Geeks to Go forum

Bugs and worms and Malware...Oh my [RESOLVED]


  • This topic is locked

#16
miekiemoes (Malware Expert, MVP, 5,503 posts)
Yes, you may post a HijackThis log from your wife's computer in this thread :)

#17
Cygnus (Topic Starter, Member, 78 posts)
Thanks!

Her anti-spyware and Ad-Aware were outdated so I did some clean-up first. She had the Virtumonde virus and I thought I had taken care of that earlier this week. Oddly her system did not lock up when I used Spybot S&D to remove it like mine did. I had removed several entries of the Vundo virus with VundoFix. Oh well.

She has not had any issues with Explorer not starting up, but she has had system lock-ups, pop-ups and an oddity: she is a forum moderator and when she is in the admin control panel she is sometimes limited in what she can do; some of the changes she makes will not take. She has to use my laptop and it will work...???

But here is her log file, hope you can get her running good. This was originally MY Multimedia/gaming machine until hers went belly up. She has kinda taken it over now...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:43 AM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1124477354\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124477354\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AB0296C-D672-4E6F-9D85-F5E6D93E6137} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A2679FF-4FDB-4140-B946-D00B2A9CE346} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124477354\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Dora Fairytale Adventures Registration.lnk = E:\ATR1.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O20 - Winlogon Notify: rqrppqn - rqrppqn.dll (file missing)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10377 bytes
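The HijackThis log above is read by eye in this thread. As an added example (not part of the original thread, and not code from HijackThis or the helper), here is a small Python triage script that applies the same kind of checks a helper does: it parses the R/O-numbered lines and flags entries that reference missing files, Winlogon Notify DLLs, autostart values with no path, and unknown Winsock LSP files. The sample lines are copied from the log above; the severity scale, the vowel-ratio heuristic for machine-generated names, and every function name are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted above,
# plus two clean lines (Adobe BHO, PS2 Run entry) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AB0296C-D672-4E6F-9D85-F5E6D93E6137} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O20 - Winlogon Notify: rqrppqn - rqrppqn.dll (file missing)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
NAME_RE = re.compile(r"^(?:Winlogon Notify|BHO):\s*(?P<name>.+?)\s+-\s+")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low" (assumed scale)
    reason: str
    line: str


def looks_generated(name: str) -> bool:
    """Heuristic (assumption): short, all-letter names with almost no vowels
    are typical of randomly generated malware component names."""
    n = name.strip().lower()
    if not n.isalpha() or not 4 <= len(n) <= 10:
        return False
    vowels = sum(c in "aeiou" for c in n)
    return vowels / len(n) <= 0.2


def assess(section: str, body: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one log entry, or None if nothing stands out."""
    missing = any(marker in body for marker in MISSING_MARKERS)
    m = NAME_RE.match(body)
    name = m.group("name") if m else ""
    if section == "O20":
        why = "Winlogon Notify DLL loads into winlogon.exe before any user logs on"
        if missing:
            why += "; file is gone but the registry key remains (leftover of a removed infection)"
        if looks_generated(name):
            why += "; name looks machine-generated"
        return "high", why
    if section == "O2" and missing:
        return "low", "orphaned BHO entry pointing at a file that no longer exists"
    if section == "O4":
        target = body.split("]", 1)[-1].strip().strip('"')
        if "\\" not in target:
            return "medium", ("autostart value has no path, so Windows resolves it by "
                              "search order; confirm which file actually runs")
        return None
    if section == "O10":
        return "medium", ("Winsock LSP sits in the network path of every TCP/IP "
                          "application; confirm the DLL's vendor")
    if section == "O23" and missing:
        return "low", "service points at a file that no longer exists (orphaned entry)"
    return None


def triage(log_text: str) -> list[Finding]:
    """Parse a HijackThis log and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        verdict = assess(m.group("section"), m.group("body"))
        if verdict:
            findings.append(Finding(m.group("section"), verdict[0], verdict[1], line))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [f"[{f.severity.upper()}] {f.section}: {f.reason}\n    {f.line}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run on the sample it ranks the two O20 entries first, which matches where the helper's CFScript later in the thread concentrates; the heuristics are deliberately conservative and only point a human at lines to verify, they do not decide what to delete.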

#18
miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

Please download Combofix on this computer as well and run it.
Then post the log Combofix creates.

She has not had any issues with Explorer not starting up, but she has had system lock-ups, pop-ups and an oddity: she is a forum moderator and when she is in the admin control panel she is sometimes limited in what she can do; some of the changes she makes will not take. She has to use my laptop and it will work...???

That could be because of her firewall messing with cookies/blocking them, or a third-party add-on interfering here. We'll figure that out afterwards.
I see that System Mechanic Professional's firewall is installed here. I don't really recommend this one.
Also, is her Authentium antivirus still up to date? I want to make sure that a proper antivirus and firewall are installed in this case, instead of an antivirus and firewall which are poor.

#19
Cygnus (Topic Starter, Member, 78 posts)
Hi,

OK, will do the ComboFix (knew you'd say that). She is doing something on her forum ATM but I asked her about a few things. She says iolo was the firewall but it causes problems so she does not use it, and she does not remember the one you mentioned and do not recommend. I am thinking to uninstall both and use ZoneAlarm. Thoughts on this?

Also she is unaware of the AV program and I do not remember what came with the PC when I bought it. She "hijacked" my desktop a few years ago and I spent 2 years in Iraq, so I don't really know what she has done. I will see if I can find the AV program and do updates, as well as using the site you recommended to me earlier that reports what security issues the programs on the PC have, and give you the details with the next post.

I really appreciate all the assistance!

[Edit]
I found the AV following the address listed above. No icon or folder in the Start menu. Double-clicked the .exe but no window came up. Task Manager shows it running but there is no way to check for updates. Secunia did not show anything on it. She does have a lot of updates to do in Flash Player and Java.
I noticed some entries on the logs and I guess I should also mention that this system has pretty much become the family PC. Our daughter (14) uses it and connects her iPod, and my boys (4 & 6) play online games, though mostly on Nickelodeon or Disney.





ComboFix 08-02-17.2 - Owner 2008-02-17 11:57:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.279 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\BR7MJNTE\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\outlook
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\cup.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\accessories\heart.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\audio\sfx\sfx_rollover_1.ogg
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\credits.jpg
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\upgradegrid.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\backgrounds\upgradetitle.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\backchalkup.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\pauseover.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\buttons\tryagain.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\cook\stove.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\blue\anim.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\old_male\green\sit_legs.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\anim.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\blue\anim.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\purple\sit_legs.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\customers\young_female\red\anim.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\dishcart.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\furniture\drinkstation_on1.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\p1icon.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\hiscore\textedit.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\playfirst_logo.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\diner\tables\2top.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\restaurants\tableshadow.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\splash\aol_logo.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\assets\splash\playfirst_logo.jpg
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.72\dinerdash.exe
C:\WINDOWS\Registration\CRMLog\ntp2.ini
C:\WINDOWS\system32\alknqdlc.dll
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\bpuwbrqw.dll
C:\WINDOWS\system32\bxvqcnuv.dll
C:\WINDOWS\system32\byphkutp.dll
C:\WINDOWS\system32\cccnymgb.dll
C:\WINDOWS\system32\ciqfbnjf.dll
C:\WINDOWS\system32\clffpxmk.dll
C:\WINDOWS\system32\cqkyverj.dll
C:\WINDOWS\system32\cwgomiuf.dll
C:\WINDOWS\system32\ecvwanam.dll
C:\WINDOWS\system32\emyykvnn.dll
C:\WINDOWS\system32\fbscwcks.dll
C:\WINDOWS\system32\fnxhblye.dll
C:\WINDOWS\system32\fuusggre.dll
C:\WINDOWS\system32\fymqycpt.dll
C:\WINDOWS\system32\ggyeicof.dll
C:\WINDOWS\system32\hxmkamln.dll
C:\WINDOWS\system32\idritvip.dll
C:\WINDOWS\system32\iiftbxvy.dll
C:\WINDOWS\system32\isfjdpih.dll
C:\WINDOWS\system32\jvhblhlf.dll
C:\WINDOWS\system32\jwpcbppq.dll
C:\WINDOWS\system32\ldblabkw.dll
C:\WINDOWS\system32\lpbtlgky.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mrlaaysf.dll
C:\WINDOWS\system32\nrooocao.dll
C:\WINDOWS\system32\obhssmik.dll
C:\WINDOWS\system32\ocvimuqi.dll
C:\WINDOWS\system32\ohxwdfdn.dll
C:\WINDOWS\system32\oscatdum.dll
C:\WINDOWS\system32\pgonwbcs.dll
C:\WINDOWS\system32\phtfegiv.dll
C:\WINDOWS\system32\plqgiujd.dll
C:\WINDOWS\system32\qiyymrrm.dll
C:\WINDOWS\system32\qjqntcsw.dll
C:\WINDOWS\system32\qkfsmbfi.dll
C:\WINDOWS\system32\qsqxstbt.dll
C:\WINDOWS\system32\rebttbkj.dll
C:\WINDOWS\system32\rhgywplf.dll
C:\WINDOWS\system32\rjggqway.dll
C:\WINDOWS\system32\rpmsxbrm.dll
C:\WINDOWS\system32\svnscyod.dll
C:\WINDOWS\system32\tfthvqee.dll
C:\WINDOWS\system32\tpnutqef.dll
C:\WINDOWS\system32\tpoacnmo.dll
C:\WINDOWS\system32\ubowedoe.dll
C:\WINDOWS\system32\uipixlyc.dll
C:\WINDOWS\system32\wevorsvi.dll
C:\WINDOWS\system32\wqyraayf.dll
C:\WINDOWS\system32\wvkxsacw.dll
C:\WINDOWS\system32\xnonchus.dll
C:\WINDOWS\system32\xrmpcnhi.dll
C:\WINDOWS\system32\xrqbmdls.dll
C:\WINDOWS\system32\ywlrtjfp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 07:15 . 2008-02-17 06:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-17 07:15 . 2008-02-17 07:15 3,443 --a------ C:\WINDOWS\unins000.dat
2008-02-17 06:24 . 2008-02-17 06:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Business Logic
2008-02-13 05:05 . 2008-02-13 05:05 <DIR> d-------- C:\VundoFix Backups
2008-02-12 21:28 . 2008-02-12 21:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-02-12 21:20 . 2008-02-12 21:20 <DIR> d-------- C:\Program Files\Atari
2008-01-22 18:10 . 2008-01-22 18:11 30,600 --a------ C:\WINDOWS\System32YG6U.SHD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 12:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 12:13 --------- d-----w C:\Program Files\RegistryFix
2008-02-17 11:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 03:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\HPAppData
2008-02-13 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 19:59 --------- d-----w C:\Program Files\America Online 9.0
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2006-12-02 15:45 229,704 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-05-25 14:40 5,115,704 ----a-w C:\Program Files\Firefox Setup 1.5.0.3.exe
2005-10-31 12:13 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-07-22 21:09 178 -c--a-w C:\Program Files\INSTALL.LOG
2003-07-18 19:57 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2007-11-14 19:24 426,050 --sh--w C:\WINDOWS\system32\oqtss.bak1
2007-11-13 11:13 428,175 --sh--w C:\WINDOWS\system32\oqtss.bak2
2007-07-23 09:33 1,784,709 --sh--w C:\WINDOWS\system32\oqtss.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 15:52 1298024 -ra------ C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 15:52 177768 -ra------ C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 13:44 831557 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 10:01 392832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 19:11 114688]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 13:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 13:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-22 00:28 188416]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HostManager"="C:\Program Files\Common Files\AOL\1124477354\ee\AOLHostManager.exe" [2005-08-02 14:33 159832]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-20 19:03 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-11 20:34 49152]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Dora Fairytale Adventures Registration.lnk - E:\ATR1.exe [2007-03-09 15:24:00 4943872]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-03-11 20:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrppqn]
rqrppqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqo]
C:\WINDOWS\system32\sstqo.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]
wjview /cp:p C:\Program Files\EbatesMoeMoneyMaker\System\Code Main lp: C:\Program Files\EbatesMoeMoneyMaker

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2002-05-10 00:24 1011712 C:\Program Files\ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2006-09-19 18:10 190024 C:\Program Files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MOD]
C:\Program Files\Microangelo\muamgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 09:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBHC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-05-01 11:05]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-05-10 00:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2004-06-15 08:10:00 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2003-07-21 12:00:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 12:08:33
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQuerySystemInformation

scanning hidden processes ...

C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe [1468]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1124477354\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2008-02-17 12:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 17:19:06
.
2008-02-13 10:09:53 --- E O F ---

Edited by Cygnus, 17 February 2008 - 11:43 AM.


#20
miekiemoes (Malware Expert, MVP, 5,503 posts)
To be honest, I don't really recommend ZoneAlarm either, since the latest version is quite buggy and installs an additional toolbar which is not recommended.

Look in my signature below for the Firewalls I recommend.
Make sure that the iolo firewall is uninstalled first before she installs a new one!

#21
Cygnus (Topic Starter, Member, 78 posts)
I guess you were replying when I was editing the above post. The ComboFix results are above.

#22
miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

Please also uninstall RegistryFix via Control Panel > Add/Remove Programs.

Then open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini2
Folder::
C:\VundoFix Backups
Filelook::
C:\WINDOWS\System32YG6U.SHD
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrppqn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
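A CFScript is a destructive instruction list, so it is worth a mechanical sanity check before it is handed to a user. As an added example (not from the thread and not ComboFix's own code), the Python below parses the four section headers used in the post above (File::, Folder::, Filelook::, Registry::) and rejects relative paths, deletion of system or drive-root folders, registry keys under an unknown hive, and value deletions that have no preceding key line. The protected-folder list and the rule that Registry:: lines may only be [key], [-key] or "name"=- are my own policy, not ComboFix's; the sample inputs are the script posted above plus a constructed bad one.

```python
from __future__ import annotations

import re

# Constructed sample: the CFScript posted above, copied verbatim.
POSTED_SCRIPT = r"""
File::
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini2
Folder::
C:\VundoFix Backups
Filelook::
C:\WINDOWS\System32YG6U.SHD
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrppqn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]
"""

# Constructed counter-example with four mistakes a reviewer should catch.
BAD_SCRIPT = r"""
File::
oqtss.bak1
Folder::
C:\WINDOWS\system32
Registry::
"Foo"=-
[-HKEY_BOGUS\Some\Key]
"""

SECTIONS = ("File::", "Folder::", "Filelook::", "Registry::")  # headers used in the post
CANON = {s.lower(): s for s in SECTIONS}
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS"}
# Assumed policy: folders a cleanup script must never delete outright.
PROTECTED = {r"c:\windows", r"c:\windows\system32", r"c:\program files",
             r"c:\documents and settings"}

WIN_PATH = re.compile(r"^[A-Za-z]:\\.+")
REG_KEY = re.compile(r"^\[(-?)([^\\\]]+)(\\[^\]]*)?\]$")   # [HIVE\path] or [-HIVE\path]
REG_VALUE_DEL = re.compile(r'^"[^"]+"=-$')                 # "name"=-  (delete value)


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Split a CFScript into its sections; every non-empty line must follow a header."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in CANON:
            current = CANON[line.lower()]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def check_cfscript(sections: dict[str, list[str]]) -> list[str]:
    """Return human-readable problems; an empty list means the script passed."""
    problems: list[str] = []
    for path in sections.get("File::", []) + sections.get("Folder::", []):
        if not WIN_PATH.match(path):
            problems.append(f"not an absolute Windows path: {path}")
    for folder in sections.get("Folder::", []):
        norm = folder.lower().rstrip("\\")
        if norm in PROTECTED or re.fullmatch(r"[a-z]:", norm):
            problems.append(f"refuses to delete a system or drive-root folder: {folder}")
    current_key = None
    for line in sections.get("Registry::", []):
        m = REG_KEY.match(line)
        if m:
            if m.group(2).upper() not in HIVES:
                problems.append(f"unknown registry hive: {line}")
            current_key = line
        elif REG_VALUE_DEL.match(line):
            if current_key is None:
                problems.append(f"value deletion with no preceding [key] line: {line}")
        else:
            problems.append(f'unsupported Registry:: line (expected [key], [-key] or "name"=-): {line}')
    return problems


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SCRIPT), ("bad", BAD_SCRIPT)):
        print(label, check_cfscript(parse_cfscript(text)) or "OK")
```

The posted script passes cleanly; the bad one yields four problems. Filelook:: entries are only inspected by ComboFix, not deleted, so the checker leaves them alone.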

#23
Cygnus (Topic Starter, Member, 78 posts)
While I work on the script you sent....

RegistryFix is not in the Add/Remove Programs list. I followed the path indicated by the log and it shows the folder, but it is empty, nothing hidden. Is deleting the folder good enough or are there files I need to look for somewhere?

I am thinking to use Trend Micro PC-Cillin Internet Security 2008 16.0 Build 1412

#24
miekiemoes (Malware Expert, MVP, 5,503 posts)
Yes, you may delete that folder.

I am thinking to use Trend Micro PC-Cillin Internet Security 2008 16.0 Build 1412

If you purchased it, then yes... because it's not free. Keep in mind that this security suite may cause problems on some systems, for example a huge system slowdown, and the firewall may cause some issues as well.
So in case you're having problems with it afterwards, reconsider another one.

#25
Cygnus (Topic Starter, Member, 78 posts)
If it will help, I have another gig of RAM on the way that will put system total at 1.5GB and will replace the other chips to max at 2GB next month if need be. She is not the power user that I am.

Wife using PC, will get back in a few.

#26
miekiemoes (Malware Expert, MVP, 5,503 posts)
Ok, just take your time :)

#27
Cygnus (Topic Starter, Member, 78 posts)
OK... I deleted the RegistryFix folder after the fact, but here they are:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:41 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Common Files\AOL\1124477354\ee\AOLHostManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1124477354\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124477354\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Dora Fairytale Adventures Registration.lnk = E:\ATR1.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9646 bytes

ComboFix 08-02-17.2 - Owner 2008-02-17 13:44:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.193 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 07:15 . 2008-02-17 06:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-17 07:15 . 2008-02-17 07:15 3,443 --a------ C:\WINDOWS\unins000.dat
2008-02-17 06:24 . 2008-02-17 06:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Business Logic
2008-02-12 21:28 . 2008-02-12 21:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-02-12 21:20 . 2008-02-12 21:20 <DIR> d-------- C:\Program Files\Atari
2008-01-22 18:10 . 2008-01-22 18:11 30,600 --a------ C:\WINDOWS\System32YG6U.SHD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 12:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 12:13 --------- d-----w C:\Program Files\RegistryFix
2008-02-17 11:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 03:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\HPAppData
2008-02-13 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 19:59 --------- d-----w C:\Program Files\America Online 9.0
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-12-02 15:45 229,704 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-11-09 14:28 11,446 ----a-w C:\WINDOWS\Fonts\LMSPPHats.zip
2006-11-09 14:17 100,104 ----a-w C:\WINDOWS\Fonts\4yeothanks.zip
2006-11-09 14:16 7,884 ----a-w C:\WINDOWS\Fonts\Pffall.zip
2006-05-25 14:40 5,115,704 ----a-w C:\Program Files\Firefox Setup 1.5.0.3.exe
2005-10-31 12:13 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-02-03 20:14 16,064 ----a-w C:\WINDOWS\Fonts\bloodomen.zip
2005-02-03 20:09 27,841 ----a-w C:\WINDOWS\Fonts\darkgarden.zip
2005-02-03 20:02 71,645 ----a-w C:\WINDOWS\Fonts\claw.zip
2005-01-04 23:32 29,219 ----a-w C:\WINDOWS\Fonts\clrv.zip
2005-01-04 23:29 42,865 ----a-w C:\WINDOWS\Fonts\crma.zip
2005-01-04 23:25 97,754 ----a-w C:\WINDOWS\Fonts\anfa.zip
2004-11-20 22:18 25,049 ----a-w C:\WINDOWS\Fonts\toxicwaist.zip
2004-11-20 22:17 46,678 ----a-w C:\WINDOWS\Fonts\techclastic.zip
2004-11-20 22:17 10,201 ----a-w C:\WINDOWS\Fonts\thirteenoclock.zip
2004-11-20 22:16 91,381 ----a-w C:\WINDOWS\Fonts\teazer.zip
2004-11-20 22:12 47,781 ----a-w C:\WINDOWS\Fonts\angry[bleep].zip
2004-11-20 22:11 39,447 ----a-w C:\WINDOWS\Fonts\angelica.zip
2004-11-20 22:09 17,292 ----a-w C:\WINDOWS\Fonts\abode.zip
2004-11-20 22:08 30,926 ----a-w C:\WINDOWS\Fonts\ajaxsurealfreak.zip
2003-07-22 21:09 178 -c--a-w C:\Program Files\INSTALL.LOG
2003-07-18 19:57 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 15:52 1298024 -ra------ C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 15:52 177768 -ra------ C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 13:44 831557 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 10:01 392832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 19:11 114688]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 13:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 13:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-22 00:28 188416]
"HostManager"="C:\Program Files\Common Files\AOL\1124477354\ee\AOLHostManager.exe" [2005-08-02 14:33 159832]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-20 19:03 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-11 20:34 49152]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Dora Fairytale Adventures Registration.lnk - E:\ATR1.exe [2007-03-09 15:24:00 4943872]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-03-11 20:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2002-05-10 00:24 1011712 C:\Program Files\ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2006-09-19 18:10 190024 C:\Program Files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MOD]
C:\Program Files\Microangelo\muamgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 09:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBHC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-05-01 11:05]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-05-10 00:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2004-06-15 08:10:00 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2003-07-21 12:00:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:50:07
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQuerySystemInformation

scanning hidden processes ...

C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe [1468]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-02-17 13:51:05
ComboFix-quarantined-files.txt 2008-02-17 18:51:01
ComboFix2.txt 2008-02-17 17:19:13
.
2008-02-13 10:09:53 --- E O F ---

#28 miekiemoes (Malware Expert, MVP)

Hi,

Can you look in your Combofix log present on your C:\ and tell me what exact word it says there under the
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) part.

You'll see these lines there:

2004-11-20 22:17 10,201 ----a-w C:\WINDOWS\Fonts\thirteenoclock.zip
2004-11-20 22:16 91,381 ----a-w C:\WINDOWS\Fonts\teazer.zip
2004-11-20 22:12 47,781 ----a-w C:\WINDOWS\Fonts\angry[bleep].zip <== I need to know what it says there instead of bleep
2004-11-20 22:11 39,447 ----a-w C:\WINDOWS\Fonts\angelica.zip
2004-11-20 22:09 17,292 ----a-w C:\WINDOWS\Fonts\abode.zip
2004-11-20 22:08 30,926 ----a-w C:\WINDOWS\Fonts\ajaxsurealfreak.zip

Look at the entry I made bold. It's most probably a nasty word; that's why the forum software replaces it with [bleep].
So let me know in your next reply what word it is. Use spaces in the word, for example: w o r d

Also, I see the iolo firewall and Authentium is still present. Please uninstall both.

#29 Cygnus (Topic Starter)

I have already removed Iolo... I guess I will have to delete the Authentium folder.

The missing word is b1tch

Odd.... I should not have zip files in my font folder.

I likely D/L'ed the fonts as I do a lot of graphic stuff for the web and whatnot, but I do not recall putting .zip files in there... I will see if the font is there and if so, remove the .zips

[Edit]
No .zip files, only font files and nothing hidden...

Edited by Cygnus, 17 February 2008 - 01:39 PM.
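
As an added example (not code from the thread, from ComboFix or from HijackThis), here is a small Python script that parses Find3M Report lines in the format shown in the log above and flags files in C:\WINDOWS\Fonts that do not belong there, including names the forum software munged with [bleep] so the helper knows to ask for the real name. The sample lines are constructed from the log; the list of legitimate font extensions is an assumption.

```python
"""Flag odd entries in the Find3M Report section of a ComboFix log.

Added example, not from the thread or from the ComboFix author. Each Find3M
line has the shape: <date> <time> <size or ---------> <attributes> <path>.
"""
import re
from typing import Iterator, NamedTuple, Optional

# Constructed sample, taken from the lines quoted in the thread plus a clean
# driver line and a directory line so the parser sees every shape.
SAMPLE_FIND3M = r"""
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2006-11-09 14:28 11,446 ----a-w C:\WINDOWS\Fonts\LMSPPHats.zip
2004-11-20 22:17 10,201 ----a-w C:\WINDOWS\Fonts\thirteenoclock.zip
2004-11-20 22:12 47,781 ----a-w C:\WINDOWS\Fonts\angry[bleep].zip
2003-07-18 19:57 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2008-02-17 12:13 --------- d-----w C:\Program Files\RegistryFix
"""


class Find3MEntry(NamedTuple):
    date: str
    time: str
    size: Optional[int]   # None for directories (size shown as ---------)
    attrs: str            # e.g. ----a-w; 'd' = directory, 'h' = hidden
    path: str


LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+)$")


def parse_find3m(text: str) -> Iterator[Find3MEntry]:
    """Yield one Find3MEntry per well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size_val = None if size.startswith("-") else int(size.replace(",", ""))
        yield Find3MEntry(date, time, size_val, attrs, path)


FONT_DIR = "c:\\windows\\fonts\\"
# Assumed set of file types that legitimately live in the Fonts folder.
FONT_EXTENSIONS = {".ttf", ".ttc", ".fon", ".otf", ".pfb", ".pfm"}
BLEEP_MARK = "[bleep]"


def flag_font_dir_oddities(text: str) -> dict:
    """Return {path: [reasons]} for Fonts-folder files that should not be there."""
    findings = {}
    for e in parse_find3m(text):
        low = e.path.lower()
        if not low.startswith(FONT_DIR) or e.attrs.startswith("d"):
            continue
        name = low.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        reasons = []
        if ext not in FONT_EXTENSIONS:
            reasons.append(f"non-font file type {ext or '(none)'} in the Fonts folder")
        if "h" in e.attrs:
            reasons.append("hidden attribute set")
        if BLEEP_MARK in low:
            reasons.append("name munged by the forum software; ask for the real name")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in flag_font_dir_oddities(SAMPLE_FIND3M).items():
        print(path)
        for r in reasons:
            print("   -", r)
```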

#30 miekiemoes (Malware Expert, MVP)

Ok, I'll attach the next CFScript for you, because if I post it, the word will be munged as well. :)

Attached File: CFScript.txt (536 bytes)

Download the CFScript and drag it into Combofix as you did before.

Also, don't delete the Authentium folder yet. There should be an uninstaller in add/remove programs though.
So please do the following as well.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post as well.