pop up


#1 ptorline (Member, 17 posts)
I posted all of my logs and other things in the wrong forum, and now when I try to run HijackThis it gives me a program error saying that it has generated errors. I don't know what to do!!

#2 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
What EXACTLY does the error say.....
Try and re-download/install a new copy of HIJACKTHIS and see if it helps.

#3 ptorline (Topic Starter, Member, 17 posts)
I tried to reinstall it, but it didn't work; I still get the same message. It says: "HijackThis.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created."

Then the only option I have to click is OK.

#4 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
OK
Download ComboFix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#5 ptorline (Topic Starter, Member, 17 posts)
"MTorline" - 2007-05-22 10:58:31 Service Pack 4
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\mtorline\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\awvvv.dll
C:\WINNT\system32\cwglqoym.dll
C:\WINNT\system32\viffavas.dll
C:\WINNT\system32\xxwwu.dll
C:\WINNT\system32\yayvu.dll
C:\WINNT\system32\efcyy.dll
C:\WINNT\system32\fcyww.dll
C:\WINNT\system32\byxxx.dll
C:\WINNT\system32\yaywv.dll
C:\WINNT\system32\upqvrpnw.dll
C:\WINNT\system32\ddcbaaw.dll
C:\WINNT\system32\savaffiv.ini
C:\WINNT\system32\uwwxx.ini
C:\WINNT\system32\uvyay.ini
C:\WINNT\system32\yycfe.ini
C:\WINNT\system32\wwycf.ini
C:\WINNT\system32\wwycf.bak2
C:\WINNT\system32\xxxyb.ini
C:\WINNT\system32\vwyay.ini
C:\WINNT\system32\wnprvqpu.ini
C:\WINNT\SYSTEM32\ybbeg.tmp
C:\WINNT\SYSTEM32\ybbeg.ini2
C:\WINNT\SYSTEM32\ybbeg.bak1
C:\WINNT\SYSTEM32\ybbeg.bak2
C:\WINNT\system32\urqrspm.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\retadpu1000106.exe
C:\9757614.exe
C:\Program Files\Internet Explorer\qudanuba.dll
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\17O7\tmpTF.log
C:\WINNT\system32\bszip.dll
C:\WINNT\system32\drivers\fad.sys
C:\WINNT\system32\Explorer.exe
C:\WINNT\notedad.exe
C:\WINNT\system32\mp43.exe
C:\WINNT\VTTC.exe
C:\Program Files\outerinfo
C:\WINNT\system32\smpi1
C:\Temp\17O7
C:\Temp\tn3
C:\WINNT\DOWNLO~1.\Temp
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\drivers\core.sys . . . . failed to delete


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core
-------\RpcApi


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))


2007-05-22 00:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 23:20 60,928 --a------ C:\WINNT\SYSTEM32\mtflm.dll
2007-05-21 23:08 2 --a------ C:\WINNT\SYSTEM32\wnstsicomsv32.exe
2007-05-21 22:58 72,320 --------- C:\WINNT\SYSTEM32\DRIVERS\core.sys
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\TQ0
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T6
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T4
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T3
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T1QaSQ
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\pog
2007-05-21 22:58 <DIR> d-------- C:\temp\0b9
2007-05-20 16:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-20 16:01 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 21:48 <DIR> d-------- C:\Program Files\??pPatch
2007-05-16 19:24 <DIR> d-------- C:\FOUND.000
2007-05-16 16:55 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\STOPzilla!
2007-05-16 16:54 <DIR> d-------- C:\Program Files\STOPzilla!
2007-05-16 16:35 <DIR> d-------- C:\Program Files\CHARTER
2007-05-16 16:30 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-05-16 16:29 <DIR> d-------- C:\Program Files\Support.com
2007-05-16 16:29 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\Support.com
2007-05-14 19:53 <DIR> d-------- C:\WINNT\SYSTEM32\SBO
2007-05-03 16:20 <DIR> d-------- C:\Program Files\Trials
2007-04-30 16:51 <DIR> d-------- C:\WINNT\qumq
2007-04-30 16:51 <DIR> d-------- C:\Program Files\Common Files\qumq
2007-04-30 16:36 <DIR> d--hs---- C:\WINNT\QWxsZWdpYW5jZQ
2007-04-29 16:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-29 16:41 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\Lavasoft
2007-04-29 16:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-28 20:27 <DIR> d-------- C:\Program Files\DivX
2007-04-28 19:03 892,928 --a------ C:\WINNT\SYSTEM32\NCTAudioInformation.dll
2007-04-28 19:03 393,216 --a------ C:\WINNT\SYSTEM32\VorbisEncX.dll
2007-04-28 19:03 339,968 --a------ C:\WINNT\SYSTEM32\MP3EncX.dll
2007-04-28 19:03 331,776 --a------ C:\WINNT\SYSTEM32\NCTAudioCDRipper2.dll
2007-04-28 19:03 309,616 --a------ C:\WINNT\SYSTEM32\wmv8dmod.dll
2007-04-28 19:03 303,104 --a------ C:\WINNT\SYSTEM32\WMAEncX.dll
2007-04-28 19:03 101,888 --a------ C:\WINNT\SYSTEM32\VB6STKIT.DLL
2007-04-28 19:03 1,839,104 --a------ C:\WINNT\SYSTEM32\NCTAudioFile2.dll
2007-04-28 19:02 <DIR> d-------- C:\Program Files\SoftwareClub.ws
2007-04-28 15:05 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-28 14:25 <DIR> dr--s---- C:\WINNT\F?nts
2007-04-28 14:21 <DIR> d-------- C:\Program Files\BitLord


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 04:48:28 -------- d-----w C:\Program Files\??pPatch
2007-04-11 06:04:04 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Azureus
2007-04-09 06:20:52 -------- d-----w C:\Program Files\QuickTime
2007-04-05 07:15:32 -------- d--h--w C:\DOCUME~1\mtorline\APPLIC~1\Move Networks
2007-04-01 02:40:14 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Viewpoint
2007-03-31 21:18:38 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Ahead
2007-03-31 21:11:12 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-29 00:42:46 -------- d-----w C:\Program Files\Common Files\Real
2007-03-29 00:42:44 -------- d-----w C:\Program Files\Real
2007-03-29 00:42:08 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Real
2007-03-29 00:05:54 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\DivX
2007-03-27 07:55:58 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
2007-03-27 07:55:50 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
2007-03-27 07:55:24 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-03-27 07:55:24 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2007-03-27 07:49:08 73,728 ----a-w C:\WINNT\system32\dpl100.dll
2007-03-27 07:49:08 196,608 ----a-w C:\WINNT\system32\dtu100.dll
2007-03-27 07:49:06 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
2007-03-27 07:49:04 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
2007-03-27 07:49:04 57,344 ----a-w C:\WINNT\system32\dpv11.dll
2007-03-27 07:49:04 344,064 ----a-w C:\WINNT\system32\dpus11.dll
2007-03-27 07:49:04 294,912 ----a-w C:\WINNT\system32\dpu11.dll
2007-03-27 07:49:04 294,912 ----a-w C:\WINNT\system32\dpu10.dll
2007-03-27 07:49:00 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
2007-03-27 07:49:00 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
2007-03-27 07:49:00 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
2007-03-27 07:49:00 639,066 ----a-w C:\WINNT\system32\DivX.dll
2007-03-27 06:03:08 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\BitTorrent
2007-03-27 04:02:52 -------- d-----w C:\Program Files\HP Photosmart 11
2007-03-26 23:58:18 -------- d-----w C:\Program Files\Viewpoint
2007-03-26 23:57:58 -------- d-----w C:\Program Files\Common Files\AOL
2007-03-26 23:55:36 335 ----a-w C:\WINNT\nsreg.dat
2007-03-19 18:14:32 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Sonic
2007-02-16 01:40:36 124,472 ----a-w C:\WINNT\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [01-04-16 16:39 ]
{1CB1D813-3585-2C52-A34F-1BE339E5A992}=C:\WINNT\system32\kqoev.dll []
{356D87C2-5AEE-4D94-A513-CB7B86E163B6}=C:\Program Files\NetMeeting\merote.dll [07-04-06 12:27 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINNT\system32\dla\tfswshx.dll [04-03-15 01:04 ]
{8ACFE278-80FF-49F2-B535-9CC45EE7169C}=C:\Program Files\NetMeeting\merote.dll [07-04-06 12:27 ]
{9D583E62-D1A9-9B2C-D908-FFADDDBB729E}=C:\WINNT\system32\mtflm.dll [07-05-21 06:59 ]
{B08D32DE-64B2-4137-8345-87293E70D40B}=C:\WINNT\system32\iea.dll []
{FCB8D92D-7B4A-4BB2-AFCE-095CE4D0FC34}=C:\WINNT\system32\lkaoblwq.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 07:00 C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [04-08-20 14:55 ]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [04-08-20 14:51 ]
"sethook"="cmd /c start /min cmd /c c:\dell\src_path.cmd" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03-03-17 18:21 ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03-03-17 18:20 ]
"bascstray"="BascsTray.exe" []
"bacstray"="BacsTray.exe" [03-05-14 18:37 C:\WINNT\SYSTEM32\BacsTray.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03-01-31 11:27 ]
"PRPCMonitor"="PRPCUI.exe" [02-10-07 03:00 C:\WINNT\SYSTEM32\prpcui.exe]
"BuildBU"="c:\dell\bldbubg.exe" [03-05-01 16:10 ]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [02-09-20 16:46 ]
"dla"="C:\WINNT\system32\dla\tfswctrl.exe" [04-03-15 01:04 ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [03-08-19 01:01 ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [02-09-10 21:26 ]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe" [06-01-06 11:07 ]
"HPHmon04"="C:\WINNT\system32\hphmon04.exe" [06-01-06 11:07 ]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-08 23:20 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-04-28 15:05 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [03-06-20 07:00 C:\WINNT\SYSTEM32\INTERNAT.EXE]
"Brct"="C:\PROGRA~1\PPATCH~1\nopdb.exe" [07-05-21 23:06 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Winamp Media"=C:\WINNT\system32\qmedia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvst]
vtuvvst.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages kerberos msv1_0 schannel

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
wugroup wuauserv
BITSgroup BITS

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN


Contents of the 'Scheduled Tasks' folder
2007-05-22 07:00:02 C:\WINNT\tasks\At1.job
2007-05-22 08:00:02 C:\WINNT\tasks\At2.job
2007-05-22 09:00:02 C:\WINNT\tasks\At3.job
2007-05-22 10:00:02 C:\WINNT\tasks\At4.job
2007-05-22 11:00:02 C:\WINNT\tasks\At5.job
2007-05-22 12:00:02 C:\WINNT\tasks\At6.job
2007-05-22 13:00:02 C:\WINNT\tasks\At7.job
2007-05-22 14:00:02 C:\WINNT\tasks\At8.job
2007-05-22 15:00:02 C:\WINNT\tasks\At9.job
2007-05-22 16:00:02 C:\WINNT\tasks\At10.job
2007-05-22 17:00:02 C:\WINNT\tasks\At11.job
2007-05-22 18:00:04 C:\WINNT\tasks\At12.job
2007-05-21 19:00:02 C:\WINNT\tasks\At13.job
2007-05-21 20:00:02 C:\WINNT\tasks\At14.job
2007-05-21 21:00:02 C:\WINNT\tasks\At15.job
2007-05-21 22:00:02 C:\WINNT\tasks\At16.job
2007-05-21 23:00:02 C:\WINNT\tasks\At17.job
2007-05-22 00:00:02 C:\WINNT\tasks\At18.job
2007-05-22 01:00:02 C:\WINNT\tasks\At19.job
2007-05-22 02:00:02 C:\WINNT\tasks\At20.job
2007-05-22 03:00:02 C:\WINNT\tasks\At21.job
2007-05-22 04:00:02 C:\WINNT\tasks\At22.job
2007-05-22 05:00:02 C:\WINNT\tasks\At23.job
2007-05-22 06:00:02 C:\WINNT\tasks\At24.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 11:09:46
Windows 5.0.2195 Service Pack 4 FAT

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-22 11:11:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-22 11:11

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 11:14, on 2007-05-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\PPATCH~1\nopdb.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB1D813-3585-2C52-A34F-1BE339E5A992} - C:\WINNT\system32\kqoev.dll (file missing)
O2 - BHO: (no name) - {356D87C2-5AEE-4D94-A513-CB7B86E163B6} - C:\Program Files\NetMeeting\merote.dll
O2 - BHO: (no name) - {503737A4-4BE9-4B40-A95A-1906F3A623D8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {8ACFE278-80FF-49F2-B535-9CC45EE7169C} - C:\Program Files\NetMeeting\merote.dll
O2 - BHO: (no name) - {9D583E62-D1A9-9B2C-D908-FFADDDBB729E} - C:\WINNT\system32\mtflm.dll
O2 - BHO: IE Assistant - {B08D32DE-64B2-4137-8345-87293E70D40B} - C:\WINNT\system32\iea.dll (file missing)
O2 - BHO: (no name) - {FCB8D92D-7B4A-4BB2-AFCE-095CE4D0FC34} - C:\WINNT\system32\lkaoblwq.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\PPATCH~1\nopdb.exe" -vt yazb
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9334A4C1-19AC-4B10-8D0F-AC5E370D5C38}: NameServer = 208.67.222.222,208.67.220.220,208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtuvvst - vtuvvst.dll (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

#6 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

Please go here to upload a suspicious file for analysis.
  • Enter your username ptorline
  • Copy and paste the link to this thread http://www.geekstogo...up-t158850.html
  • Browse for these filenames: C:\Program Files\NetMeeting\merote.dll and C:\WINNT\system32\mtflm.dll
  • In the comments, please mention that jwbirdsong asked you to upload this file
  • Click on Send File
CLOSE IE/Firefox

Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

O2 - BHO: (no name) - {1CB1D813-3585-2C52-A34F-1BE339E5A992} - C:\WINNT\system32\kqoev.dll (file missing)
O2 - BHO: (no name) - {356D87C2-5AEE-4D94-A513-CB7B86E163B6} - C:\Program Files\NetMeeting\merote.dll
O2 - BHO: (no name) - {503737A4-4BE9-4B40-A95A-1906F3A623D8} - (no file)
O2 - BHO: (no name) - {8ACFE278-80FF-49F2-B535-9CC45EE7169C} - C:\Program Files\NetMeeting\merote.dll
O2 - BHO: (no name) - {9D583E62-D1A9-9B2C-D908-FFADDDBB729E} - C:\WINNT\system32\mtflm.dll
O2 - BHO: IE Assistant - {B08D32DE-64B2-4137-8345-87293E70D40B} - C:\WINNT\system32\iea.dll (file missing)
O2 - BHO: (no name) - {FCB8D92D-7B4A-4BB2-AFCE-095CE4D0FC34} - C:\WINNT\system32\lkaoblwq.dll (file missing)
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\PPATCH~1\nopdb.exe" -vt yazb
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
O20 - Winlogon Notify: vtuvvst - vtuvvst.dll (file missing)

Close ALL other open windows and programs and click Fix checked.

Reboot

Please download VundoFix.exe (by Atribune) to your Desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Post a fresh HijackThis log and c:\vundofix.txt
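As an added illustration of the triage behind the checklist in post #6 (this is example code written for this page, not part of the thread, HijackThis, ComboFix or VundoFix), the Python below parses HijackThis O2, O4 and O20 lines and grades them with three simple heuristics: a BHO or Winlogon Notify entry whose DLL is missing is an orphaned registration, an unnamed BHO loading a bare DLL straight from system32 is suspect, and a Run value written with an 8.3 short path deserves a look. The heuristics and the "high"/"review" labels are this example's own assumptions, not HijackThis logic; the sample lines are copied from the first HijackThis log in the thread, and under these rules the NetMeeting merote.dll entries, which the helper asked to have uploaded for analysis, only rate "review", which is exactly why a helper asks for the file rather than trusting the log alone.

```python
"""Grade HijackThis (v1.99) O2/O4/O20 entries for first-pass triage.

Example written for this page; not part of HijackThis or the thread.
The heuristics below are an assumption for illustration, not HJT's logic.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# A bare DLL sitting directly in system32 (Windows 2000 installs to WINNT, XP to WINDOWS)
SYSTEM32_DLL_RE = re.compile(r"^c:\\win(nt|dows)\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# An 8.3 short-name component such as PROGRA~1 or PPATCH~1
SHORT_PATH_RE = re.compile(r"~\d")


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "high" (orphaned or clearly suspect) or "review" (identify the file first)
    reason: str


def is_missing(path: str) -> bool:
    """HJT marks a registration whose file is gone with '(file missing)' or '(no file)'."""
    return "(file missing)" in path or path.strip() == "(no file)"


def triage_hjt(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious O2, O20 or O4 line; all other lines are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, path = m["name"], m["path"]
            if is_missing(path):
                findings.append(Finding(line, "high", "BHO CLSID registered but its DLL is gone"))
            elif name == "(no name)" and SYSTEM32_DLL_RE.match(path):
                findings.append(Finding(line, "high", "unnamed BHO loading a bare DLL from system32"))
            elif name == "(no name)":
                findings.append(Finding(line, "review", "unnamed BHO: identify the DLL before fixing"))
        elif m := O20_RE.match(line):
            if is_missing(m["path"]):
                findings.append(Finding(line, "high", "Winlogon Notify package whose DLL is gone"))
        elif m := O4_RE.match(line):
            if SHORT_PATH_RE.search(m["cmd"]):
                findings.append(Finding(line, "review", "Run value written with an 8.3 short path"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 6, 'review': 4}."""
    return dict(Counter(f.severity for f in findings))


# Sample input: lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB1D813-3585-2C52-A34F-1BE339E5A992} - C:\WINNT\system32\kqoev.dll (file missing)
O2 - BHO: (no name) - {356D87C2-5AEE-4D94-A513-CB7B86E163B6} - C:\Program Files\NetMeeting\merote.dll
O2 - BHO: (no name) - {503737A4-4BE9-4B40-A95A-1906F3A623D8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {8ACFE278-80FF-49F2-B535-9CC45EE7169C} - C:\Program Files\NetMeeting\merote.dll
O2 - BHO: (no name) - {9D583E62-D1A9-9B2C-D908-FFADDDBB729E} - C:\WINNT\system32\mtflm.dll
O2 - BHO: IE Assistant - {B08D32DE-64B2-4137-8345-87293E70D40B} - C:\WINNT\system32\iea.dll (file missing)
O2 - BHO: (no name) - {FCB8D92D-7B4A-4BB2-AFCE-095CE4D0FC34} - C:\WINNT\system32\lkaoblwq.dll (file missing)
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\PPATCH~1\nopdb.exe" -vt yazb
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtuvvst - vtuvvst.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage_hjt(SAMPLE_LOG)))
```

Run against the sample, the script rates six entries "high" (the five orphaned registrations plus the unnamed mtflm.dll BHO in system32) and four "review" (both merote.dll entries, Spybot's own unnamed SDHelper.dll, and the PPATCH~1 Run value), while the Adobe, DriveLetterAccess, internat.exe and igfxcui lines pass untouched. The "review" bucket is the point: a log line alone cannot tell the Spybot helper from the NetMeeting DLL, so those are the files to have analysed before clicking Fix checked.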

#7 ptorline (Topic Starter, Member, 17 posts)
The VundoFix didn't find anything wrong, so it didn't give me anything to post. But here is the new HijackThis log.



Logfile of HijackThis v1.99.1
Scan saved at 19:08, on 2007-05-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {CA0E3B6D-87FF-CC7A-D908-FFADDDBB759D} - C:\WINNT\system32\bdkc.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9334A4C1-19AC-4B10-8D0F-AC5E370D5C38}: NameServer = 208.67.222.222,208.67.220.220,208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

#8 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Once again, please upload a file just like you did a while ago:
C:\WINNT\system32\bdkc.dll

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report and a new ComboFix log....

#9 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Got it, thanks......carry on.....it's garbage; you can check and remove that line in HJT ..(But I knew that B4 you sent it..)
O2 - BHO: (no name) - {CA0E3B6D-87FF-CC7A-D908-FFADDDBB759D} - C:\WINNT\system32\bdkc.dll

I just forgot to include that in last post

#10 ptorline (Topic Starter, Member, 17 posts)
Incident Status Location

Hacktool:Rootkit/NTRootkit.AJ Not disinfected C:\WINNT\SYSTEM32\DRIVERS\CORE.SYS
Adware:Adware/Adsmart Not disinfected C:\WINNT\SYSTEM32\T1QaSQ\T1QaSQ1065.exe
Adware:Adware/WebBuying Not disinfected C:\WINNT\SYSTEM32\TQ0\DLL2.EXE
Adware:Adware/TTC Not disinfected C:\WINNT\SYSTEM32\T3\DLLTK67.EXE
Adware:Adware/DeluxeComunications Not disinfected C:\WINNT\SYSTEM32\T4\D5LL.EXE
Virus:Trj/Downloader.OJF Disinfected C:\WINNT\SYSTEM32\T6\DLWR.EXE
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NIRCMD.EXE
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
Virus:Trj/Downloader.OLY Disinfected C:\QooBox\Quarantine\C\WINNT\retadpu1000106.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\viffavas.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\upqvrpnw.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\ddcbaaw.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\urqrspm.dll.vir
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\WINNT\VTTC.exe.vir
Adware:Adware/Adsmart Not disinfected C:\QooBox\Quarantine\C\9757614.exe.vir
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\MTORLINE\Local Settings\Temp\CTXAD.EXE[NDrv.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\MTORLINE\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@com[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@advertising[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@bravenet[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\MTORLINE\Cookies\[email protected][1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@findwhat[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@entrepreneur[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\MTORLINE\Cookies\[email protected][1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\MTORLINE\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@adultfriendfinder[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\MTORLINE\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@overture[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@mediaplex[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@fastclick[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@tribalfusion[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@doubleclick[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@questionmarket[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@atdmt[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@trafficmp[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@casalemedia[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\MTORLINE\Cookies\[email protected][2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@zedo[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\MTORLINE\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@adrevolver[3].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\MTORLINE\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\MTORLINE\Cookies\mtorline@statcounter[2].txt
Adware:Adware/PurityScan Not disinfected C:\Program Files\??pPatch\NOPDB.EXE
Adware:Adware/TTC Not disinfected C:\Program Files\Hijackthis\BACKUPS\backup-20070523-190016-825.dll
Adware:Adware/TTC Not disinfected C:\Program Files\Hijackthis\BACKUPS\backup-20070523-190016-999.dll


"MTorline" - 2007-05-23 21:29:14 Service Pack 4
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\mtorline\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\outerinfo
C:\Temp\tn3
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\drivers\core.sys . . . . failed to delete


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-23 ))))))))))))))))))))))))))))))))))


2007-05-23 21:36 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_3a8.dat
2007-05-23 21:05 <DIR> d-------- C:\WINNT\SYSTEM32\ActiveScan
2007-05-23 19:05 <DIR> d-------- C:\VundoFix Backups
2007-05-22 23:45 60,928 --a------ C:\WINNT\SYSTEM32\bdkc.dll
2007-05-22 11:11 49,152 --a------ C:\WINNT\nircmd.exe
2007-05-22 00:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 23:08 2 --a------ C:\WINNT\SYSTEM32\wnstsicomsv32.exe
2007-05-21 22:58 72,320 --------- C:\WINNT\SYSTEM32\DRIVERS\core.sys
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\TQ0
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T6
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T4
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T3
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\T1QaSQ
2007-05-21 22:58 <DIR> d-------- C:\WINNT\SYSTEM32\pog
2007-05-21 22:58 <DIR> d-------- C:\temp\0b9
2007-05-20 16:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-20 16:01 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 21:48 <DIR> d-------- C:\Program Files\??pPatch
2007-05-16 19:24 <DIR> d-------- C:\FOUND.000
2007-05-16 16:55 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\STOPzilla!
2007-05-16 16:54 <DIR> d-------- C:\Program Files\STOPzilla!
2007-05-16 16:35 <DIR> d-------- C:\Program Files\CHARTER
2007-05-16 16:30 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-05-16 16:29 <DIR> d-------- C:\Program Files\Support.com
2007-05-16 16:29 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\Support.com
2007-05-14 19:53 <DIR> d-------- C:\WINNT\SYSTEM32\SBO
2007-05-03 16:20 <DIR> d-------- C:\Program Files\Trials
2007-04-30 16:51 <DIR> d-------- C:\WINNT\qumq
2007-04-30 16:51 <DIR> d-------- C:\Program Files\Common Files\qumq
2007-04-30 16:36 <DIR> d--hs---- C:\WINNT\QWxsZWdpYW5jZQ
2007-04-29 16:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-29 16:41 <DIR> d-------- C:\DOCUME~1\mtorline\APPLIC~1\Lavasoft
2007-04-29 16:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-28 20:27 <DIR> d-------- C:\Program Files\DivX
2007-04-28 19:03 892,928 --a------ C:\WINNT\SYSTEM32\NCTAudioInformation.dll
2007-04-28 19:03 393,216 --a------ C:\WINNT\SYSTEM32\VorbisEncX.dll
2007-04-28 19:03 339,968 --a------ C:\WINNT\SYSTEM32\MP3EncX.dll
2007-04-28 19:03 331,776 --a------ C:\WINNT\SYSTEM32\NCTAudioCDRipper2.dll
2007-04-28 19:03 309,616 --a------ C:\WINNT\SYSTEM32\wmv8dmod.dll
2007-04-28 19:03 303,104 --a------ C:\WINNT\SYSTEM32\WMAEncX.dll
2007-04-28 19:03 101,888 --a------ C:\WINNT\SYSTEM32\VB6STKIT.DLL
2007-04-28 19:03 1,839,104 --a------ C:\WINNT\SYSTEM32\NCTAudioFile2.dll
2007-04-28 19:02 <DIR> d-------- C:\Program Files\SoftwareClub.ws
2007-04-28 15:05 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-28 14:25 <DIR> dr--s---- C:\WINNT\F?nts
2007-04-28 14:21 <DIR> d-------- C:\Program Files\BitLord


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 04:48:28 -------- d-----w C:\Program Files\??pPatch
2007-04-11 06:04:04 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Azureus
2007-04-09 06:20:52 -------- d-----w C:\Program Files\QuickTime
2007-04-05 07:15:32 -------- d--h--w C:\DOCUME~1\mtorline\APPLIC~1\Move Networks
2007-04-01 02:40:14 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Viewpoint
2007-03-31 21:18:38 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Ahead
2007-03-31 21:11:12 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-29 00:42:46 -------- d-----w C:\Program Files\Common Files\Real
2007-03-29 00:42:44 -------- d-----w C:\Program Files\Real
2007-03-29 00:42:08 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Real
2007-03-29 00:05:54 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\DivX
2007-03-27 07:55:58 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
2007-03-27 07:55:50 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
2007-03-27 07:55:24 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-03-27 07:55:24 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2007-03-27 07:49:08 73,728 ----a-w C:\WINNT\system32\dpl100.dll
2007-03-27 07:49:08 196,608 ----a-w C:\WINNT\system32\dtu100.dll
2007-03-27 07:49:06 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
2007-03-27 07:49:04 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
2007-03-27 07:49:04 57,344 ----a-w C:\WINNT\system32\dpv11.dll
2007-03-27 07:49:04 344,064 ----a-w C:\WINNT\system32\dpus11.dll
2007-03-27 07:49:04 294,912 ----a-w C:\WINNT\system32\dpu11.dll
2007-03-27 07:49:04 294,912 ----a-w C:\WINNT\system32\dpu10.dll
2007-03-27 07:49:00 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
2007-03-27 07:49:00 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
2007-03-27 07:49:00 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
2007-03-27 07:49:00 639,066 ----a-w C:\WINNT\system32\DivX.dll
2007-03-27 06:03:08 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\BitTorrent
2007-03-27 04:02:52 -------- d-----w C:\Program Files\HP Photosmart 11
2007-03-26 23:58:18 -------- d-----w C:\Program Files\Viewpoint
2007-03-26 23:57:58 -------- d-----w C:\Program Files\Common Files\AOL
2007-03-26 23:55:36 335 ----a-w C:\WINNT\nsreg.dat
2007-03-19 18:14:32 -------- d-----w C:\DOCUME~1\mtorline\APPLIC~1\Sonic
2007-02-16 01:40:36 124,472 ----a-w C:\WINNT\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [01-04-16 16:39 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINNT\system32\dla\tfswshx.dll [04-03-15 01:04 ]
{CA0E3B6D-87FF-CC7A-D908-FFADDDBB759D}=C:\WINNT\system32\bdkc.dll [07-05-21 06:59 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 07:00 C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [04-08-20 14:55 ]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [04-08-20 14:51 ]
"sethook"="cmd /c start /min cmd /c c:\dell\src_path.cmd" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03-03-17 18:21 ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03-03-17 18:20 ]
"bascstray"="BascsTray.exe" []
"bacstray"="BacsTray.exe" [03-05-14 18:37 C:\WINNT\SYSTEM32\BacsTray.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03-01-31 11:27 ]
"PRPCMonitor"="PRPCUI.exe" [02-10-07 03:00 C:\WINNT\SYSTEM32\prpcui.exe]
"BuildBU"="c:\dell\bldbubg.exe" [03-05-01 16:10 ]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [02-09-20 16:46 ]
"dla"="C:\WINNT\system32\dla\tfswctrl.exe" [04-03-15 01:04 ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [03-08-19 01:01 ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [02-09-10 21:26 ]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe" [06-01-06 11:07 ]
"HPHmon04"="C:\WINNT\system32\hphmon04.exe" [06-01-06 11:07 ]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-08 23:20 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-04-28 15:05 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [03-06-20 07:00 C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Winamp Media"=C:\WINNT\system32\qmedia.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages kerberos msv1_0 schannel

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
wugroup wuauserv
BITSgroup BITS

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN

*Newly Created Service* -CORE

Contents of the 'Scheduled Tasks' folder
2007-05-23 07:00:02 C:\WINNT\tasks\At1.job
2007-05-23 08:00:02 C:\WINNT\tasks\At2.job
2007-05-23 09:00:02 C:\WINNT\tasks\At3.job
2007-05-23 10:00:00 C:\WINNT\tasks\At4.job
2007-05-23 11:00:02 C:\WINNT\tasks\At5.job
2007-05-23 12:00:02 C:\WINNT\tasks\At6.job
2007-05-23 13:00:02 C:\WINNT\tasks\At7.job
2007-05-23 14:00:02 C:\WINNT\tasks\At8.job
2007-05-23 15:00:02 C:\WINNT\tasks\At9.job
2007-05-23 16:00:02 C:\WINNT\tasks\At10.job
2007-05-23 17:00:02 C:\WINNT\tasks\At11.job
2007-05-23 18:00:02 C:\WINNT\tasks\At12.job
2007-05-23 19:00:02 C:\WINNT\tasks\At13.job
2007-05-23 20:00:02 C:\WINNT\tasks\At14.job
2007-05-23 21:00:02 C:\WINNT\tasks\At15.job
2007-05-23 22:00:02 C:\WINNT\tasks\At16.job
2007-05-23 23:00:02 C:\WINNT\tasks\At17.job
2007-05-24 00:00:02 C:\WINNT\tasks\At18.job
2007-05-24 01:00:02 C:\WINNT\tasks\At19.job
2007-05-24 02:00:02 C:\WINNT\tasks\At20.job
2007-05-24 03:00:02 C:\WINNT\tasks\At21.job
2007-05-24 04:00:02 C:\WINNT\tasks\At22.job
2007-05-23 05:00:02 C:\WINNT\tasks\At23.job
2007-05-22 06:00:02 C:\WINNT\tasks\At24.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-23 21:37:32
Windows 5.0.2195 Service Pack 4 FAT

scanning hidden processes ...

? [1468]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-23 21:38:27 - machine was rebooted
C:\ComboFix2.txt ... 07-05-22 11:11
C:\ComboFix-quarantined-files.txt ... 07-05-23 21:38

--- E O F ---
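The "Files Created" section of the ComboFix log above is what the helper worked from to pick out core.sys and the T1QaSQ/T3/T4/T6/TQ0 directories. As an added example (not part of the thread, and not ComboFix's or SDFix's own code), here is a small Python triage script that parses lines in that layout and applies a few defender's heuristics: a new .sys under system32\drivers, a directory carrying both the hidden and system attributes, an executable too small to be a real PE image (the 2-byte wnstsicomsv32.exe), a name containing a character the listing could not render (the F?nts entry; '?' is not a legal Windows file-name character), and, as a second pass, anything created in the same minute as a flagged driver. The sample lines are copied from the log in this thread; the flag names, the 1024-byte threshold and the same-minute rule are my own assumptions, not anything the tools or the helper state.

```python
"""Triage helper for the ComboFix 'Files Created' listing (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix log above, in its own
# "date time size-or-<DIR> attribute-flags path" layout.  The '?' in F?nts is
# how the page rendered a character it could not display; since '?' is not
# legal in a Windows file name, its presence means the real name is non-ASCII.
SAMPLE_LOG = """\
2007-05-23 21:36 16,384 --a----t- C:\\WINNT\\SYSTEM32\\Perflib_Perfdata_3a8.dat
2007-05-22 23:45 60,928 --a------ C:\\WINNT\\SYSTEM32\\bdkc.dll
2007-05-21 23:08 2 --a------ C:\\WINNT\\SYSTEM32\\wnstsicomsv32.exe
2007-05-21 22:58 72,320 --------- C:\\WINNT\\SYSTEM32\\DRIVERS\\core.sys
2007-05-21 22:58 <DIR> d-------- C:\\WINNT\\SYSTEM32\\T1QaSQ
2007-05-20 16:01 <DIR> d-------- C:\\Program Files\\SUPERAntiSpyware
2007-04-30 16:36 <DIR> d--hs---- C:\\WINNT\\QWxsZWdpYW5jZQ
2007-04-28 14:25 <DIR> dr--s---- C:\\WINNT\\F?nts
2007-04-28 19:03 892,928 --a------ C:\\WINNT\\SYSTEM32\\NCTAudioInformation.dll
"""

# ComboFix prints nine attribute positions, e.g. "d--hs----":
# d=directory, r=read-only, a=archive, h=hidden, s=system, t=temporary.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")
MIN_PE_SIZE = 1024  # assumed threshold: a real PE image cannot be 2 bytes long


@dataclass
class Entry:
    when: str                 # "YYYY-MM-DD HH:MM", minute resolution
    size: Optional[int]       # None for directories
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse(text: str) -> List[Entry]:
    """Parse every line that matches the ComboFix layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(f"{m['date']} {m['time']}", size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach heuristic flags; return only the entries that got at least one."""
    for e in entries:
        low = e.path.lower()
        if not e.is_dir and "\\system32\\drivers\\" in low and low.endswith(".sys"):
            e.flags.append("new-kernel-driver")      # core.sys on this page
        if e.is_dir and "h" in e.attrs and "s" in e.attrs:
            e.flags.append("hidden+system-dir")      # invisible in Explorer by default
        if e.size is not None and low.endswith(EXEC_EXT) and e.size < MIN_PE_SIZE:
            e.flags.append("too-small-for-pe")       # a 2-byte .exe is not a valid image
        if "?" in e.name or any(ord(c) > 126 for c in e.name):
            e.flags.append("non-ascii-name")         # possible look-alike of a system folder
    # Second pass: anything dropped in the same minute as a new driver is
    # probably part of the same installer, even if it looks bland on its own.
    by_minute: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_minute[e.when].append(e)
    for e in entries:
        if e.flags:
            continue
        if any("new-kernel-driver" in other.flags
               for other in by_minute[e.when] if other is not e):
            e.flags.append("same-minute-as-driver")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"{e.when}  {e.path:50}  {', '.join(e.flags)}")
```

Run as-is it lists core.sys, T1QaSQ, wnstsicomsv32.exe, QWxsZWdpYW5jZQ and F?nts and leaves the Perflib, SUPERAntiSpyware and DivX-era entries alone. Note what it does not catch: bdkc.dll (60 KB, archive attribute, created on its own at 23:45) looks unremarkable in the file listing and was only identified in this thread through the O2 BHO line and the "Reg Loading Points" section, so a file-listing pass has to be read together with the autostart sections rather than on its own.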

#11 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

Please then reboot your computer in Safe Mode (without Networking) by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the C:\SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


#12 ptorline (Member, Topic Starter, 17 posts)

SDFix: Version 1.84

Run by MTorline - Thu 2007-05-24 - 20:37:37.47

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core

ImagePath:
system32\drivers\core.sys

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\drivers\core.cache.dsk - Deleted
C:\WINNT\system32\drivers\core.sys - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINNT\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\??pPatch\nopdb.exe
C:\Program Files\STOPzilla!\swin32z.sys
C:\Documents and Settings\mtorline\My Documents\~WRL1051.tmp
C:\Documents and Settings\mtorline\Application Data\Microsoft\Word\~WRL0389.tmp
C:\Program Files\InterActual\InterActual Player\itiB.tmp

Finished

#13 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Set your computer to show hidden files as directed HERE

Then use Windows Explorer to find and delete the following FOLDER:

C:\Program Files\??pPatch. The ?? will be replaced by letters/numbers. The folder will have a regular name (may be apPatch), but if you are unsure, check inside the folder and nopdb.exe will be there.

Next please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\SYSTEM32\T1QaSQ\T1QaSQ1065.exe
    C:\WINNT\SYSTEM32\T3\DLLTK67.EXE
    C:\WINNT\SYSTEM32\T4\D5LL.EXE
    C:\WINNT\SYSTEM32\T6\DLWR.EXE
    C:\WINNT\SYSTEM32\TQ0\DLL2.EXE

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (just please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

After reboot post a final(?) HijackThis log and let me know how the computer is running.

P.S. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Edited by jwbirdsong, 24 May 2007 - 11:32 PM.


#14 ptorline (Member, Topic Starter, 17 posts)

It seems to be running a lot quicker now, and I haven't had a pop-up yet, but I will see. Thank you very much.



Logfile of HijackThis v1.99.1
Scan saved at 20:54, on 2007-05-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\system32\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9334A4C1-19AC-4B10-8D0F-AC5E370D5C38}: NameServer = 208.67.222.222,208.67.220.220,208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Allegiancecapital.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

#15 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Good job, your log is clean.

You can delete the ComboFix, SDFix and C:\!Killbox folders/files now.

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content",
(You will have to re-enter passwords at websites that require them.)
Click OK

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the links in the following article by TonyKlein.

Make SURE to read How Did I Get Infected in the First Place??