Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win?.tmp is sprouting files in my TEMP Folder


  • Please log in to reply

#1
Namic

Namic

    New Member

  • Member
  • Pip
  • 6 posts
Everything started with that dreaded winantvirus2007. One day I logged onto my computer and found it fully insalled. I had never installed this program before and was wondering where it came from or who installed it without my consent. Guess what I tried to delete it and unistall it. I thought I got rid of it but then it came back with new popups and programs. I stopped some of them with the msconfig>Start tab and by deleting some of them but some of them came back and new ones kept loading onto my computer. I realized their must be some hidden program running in the background of my computer that is sending messages to my iexplorer.exe. I can't find it. Recently I found that their was a new process running on my compter called WinBDB.tmp. I deleted it but all these other lookalike files just kept coming back. I am no computer Wiz, but I'm trying. I would like to enjoy my online experience, but these popups are making it irritating. The most annoying sofar is that damned ucleaner_setup.exe process and the Drive cleaner popup. Can some one help me get to the bottom of this. I would like to get rid of that Win???.tmp and the source of all these problems. Please Please Help me. Here is my Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:38 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\cadix\screen saver\cssCtrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PENSOFT\Quick95.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [biggoufA] C:\WINDOWS\biggoufA.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwon.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\rdamttlj.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Atnt] "C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe" -vt yazb
O4 - Startup: Quick StartUp.lnk = C:\PENSOFT\fquick32.exe
O4 - Startup: Shortcut to JoyToKey (2).lnk = C:\Documents and Settings\Dimitri\My Documents\PC updates\jtk379en\JoyToKey.exe
O4 - Startup: Start.lnk = C:\PENSOFT\Quick95.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: CADIX Screen Saver Control.lnk = C:\cadix\screen saver\cssCtrl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185561151500
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsof...cure/ocarpt.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\biggouf.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\disoso.html

--
End of file - 8299 bytes


What should I do?
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Namic, I'm just looking over your log and will get back to you soon.
  • 0

#3
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Namic, my name is Rorschach and I'll be helping you with your problems.


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


So in your next reply please post the following : the VundoFix text, the SmitfraudFix report, a new HijackThis log, and tell me how your PC is running now and if you had any problems.
  • 0

#4
Namic

Namic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Rorschach I followed your instructions and my computer is running smoothly with the exception that win???.tmp files are still sprouting up in my C:\Windows\Temp Folder. Other than that ....Awesome!

Here are my logs

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:38 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\cadix\screen saver\cssCtrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PENSOFT\Quick95.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27B00AA0-E20D-409D-B209-FC575A04DD96} - C:\WINDOWS\System32\geebx.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [biggoufA] C:\WINDOWS\biggoufA.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Atnt] "C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe" -vt yazb
O4 - Startup: Quick StartUp.lnk = C:\PENSOFT\fquick32.exe
O4 - Startup: Shortcut to JoyToKey (2).lnk = C:\Documents and Settings\Dimitri\My Documents\PC updates\jtk379en\JoyToKey.exe
O4 - Startup: Start.lnk = C:\PENSOFT\Quick95.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: CADIX Screen Saver Control.lnk = C:\cadix\screen saver\cssCtrl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185561151500
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsof...cure/ocarpt.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\biggouf.exe (file missing)

--
End of file - 8977 bytes



And Here is the

Rapport:

SmitFraudFix v2.212

Scan done at 14:10:52.50, Fri 08/17/2007
Run from C:\Documents and Settings\Dimitri\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\mgrs.exe Deleted
C:\WINDOWS\system32\drvwon.dll Deleted
C:\Documents and Settings\Dimitri\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{791F5B42-8A7E-490A-9788-94DD5BC25068}: DhcpNameServer=192.168.2.1 68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{791F5B42-8A7E-490A-9788-94DD5BC25068}: DhcpNameServer=192.168.2.1 68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{791F5B42-8A7E-490A-9788-94DD5BC25068}: DhcpNameServer=192.168.2.1 68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.68.162 68.87.74.162


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Is there anything else I should do and should I be worried about the win???.tmp files constantly loading in my C:\Windows\Temp Folder?
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Namic, I have to split this post into two due to length, so make sure you read below as well.

Is there anything else I should do and should I be worried about the win???.tmp files constantly loading in my C:\Windows\Temp Folder?

We have a bit left to do, we will deal with that temp file now :whistling:


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.


@echo off
sc stop DomainService
sc delete DomainService
sc stop "Net Agent"
sc delete "Net Agent"
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"
exit


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in FixService.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find FixService.bat on your Desktop and Double click it
A window will open and close, do not be concerned this is normal.



1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Edited by Rorschach112, 18 August 2007 - 06:33 AM.

  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {27B00AA0-E20D-409D-B209-FC575A04DD96} - C:\WINDOWS\System32\geebx.dll (file missing)
O4 - HKLM\..\Run: [biggoufA] C:\WINDOWS\biggoufA.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [Atnt] "C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe" -vt yazb
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\biggouf.exe (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Finally :

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\biggoufA.exe
    C:\WINDOWS\svhost.exe
    C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe
    C:\WINDOWS\SYSTEM32\winccf32.dll
    C:\WINDOWS\System32\qwerty12.exe
    C:\WINDOWS\dls0523pmw.exe
    C:\WINDOWS\biggouf.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.


So in your next reply please post the following : the ComboFix log, a new HijackThis log, the OTMoveIt results, tell me how your PC is running and if you had any problems.
  • 0

#7
Namic

Namic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
So Far so Good...I've completed step 1 and I'm moving on to step 2. Here is the Log that was created by CobmoFix.exe:

ComboFix 07-08-14.4 - "Dimitri" 2007-08-18 14:47:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.263 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\sstem~1\ati2evxx.exe
C:\Program Files\Common Files\sstem~1\s?stem\
C:\Program Files\Common Files\vixy83122.dll
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\b122.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\scurit~1
C:\WINDOWS\smbols~1
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\agpjymeb.exe
C:\WINDOWS\system32\aothubsm.exe
C:\WINDOWS\system32\atchhasy.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\bcygrrvl.exe
C:\WINDOWS\system32\beahyihl.exe
C:\WINDOWS\system32\bhlldevw.exe
C:\WINDOWS\system32\bqrsdpyd.exe
C:\WINDOWS\system32\bwhfmovo.exe
C:\WINDOWS\system32\cbxwvst.dll
C:\WINDOWS\system32\cgqqksdi.exe
C:\WINDOWS\system32\ckbrivii.exe
C:\WINDOWS\system32\cvhkgjtf.exe
C:\WINDOWS\system32\dkquenda.exe
C:\WINDOWS\system32\dlfcmtjx.dll
C:\WINDOWS\system32\dplexexp.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dvydupdk.exe
C:\WINDOWS\system32\edeifhqp.exe
C:\WINDOWS\system32\edyituxu.exe
C:\WINDOWS\system32\eorrdyhm.exe
C:\WINDOWS\system32\eyfycrpl.exe
C:\WINDOWS\system32\fvranttj.exe
C:\WINDOWS\system32\fxhokjnj.exe
C:\WINDOWS\system32\fypuiubr.exe
C:\WINDOWS\system32\gcyoigjd.exe
C:\WINDOWS\system32\genccwmg.exe
C:\WINDOWS\system32\gydbikhx.exe
C:\WINDOWS\system32\heiptgww.exe
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\hsbrebip.exe
C:\WINDOWS\system32\ixicqjha.exe
C:\WINDOWS\system32\jaeycwvw.exe
C:\WINDOWS\system32\jqvdxlbl.exe
C:\WINDOWS\system32\jsoiiuso.exe
C:\WINDOWS\system32\jstnysmw.exe
C:\WINDOWS\system32\kbpfkaiq.exe
C:\WINDOWS\system32\kcbjtoag.exe
C:\WINDOWS\system32\kuappdfx.exe
C:\WINDOWS\system32\kxbgqhqw.exe
C:\WINDOWS\system32\kyvfvgyc.exe
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L1\mwspasrt83122.exe
C:\WINDOWS\system32\L11
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\lerldjeg.exe
C:\WINDOWS\system32\lhnbyplp.exe
C:\WINDOWS\system32\ljjhhhi.dll
C:\WINDOWS\system32\lkmmdbap.exe
C:\WINDOWS\system32\matskvks.exe
C:\WINDOWS\system32\mgqelumd.exe
C:\WINDOWS\system32\mhyiaekd.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msvojswu.exe
C:\WINDOWS\system32\nqrrgikv.exe
C:\WINDOWS\system32\nxybcbak.exe
C:\WINDOWS\system32\odiwewmj.exe
C:\WINDOWS\system32\ohnoyddu.exe
C:\WINDOWS\system32\ojvkuecw.exe
C:\WINDOWS\system32\otoikamk.exe
C:\WINDOWS\system32\owvialbl.exe
C:\WINDOWS\system32\oyfbeers.exe
C:\WINDOWS\system32\pjbdgqpp.exe
C:\WINDOWS\system32\pjykbxth.exe
C:\WINDOWS\system32\plhdxdcm.exe
C:\WINDOWS\system32\pshqxlgw.exe
C:\WINDOWS\system32\ptnawdjq.exe
C:\WINDOWS\system32\quskymdv.exe
C:\WINDOWS\system32\qvnmhwgl.exe
C:\WINDOWS\system32\rbdloevl.exe
C:\WINDOWS\system32\rggxogpo.exe
C:\WINDOWS\system32\risksxrx.exe
C:\WINDOWS\system32\rmktmbga.exe
C:\WINDOWS\system32\rqesprwf.exe
C:\WINDOWS\system32\sldtvfxt.exe
C:\WINDOWS\system32\sqegyhhn.exe
C:\WINDOWS\system32\ssqrsqp.dll
C:\WINDOWS\system32\svraaqot.exe
C:\WINDOWS\system32\thiicwny.exe
C:\WINDOWS\system32\tpebwela.exe
C:\WINDOWS\system32\uchrcakl.exe
C:\WINDOWS\system32\uqgclrfw.exe
C:\WINDOWS\system32\uqhhvoma.exe
C:\WINDOWS\system32\vcqkbhjm.exe
C:\WINDOWS\system32\vflhdray.exe
C:\WINDOWS\system32\vkvyrsch.exe
C:\WINDOWS\system32\vpkmyxvq.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winccf32.dll
C:\WINDOWS\system32\wvnmlkkd.exe
C:\WINDOWS\system32\wxhaasyd.exe
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak2
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.tmp
C:\WINDOWS\system32\xjydmilc.exe
C:\WINDOWS\system32\xqlaphrh.exe
C:\WINDOWS\system32\xqxngxcw.exe
C:\WINDOWS\system32\yakdfkum.exe
C:\WINDOWS\system32\ydiuydfr.exe
C:\WINDOWS\system32\yetbhkce.exe
C:\WINDOWS\system32\yhrfatbq.exe
C:\WINDOWS\system32\ypcpjtar.exe
C:\WINDOWS\system32\ysqqiwjq.exe
C:\WINDOWS\system32\ytkeoian.exe
C:\WINDOWS\system32\yyewwwtl.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\ApiMon
-------\core


((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


2007-08-18 14:46 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 14:46 1,417,160 --a------ C:\ComboFix.exe
2007-08-18 14:38 50,688 --a------ C:\ATF-Cleaner.exe
2007-08-17 13:47 111,616 --a------ C:\VundoFix.exe
2007-08-17 13:47 <DIR> d-------- C:\VundoFix Backups
2007-08-17 13:44 <DIR> d-------- C:\bintheredunthat
2007-08-17 13:31 <DIR> d-------- C:\BFU
2007-08-16 14:12 812,344 --a------ C:\HJTsetup.exe
2007-08-16 14:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-15 11:58 43,542 --a------ C:\WINDOWS\system32\iifghee.dll
2007-08-11 17:29 <DIR> d-------- C:\WINDOWS\pss
2007-08-11 13:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-10 16:31 <DIR> d-------- C:\DOCUME~1\Dimitri\APPLIC~1\System Tweaker
2007-08-10 11:58 <DIR> d-------- C:\Program Files\Uniblue
2007-08-10 11:58 <DIR> d-------- C:\DOCUME~1\Dimitri\APPLIC~1\Uniblue
2007-08-05 21:43 <DIR> d-------- C:\Program Files\DivX
2007-08-05 20:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-05 20:37 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-28 14:37 126,016 --a------ C:\WINDOWS\system32\ovpknver.dll
2007-07-28 11:02 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-27 17:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-27 12:50 <DIR> d-------- C:\Program Files\Microsoft Works
2007-07-26 19:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 13:16 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-25 05:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-25 05:21 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-07-25 05:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-07-25 05:21 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-07-25 03:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-24 13:31 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-07-23 12:53 <DIR> d-------- C:\bdc53f2d4b31aa9579f703f36da5
2007-07-23 07:01 851,968 -----c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-23 07:01 536,576 -----c--- C:\WINDOWS\system32\dllcache\msado15.dll
2007-07-23 07:01 332,928 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2007-07-23 07:01 225,664 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2007-07-23 07:01 200,704 -----c--- C:\WINDOWS\system32\dllcache\msadox.dll
2007-07-23 07:01 180,224 -----c--- C:\WINDOWS\system32\dllcache\msadomd.dll
2007-07-23 07:01 102,400 -----c--- C:\WINDOWS\system32\dllcache\msjro.dll
2007-07-23 07:01 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2007-07-23 07:00 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys
2007-07-23 07:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\agentdpv.dll
2007-07-23 07:00 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll
2007-07-23 07:00 433,152 -----c--- C:\WINDOWS\system32\dllcache\riched20.dll
2007-07-23 07:00 42,496 -----c--- C:\WINDOWS\system32\dllcache\agentdp2.dll
2007-07-23 07:00 359,808 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-07-23 07:00 256,512 -----c--- C:\WINDOWS\system32\dllcache\agentsvr.exe
2007-07-23 07:00 181,248 -----c--- C:\WINDOWS\system32\dllcache\rasmans.dll
2007-07-23 06:58 8,192 -----c--- C:\WINDOWS\system32\dllcache\rasadhlp.dll
2007-07-23 06:58 148,480 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-07-23 06:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-23 04:48 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-23 04:48 <DIR> d-------- C:\Program Files\CleanMyPC
2007-07-23 02:07 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-23 01:57 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-23 01:47 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-07-23 01:47 9,728 --a------ C:\WINDOWS\system32\comsdupd.exe
2007-07-23 01:47 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-07-23 01:47 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2007-07-23 01:47 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-07-23 01:47 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys
2007-07-23 01:47 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
2007-07-23 01:47 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-07-23 01:47 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-07-23 01:47 452,736 --------- C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-07-23 01:47 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2007-07-23 01:47 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys
2007-07-23 01:47 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2007-07-23 01:47 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2007-07-23 01:47 41,088 --------- C:\WINDOWS\system32\drivers\sisagp.sys
2007-07-23 01:47 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2007-07-23 01:47 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-07-23 01:47 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-07-23 01:47 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2007-07-23 01:47 37,376 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-07-23 01:47 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-07-23 01:47 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2007-07-23 01:47 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2007-07-23 01:47 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-07-23 01:47 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-07-23 01:47 32,768 --a------ C:\WINDOWS\system32\asr_pfu.exe
2007-07-23 01:47 31,744 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-07-23 01:47 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-07-23 01:47 30,080 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-07-23 01:47 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2007-07-23 01:47 3,901 --------- C:\WINDOWS\system32\drivers\siint5.dll
2007-07-23 01:47 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2007-07-23 01:47 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2007-07-23 01:47 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2007-07-23 01:47 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2007-07-23 01:47 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2007-07-23 01:47 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2007-07-23 01:47 29,056 --------- C:\WINDOWS\system32\drivers\ip6fw.sys
2007-07-23 01:47 28,672 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys
2007-07-23 01:47 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys
2007-07-23 01:47 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2007-07-23 01:47 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys
2007-07-23 01:47 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2007-07-23 01:47 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2007-07-23 01:47 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-18 14:45 --------- d-------- C:\DOCUME~1\Dimitri\APPLIC~1\ComcastToolbar
2007-07-25 05:26 --------- d-------- C:\Program Files\Messenger
2007-07-24 10:45 26468 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-24 10:45 11180 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-07-23 02:01 2722 --a------ C:\WINDOWS\pchealth\HELPCTR\PackageStore\SkuStore.bin
2007-07-23 01:58 8972 --a------ C:\WINDOWS\pchealth\HELPCTR\Config\Cntstore.bin
2007-07-23 01:46 --------- d-------- C:\Program Files\Movie Maker
2007-07-23 01:34 --------- d-------- C:\Program Files\Windows NT
2007-07-15 23:59 --------- d-------- C:\DOCUME~1\Dimitri\APPLIC~1\Google
2007-07-13 13:05 --------- d-------- C:\DOCUME~1\Dimitri\APPLIC~1\HP
2007-07-13 13:03 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-07-13 13:02 --------- d-------- C:\Program Files\Common Files\HP
2007-07-13 12:58 --------- d-------- C:\Program Files\HP
2007-07-13 12:58 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-13 12:57 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-07-12 16:39 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-12 15:51 --------- d-------- C:\Program Files\3D Flash Animator 4.9.5
2007-07-12 15:49 --------- d-------- C:\Program Files\Common Files\Macromedia Shared
2007-07-12 15:09 --------- d-------- C:\Program Files\Google
2007-07-05 00:08 --------- d-------- C:\Program Files\QuickTime
2007-06-27 12:42 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-26 17:40 --------- d-------- C:\Program Files\support.com
2007-06-26 17:21 --------- d-------- C:\Program Files\Common Files\Scanner
2007-06-26 17:21 --------- d-------- C:\Program Files\ComcastToolbar
2007-06-26 10:09 658944 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-22 19:45 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-22 19:21 --------- d-------- C:\DOCUME~1\Dimitri\APPLIC~1\Help
2007-06-22 19:18 --------- d-------- C:\Program Files\Common Files\Ravisent Shared
2007-06-22 19:18 --------- d-------- C:\Program Files\ATI Multimedia
2007-06-22 19:00 --------- d-------- C:\DOCUME~1\Dimitri\APPLIC~1\InterTrust
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 -----c--- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 -----c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 -----c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 -----c--- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 -----c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 -----c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 -----c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 -----c--- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 -----c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 -----c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 -----c--- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 -----c--- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 -----c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 -----c--- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 -----c--- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 -----c--- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-09 04:57 93 --a------ C:\WINDOWS\Info.Com
2007-06-09 04:56 82432 --a------ C:\WINDOWS\system32\Wrting32.Dll
2007-06-09 04:56 53728 --a------ C:\WINDOWS\rmfile.exe
2007-06-09 04:56 43664 --a------ C:\WINDOWS\addrun.exe
2007-06-09 04:56 347648 --a------ C:\WINDOWS\system32\ScrSav.Scr
2007-06-09 04:56 271360 --a------ C:\WINDOWS\system32\InkPanel.Dll
2007-06-09 04:54 27632 --a------ C:\WINDOWS\system\Ctl3DV2.Dll
2006-02-19 03:28 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27B00AA0-E20D-409D-B209-FC575A04DD96}]
C:\WINDOWS\System32\geebx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2005-04-25 17:01 C:\WINDOWS\system32\atwtusb.exe]
"PenLock"="" []
"AtiPTA"="atiptaxx.exe" [2001-10-27 01:32 C:\WINDOWS\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-05 00:05]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"biggoufA"="C:\WINDOWS\biggoufA.exe" []
"svhost"="C:\WINDOWS\svhost.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 11:57]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2001-10-02 15:23]
"Uniblue SpyEraser"="" []
"Atnt"="C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe" []

C:\Documents and Settings\Dimitri\Start Menu\Programs\Startup\
Quick StartUp.lnk - C:\PENSOFT\fquick32.exe [2007-06-09 04:56:37]
Shortcut to JoyToKey (2).lnk - C:\Documents and Settings\Dimitri\My Documents\PC updates\jtk379en\JoyToKey.exe [2007-06-22 15:44:26]
Start.lnk - C:\PENSOFT\Quick95.exe [2007-06-09 04:56:37]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-31 09:41:24]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Album Fast Start.lnk - C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe [2007-06-09 05:02:36]
CADIX Screen Saver Control.lnk - C:\cadix\screen saver\cssCtrl.exe [2007-06-09 04:58:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"F:\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\winBDB.tmp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magicantispy]
C:\Program Files\Magicantispy\Magicantispy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
"C:\WINDOWS\poolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

R1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
R2 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\atintuxx.sys
R2 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinxsxx.sys
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS
R2 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\system32\DRIVERS\atinraxx.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
S2 SVKP;SVKP;\??\C:\WINDOWS\System32\SVKP.sys


Contents of the 'Scheduled Tasks' folder
2007-08-10 20:27:32 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
2007-08-10 20:27:31 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 14:51:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-18 14:53:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-18 14:53

--- E O F ---
  • 0

#8
Namic

Namic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the QTMoveit Log:

C:\WINDOWS\biggoufA.exe
C:\WINDOWS\svhost.exe
C:\PROGRA~1\COMMON~1\SSTEM~1\ati2evxx.exe
C:\WINDOWS\SYSTEM32\winccf32.dll
C:\WINDOWS\System32\qwerty12.exe
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\biggouf.exe

Created on 08/18/2007 15:13:22

And Here is the Higjackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:48 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\cadix\screen saver\cssCtrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PENSOFT\Quick95.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dimitri\Desktop\OTMoveIt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Startup: Quick StartUp.lnk = C:\PENSOFT\fquick32.exe
O4 - Startup: Shortcut to JoyToKey (2).lnk = C:\Documents and Settings\Dimitri\My Documents\PC updates\jtk379en\JoyToKey.exe
O4 - Startup: Start.lnk = C:\PENSOFT\Quick95.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: CADIX Screen Saver Control.lnk = C:\cadix\screen saver\cssCtrl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185561151500
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsof...cure/ocarpt.CAB
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8024 bytes





Well in short that nasty little Win???.tmp problem seems to be gone. I don't see it sprouting up miscelaneous files and my web browsing seems to be a lot faster with out many interuptions from popups or error messages. I really appreciate your help. You are amazing! How did you figure this out? Do you have any pointers on how I can avoid these problems from happening again?
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Namic

I really appreciate your help. You are amazing! How did you figure this out? Do you have any pointers on how I can avoid these problems from happening again?

There was much reading and learning involved :whistling: Yes I will give you tips at the end in how to prevent this happening again. We still have a little work left though.



Open notepad (Start > Run and type notepad > click Ok) and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\iifghee.dll
C:\WINDOWS\system32\ovpknver.dll
C:\WINDOWS\system32\Wrting32.Dll
C:\WINDOWS\rmfile.exe
C:\WINDOWS\addrun.exe
C:\WINDOWS\system32\ScrSav.Scr
C:\WINDOWS\system32\InkPanel.Dll
C:\WINDOWS\TEMP\winBDB.tmp.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\retadpu77.exe

Folder::
C:\WINDOWS\Info.Com
C:\Program Files\Magicantispy
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\WinPop

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magicantispy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27B00AA0-E20D-409D-B209-FC575A04DD96}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"biggoufA"=-
"svhost"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atnt"=-



Save this as CFScript

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

Run ComboFix again and post the resultant log file please.



Next :

Please run HijackThis, click "Do a system scan only" and check this entry

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close all windows except for HijackThis and click "Fix checked".



* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

So in your next reply I need to see the following : the ComboFix log, the Dr. Web Cureit report, a new HijackThis log, and tell me how your PC is running now and if you had any problems.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP