Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HijackThis and other logs - I hope this is the right place for this? [


  • This topic is locked This topic is locked

#1
jfromme1

jfromme1

    New Member

  • Member
  • Pip
  • 3 posts
Hello, I have just finished following the instructions on this site for removing Outerinfo from my computer. I'd appreciate it if someone could check my log files for Hijack, Combofix and Anti-Malware to see if i did it right. Or please let me know if this was the wrong place to post this information. Thanks very much for your time! - Jason

*** Hijack Log ***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:04 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {076E87FE-1A1F-4057-B8B9-5BC1225F7CBF} - C:\Program Files\MSN Gaming Zone\lavu.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2D812E56-AFD2-4C7F-87B4-1C7B1CF3D5D8} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {4C11BBBE-0251-5FAB-0212-2B00B8BD8BC6} - C:\WINDOWS\system32\guw.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6AF0FE17-0786-4BB2-9EC9-99B6701F6285} - C:\Program Files\Windows Media Player\hokemoqy83122.dll (file missing)
O2 - BHO: 0 - {8A615191-1BF8-4119-BF89-17F73F0CEE5F} - (no file)
O2 - BHO: 0 - {900E4750-38A0-4F33-4291-5AA2B625A255} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C5DDC4D2-DD00-401E-BF17-0CAFABAAFFC6} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {D3F4220C-5E69-4EC9-8239-357483D1DE80} - C:\Program Files\Windows Media Player\hokemoqy4444.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\Jason\APPLIC~1\ASKS~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Rvvmjin] C:\WINDOWS\S?mantec\?ti2evxx.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccccyv - C:\WINDOWS\
O20 - Winlogon Notify: obttjnqr - obttjnqr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPNBC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

--
End of file - 9126 bytes

*** Combofix Log ***

ComboFix 08-02.05.1 - Jason 2008-02-04 12:39:17.1 - NTFSx86
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jason\Application Data\ASKS~1
C:\Documents and Settings\Jason\Application Data\ASKS~1\?asks\
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\bXlyYQ\
C:\WINDOWS\smante~1
C:\WINDOWS\smante~1\?ti2evxx.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\obttjnqr.dllbox
C:\WINDOWS\system32\onscqnrq.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.ini2
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 11:50 . 2008-02-04 11:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 10:40 . 2008-01-31 10:57 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-31 10:40 . 2008-01-31 10:40 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-31 10:35 . 2008-01-31 10:35 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-31 10:35 . 2008-02-04 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-31 10:35 . 2008-02-04 12:50 3,920,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-31 10:35 . 2008-02-04 12:48 53,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-31 10:35 . 2008-02-04 12:49 11,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-31 10:35 . 2008-02-04 12:48 2,156 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-31 10:33 . 2008-01-31 10:33 <DIR> d-------- C:\kav
2008-01-29 15:42 . 2008-01-29 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 15:40 . 2008-01-29 15:40 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-01-29 10:38 . 2008-01-29 15:26 22 --a------ C:\WINDOWS\pskt.ini
2008-01-28 18:47 . 2008-01-30 13:50 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-28 18:47 . 2008-01-29 16:42 <DIR> d-------- C:\WINDOWS\system32\nip4
2008-01-28 18:47 . 2008-01-31 11:14 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-28 18:47 . 2008-01-28 18:47 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-28 18:47 . 2008-01-28 20:24 <DIR> d-------- C:\WINDOWS\system32\comg9
2008-01-28 18:47 . 2008-01-28 18:47 <DIR> d-------- C:\Temp\gTiis19
2008-01-28 18:47 . 2008-01-28 18:47 <DIR> d-------- C:\Temp\cXzz9
2008-01-28 18:47 . 2008-02-04 12:40 <DIR> d-------- C:\Temp
2008-01-27 18:08 . 2008-01-27 18:10 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Canon
2008-01-27 15:54 . 1996-07-01 00:00 77,312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL
2008-01-27 15:30 . 2008-01-27 15:30 <DIR> d--h----- C:\CanoScan
2008-01-27 15:30 . 2002-05-24 03:04 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL
2008-01-27 15:30 . 2002-04-12 20:23 339,968 --a------ C:\WINDOWS\system32\N124UFW.dll
2008-01-27 15:30 . 2002-09-27 14:56 69,632 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-01-11 08:12 . 2008-01-11 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-01-11 08:11 . 2008-01-11 08:11 <DIR> d-------- C:\Program Files\Uniblue
2008-01-11 08:11 . 2008-01-11 08:11 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Uniblue
2008-01-07 05:23 . 1998-08-26 20:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2008-01-07 05:23 . 1998-08-20 03:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-01-07 05:23 . 1998-09-02 00:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-01-07 05:22 . 1998-09-02 00:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-01-07 05:22 . 1998-09-02 00:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-01-07 05:22 . 1998-08-17 01:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-01-07 05:22 . 1998-08-17 01:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-01-07 05:22 . 1998-08-17 01:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-01-07 05:22 . 2008-01-07 05:22 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2008-01-07 05:22 . 2008-01-07 05:22 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2008-01-07 05:22 . 2008-01-07 05:34 11 --a------ C:\trace.ini
2008-01-07 05:21 . 2008-01-07 05:21 <DIR> d-------- C:\Program Files\Auralog
2008-01-05 11:23 . 2008-01-05 11:23 0 --a------ C:\WINDOWS\iplayer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 05:29 --------- d-----w C:\Documents and Settings\Jason\Application Data\Skype
2008-01-30 03:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 03:52 --------- d-----w C:\Program Files\Toshiba
2008-01-28 21:30 --------- d-----w C:\Documents and Settings\Jason\Application Data\ZoomBrowser EX
2008-01-28 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-28 00:50 --------- d-----w C:\Program Files\Canon
2008-01-28 00:01 --------- d-----w C:\Program Files\ArcSoft
2008-01-26 04:39 --------- d-----w C:\Documents and Settings\Jason\Application Data\uTorrent
2008-01-05 20:31 --------- d-----w C:\Program Files\DivX
2007-12-31 17:49 --------- d-----w C:\Program Files\AC3Filter
2007-12-31 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-25 14:01 --------- d-----w C:\Program Files\eFax Messenger 4.3
2007-12-25 14:01 --------- d-----w C:\Documents and Settings\Jason\Application Data\eFax Messenger
2007-12-25 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2007-12-25 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2007-12-18 08:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-16 18:56 --------- d-----w C:\Program Files\Litsoft
2007-12-16 18:55 140,288 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-12-15 16:30 --------- d-----w C:\Documents and Settings\Jason\Application Data\Yahoo!
2007-12-13 21:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-12-10 14:47 --------- d-----w C:\Program Files\Audacity
2007-12-10 14:19 --------- d-----w C:\Program Files\Bulent's Screen Recorder 4
2007-12-08 15:36 --------- d-----w C:\Program Files\eMule
2004-10-10 15:03 169,808 ----a-w C:\Documents and Settings\myra\Application Data\shb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{076E87FE-1A1F-4057-B8B9-5BC1225F7CBF}]
C:\Program Files\MSN Gaming Zone\lavu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D812E56-AFD2-4C7F-87B4-1C7B1CF3D5D8}]
C:\WINDOWS\system32\vtsqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C11BBBE-0251-5FAB-0212-2B00B8BD8BC6}]
C:\WINDOWS\system32\guw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AF0FE17-0786-4BB2-9EC9-99B6701F6285}]
C:\Program Files\Windows Media Player\hokemoqy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A615191-1BF8-4119-BF89-17F73F0CEE5F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{900E4750-38A0-4F33-4291-5AA2B625A255}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5DDC4D2-DD00-401E-BF17-0CAFABAAFFC6}]
C:\WINDOWS\system32\awtqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F4220C-5E69-4EC9-8239-357483D1DE80}]
C:\Program Files\Windows Media Player\hokemoqy4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Osus"="C:\DOCUME~1\Jason\APPLIC~1\ASKS~1\spoolsv.exe" [ ]
"Rvvmjin"="C:\WINDOWS\S?mantec\?ti2evxx.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 17:38 54472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccccyv]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\obttjnqr]
obttjnqr.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 20:01 258048 C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2003-03-26 10:15 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 11:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\America Online 9.0b\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLCC]
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-07-17 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
--a------ 2003-11-05 05:38 1380352 C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
--a------ 2007-03-06 09:21 116224 C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 10:29 40960 C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1100834960\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 00:07 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-06-21 02:40 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 00:19 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2006-03-27 07:57 126104 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 16:16 172032 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
--a------ 2004-08-01 13:47 102672 C:\Program Files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2003-10-20 09:39 159744 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 04:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-18 19:32 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
--a------ 2004-05-13 03:38 258114 C:\Program Files\NZSearch\hcm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2003-10-15 16:03 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2003-09-05 03:24 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 18:00 126976 C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2003-11-19 21:15 278528 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 11:50]
R2 Dynex DX-WGPNBC WLService;Dynex Wireless G Enhanced Adapter Service;C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe [2004-03-29 15:08]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 09:03]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 05:16:52 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 12:51:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2008-02-04 13:00:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 21:00:11
.
2008-01-09 15:24:47 --- E O F ---

*** Anti-Malware Log ***

Malwarebytes' Anti-Malware 1.02
Database version: 318

Scan type: Full Scan (C:\|)
Objects scanned: 84581
Time elapsed: 35 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP2\A0000004.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP2\A0000005.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ets1\ovstadcom2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

*** End ***
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingc...to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

I see Kaspersky Antivirus running, but I see you also have McAfee installed, but disabled via msconfig.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also because more than one Antivirus and Firewall installed are not compatible with eachother, it can cause system performance problems and a serious system slowdown.

So in case McAfee is also still installed, I suggest you uninstall it.

Also, I see you have Viewpoint installed... (but disabled)
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, * Download DelDomains.inf and save it to your desktop.
Rightclick on it and choose 'install'.

Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\GameFly_2.ico
C:\WINDOWS\pskt.ini

Folder::
C:\WINDOWS\system32\wnis6
C:\WINDOWS\system32\nip4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\ets1
C:\WINDOWS\system32\comg9
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{076E87FE-1A1F-4057-B8B9-5BC1225F7CBF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D812E56-AFD2-4C7F-87B4-1C7B1CF3D5D8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C11BBBE-0251-5FAB-0212-2B00B8BD8BC6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AF0FE17-0786-4BB2-9EC9-99B6701F6285}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A615191-1BF8-4119-BF89-17F73F0CEE5F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{900E4750-38A0-4F33-4291-5AA2B625A255}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5DDC4D2-DD00-401E-BF17-0CAFABAAFFC6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F4220C-5E69-4EC9-8239-357483D1DE80}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Osus"=-
"Rvvmjin"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omnipage"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccccyv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\obttjnqr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#3
jfromme1

jfromme1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi miekiemoes and thanks for your help, I really appreciate you taking the time :) I tried to follow all your instructions, and was partly successful:

1) I downloaded and installed Recovery Console, successfully, I think
2) I couldn't find McAfee in my Add/Remove Programs CP
3) I couldn't find Viewpoint either in my Add/Remove Programs CP
4) I downloaded & installed DelDomains.inf, I think
5) I ran the script you provided through ComboFix, and it generated a new report, which follows:
6) Also ran HijackThis, which report also follows:

Thanks again! - Jason

***COMBOFIX REPORT***

ComboFix 08-02.05.1 - Jason 2008-02-13 17:52:45.2 - NTFSx86
Running from: C:\Documents and Settings\Jason\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\GameFly_2.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\gTiis19\lTig.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\comg9
C:\WINDOWS\system32\ets1
C:\WINDOWS\system32\GameFly_2.ico
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nip4
C:\WINDOWS\system32\wnis6

.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-13 17:49 . 2008-01-11 10:10 226 --a------ C:\Boot.bak
2008-02-13 17:48 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-04 13:03 . 2008-02-04 13:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-04 13:03 . 2008-02-04 13:03 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Malwarebytes
2008-02-04 13:03 . 2008-02-04 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-04 12:35 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-04 11:50 . 2008-02-04 11:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 10:40 . 2008-01-31 10:57 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-31 10:40 . 2008-01-31 10:40 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-31 10:35 . 2008-01-31 10:35 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-31 10:35 . 2008-02-13 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-31 10:35 . 2008-02-13 17:56 4,972,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-31 10:35 . 2008-02-13 13:04 65,948 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-31 10:35 . 2008-02-13 17:56 40,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-31 10:35 . 2008-02-13 13:04 4,436 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-31 10:33 . 2008-01-31 10:33 <DIR> d-------- C:\kav
2008-01-29 15:42 . 2008-01-29 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-27 18:08 . 2008-01-27 18:10 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Canon
2008-01-27 15:54 . 1996-07-01 00:00 77,312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL
2008-01-27 15:30 . 2008-01-27 15:30 <DIR> d--h----- C:\CanoScan
2008-01-27 15:30 . 2002-05-24 03:04 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL
2008-01-27 15:30 . 2002-04-12 20:23 339,968 --a------ C:\WINDOWS\system32\N124UFW.dll
2008-01-27 15:30 . 2002-09-27 14:56 69,632 --a------ C:\WINDOWS\system32\CNQU70.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 23:22 --------- d-----w C:\Documents and Settings\Jason\Application Data\ZoomBrowser EX
2008-02-13 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-02-13 21:01 --------- d-----w C:\Documents and Settings\Jason\Application Data\Skype
2008-01-30 03:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 03:52 --------- d-----w C:\Program Files\Toshiba
2008-01-28 00:50 --------- d-----w C:\Program Files\Canon
2008-01-28 00:01 --------- d-----w C:\Program Files\ArcSoft
2008-01-26 04:39 --------- d-----w C:\Documents and Settings\Jason\Application Data\uTorrent
2008-01-11 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Uniblue
2008-01-11 16:11 --------- d-----w C:\Program Files\Uniblue
2008-01-11 16:11 --------- d-----w C:\Documents and Settings\Jason\Application Data\Uniblue
2008-01-07 13:22 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2008-01-07 13:21 --------- d-----w C:\Program Files\Auralog
2008-01-05 20:31 --------- d-----w C:\Program Files\DivX
2007-12-31 17:49 --------- d-----w C:\Program Files\AC3Filter
2007-12-31 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-25 14:01 --------- d-----w C:\Program Files\eFax Messenger 4.3
2007-12-25 14:01 --------- d-----w C:\Documents and Settings\Jason\Application Data\eFax Messenger
2007-12-25 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2007-12-25 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 08:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-18 08:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-16 18:56 --------- d-----w C:\Program Files\Litsoft
2007-12-16 18:55 140,288 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-12-15 16:30 --------- d-----w C:\Documents and Settings\Jason\Application Data\Yahoo!
2007-12-10 14:19 585,728 ----a-w C:\WINDOWS\system32\bsratswf.dll
2007-12-10 14:19 147,456 ----a-w C:\WINDOWS\system32\bsratwmv.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2004-10-10 15:03 169,808 ----a-w C:\Documents and Settings\myra\Application Data\shb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 17:38 54472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 20:01 258048 C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2003-03-26 10:15 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 11:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\America Online 9.0b\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLCC]
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-07-17 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
--a------ 2003-11-05 05:38 1380352 C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
--a------ 2007-03-06 09:21 116224 C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 10:29 40960 C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1100834960\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 00:07 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-06-21 02:40 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 00:19 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2006-03-27 07:57 126104 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 16:16 172032 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
--a------ 2004-08-01 13:47 102672 C:\Program Files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2003-10-20 09:39 159744 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 04:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-18 19:32 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
--a------ 2004-05-13 03:38 258114 C:\Program Files\NZSearch\hcm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2003-10-15 16:03 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2003-09-05 03:24 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 18:00 126976 C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2003-11-19 21:15 278528 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 11:50]
R2 Dynex DX-WGPNBC WLService;Dynex Wireless G Enhanced Adapter Service;C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe [2004-03-29 15:08]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 09:03]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 17:38]

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 05:16:52 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 17:57:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-13 17:58:54
ComboFix-quarantined-files.txt 2008-02-14 01:58:22
ComboFix2.txt 2008-02-04 21:00:18
.
2008-02-13 07:08:57 --- E O F ---


***HIJACKTHIS REPORT***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:15 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPNBC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

--
End of file - 6970 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK again. :)


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#5
jfromme1

jfromme1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi again...this time I think I did everything succesfully:

1) Ran HijackThis, clicked the two items you told me to and selected Fix Checked.
2) Downloaded Java Runtime Environement (JRE) 6 Update 4
3) Uninstalled Java 2 Runtime Environment using Add/Remove Programs CP
4) rebooted computer
5) Ran 'jre-6u4-windows-i586-p.exe' and installed the new Java Environment
6) Start > Run > ComboFix /u - here the computer created a message saying that ComboFix could not be located. It seems to have uninstalled it a little too effectively, perhaps? :) In any case, I can't seem to find any icons or other evidence that ComboFix is still on my computer, so I think it worked?

My computer is working well, now. I haven't had anymore pop-up ad windows, and Kaspersky hasn't detected any viruses or malware. I'm thinking of switching to AVG Anti-Virus Free Edition when the trial period ends for Kaspersky. It's a little too twitchy for my tastes, challenging every module that gets loaded, basically expecting me to know whether or not it's okay for my programs to behave the way they do. I don't have anywhere near the expertise to feel comfortable continually allowing/denying processes - I'm a classical musician for Pete's sake! :)

I must say that it feels very gratifiying to follow your very well written instructions and imagine little bits of irrelevant code, markers, and lost links getting swept into the rubbish bin and recycled. You really have done a huge favor for me, and I wonder if I can repay it somehow? Hmm...would you like a MIDI file of a brand new, one-of-a-kind polyphonic ring tone written by a (well, not famous yet, but maybe some day?) composer of some modest distinction? Write me at

fromme1 AT yahoo.com (mailaddress munged)

if you'd like such a thing sent to you :) Or if you're ever in Portland, Oregon I'll buy you dinner, ok? You like Thai food? Hopefully I'm not being too weird (I know I'm being overly effusive) - I just want you to know I'm happy my computer is functioning again, and that you have made a new friend in Portland, Oregon.

Yours Very Truly,

Jason Fromme

Edited by miekiemoes, 14 February 2008 - 03:41 AM.

  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#7
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP