Geeks to Go
Pop-ups Everywhere [SOLVED] [RESOLVED]


#1
broken98

broken98

    Member

  • Member
  • 74 posts
I'm getting killed by pop-ups of all kinds, help is really needed.
Here's my first log.
Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 3:36:11 AM, on 8/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\FotomatDeviceConnect.exe
C:\Program Files\MSN\mege22011.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\rlqanuvt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lanny\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\FotomatDeviceConnect.exe
O4 - HKLM\..\Run: [mege] C:\Program Files\MSN\mege22011.exe
O4 - HKLM\..\Run: [{D4-45-57-70-ZN}] C:\DOCUME~1\lisa\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\wayougrh.dll",forkonce
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activatio...oad/tgctlcm.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\MHC Interactive\GEDONLINE\cab\awswax70.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109555465843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172481116531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\rlqanuvt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
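The entries in this log that the replies further down act on share a few tell-tale shapes: a Run entry launched from a Temp folder, an autorun that only loads a DLL through rundll32.exe, a service with no vendor string at all, and a text/html MIME filter. The script below is an added illustration, not code from this thread, from HijackThis or from the forum's helpers: it parses HijackThis-style lines and applies exactly those checks, plus two "verify by hand" rules for orphaned entries. The sample lines are copied from the log above (with benign entries from the same log mixed in); the severity labels and rule wording are my own assumptions, and the script is a reading aid for triage, not a removal tool.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in the post above,
# mixed with benign entries from the same log so both kinds go through the rules.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [{D4-45-57-70-ZN}] C:\DOCUME~1\lisa\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\wayougrh.dll",forkonce
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\rlqanuvt.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)
"""

# "O4 - body", "R3 - body", "F2 - body": section tag, then the entry itself.
LINE_RE = re.compile(r'^(?P<sec>[RFO]\d+) - (?P<body>.*)$')
# O4 Run entries: "<hive>\..\Run: [<name>] <command line>"
RUN_RE = re.compile(r'^[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 services: "Service: <name> - <vendor> - <path>"; the \s* tolerates an empty vendor.
SVC_RE = re.compile(r'^Service: (?P<name>.*?) -\s*(?P<vendor>.*?)\s*- (?P<path>.*)$')
# O16 ActiveX entry with a GUID but no name and no source URL.
DPF_ORPHAN_RE = re.compile(r'^DPF: \{[0-9A-Fa-f-]+\}\s*-\s*$')


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high" = act on it, "low" = verify by hand (assumed labels)
    reason: str
    line: str


def check_o4(body):
    """Autorun rules: launched from Temp, or a bare DLL loaded via rundll32."""
    m = RUN_RE.match(body)
    cmd = m['cmd'] if m else body          # Global Startup lines have no [name]
    if re.search(r'\\temp\\', cmd, re.I):
        return 'high', 'autorun launches an executable from a Temp directory'
    if re.search(r'\brundll32(?:\.exe)?\b', cmd, re.I):
        return 'high', 'autorun loads a DLL through rundll32.exe; check the DLL has a known publisher'
    return None


def check_o23(body):
    """Service rules: vendor field empty, or vendor unknown to HijackThis."""
    m = SVC_RE.match(body)
    if not m:
        return None
    vendor = m['vendor'].strip()
    if not vendor:
        return 'high', 'service has no vendor string; Windows and real vendors fill this in'
    if vendor.lower() == 'unknown owner':
        return 'low', 'service vendor unknown; confirm the binary belongs to a known component'
    return None


def check_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m['sec'], m['body']
    verdict = None
    if sec == 'O4':
        verdict = check_o4(body)
    elif sec == 'O23':
        verdict = check_o23(body)
    elif sec == 'O18' and body.startswith('Filter:'):
        verdict = 'high', 'MIME filter hooks every page of that type IE renders; rarely legitimate'
    elif sec == 'R3' and '(no file)' in body:
        verdict = 'low', 'URLSearchHook whose target file is gone; orphan entry'
    elif sec == 'O16' and DPF_ORPHAN_RE.match(body):
        verdict = 'low', 'ActiveX download entry with no name or source URL; orphan entry'
    if verdict is None:
        return None
    return Finding(sec, verdict[0], verdict[1], line.strip())


def triage_log(text):
    """Run every rule over every line; return the findings in log order."""
    return [f for f in (check_line(l) for l in text.splitlines()) if f]


def by_severity(findings):
    """Group the flagged lines by severity for a quick summary."""
    out = {'high': [], 'low': []}
    for f in findings:
        out[f.severity].append(f.line)
    return out


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.line}")
```

Run on the sample, the four "high" findings are precisely the entries the later posts remove (thinksnet.exe, wayougrh.dll, sfcont.dll and the DomainService binary), while jusched.exe, Bonjour and the msnim protocol handler pass untouched. The rules are deliberately narrow; a real triage would also consult file signatures and a known-good list rather than path patterns alone.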

#2
jwbirdsong

jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Please download VundoFix.exe (by Atribune) to your Desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a Combofix log (below) in a reply to this thread.

    Download Combofix to your desktop.
    Doubleclick combofix.exe
    Follow the prompts.
    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. Run VundoFix at LEAST 2 times OR until you get a "No Vundo found" message.

#3
broken98

broken98

    Member

  • Topic Starter
  • Member
  • 74 posts
Thank you for the prompt.
Here are the two scans of Vundo and Combofix.

1. Vundo Scan
VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:12:30 AM 8/18/2007

Listing files found while scanning....

C:\WINDOWS\System32\bbeeg.bak1
C:\WINDOWS\System32\bbeeg.bak2
C:\WINDOWS\System32\bbeeg.ini
C:\WINDOWS\System32\bhmpkjlq.dll
C:\WINDOWS\System32\geebb.dll
C:\windows\system32\hrguoyaw.ini
C:\windows\system32\jterohsu.ini
C:\WINDOWS\System32\mljhhef.dll
C:\windows\system32\mniknjhp.dll
C:\windows\system32\phjnkinm.ini
C:\windows\system32\phjnkinm.ini2
C:\windows\system32\phjnkinm.tmp
C:\windows\system32\qomnoop.dll
C:\windows\system32\ssqoonk.dll
C:\windows\system32\urqqopq.dll
C:\WINDOWS\System32\ushoretj.dll
C:\windows\system32\wayougrh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\bbeeg.bak1
C:\WINDOWS\System32\bbeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\bbeeg.bak2
C:\WINDOWS\System32\bbeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\bbeeg.ini
C:\WINDOWS\System32\bbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\bhmpkjlq.dll
C:\WINDOWS\System32\bhmpkjlq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\geebb.dll
C:\WINDOWS\System32\geebb.dll Has been deleted!

Attempting to delete C:\windows\system32\hrguoyaw.ini
C:\windows\system32\hrguoyaw.ini Has been deleted!

Attempting to delete C:\windows\system32\jterohsu.ini
C:\windows\system32\jterohsu.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\mljhhef.dll
C:\WINDOWS\System32\mljhhef.dll Has been deleted!

Attempting to delete C:\windows\system32\mniknjhp.dll
C:\windows\system32\mniknjhp.dll Has been deleted!

Attempting to delete C:\windows\system32\phjnkinm.ini
C:\windows\system32\phjnkinm.ini Has been deleted!

Attempting to delete C:\windows\system32\phjnkinm.ini2
C:\windows\system32\phjnkinm.ini2 Has been deleted!

Attempting to delete C:\windows\system32\phjnkinm.tmp
C:\windows\system32\phjnkinm.tmp Has been deleted!

Attempting to delete C:\windows\system32\qomnoop.dll
C:\windows\system32\qomnoop.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqoonk.dll
C:\windows\system32\ssqoonk.dll Has been deleted!

Attempting to delete C:\windows\system32\urqqopq.dll
C:\windows\system32\urqqopq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ushoretj.dll
C:\WINDOWS\System32\ushoretj.dll Has been deleted!

Attempting to delete C:\windows\system32\wayougrh.dll
C:\windows\system32\wayougrh.dll Has been deleted!

Performing Repairs to the registry.
Done!

2. Combofix Scan
ComboFix 07-08-14.4 - "lanny" 2007-08-18 5:24:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.70 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\lanny\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\smante~1\S?mantec\
C:\Program Files\Common Files\smante~1\winlogon.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Online Services\qukadopa.dll
C:\Program Files\Online Services\qukadopa196.dll
C:\Program Files\Online Services\qukadopa408.dll
C:\Program Files\Online Services\qukadopa517.dll
C:\Program Files\Online Services\qukadopa566.dll
C:\Program Files\Online Services\qukadopa678.dll
C:\Program Files\Online Services\qukadopa772.dll
C:\Program Files\Online Services\qukadopa916.dll
C:\Program Files\Online Services\qukadopa934.dll
C:\Program Files\Online Services\qukadopa941.dll
C:\Program Files\Online Services\rteserijo.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\j?vaw.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\fibmtm.dll
C:\WINDOWS\system32\gxnasefx.exe
C:\WINDOWS\system32\tempchk
C:\WINDOWS\system32\tempchk\w86.exe
C:\WINDOWS\system32\V1
C:\WINDOWS\system32\win
C:\WINDOWS\system32\win\w7q.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z1\vt22011.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


2007-08-18 05:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 05:12 <DIR> d-------- C:\VundoFix Backups
2007-08-14 14:06 <DIR> d-------- C:\DOCUME~1\lanny\APPLIC~1\Apple Computer
2007-08-14 14:05 <DIR> d-------- C:\Program Files\Safari
2007-08-14 14:05 <DIR> d-------- C:\Program Files\Bonjour
2007-08-14 13:11 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-14 13:11 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-08-11 15:18 <DIR> d-------- C:\DOCUME~1\lisa\APPLIC~1\AlwaysNeat
2007-08-11 12:49 <DIR> d-------- C:\Program Files\Bingo MEGA


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-18 05:34 --------- d-------- C:\Program Files\Online Services
2007-08-17 07:19 --------- d-------- C:\Program Files\BearShare Music
2007-08-14 08:44 --------- d-------- C:\Program Files\MorpheusBar
2007-08-14 08:13 --------- d-------- C:\Program Files\Morpheus Premium
2007-08-14 08:13 --------- d-------- C:\Program Files\Morpheus
2007-08-14 08:12 --------- d-------- C:\Program Files\LimeWire
2007-08-14 08:08 --------- d-------- C:\Program Files\Kazaa
2007-08-14 08:07 --------- d-------- C:\Program Files\MSN Games
2007-08-14 07:14 --------- d-------- C:\Program Files\MySpace
2007-08-14 07:13 --------- d-------- C:\Program Files\Zylom Games
2007-06-25 18:19 --------- d-------- C:\Program Files\Common Files\CA Shared


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959F5B7A-3660-4F11-C692-C5CBFC030CCA}]
2007-08-18 05:34 70144 --a------ C:\Program Files\Online Services\qukadopa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8EC1F87-7A42-4E0B-A531-7E366561C0D4}]
C:\WINDOWS\System32\geebb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 20:58]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 15:31]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-19 12:56]
"ViewpointPhotosDeviceConnect"="C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\FotomatDeviceConnect.exe" [2007-02-24 15:34]
"mege"="C:\Program Files\MSN\mege22011.exe" [2007-08-07 16:30]
"{D4-45-57-70-ZN}"="C:\DOCUME~1\lisa\LOCALS~1\Temp\thinksnet.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-06-05 11:58:41]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= C:\Program Files\Online Services\rteserijo.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\System32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 05:33:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-18 5:35:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-18 05:35

--- E O F ---

#4
jwbirdsong

jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Open Notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\MSN\mege22011.exe
C:\DOCUME~1\lisa\LOCALS~1\Temp\thinksnet.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959F5B7A-3660-4F11-C692-C5CBFC030CCA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8EC1F87-7A42-4E0B-A531-7E366561C0D4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mege"=-
"{D4-45-57-70-ZN}"=-

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= -

Save this as CFScript.txt

Then drag/drop the CFScript.txt onto ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply. Also do/post the following (no need to wait for it to post the Combofix log):

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content",
(You will have to re-enter passwords at websites that require them.)
Click OK

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log

Edited by jwbirdsong, 18 August 2007 - 08:59 AM.

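Before dropping a script like the one above onto ComboFix, it helps to read it back as a plain list of the actions it requests. The following Python is an added example, not ComboFix's own code and not anything posted in this thread: it parses the File::, Folder:: and Registry:: sections of that script (copied here as constructed input) into delete actions and reports lines it cannot account for. It assumes the Registry:: section follows regedit's .reg conventions, where [-KEY] removes a whole key and "name"=- removes one value under the key named on the preceding bracket line; tolerating the unquoted, space-padded `Source= -` line is likewise my assumption, as is rejecting file paths that are not absolute.

```python
import re
from dataclasses import dataclass

# Constructed input: the CFScript from the post above, verbatim.
CFSCRIPT = r"""File::
C:\Program Files\MSN\mege22011.exe
C:\DOCUME~1\lisa\LOCALS~1\Temp\thinksnet.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959F5B7A-3660-4F11-C692-C5CBFC030CCA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8EC1F87-7A42-4E0B-A531-7E366561C0D4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mege"=-
"{D4-45-57-70-ZN}"=-

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= -
"""


@dataclass(frozen=True)
class Action:
    kind: str        # delete_file | delete_folder | delete_key | delete_value
    target: str      # file/folder path, or registry key
    name: str = ''   # value name, only for delete_value


SECTION_RE = re.compile(r'^(?P<name>[A-Za-z]+)::\s*$')       # "File::", "Registry::"
KEY_RE = re.compile(r'^\[(?P<minus>-?)(?P<key>[^\]]+)\]$')    # "[KEY]" or "[-KEY]"
VALUE_DELETE_RE = re.compile(r'^"?(?P<name>[^"=]*?)"?\s*=\s*-\s*$')  # "name"=-  or  name= -
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')                      # must start with a drive letter


def parse_cfscript(text):
    """Return (actions, errors): the planned deletions and any lines not understood."""
    actions, errors = [], []
    section, current_key = None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m['name'].lower(), None
            continue
        if section in ('file', 'folder'):
            if not ABS_PATH_RE.match(line):
                errors.append(f'line {n}: {section} entry is not an absolute path: {line!r}')
            else:
                actions.append(Action('delete_' + section, line))
        elif section == 'registry':
            km = KEY_RE.match(line)
            if km:
                if km['minus']:                      # [-KEY]: whole key goes, nothing may follow it
                    actions.append(Action('delete_key', km['key']))
                    current_key = None
                else:                                # [KEY]: value lines below refer to this key
                    current_key = km['key']
                continue
            vm = VALUE_DELETE_RE.match(line)
            if vm and current_key:
                actions.append(Action('delete_value', current_key, vm['name']))
            else:
                errors.append(f'line {n}: unsupported registry line or no open key: {line!r}')
        else:
            errors.append(f'line {n}: data outside a known section: {line!r}')
    return actions, errors


def summarize(actions):
    """Count planned actions per kind, for a one-glance review."""
    counts = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == '__main__':
    acts, errs = parse_cfscript(CFSCRIPT)
    for a in acts:
        print(a.kind.ljust(13), a.target, a.name)
    print('summary:', summarize(acts), 'errors:', errs)
```

On the script above this yields two file deletions, one folder deletion, two key deletions and three value deletions, with no errors; a relative path under File:: or a value line that is not beneath an open [KEY] is reported instead of being silently accepted, which is the kind of check worth doing before handing a script to a tool that acts on it without further confirmation.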

#5
broken98

broken98

    Member

  • Topic Starter
  • Member
  • 74 posts
IE had an error message when trying to use Panda, but I did the Combofix as you requested and emptied all the cache, cookies and temp files. Here is the new Combo log and a Hijack log.


ComboFix 07-08-14.4 - "lanny" 2007-08-19 8:39:12.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.47 [GMT -4:00]


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-18 20:40 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-08-18 20:40 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2007-08-18 20:40 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-08-18 20:40 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2007-08-18 20:40 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2007-08-18 20:39 <DIR> d-------- C:\Garmin
2007-08-18 06:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-18 05:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 14:06 <DIR> d-------- C:\DOCUME~1\lanny\APPLIC~1\Apple Computer
2007-08-14 14:05 <DIR> d-------- C:\Program Files\Safari
2007-08-14 14:05 <DIR> d-------- C:\Program Files\Bonjour
2007-08-14 13:11 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-14 13:11 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-08-11 15:18 <DIR> d-------- C:\DOCUME~1\lisa\APPLIC~1\AlwaysNeat
2007-08-11 12:49 <DIR> d-------- C:\Program Files\Bingo MEGA


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 08:15 --------- d-------- C:\Program Files\Online Services
2007-08-17 07:19 --------- d-------- C:\Program Files\BearShare Music
2007-08-14 08:44 --------- d-------- C:\Program Files\MorpheusBar
2007-08-14 08:13 --------- d-------- C:\Program Files\Morpheus Premium
2007-08-14 08:13 --------- d-------- C:\Program Files\Morpheus
2007-08-14 08:12 --------- d-------- C:\Program Files\LimeWire
2007-08-14 08:08 --------- d-------- C:\Program Files\Kazaa
2007-08-14 08:07 --------- d-------- C:\Program Files\MSN Games
2007-08-14 07:14 --------- d-------- C:\Program Files\MySpace
2007-08-14 07:13 --------- d-------- C:\Program Files\Zylom Games
2007-06-25 18:19 --------- d-------- C:\Program Files\Common Files\CA Shared


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 20:58]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 15:31]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-19 12:56]
"ViewpointPhotosDeviceConnect"="C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\FotomatDeviceConnect.exe" [2007-02-24 15:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-06-05 11:58:41]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= C:\Program Files\Online Services\rteserijo.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\System32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 grmnusb;grmnusb;C:\WINDOWS\System32\drivers\grmnusb.sys
S3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 08:45:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 8:46:30
C:\ComboFix-quarantined-files.txt ... 2007-08-19 08:46
C:\ComboFix2.txt ... 2007-08-19 08:19
C:\ComboFix3.txt ... 2007-08-18 05:35

--- E O F ---

Hijack log
Logfile of HijackThis v1.99.1
Scan saved at 9:03:11 AM, on 8/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\FotomatDeviceConnect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\lanny\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\FotomatDeviceConnect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#6
jwbirdsong

jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Sorry lost track of ya there for a minute.
What kind of error when you tried Panda?

See if you can get a Kaspersky scan.
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
When done post the Kaspersky log and a fresh HijackThis log.

#7
broken98 (Member, Topic Starter, 74 posts)
I'm sorry but Kaspersky WebScanner won't work either with my Internet
Explorer or Firefox.

#8
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Sorry lost ya over the long weekend.

You may want to try and do the following and see if Panda/Kaspersky will work.

Open IE>Click Tools>Internet Options>Security (tab)>Click the Globe>Click Default Level>Apply>OK/Close
Close IE....
Reopen IE and try Panda/Kaspersky again

When you go to Panda make sure to watch for the information bar (it is a gold bar that appears below the address bar...See HERE) to pop up and tell you an ActiveX could not be downloaded. If this happens, right click the bar and choose Install.

#9
broken98 (Member, Topic Starter, 74 posts)
Thanks for writing back, I'll give your suggestion a try and get back to you.

#10
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Let me know how it goes (or doesn't go)

#11
broken98 (Member, Topic Starter, 74 posts)
I made sure the default security level was checked in IE but Panda still won't run.
I get a yellow triangle that appears in the bottom of the window when I try to do
the scan.

#12
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Same with Kaspersky?

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Edited by jwbirdsong, 06 September 2007 - 06:34 AM.


#13
broken98 (Member, Topic Starter, 74 posts)
Yes I get the same result with Kaspersky, a yellow triangle symbol.
I'm now doing the Dr. Web Cureit scan and will send the results.

#14
broken98 (Member, Topic Starter, 74 posts)
Here is the Dr.Web scan. It looks like it found a lot of things.

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.3.30.1;Probably BACKDOOR.Trojan;;
bis72.exe;C:\Documents and Settings\bryan\Local Settings\Temp;Trojan.Swizzor;Deleted.;
p2psetup.exe\data001;C:\Documents and Settings\bryan\Local Settings\Temp\p2psetup.exe;Adware.PeerNet;;
p2psetup.exe;C:\Documents and Settings\bryan\Local Settings\Temp;Archive contains infected objects;Moved.;
uninstall.exe;C:\Documents and Settings\bryan\Local Settings\Temp;Adware.Xbarre;;
southpm2.exe;C:\Documents and Settings\bryan\Local Settings\Temp\Temporary Directory 1 for spmario-1.zip;Trojan.Click.70;Incurable.Moved.;
southpm2.exe;C:\Documents and Settings\bryan\Local Settings\Temp\Temporary Directory 1 for spmario.zip;Trojan.Click.70;Incurable.Moved.;
southpm2.exe;C:\Documents and Settings\bryan\Local Settings\Temp\Temporary Directory 2 for spmario.zip;Trojan.Click.70;Incurable.Moved.;
southpm2.exe;C:\Documents and Settings\bryan\Local Settings\Temp\Temporary Directory 3 for spmario.zip;Trojan.Click.70;Incurable.Moved.;
p2psetup[1].exe\data001;C:\Documents and Settings\bryan\Local Settings\Temporary Internet Files\Content.IE5\A5OQ9WV7\p2psetup[1].exe;Adware.PeerNet;;
p2psetup[1].exe;C:\Documents and Settings\bryan\Local Settings\Temporary Internet Files\Content.IE5\A5OQ9WV7;Archive contains infected objects;Moved.;
UWA7P_0001_N91M0809NetInstaller.exe;C:\Documents and Settings\lisa\Local Settings\Temp\ICD1.tmp;Trojan.DownLoader.10963;Deleted.;
adfcookmazafuka[1];C:\Documents and Settings\lisa\Local Settings\Temporary Internet Files\Content.IE5\GH2BSPAN;Trojan.Click.2799;Deleted.;
tk58[1].exe;C:\Documents and Settings\lisa\Local Settings\Temporary Internet Files\Content.IE5\OHEFAJGP;Trojan.StartPage.19993;Deleted.;
TopSearch.dll;C:\Program Files\Kazaa;Adware.Altnet;;
sfcont.dll;C:\Program Files\RXToolBar;Adware.RXToolbar;;
prqtect.exe;C:\Program Files\TDS3\xDynamic\TDS.Unpk;Trojan.KeyLogger.422;Deleted.;
setup_silent_26221.exe_;C:\Program Files\TDS3\xDynamic\TDS.Unpk;Adware.MDH;;
winlogon.exe.vir;C:\QooBox\Quarantine\C\Program Files\Common Files\SMANTE~1;Adware.ClickSpring;;
mege22011.exe.vir;C:\QooBox\Quarantine\C\Program Files\MSN;Adware.Ttc;;
qukadopa.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa196.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa408.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa517.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa566.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa678.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa772.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa916.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa934.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
qukadopa941.dll.vir;C:\QooBox\Quarantine\C\Program Files\Online Services;Trojan.StartPage.19992;Deleted.;
bhmpkjlq.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
geebb.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
mljhhef.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
mniknjhp.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
qomnoop.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
ssqoonk.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
urqqopq.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
ushoretj.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
wayougrh.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
b122.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.MulDrop.8200;Deleted.;
tk58.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.StartPage.19993;Deleted.;
JVAWEX~1.VIR;C:\QooBox\Quarantine\C\WINDOWS\CROSOF~1.NET;Trojan.DownLoader.29746;Deleted.;
fibmtm.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.DownLoader.29746;Deleted.;
gxnasefx.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
f02WtR1065.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\f02WtR;Trojan.DownLoader.24715;Deleted.;
w7q.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\win;Trojan.DownLoader.26881;Deleted.;
A0087706.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP1008;Trojan.KeyLogger.422;Deleted.;
A0085512.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Adware.WebHancer;;
A0085514.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Adware.WebHancer;;
A0085515.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Adware.WebHancer;;
A0085524.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Adware.WebHancer;;
A0085570.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Trojan.StartPage.19993;Deleted.;
A0085581.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Adware.ClickSpring;;
A0085582.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Trojan.StartPage.19992;Deleted.;
A0085583.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Trojan.DownLoader.24772;Deleted.;
A0085595.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Trojan.StartPage.19993;Deleted.;
A0085787.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP973;Adware.Msearch;;
A0085791.DLL;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP973;Adware.Msearch;;
A0085793.DLL;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP973;Adware.Msearch;;
A0085889.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP974;Trojan.StartPage.19993;Deleted.;
A0085894.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP974;Trojan.EzulaAd;Deleted.;
A0085895.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP974;Trojan.Virtumod;Deleted.;
A0085921.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085922.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085923.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085924.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085925.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085927.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085928.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085929.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085930.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.Altnet;;
A0085936.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.InstaFinder;;
A0085938.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Trojan.Winpop;Deleted.;
A0085939.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Trojan.Winpop;Deleted.;
A0085940.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Trojan.LowZones.267;Deleted.;
A0085941.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Probably DLOADER.Trojan;;
A0085944.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.WebHancer;;
A0085945.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP976;Adware.WebHancer;;
A0085960.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP977;Trojan.StartPage.19993;Deleted.;
A0085972.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP977;Trojan.StartPage.19993;Deleted.;
A0085994.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP977;Trojan.StartPage.19993;Deleted.;
A0086036.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP981;Trojan.StartPage.19993;Deleted.;
A0086038.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP981;Trojan.EzulaAd;Deleted.;
A0086039.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP981;Trojan.Virtumod;Deleted.;
A0086145.DLL;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Adware.Msearch;;
A0086151.DLL;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Adware.IESearch;;
A0086153.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.StartPage.19993;Deleted.;
A0086161.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086162.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086163.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086164.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086166.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086167.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086168.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086169.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.Virtumod;Deleted.;
A0086170.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Adware.IESearch;;
A0086175.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP984;Trojan.StartPage.19993;Deleted.;
A0086200.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.MulDrop.8200;Deleted.;
A0086201.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.EzulaAd;Deleted.;
A0086202.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.DownLoader.29746;Deleted.;
A0086203.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086204.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086205.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086206.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086207.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086208.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086209.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086210.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086211.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086212.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19992;Deleted.;
A0086214.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Adware.ClickSpring;;
A0086215.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.DownLoader.26881;Deleted.;
A0086216.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.DownLoader.29746;Deleted.;
A0086218.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.DownLoader.24715;Deleted.;
A0086220.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP985;Trojan.StartPage.19993;Deleted.;
A0086346.dll;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP988;Trojan.StartPage.19992;Deleted.;
A0086347.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP988;Trojan.StartPage.19993;Deleted.;
A0086348.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP988;Adware.Ttc;;

#15
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Actually it's not really as bad as it first appears...Most of the items are either in quarantine (from Combofix or TDS3), in temp files/TIF (will empty shortly), or in System Volume Information (SystemRestore folder).

Go to Start>Run>type in cmd and hit enter.
Enter the 2 lines below, one at a time, and hit enter after each

sc stop SysmonLog
sc delete SysmonLog


Close the command window now

Open Control Panel>Add/Remove and uninstall the RXToolbar

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.3.30.1
    C:\Documents and Settings\bryan\Local Settings\Temp\p2psetup.exe
    C:\Documents and Settings\bryan\Local Settings\Temp;Adware.Xbarre;;
    C:\Documents and Settings\bryan\Local Settings\Temp\Temporary Directory 2 for spmario.zi
    C:\Program Files\Kazaa
    C:\Program Files\RXToolBar\
    C:\QooBox\

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

Delete the Combofix you now have, download a new/updated one, and post a fresh Combofix log

Edited by jwbirdsong, 06 September 2007 - 01:32 PM.

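As an added example (not something from the thread, from Dr.Web, or from the helper's own tools), here is a small Python script that does the sorting jwbirdsong does above on a CureIt report: it splits each ';'-separated line, buckets the hit by whether it sits in a quarantine folder, a temp/TIF folder, a System Restore snapshot, or somewhere live, and lists the live objects CureIt left untouched, which are the ones worth an OTMoveIt entry. The bucket rules and the trimmed sample report are assumptions drawn from the log posted in #14.

```python
"""Triage a Dr.Web CureIt report: one detection per line, fields separated by ';'."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines copied from the report in #14 above.
SAMPLE_REPORT = r"""
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.3.30.1;Probably BACKDOOR.Trojan;;
bis72.exe;C:\Documents and Settings\bryan\Local Settings\Temp;Trojan.Swizzor;Deleted.;
p2psetup.exe\data001;C:\Documents and Settings\bryan\Local Settings\Temp\p2psetup.exe;Adware.PeerNet;;
TopSearch.dll;C:\Program Files\Kazaa;Adware.Altnet;;
sfcont.dll;C:\Program Files\RXToolBar;Adware.RXToolbar;;
prqtect.exe;C:\Program Files\TDS3\xDynamic\TDS.Unpk;Trojan.KeyLogger.422;Deleted.;
mege22011.exe.vir;C:\QooBox\Quarantine\C\Program Files\MSN;Adware.Ttc;;
geebb.dll.bad.vir;C:\QooBox\Quarantine\C\VundoFix Backups;Trojan.Virtumod;Deleted.;
A0085512.exe;C:\System Volume Information\_restore{7CCFAFCD-69C5-4B02-B4D0-8BD30DCE1D53}\RP971;Adware.WebHancer;;
"""


@dataclass
class Detection:
    name: str       # object name; may name an archive member, e.g. "p2psetup.exe\data001"
    directory: str  # folder (or container archive) the object was found in
    threat: str     # Dr.Web detection name
    action: str     # what CureIt did: "", "Deleted.", "Moved.", "Incurable.Moved."

    @property
    def location(self) -> str:
        """Bucket by where the object sits (assumed rules, mirroring the helper's reasoning):
        quarantine folders and System Restore snapshots are inert copies, temp/TIF gets
        emptied anyway, and anything else is live and needs a decision."""
        d = self.directory.lower()
        if "\\qoobox\\quarantine\\" in d or "\\tds3\\" in d:   # Combofix / TDS3 quarantine
            return "quarantine"
        if "\\system volume information\\_restore" in d:
            return "system_restore"
        if "\\local settings\\temp" in d:   # matches both Temp and Temporary Internet Files
            return "temp"
        return "live"


def parse_report(text: str) -> List[Detection]:
    """Parse the CSV-like report; raise on a line that does not have the four fields."""
    out: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"malformed report line: {line!r}")
        out.append(Detection(parts[0], parts[1], parts[2], parts[3]))
    return out


def triage(text: str) -> Dict[str, List[Detection]]:
    """Group detections by location bucket."""
    buckets: Dict[str, List[Detection]] = {"live": [], "temp": [], "quarantine": [], "system_restore": []}
    for det in parse_report(text):
        buckets[det.location].append(det)
    return buckets


def needs_manual_cleanup(text: str) -> List[str]:
    """Full paths of live objects CureIt left in place (empty action): OTMoveIt candidates."""
    return [f"{d.directory}\\{d.name}" for d in triage(text)["live"] if not d.action]


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket:15} {len(hits)}")
    print("\n".join(needs_manual_cleanup(SAMPLE_REPORT)))
```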