Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware, Trojans, PopUps [RESOLVED]


  • This topic is locked This topic is locked

#1
MelR2

MelR2

    Member

  • Member
  • PipPip
  • 20 posts
I don't know how it got to this point, but I can't get rid of these annoying popups. I ran all the tests and procedures before posting a highjack log and I'm still coming up with pop ups that are distracting, and slowing down my computer, help pleassee

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:22 AM, on 2/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\Program Files\Common Files\AOL\1128345755\ee\AOLServiceHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\System32\pcntplwb.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.

bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo

.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: {fde5f5f6-6c5c-c71b-efd4-5ac1d0412591} - {1952140d-1ca5-4dfe-b17c-c5c66f5f5

edf} - C:\WINDOWS\System32\rvridyok.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1

\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program

Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AB749044-085B-4027-82F1-3F3F3AFEA2D8} - C:\WINDOWS\System32

\sstts.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32

\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program

Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1

\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx

.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.

exe"
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.

exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128345755

\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec

Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.

exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert

Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P

HelpCenter
O4 - HKLM\..\Run: [Workflow] E:\installs\Workflow.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5

\avgas.exe" /minimized
O4 - HKLM\..\Run: [{E9-91-11-1A-DW}] C:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pcntplwb.exe DWram
O4 - HKLM\..\Run: [5cde91b5] rundll32.exe "C:\WINDOWS\System32\suwuajeo.dll",b
O4 - HKLM\..\Run: [BM5feda229] Rundll32.exe "C:\WINDOWS\System32\rqxchetk.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1

\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware

.exe
O4 - HKCU\..\Run: [Kopzmag] C:\WINDOWS\system32\?dobe\s?ool32.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony

Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntplwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.

0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2f...menusearch.html?

p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1

\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program

Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program

Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program

Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI

1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:

\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bellsouth.net/

sdccommon/download/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://

lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http

://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: evovbhsl - evovbhsl.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx

.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:

\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program

Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:

\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation -

C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1

\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:

\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\My Pictures\untitled.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\My Pictures\tomw3.bmp
O24 - Desktop Component 10: (no name) - http://myspace-155.v...et/00190/55/12/

190522155_l.jpg
O24 - Desktop Component 11: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\Melly's\icons\pictures\thuglife.JPG
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\Melly's\icons\emoicons\th_2csdwjr.gif
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\My Pictures\cartoon1.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\My Pictures\da3.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\Mellys\My Pictures\stars.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\Mellys\My Pictures\bubbles.gif
O24 - Desktop Component 6: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\Mellys\My Pictures\tink2.gif
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\Mellys\mierda\OMG.bmp
O24 - Desktop Component 8: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\Mellys\mierda\bubbles.gif
O24 - Desktop Component 9: (no name) - C:\Documents and Settings\Melinda Roman\My

Documents\peace.JPG

--
End of file - 11911 bytes
  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there. First could I ask you to ensure that wordwrap is not checked in notepad when you post any log as it makes it difficult to read

So to begin

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: {fde5f5f6-6c5c-c71b-efd4-5ac1d0412591} - {1952140d-1ca5-4dfe-b17c-c5c66f5f5edf} - C:\WINDOWS\System32\rvridyok.dll
O4 - HKLM\..\Run: [{E9-91-11-1A-DW}] C:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pcntplwb.exe DWram
O4 - HKLM\..\Run: [5cde91b5] rundll32.exe "C:\WINDOWS\System32\suwuajeo.dll",b
O4 - HKLM\..\Run: [BM5feda229] Rundll32.exe "C:\WINDOWS\System32\rqxchetk.dll",s
O4 - HKCU\..\Run: [Kopzmag] C:\WINDOWS\system32\?dobe\s?ool32.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntplwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O20 - Winlogon Notify: evovbhsl - evovbhsl.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\windows\system32\rwwnw64d.exe
    C:\WINDOWS\System32\pcntplwb.exe
    C:\WINDOWS\System32\rvridyok.dll
    C:\WINDOWS\System32\suwuajeo.dll
    C:\WINDOWS\System32\rqxchetk.dll
    C:\Program Files\JavaCore
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix
  • 0

#3
MelR2

MelR2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ok, i did the move it first, and then the combo but the combo logged me off before i had a chance to save the move it. so i did it again and pasted after the computer was rebooted.


File/Folder C:\windows\system32\rwwnw64d.exe not found.
File/Folder C:\WINDOWS\System32\pcntplwb.exe not found.
File/Folder C:\WINDOWS\System32\rvridyok.dll not found.
File/Folder C:\WINDOWS\System32\suwuajeo.dll not found.
File/Folder C:\WINDOWS\System32\rqxchetk.dll not found.
File/Folder C:\Program Files\JavaCore not found.
[Custom Input]
< Purity >

OTMoveIt2 v1.0.20 log created on 03012008_151517





ComboFix 08-03-01 - Melinda Roman 2008-02-29 14:34:16.3 - NTFSx86
Running from: C:\Documents and Settings\Melinda Roman\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Melinda Roman\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Melinda Roman\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Melinda Roman\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b152.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\c2
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\c4\np89104.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tdii.sys
C:\WINDOWS\system32\evovbhsl.dllbox
C:\WINDOWS\system32\fkjitpxm.dll
C:\WINDOWS\system32\mdfnnphf.ini
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\oejauwus.ini
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\r2\renabcom4.exe
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\s7\gbsu011.exe
C:\WINDOWS\system32\scgyfxrm.dll
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\urqrsst.dll
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\x3
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_TDII
-------\tdii


((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-03-01 15:01 . 2008-03-01 15:01 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-01 14:34 . 2008-03-01 14:34 1,241,088 --a------ C:\WINDOWS\system32\oejauwus.tmp
2008-02-29 14:24 . 2008-02-29 14:24 <DIR> d-------- C:\_OTMoveIt
2008-02-29 08:38 . 2008-02-29 08:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 00:06 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-28 22:11 . 2008-02-28 22:11 26,048 --a------ C:\WINDOWS\system32\urqpmmj.dll
2008-02-28 14:08 . 2008-02-29 08:46 21 --a------ C:\WINDOWS\pskt.ini
2008-02-28 14:05 . 2008-02-28 14:05 49,174 --a------ C:\WINDOWS\system32\kownw64p.exe
2008-02-28 13:51 . 2008-02-29 01:43 <DIR> d-------- C:\WINDOWS\system32\iDlo01
2008-02-28 13:51 . 2008-02-28 13:51 <DIR> d-------- C:\temp\sanR24
2008-02-28 13:51 . 2008-02-28 13:51 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-20 15:09 . 2008-02-20 15:09 0 --a------ C:\WINDOWS\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 13:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 06:28 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-29 06:28 --------- d-----w C:\Program Files\QuickTime
2008-02-29 06:28 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-29 06:25 --------- d-----w C:\Program Files\Lexmark 2200 Series
2008-02-29 06:24 --------- d-----w C:\Program Files\iTunes
2008-02-29 06:22 --------- d-----w C:\Program Files\dvd43
2008-02-29 06:21 --------- d-----w C:\Program Files\blstoolbar
2008-02-29 06:21 --------- d-----w C:\Program Files\BigFix
2006-12-16 20:09 9,055 ----a-w C:\Program Files\hijackthis.log
2006-12-16 20:08 218,112 ----a-w C:\Program Files\HijackThis.exe
2003-01-04 01:30 32 --sha-w C:\WINDOWS\{58AB95BA-30FC-4911-ABF6-5C102DD5084A}.dat
2007-08-24 06:29 1,600,217 --sh--w C:\WINDOWS\system32\xybeg.bak2
2003-01-04 01:30 32 --sha-w C:\WINDOWS\system32\{86076D48-0C9C-4BDA-B6F1-352360A61506}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB749044-085B-4027-82F1-3F3F3AFEA2D8}]
C:\WINDOWS\System32\sstts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 15:04 196608]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-16 20:02 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 23:10 335872]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 18:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 18:11 58392]
"showicon2k"="C:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [2003-07-04 12:55 135168]
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 08:08 57344]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-10-07 00:41 100056]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2005-02-18 00:44 784896]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-04-23 05:49 1298554]
"HostManager"="C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe" [2005-08-02 14:33 159832]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 19:59 218240]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 17:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-26 19:01 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 05:03 49263]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe" [2006-01-10 19:56 1896448]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-01-03 19:17 26112]
"HelpCenter"="C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe" [2006-10-30 11:00 192512]
"Workflow"="E:\installs\Workflow.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"BM5feda229"="C:\WINDOWS\System32\rqxchetk.dll" [ ]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\untitled.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\tomw3.bmp
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\11]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\pictures\thuglife.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\12]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\emoicons\th_2csdwjr.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\cartoon1.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\da3.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\stars.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\bubbles.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\6]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\tink2.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\OMG.bmp
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\8]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\bubbles.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\9]
Source= C:\Documents and Settings\Melinda Roman\My Documents\peace.JPG
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-07-16 20:02 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:00:22 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-29 17:18:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 15:10:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-01 15:13:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-01 20:13:10
ComboFix2.txt 2007-09-17 12:17:13
.
2008-03-01 20:01:12 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:12 PM, on 3/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AB749044-085B-4027-82F1-3F3F3AFEA2D8} - C:\WINDOWS\System32\sstts.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [Workflow] E:\installs\Workflow.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM5feda229] Rundll32.exe "C:\WINDOWS\System32\rqxchetk.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bel...oad/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\untitled.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\tomw3.bmp
O24 - Desktop Component 10: (no name) - http://myspace-155.v...190522155_l.jpg
O24 - Desktop Component 11: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\pictures\thuglife.JPG
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\emoicons\th_2csdwjr.gif
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\cartoon1.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\da3.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\stars.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\bubbles.gif
O24 - Desktop Component 6: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\tink2.gif
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\OMG.bmp
O24 - Desktop Component 8: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\bubbles.gif
O24 - Desktop Component 9: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\peace.JPG

--
End of file - 9931 bytes
  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Still a few to clear yet but getting there :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\oejauwus.tmp
C:\WINDOWS\system32\urqpmmj.dll
C:\WINDOWS\system32\kownw64p.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\ativpsrm.bin
C:\WINDOWS\{58AB95BA-30FC-4911-ABF6-5C102DD5084A}.dat
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\{86076D48-0C9C-4BDA-B6F1-352360A61506}.dat
C:\WINDOWS\System32\sstts.dll
C:\WINDOWS\System32\rqxchetk.dll

Folder::
C:\WINDOWS\system32\iDlo01
C:\temp\sanR24

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB749044-085B-4027-82F1-3F3F3AFEA2D8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM5feda229"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
MelR2

MelR2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ComboFix 08-03-01 - Melinda Roman 2008-03-01 17:29:13.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.239 [GMT -5:00]
Running from: C:\Documents and Settings\Melinda Roman\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\Melinda Roman\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-03-01 15:01 . 2008-03-01 15:01 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-01 14:34 . 2008-03-01 14:34 1,241,088 --a------ C:\WINDOWS\system32\oejauwus.tmp
2008-02-29 14:24 . 2008-02-29 14:24 <DIR> d-------- C:\_OTMoveIt
2008-02-29 08:38 . 2008-02-29 08:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 00:06 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-28 22:11 . 2008-02-28 22:11 26,048 --a------ C:\WINDOWS\system32\urqpmmj.dll
2008-02-28 14:08 . 2008-02-29 08:46 21 --a------ C:\WINDOWS\pskt.ini
2008-02-28 14:05 . 2008-02-28 14:05 49,174 --a------ C:\WINDOWS\system32\kownw64p.exe
2008-02-28 13:51 . 2008-02-29 01:43 <DIR> d-------- C:\WINDOWS\system32\iDlo01
2008-02-28 13:51 . 2008-02-28 13:51 <DIR> d-------- C:\temp\sanR24
2008-02-28 13:51 . 2008-02-28 13:51 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-20 15:09 . 2008-02-20 15:09 0 --a------ C:\WINDOWS\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 13:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 06:28 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-29 06:28 --------- d-----w C:\Program Files\QuickTime
2008-02-29 06:28 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-29 06:25 --------- d-----w C:\Program Files\Lexmark 2200 Series
2008-02-29 06:24 --------- d-----w C:\Program Files\iTunes
2008-02-29 06:22 --------- d-----w C:\Program Files\dvd43
2008-02-29 06:21 --------- d-----w C:\Program Files\blstoolbar
2008-02-29 06:21 --------- d-----w C:\Program Files\BigFix
2006-12-16 20:09 9,055 ----a-w C:\Program Files\hijackthis.log
2006-12-16 20:08 218,112 ----a-w C:\Program Files\HijackThis.exe
2003-01-04 01:30 32 --sha-w C:\WINDOWS\{58AB95BA-30FC-4911-ABF6-5C102DD5084A}.dat
2007-08-24 06:29 1,600,217 --sh--w C:\WINDOWS\system32\xybeg.bak2
2003-01-04 01:30 32 --sha-w C:\WINDOWS\system32\{86076D48-0C9C-4BDA-B6F1-352360A61506}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB749044-085B-4027-82F1-3F3F3AFEA2D8}]
C:\WINDOWS\System32\sstts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 15:04 196608]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-16 20:02 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 23:10 335872]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 18:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 18:11 58392]
"showicon2k"="C:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [2003-07-04 12:55 135168]
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 08:08 57344]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-10-07 00:41 100056]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2005-02-18 00:44 784896]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-04-23 05:49 1298554]
"HostManager"="C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe" [2005-08-02 14:33 159832]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 19:59 218240]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 17:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-26 19:01 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 05:03 49263]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe" [2006-01-10 19:56 1896448]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-01-03 19:17 26112]
"HelpCenter"="C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe" [2006-10-30 11:00 192512]
"Workflow"="E:\installs\Workflow.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"BM5feda229"="C:\WINDOWS\System32\rqxchetk.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2003-01-03 20:31:01 1742384]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-08-22 02:11:13 106560]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\untitled.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\tomw3.bmp
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\11]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\pictures\thuglife.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\12]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\emoicons\th_2csdwjr.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\cartoon1.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\da3.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\stars.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\bubbles.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\6]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\tink2.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\OMG.bmp
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\8]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\bubbles.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\9]
Source= C:\Documents and Settings\Melinda Roman\My Documents\peace.JPG
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-07-16 20:02 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido\security suite\guard.sys [2004-11-22 09:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:00:22 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-03-01 21:18:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 17:30:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 17:31:07
ComboFix-quarantined-files.txt 2008-03-01 22:30:59
ComboFix2.txt 2008-03-01 20:13:14
ComboFix3.txt 2007-09-17 12:17:13
.
2008-03-01 20:01:12 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:25 PM, on 3/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AB749044-085B-4027-82F1-3F3F3AFEA2D8} - C:\WINDOWS\System32\sstts.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [Workflow] E:\installs\Workflow.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM5feda229] Rundll32.exe "C:\WINDOWS\System32\rqxchetk.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bel...oad/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\untitled.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\tomw3.bmp
O24 - Desktop Component 10: (no name) - http://myspace-155.v...190522155_l.jpg
O24 - Desktop Component 11: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\pictures\thuglife.JPG
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\emoicons\th_2csdwjr.gif
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\cartoon1.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\da3.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\stars.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\bubbles.gif
O24 - Desktop Component 6: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\tink2.gif
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\OMG.bmp
O24 - Desktop Component 8: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\bubbles.gif
O24 - Desktop Component 9: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\peace.JPG

--
End of file - 9931 bytes
  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Can you confirm that is the right combofix log and that you did drag and drop the cfscript as all the files are still there
  • 0

#7
MelR2

MelR2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
yes, and just in case i did it again

ComboFix 08-03-01 - Melinda Roman 2008-03-01 18:52:25.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.222 [GMT -5:00]
Running from: C:\Documents and Settings\Melinda Roman\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\Melinda Roman\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-03-01 18:51 . 2008-03-01 18:51 0 --a------ C:\Documents and Settings\Melinda Roman\.exe
2008-03-01 15:01 . 2008-03-01 15:01 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-01 14:34 . 2008-03-01 14:34 1,241,088 --a------ C:\WINDOWS\system32\oejauwus.tmp
2008-02-29 14:24 . 2008-02-29 14:24 <DIR> d-------- C:\_OTMoveIt
2008-02-29 08:38 . 2008-02-29 08:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 00:06 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-28 22:11 . 2008-02-28 22:11 26,048 --a------ C:\WINDOWS\system32\urqpmmj.dll
2008-02-28 14:08 . 2008-02-29 08:46 21 --a------ C:\WINDOWS\pskt.ini
2008-02-28 14:05 . 2008-02-28 14:05 49,174 --a------ C:\WINDOWS\system32\kownw64p.exe
2008-02-28 13:51 . 2008-02-29 01:43 <DIR> d-------- C:\WINDOWS\system32\iDlo01
2008-02-28 13:51 . 2008-02-28 13:51 <DIR> d-------- C:\temp\sanR24
2008-02-28 13:51 . 2008-02-28 13:51 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-20 15:09 . 2008-02-20 15:09 0 --a------ C:\WINDOWS\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 23:51 0 ----a-w C:\Documents and Settings\Melinda Roman\.exe
2008-02-29 13:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 06:28 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-29 06:28 --------- d-----w C:\Program Files\QuickTime
2008-02-29 06:28 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-29 06:25 --------- d-----w C:\Program Files\Lexmark 2200 Series
2008-02-29 06:24 --------- d-----w C:\Program Files\iTunes
2008-02-29 06:22 --------- d-----w C:\Program Files\dvd43
2008-02-29 06:21 --------- d-----w C:\Program Files\blstoolbar
2008-02-29 06:21 --------- d-----w C:\Program Files\BigFix
2006-12-16 20:09 9,055 ----a-w C:\Program Files\hijackthis.log
2006-12-16 20:08 218,112 ----a-w C:\Program Files\HijackThis.exe
2003-01-04 01:30 32 --sha-w C:\WINDOWS\{58AB95BA-30FC-4911-ABF6-5C102DD5084A}.dat
2007-08-24 06:29 1,600,217 --sh--w C:\WINDOWS\system32\xybeg.bak2
2003-01-04 01:30 32 --sha-w C:\WINDOWS\system32\{86076D48-0C9C-4BDA-B6F1-352360A61506}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB749044-085B-4027-82F1-3F3F3AFEA2D8}]
C:\WINDOWS\System32\sstts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 15:04 196608]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-16 20:02 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 23:10 335872]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 18:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 18:11 58392]
"showicon2k"="C:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [2003-07-04 12:55 135168]
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 08:08 57344]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-10-07 00:41 100056]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2005-02-18 00:44 784896]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-04-23 05:49 1298554]
"HostManager"="C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe" [2005-08-02 14:33 159832]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 19:59 218240]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 17:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-26 19:01 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 05:03 49263]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe" [2006-01-10 19:56 1896448]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-01-03 19:17 26112]
"HelpCenter"="C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe" [2006-10-30 11:00 192512]
"Workflow"="E:\installs\Workflow.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"BM5feda229"="C:\WINDOWS\System32\rqxchetk.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2003-01-03 20:31:01 1742384]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-08-22 02:11:13 106560]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\untitled.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\tomw3.bmp
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\11]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\pictures\thuglife.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\12]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\emoicons\th_2csdwjr.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\cartoon1.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\da3.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\stars.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\bubbles.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\6]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\tink2.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\OMG.bmp
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\8]
Source= C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\bubbles.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\9]
Source= C:\Documents and Settings\Melinda Roman\My Documents\peace.JPG
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-07-16 20:02 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido\security suite\guard.sys [2004-11-22 09:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:00:22 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-03-01 21:18:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 18:53:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 18:53:31
ComboFix-quarantined-files.txt 2008-03-01 23:53:23
ComboFix2.txt 2008-03-01 22:31:08
ComboFix3.txt 2008-03-01 20:13:14
ComboFix4.txt 2007-09-17 12:17:13
.
2008-03-01 20:01:12 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:45 PM, on 3/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {AB749044-085B-4027-82F1-3F3F3AFEA2D8} - C:\WINDOWS\System32\sstts.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [Workflow] E:\installs\Workflow.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM5feda229] Rundll32.exe "C:\WINDOWS\System32\rqxchetk.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bel...oad/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\untitled.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\tomw3.bmp
O24 - Desktop Component 10: (no name) - http://myspace-155.v...190522155_l.jpg
O24 - Desktop Component 11: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\pictures\thuglife.JPG
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\emoicons\th_2csdwjr.gif
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\cartoon1.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\da3.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\stars.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\bubbles.gif
O24 - Desktop Component 6: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\tink2.gif
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\OMG.bmp
O24 - Desktop Component 8: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\bubbles.gif
O24 - Desktop Component 9: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\peace.JPG

--
End of file - 9931 bytes
  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK more than one way to skin a cat :)

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\oejauwus.tmp
    C:\WINDOWS\system32\urqpmmj.dll
    C:\WINDOWS\system32\kownw64p.exe
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\mrofinu572.exe.tmp
    C:\WINDOWS\ativpsrm.bin
    C:\WINDOWS\{58AB95BA-30FC-4911-ABF6-5C102DD5084A}.dat
    C:\WINDOWS\system32\xybeg.bak2
    C:\WINDOWS\system32\{86076D48-0C9C-4BDA-B6F1-352360A61506}.dat
    C:\WINDOWS\System32\sstts.dll
    C:\WINDOWS\System32\rqxchetk.dll
    C:\WINDOWS\system32\iDlo01
    C:\temp\sanR24
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#9
MelR2

MelR2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
C:\WINDOWS\system32\oejauwus.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\urqpmmj.dll
C:\WINDOWS\system32\urqpmmj.dll NOT unregistered.
C:\WINDOWS\system32\urqpmmj.dll moved successfully.
C:\WINDOWS\system32\kownw64p.exe moved successfully.
C:\WINDOWS\pskt.ini moved successfully.
C:\WINDOWS\mrofinu572.exe.tmp moved successfully.
C:\WINDOWS\ativpsrm.bin moved successfully.
C:\WINDOWS\{58AB95BA-30FC-4911-ABF6-5C102DD5084A}.dat moved successfully.
C:\WINDOWS\system32\xybeg.bak2 moved successfully.
C:\WINDOWS\system32\{86076D48-0C9C-4BDA-B6F1-352360A61506}.dat moved successfully.
File/Folder C:\WINDOWS\System32\sstts.dll not found.
File/Folder C:\WINDOWS\System32\rqxchetk.dll not found.
C:\WINDOWS\system32\iDlo01 moved successfully.
C:\temp\sanR24 moved successfully.

OTMoveIt2 v1.0.20 log created on 03022008_140327

Attached Files


  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
A quick run with Winpfind and then we shall see how your system is running now

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> BM5feda229 -> %SystemRoot%\System32\rqxchetk.DLL
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {AB749044-085B-4027-82F1-3F3F3AFEA2D8} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\sstts.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YY -> {231F6FAB-ECED-4975-9EF2-C0C7BC81927B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\ISM\BndDrive.dll [Internet Speed Monitor]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YY -> {231F6FAB-ECED-4975-9EF2-C0C7BC81927B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\ISM\BndDrive.dll [Internet Speed Monitor]
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-1214970204-3266471654-2512236806-1006\] > -> HKEY_USERS\S-1-5-21-1214970204-3266471654-2512236806-1006\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YY -> {231F6FAB-ECED-4975-9EF2-C0C7BC81927B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\ISM\BndDrive.dll [Internet Speed Monitor]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
YY -> .exe -> %UserProfile%\Desktop\.exe
[Files/Folders - Modified Within 90 days]
YY -> 43ef6b9552b2f49dbd9145f8 -> %SystemDrive%\43ef6b9552b2f49dbd9145f8
YY -> SnVhbiBSb21hbg -> %SystemRoot%\SnVhbiBSb21hbg
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

Advertisements


#11
MelR2

MelR2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ok so i did it twice, and both times it asked to reboot my computer and there was never a log that popped up that i could copy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:10 PM, on 3/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1128345755\ee\AOLServiceHost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128345755\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [Workflow] E:\installs\Workflow.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bel...oad/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\untitled.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\tomw3.bmp
O24 - Desktop Component 10: (no name) - http://myspace-155.v...190522155_l.jpg
O24 - Desktop Component 11: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\pictures\thuglife.JPG
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Melly's\icons\emoicons\th_2csdwjr.gif
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\cartoon1.gif
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\My Pictures\da3.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\stars.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\bubbles.gif
O24 - Desktop Component 6: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\My Pictures\tink2.gif
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\OMG.bmp
O24 - Desktop Component 8: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\Mellys\mierda\bubbles.gif
O24 - Desktop Component 9: (no name) - C:\Documents and Settings\Melinda Roman\My Documents\peace.JPG

--
End of file - 11008 bytes
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
It looks to have worked - How is your system now ?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4 and save it to your desktop.
  • Scroll down to where it says "JJava Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

  • 0

#13
MelR2

MelR2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
its alot better now, no pop ups or anything, thank you so much, i really appreciate all of your help
  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Now the best part of the day ----- Your log now appears clean :)

Double click OTMoveIt once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself



Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#15
MelR2

MelR2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
thanks again :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP