnvgi] C:\WINDOWS\?ssembly\??anregw.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165260745562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165260737015
O20 - AppInit_DLLs:
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\b3duZXI\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#2
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Please run a scan with HijackThis and check the following lines for removal:

R3 - URLSearchHook: (no name) - {A716B38F-0C36-08CB-15DB-02F2C92341BA} - C:\WINDOWS\system32\fgp.dll
O4 - HKLM\..\Run: [{8492DEA0-0959-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpol.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cmxgeqma.dll",setvm
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Urem] "C:\PROGRA~1\COMMON~1\SMANTE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Ijgnvgi] C:\WINDOWS\?ssembly\??anregw.exe
O20 - AppInit_DLLs:

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Reboot

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

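The entries loophole singled out share a few traits that can be checked mechanically: hooks registered with no name, Run values named by a bare GUID, rundll32 loading an unknown DLL, system-binary names running from the wrong directory or misspelt by one character (svchosts.exe), paths containing characters HijackThis prints as '?', and services whose file is missing. As an added example (my own code, not part of HijackThis or this thread), the Python script below parses HijackThis v1.99 R3/O2/O3/O4/O23 lines and reports those traits over lines copied from the first log above; the heuristics and the KNOWN_ROGUE set are assumptions drawn from this thread, not a complete signature list.

```python
"""Triage HijackThis v1.99 log lines for the patterns this thread's helper acted on (added example)."""
import re

GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
HOOK_RE = re.compile(r'^(?P<kind>R3 - URLSearchHook|O2 - BHO|O3 - Toolbar): '
                     r'(?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)

# Windows binaries whose names this machine's malware borrowed (svchosts.exe, a relocated
# explorer.exe) and the only directories they legitimately run from.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Rogue anti-spyware named in the thread's own log (assumption; extend from your own intel).
KNOWN_ROGUE = {"spysheriff"}

def _one_edit_apart(a, b):
    """True when a and b differ by exactly one inserted, deleted or substituted character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] or a[i + 1:] == b[i:] or a[i:] == b[i + 1:]

def _basename_and_dir(cmd):
    """Split a command as HijackThis prints it into (basename, directory), lower-cased."""
    path = cmd.strip().strip('"')
    m = re.match(r'^(.*?\.(?:exe|dll))', path, re.IGNORECASE)  # cut off arguments
    head, _, base = (m.group(1) if m else path).rpartition('\\')
    return base.lower(), head.lower()

def check_path(path):
    """Reasons a file path is worth a second look; an empty list means nothing stood out."""
    reasons = []
    if '?' in path:
        reasons.append("non-printable characters in path (HijackThis renders them as '?')")
    if '(file missing)' in path.lower():
        reasons.append("points at a file that no longer exists (orphaned autostart)")
    base, head = _basename_and_dir(path)
    if base in SYSTEM_BINARIES and head not in SYSTEM_DIRS:
        reasons.append(f"{base} running from outside the Windows directory: {head}")
    for sysname in sorted(SYSTEM_BINARIES):
        if _one_edit_apart(base, sysname):
            reasons.append(f"{base} is a one-character lookalike of {sysname}")
    if any(rogue in path.lower() for rogue in KNOWN_ROGUE):
        reasons.append("known rogue anti-spyware product")
    return reasons

def triage_line(line):
    """Reasons one HijackThis line deserves review (empty list if none)."""
    reasons = []
    if m := RUN_RE.match(line):
        if GUID_RE.match(m.group('name')):
            reasons.append("Run value named by a bare GUID: identify the product behind it")
        if dll := RUNDLL_RE.search(m.group('cmd')):
            reasons.append(f"rundll32 loads {dll.group(1)}: verify the DLL's publisher")
            reasons += check_path(dll.group(1))
        else:
            reasons += check_path(m.group('cmd'))
    elif m := HOOK_RE.match(line):
        if m.group('name') == '(no name)':
            reasons.append(f"{m.group('kind')} registered without a name")
        if m.group('path') == '(no file)':
            reasons.append("orphaned CLSID, its file is gone")
        else:
            reasons += check_path(m.group('path'))
    elif m := SERVICE_RE.match(line):
        if m.group('owner') == 'Unknown owner':
            reasons.append("service with no recorded owner")
        reasons += check_path(m.group('path'))
    return reasons

def triage(log_text):
    """[(line, reasons)] for every line the heuristics flag, in log order."""
    lines = [l.rstrip() for l in log_text.splitlines()]
    return [(l, r) for l in lines if (r := triage_line(l))]

# Constructed sample: lines copied from the first log in this thread, mixing entries the
# helper flagged with benign ones (Norton toolbar, MSMSGS, Symantec LiveUpdate).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A716B38F-0C36-08CB-15DB-02F2C92341BA} - C:\WINDOWS\system32\fgp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [{8492DEA0-0959-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpol.dll,startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Urem] "C:\PROGRA~1\COMMON~1\SMANTE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Ijgnvgi] C:\WINDOWS\?ssembly\??anregw.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, *("   -> " + r for r in reasons), sep="\n")
```

Run as a script it prints the seven flagged lines with their reasons; the Norton toolbar, MSMSGS and LiveUpdate entries pass through untouched, matching the list loophole posted.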

#3
lgundran

    Member

  • Topic Starter
  • 10 posts
Here is the ComboFix log. I couldn't find a couple of the entries in HijackThis, though.

"customer" - 07-01-12 14:03:26 Service Pack 2
ComboFix 07-01-10 - Running from: "C:\Documents and Settings\customer\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\system32\w001b725.dll
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\SVKP.sys
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\DOCUME~1\NETWOR~1\Application Data\NetMon
C:\WINDOWS\b3duZXI
C:\Program Files\Common Files\{3492D~1
C:\Program Files\Common Files\{8492D~2
C:\DOCUME~1\customer\Application Data\SearchToolbarCorp
C:\Program Files\Common Files\download
C:\Program Files\Common Files\windows
C:\WINDOWS\system32\rpcc.dll
C:\Program Files\Common Files\{8492D~1 . . . . failed to delete
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\customer
C:\qoobox\purity\DOCUME~1\customer\Application Data
C:\qoobox\purity\DOCUME~1\customer\Application Data\from.txt
C:\qoobox\purity\DOCUME~1\customer\Application Data\YSTEM~1
C:\qoobox\purity\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\WINDOWS\SSEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))


2007-01-12 14:32 <DIR> d-------- C:\Program Files\Common Files\{8492DEA0-095A-1033-0511-040510020001}
2007-01-12 14:31 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-12 14:31 <DIR> d-------- C:\Program Files\VSAdd-in
2007-01-12 14:31 <DIR> d-------- C:\DOCUME~1\customer\Application Data\SearchToolbarCorp
2007-01-12 14:30 88,340 --a------ C:\WINDOWS\system32\vfnsmret.exe
2007-01-10 17:59 <DIR> d-------- C:\WINDOWS\mmuf
2007-01-10 17:59 <DIR> d-------- C:\Program Files\Common Files\mmuf
2007-01-10 17:14 2 --a------ C:\WINDOWS\system32\wnscpcc.exe
2007-01-07 21:19 88,340 --a------ C:\WINDOWS\system32\usciokjl.exe
2007-01-07 21:19 81,684 --a------ C:\WINDOWS\system32\bqcmdjhc.dll
2007-01-07 21:19 44,060 --a------ C:\WINDOWS\system32\pmrrjysq.dll
2007-01-07 21:18 844,506 ---hs---- C:\WINDOWS\system32\qqstv.bak1
2007-01-07 21:18 277,044 --------- C:\WINDOWS\system32\vtsqq.dll
2007-01-07 21:18 118,804 --a------ C:\WINDOWS\system32\cmxgeqma.dll
2007-01-07 21:13 72,704 --a------ C:\WINDOWS\system32\drvpol.dll
2007-01-07 21:13 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2007-01-07 21:13 22,541 ---hs---- C:\WINDOWS\system32\mljkkig.dll
2007-01-07 21:13 16,896 --a------ C:\WINDOWS\system32\winjgf32.dll
2007-01-04 18:52 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-22 10:43 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-16 17:47 737,280 --a------ C:\WINDOWS\iun6002.exe
2006-12-16 17:46 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-12 14:33 -------- d-------- C:\Program Files\Common Files\{8492dea0-095a-1033-0511-040510020001}
2007-01-12 14:31 -------- d-------- C:\Documents and Settings\customer\Application Data\searchtoolbarcorp
2007-01-10 20:34 -------- d-------- C:\Program Files\soulseek
2007-01-07 21:15 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-04 18:20 -------- d-------- C:\Program Files\ares
2007-01-01 18:49 -------- d-------- C:\Program Files\pokerstars.net
2007-01-01 18:49 -------- d-------- C:\Program Files\azureus
2006-12-26 20:12 -------- d-------- C:\Documents and Settings\customer\Application Data\azureus
2006-12-22 10:43 -------- d-------- C:\Documents and Settings\customer\Application Data\lavasoft
2006-12-21 23:19 -------- d---s---- C:\Documents and Settings\customer\Application Data\microsoft
2006-12-10 17:16 -------- d-------- C:\Documents and Settings\customer\Application Data\divx
2006-12-10 17:14 -------- d-------- C:\Program Files\divx
2006-12-06 17:09 -------- d-------- C:\Documents and Settings\customer\Application Data\msn6
2006-12-04 14:21 -------- d--h----- C:\Program Files\installshield installation information
2006-12-04 14:20 -------- d-------- C:\Program Files\ipod
2006-12-02 16:03 -------- d-------- C:\Program Files\winbudget
2006-12-01 20:50 -------- d-------- C:\Program Files\messenger
2006-11-15 16:01 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-11-15 16:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-15 16:01 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-11-15 16:01 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-11-15 15:56 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-11-15 15:56 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-11-15 15:56 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-11-15 15:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-11-15 15:56 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-11-15 15:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-11-15 15:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-11-15 15:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-11-15 15:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-11-15 15:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-11-15 15:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-11-15 15:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-11-15 15:36 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-11-15 15:36 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-11-13 04:22 25600 --a------ C:\WINDOWS\system32\rpccd.dll
2006-10-25 16:14 9216 --a------ C:\WINDOWS\system32\vundofixsvc.exe
2006-10-23 20:44 183476 --a------ C:\WINDOWS\srvnmqczfn.exe
2006-10-23 20:38 217346 --a------ C:\WINDOWS\srvlqzlpqc.exe
2006-10-23 20:37 94720 --a------ C:\WINDOWS\system32\qykcscn.dll
2006-10-23 20:35 921 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-23 20:33 183478 --a------ C:\WINDOWS\srvgxrlqxk.exe
2006-10-23 20:31 217276 --a------ C:\WINDOWS\srvcqlktzz.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{8492DEA0-0959-1033-0511-040510020001}"="\"C:\\Program Files\\Common Files\\{8492DEA0-0959-1033-0511-040510020001}\\Update.exe\" mc-110-12-0000272"
"{8492DEA0-095A-1033-0511-040510020001}"="\"C:\\Program Files\\Common Files\\{8492DEA0-095A-1033-0511-040510020001}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpccd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgf32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{534c8fbe-913a-11db-a031-000e5c9d6ac5}]
Shell\AutoRun\command E:\Autorun.exe /run
Shell\Shell00\Command E:\Autorun.exe /run
Shell\Shell01\Command E:\Autorun.exe /action
Shell\Shell02\Command E:\Autorun.exe /uninstall


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-12 14:34:53

#4
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Browse to C:\Documents and Settings\customer\My Documents\HijackThis.exe, then right-click hijackthis.exe and rename it to jack.exe.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#5
lgundran

    Member

  • Topic Starter
  • 10 posts
Alrighty, I'm seeing a difference, but lately I keep getting pop-ups about a Generic Host Win32 problem or something of the sort. Here are the logs:
VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.5.0.5

Java version is 1.5.0.6

Scan started at 16:20:48 07-01-12

Listing files found while scanning....

C:\WINDOWS\system32\winjgf32.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winjgf32.dll
C:\WINDOWS\system32\winjgf32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqq.dll Has been deleted!

Performing Repairs to the registry.
Done!


and

Logfile of HijackThis v1.99.1
Scan saved at 17:31, on 07-01-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Documents and Settings\customer\My Documents\jack.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pmrrjysq.dll
O2 - BHO: (no name) - {C4941223-4B7E-4E93-919E-F8C253F5A17A} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [{8492DEA0-0959-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{8492DEA0-095A-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-095A-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\rylmdgyl.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165260745562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165260737015
O20 - Winlogon Notify: rpccd - C:\WINDOWS\system32\rpccd.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#7
lgundran

    Member

  • Topic Starter
  • 10 posts
SDFix: Version 1.58

07-01-14 - 10:52:08.75

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

COM+ Messages

Path:

"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272

COM+ Messages Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File
Killing PID 128 'smss.exe'
Killing PID 200 'winlogon.exe'

Rebooting

Normal Mode:

Checking Files:


Files will be copied to Backups folder then removed:

C:\WINDOWS\SRVNMQ~1.EXE - Deleted
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\STDRUN2.EXE - Deleted
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\STDRUN3.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN3.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN4.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN5.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN6.EXE - Deleted
C:\DOCUME~1\customer\LOCALS~1\Temp\win154.tmp.exe - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\system32\rpccd.dll - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\Temp\win1.tmp - Deleted
C:\WINDOWS\Temp\win16.tmp - Deleted
C:\WINDOWS\Temp\win19.tmp - Deleted
C:\WINDOWS\Temp\win1A.tmp - Deleted
C:\WINDOWS\Temp\win1C.tmp - Deleted
C:\WINDOWS\Temp\win2.tmp - Deleted
C:\WINDOWS\Temp\win23.tmp - Deleted
C:\WINDOWS\Temp\win24.tmp - Deleted
C:\WINDOWS\Temp\win2C.tmp - Deleted
C:\WINDOWS\Temp\win31.tmp - Deleted
C:\WINDOWS\Temp\win32.tmp - Deleted
C:\WINDOWS\Temp\win38.tmp - Deleted
C:\WINDOWS\Temp\win4.tmp - Deleted
C:\WINDOWS\Temp\win40.tmp - Deleted
C:\WINDOWS\Temp\win70.tmp - Deleted
C:\WINDOWS\Temp\win71.tmp - Deleted
C:\WINDOWS\Temp\win72.tmp - Deleted
C:\WINDOWS\Temp\win73.tmp - Deleted
C:\WINDOWS\Temp\winE.tmp - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted



Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Disabled:Ares"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Disabled:WinMX Application"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1124230516\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124230516\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\WINDOWS\\system32\\windir32.exe"="C:\\WINDOWS\\system32\\windir32.exe:*:Enabled:windir32"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32"="C:\\WINDOWS\\system32:*:Enabled:lockx"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\DOCUME~1\\customer\\LOCALS~1\\Temp\\win15E.tmp.exe"="C:\\DOCUME~1\\customer\\LOCALS~1\\Temp\\win15E.tmp.exe:*:Enabled:win15E.tmp"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1124230516\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124230516\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with hidden attributes:

C:\NTDETECT.COM
C:\Documents and Settings\customer\NetHood\SC on teacherweb.com\Desktop.ini
C:\Documents and Settings\customer\NetHood\SC on www.teacherweb.com\Desktop.ini
C:\WINDOWS\system32\mljkkig.dll
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\qstwa.tmp
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Can you post a new HijackThis log too? :whistling:

#9
lgundran

    Member

  • Topic Starter
  • 10 posts
Sorry for the late response.

Logfile of HijackThis v1.99.1
Scan saved at 16:33, on 07-01-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\customer\My Documents\jack.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pmrrjysq.dll
O2 - BHO: (no name) - {C4941223-4B7E-4E93-919E-F8C253F5A17A} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [{8492DEA0-0959-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{8492DEA0-095A-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-095A-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\rylmdgyl.dll",setvm
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165260745562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165260737015
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi :blink:

Sorry for the delay

Well, you picked up some more goodies :whistling:

Click Start > Control Panel > Add/Remove Programs and uninstall the following if present:
webHancer
Ipwindows



Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pmrrjysq.dll
O2 - BHO: (no name) - {C4941223-4B7E-4E93-919E-F8C253F5A17A} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [{8492DEA0-0959-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{8492DEA0-095A-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-095A-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\rylmdgyl.dll",setvm
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

Please delete the following folders using Windows Explorer:

C:\Program Files\Ipwindows
C:\Program Files\webHancer
C:\Program Files\Common Files\{8492DEA0-095A-1033-0511-040510020001}
C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}


Clean out your Temporary Internet files. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Reboot


Run ComboFix again and paste the log for me, along with a new HijackThis log.

Thanks :help:
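As an added example, not part of this thread and not HijackThis's own logic: a small Python script that parses the R/O lines of a HijackThis 1.99 log and flags the entries the helper above picked for "Fix checked". The sample log is the poster's first HijackThis log from this thread, trimmed to the relevant lines; the rules (unnamed BHOs, registrations whose file is missing, rundll32 autoruns that load a random-named system32 DLL, autoruns from GUID-named Common Files folders, the webHancer and Ipwindows folder names, and O10 Winsock-hijack entries), the regexes behind them and the function names are my assumptions.

```python
"""Triage a HijackThis v1.99 log and list the entries to tick before "Fix checked".

Added example, not from the thread. The heuristics encode what the helper
selected; the regexes, thresholds and the adware folder list are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# 5-8 lowercase letters in system32: the random names Vundo-style droppers use (assumed heuristic)
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{5,8}\.dll", re.IGNORECASE)
# A folder named like a GUID, e.g. ...\Common Files\{8492DEA0-0959-...}\Update.exe
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.IGNORECASE)
# Folder names the helper told the poster to uninstall (list taken from the thread)
KNOWN_ADWARE_DIRS = ("\\webhancer\\", "\\ipwindows\\")


@dataclass
class Entry:
    section: str                      # "R1", "O2", "O4", "O10", ...
    text: str                         # everything after "O2 - "
    reasons: list[str] = field(default_factory=list)

    @property
    def line(self) -> str:
        return f"{self.section} - {self.text}"


def parse(log: str) -> list[Entry]:
    """Keep only the R/O lines; headers and the process list are ignored."""
    out = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach a reason to every entry a helper would check; return only those."""
    for e in entries:
        t, low = e.text, e.text.lower()
        if e.section == "O2" and t.startswith("BHO: (no name)"):
            e.reasons.append("unnamed BHO")
        if "(file missing)" in t or "(no file)" in t:
            e.reasons.append("registration points at a missing file")
        if e.section == "O4" and "rundll32.exe" in low and RANDOM_SYS32_DLL.search(t):
            e.reasons.append("rundll32 autorun loads a random-named system32 DLL")
        if e.section == "O4" and GUID_DIR.search(t):
            e.reasons.append("autorun from a GUID-named Common Files folder")
        if e.section in ("O2", "O4") and any(d in low for d in KNOWN_ADWARE_DIRS):
            e.reasons.append("known adware component")
        if e.section == "O10" and "hijacked" in low:
            e.reasons.append("Winsock LSP hijack: remove the owning program, do not just delete the LSP")
    return [e for e in entries if e.reasons]


def fix_list(log: str) -> list[str]:
    """Unique lines to tick in HijackThis, in log order (O10 repeats collapse to one)."""
    seen, out = set(), []
    for e in triage(parse(log)):
        if e.line not in seen:
            seen.add(e.line)
            out.append(e.line)
    return out


# Trimmed copy of the poster's first HijackThis log from this thread (sample input).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\webHancer\Programs\whagent.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pmrrjysq.dll
O2 - BHO: (no name) - {C4941223-4B7E-4E93-919E-F8C253F5A17A} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [{8492DEA0-0959-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-0959-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{8492DEA0-095A-1033-0511-040510020001}] "C:\Program Files\Common Files\{8492DEA0-095A-1033-0511-040510020001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\rylmdgyl.dll",setvm
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"{e.line}\n    -> {'; '.join(e.reasons)}")
```

On the sample it returns the eight lines the helper listed plus the webHancer BHO and the O10 entry, which the helper dealt with by uninstalling webHancer rather than through HijackThis. That split is deliberate: an O10 line is a Winsock LSP, and deleting the DLL or its registry entry without repairing the LSP chain can leave Windows XP with no working network, so the owning program (or a dedicated LSP repair tool) should remove it.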

#11
lgundran (Topic Starter, Member, 10 posts)
ComboFix log

"customer" - 07-01-12 14:03:26 Service Pack 2
ComboFix 07-01-10 - Running from: "C:\Documents and Settings\customer\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\system32\w001b725.dll
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\SVKP.sys
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\DOCUME~1\NETWOR~1\Application Data\NetMon
C:\WINDOWS\b3duZXI
C:\Program Files\Common Files\{3492D~1
C:\Program Files\Common Files\{8492D~2
C:\DOCUME~1\customer\Application Data\SearchToolbarCorp
C:\Program Files\Common Files\download
C:\Program Files\Common Files\windows
C:\WINDOWS\system32\rpcc.dll
C:\Program Files\Common Files\{8492D~1 . . . . failed to delete
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\customer
C:\qoobox\purity\DOCUME~1\customer\Application Data
C:\qoobox\purity\DOCUME~1\customer\Application Data\from.txt
C:\qoobox\purity\DOCUME~1\customer\Application Data\YSTEM~1
C:\qoobox\purity\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\WINDOWS\SSEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))


2007-01-12 14:32 <DIR> d-------- C:\Program Files\Common Files\{8492DEA0-095A-1033-0511-040510020001}
2007-01-12 14:31 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-12 14:31 <DIR> d-------- C:\Program Files\VSAdd-in
2007-01-12 14:31 <DIR> d-------- C:\DOCUME~1\customer\Application Data\SearchToolbarCorp
2007-01-12 14:30 88,340 --a------ C:\WINDOWS\system32\vfnsmret.exe
2007-01-10 17:59 <DIR> d-------- C:\WINDOWS\mmuf
2007-01-10 17:59 <DIR> d-------- C:\Program Files\Common Files\mmuf
2007-01-10 17:14 2 --a------ C:\WINDOWS\system32\wnscpcc.exe
2007-01-07 21:19 88,340 --a------ C:\WINDOWS\system32\usciokjl.exe
2007-01-07 21:19 81,684 --a------ C:\WINDOWS\system32\bqcmdjhc.dll
2007-01-07 21:19 44,060 --a------ C:\WINDOWS\system32\pmrrjysq.dll
2007-01-07 21:18 844,506 ---hs---- C:\WINDOWS\system32\qqstv.bak1
2007-01-07 21:18 277,044 --------- C:\WINDOWS\system32\vtsqq.dll
2007-01-07 21:18 118,804 --a------ C:\WINDOWS\system32\cmxgeqma.dll
2007-01-07 21:13 72,704 --a------ C:\WINDOWS\system32\drvpol.dll
2007-01-07 21:13 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2007-01-07 21:13 22,541 ---hs---- C:\WINDOWS\system32\mljkkig.dll
2007-01-07 21:13 16,896 --a------ C:\WINDOWS\system32\winjgf32.dll
2007-01-04 18:52 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-22 10:43 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-16 17:47 737,280 --a------ C:\WINDOWS\iun6002.exe
2006-12-16 17:46 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-12 14:33 -------- d-------- C:\Program Files\Common Files\{8492dea0-095a-1033-0511-040510020001}
2007-01-12 14:31 -------- d-------- C:\Documents and Settings\customer\Application Data\searchtoolbarcorp
2007-01-10 20:34 -------- d-------- C:\Program Files\soulseek
2007-01-07 21:15 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-04 18:20 -------- d-------- C:\Program Files\ares
2007-01-01 18:49 -------- d-------- C:\Program Files\pokerstars.net
2007-01-01 18:49 -------- d-------- C:\Program Files\azureus
2006-12-26 20:12 -------- d-------- C:\Documents and Settings\customer\Application Data\azureus
2006-12-22 10:43 -------- d-------- C:\Documents and Settings\customer\Application Data\lavasoft
2006-12-21 23:19 -------- d---s---- C:\Documents and Settings\customer\Application Data\microsoft
2006-12-10 17:16 -------- d-------- C:\Documents and Settings\customer\Application Data\divx
2006-12-10 17:14 -------- d-------- C:\Program Files\divx
2006-12-06 17:09 -------- d-------- C:\Documents and Settings\customer\Application Data\msn6
2006-12-04 14:21 -------- d--h----- C:\Program Files\installshield installation information
2006-12-04 14:20 -------- d-------- C:\Program Files\ipod
2006-12-02 16:03 -------- d-------- C:\Program Files\winbudget
2006-12-01 20:50 -------- d-------- C:\Program Files\messenger
2006-11-15 16:01 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-11-15 16:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-15 16:01 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-11-15 16:01 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-11-15 15:56 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-11-15 15:56 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-11-15 15:56 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-11-15 15:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-11-15 15:56 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-11-15 15:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-11-15 15:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-11-15 15:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-11-15 15:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-11-15 15:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-11-15 15:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-11-15 15:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-11-15 15:36 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-11-15 15:36 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-11-13 04:22 25600 --a------ C:\WINDOWS\system32\rpccd.dll
2006-10-25 16:14 9216 --a------ C:\WINDOWS\system32\vundofixsvc.exe
2006-10-23 20:44 183476 --a------ C:\WINDOWS\srvnmqczfn.exe
2006-10-23 20:38 217346 --a------ C:\WINDOWS\srvlqzlpqc.exe
2006-10-23 20:37 94720 --a------ C:\WINDOWS\system32\qykcscn.dll
2006-10-23 20:35 921 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-23 20:33 183478 --a------ C:\WINDOWS\srvgxrlqxk.exe
2006-10-23 20:31 217276 --a------ C:\WINDOWS\srvcqlktzz.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{8492DEA0-0959-1033-0511-040510020001}"="\"C:\\Program Files\\Common Files\\{8492DEA0-0959-1033-0511-040510020001}\\Update.exe\" mc-110-12-0000272"
"{8492DEA0-095A-1033-0511-040510020001}"="\"C:\\Program Files\\Common Files\\{8492DEA0-095A-1033-0511-040510020001}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpccd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgf32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{534c8fbe-913a-11db-a031-000e5c9d6ac5}]
Shell\AutoRun\command E:\Autorun.exe /run
Shell\Shell00\Command E:\Autorun.exe /run
Shell\Shell01\Command E:\Autorun.exe /action
Shell\Shell02\Command E:\Autorun.exe /uninstall


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-12 14:34:53


HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:14, on 07-01-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\customer\My Documents\jack.exe
C:\Documents and Settings\customer\My Documents\jack.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12
loophole (Malware Expert, Retired Staff, 9,798 posts)
Can you run ComboFix again? The log you posted was your first ComboFix log.

#13
lgundran (Topic Starter, Member, 10 posts)
I'll do it tomorrow. I'm swamped at the moment.

#14
loophole (Malware Expert, Retired Staff, 9,798 posts)
That's fine, me too :whistling:

#15
lgundran (Topic Starter, Member, 10 posts)
Is this what you mean?

"customer" - 07-01-26 20:26:20 Service Pack 2
ComboFix 07-01-10 - Running from: "C:\Documents and Settings\customer\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\customer\Application Data\SearchToolbarCorp
C:\Program Files\Inetget2
C:\Program Files\VSAdd-in
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\customer
C:\qoobox\purity\DOCUME~1\customer\Application Data
C:\qoobox\purity\DOCUME~1\customer\Application Data\from.txt
C:\qoobox\purity\DOCUME~1\customer\Application Data\YSTEM~1
C:\qoobox\purity\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\WINDOWS\SSEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 ))))))))))))))))))))))))))))))))))


2007-01-15 15:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-15 15:07 <DIR> d-------- C:\4456f39c3ddf8fa92000bb62df
2007-01-14 12:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-14 11:24 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-13 13:37 <DIR> d-------- C:\SDFix
2007-01-12 16:44 817,404 ---hs---- C:\WINDOWS\system32\qqstv.bak2
2007-01-12 16:44 118,804 --a------ C:\WINDOWS\system32\rylmdgyl.dll
2007-01-12 16:20 <DIR> d-------- C:\VundoFix Backups
2007-01-12 14:31 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-12 14:30 88,340 --a------ C:\WINDOWS\system32\vfnsmret.exe
2007-01-10 17:59 <DIR> d-------- C:\WINDOWS\mmuf
2007-01-10 17:59 <DIR> d-------- C:\Program Files\Common Files\mmuf
2007-01-10 17:14 2 --a------ C:\WINDOWS\system32\wnscpcc.exe
2007-01-07 21:19 88,340 --a------ C:\WINDOWS\system32\usciokjl.exe
2007-01-07 21:19 81,684 --a------ C:\WINDOWS\system32\bqcmdjhc.dll
2007-01-07 21:19 44,060 --a------ C:\WINDOWS\system32\pmrrjysq.dll
2007-01-07 21:18 118,804 --a------ C:\WINDOWS\system32\cmxgeqma.dll
2007-01-07 21:13 72,704 --a------ C:\WINDOWS\system32\drvpol.dll
2007-01-07 21:13 22,541 ---hs---- C:\WINDOWS\system32\mljkkig.dll
2007-01-04 18:52 <DIR> d-------- C:\Program Files\Mozilla Firefox


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-26 20:17 -------- d-------- C:\Program Files\soulseek
2007-01-13 18:41 -------- d-------- C:\Program Files\pokerstars.net
2007-01-07 21:15 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-04 18:20 -------- d-------- C:\Program Files\ares
2007-01-01 18:49 -------- d-------- C:\Program Files\azureus
2006-12-26 20:12 -------- d-------- C:\DOCUME~1\customer\Application Data\azureus
2006-12-22 10:43 -------- d-------- C:\Program Files\lavasoft
2006-12-22 10:43 -------- d-------- C:\DOCUME~1\customer\Application Data\lavasoft
2006-12-21 23:19 -------- d---s---- C:\DOCUME~1\customer\Application Data\microsoft
2006-12-16 17:46 737280 --a------ C:\WINDOWS\iun6002.exe
2006-12-16 17:46 57344 --a------ C:\WINDOWS\system32\wnaspint.dll
2006-12-10 17:16 -------- d-------- C:\DOCUME~1\customer\Application Data\divx
2006-12-10 17:14 -------- d-------- C:\Program Files\divx
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 17:09 -------- d-------- C:\DOCUME~1\customer\Application Data\msn6
2006-12-04 14:21 -------- d--h----- C:\Program Files\installshield installation information
2006-12-04 14:20 -------- d-------- C:\Program Files\ipod
2006-12-02 16:03 -------- d-------- C:\Program Files\winbudget
2006-12-01 20:50 -------- d-------- C:\Program Files\messenger
2006-11-15 16:01 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-11-15 16:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-15 16:01 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-11-15 16:01 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-11-15 15:56 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-11-15 15:56 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-11-15 15:56 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-11-15 15:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-11-15 15:56 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-11-15 15:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-11-15 15:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-11-15 15:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-11-15 15:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-11-15 15:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-11-15 15:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-11-15 15:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-11-15 15:36 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-11-15 15:36 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{534c8fbe-913a-11db-a031-000e5c9d6ac5}]
Shell\AutoRun\command E:\Autorun.exe /run
Shell\Shell00\Command E:\Autorun.exe /run
Shell\Shell01\Command E:\Autorun.exe /action
Shell\Shell02\Command E:\Autorun.exe /uninstall


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-26 20:29:56
C:\ComboFix2.txt ... 07-01-12 14:34
C:\ComboFix3.txt ... 07-01-21 11:12