post-Outerinfo pop-ups-removal checkup of HiJackThis, SAS, ComboFix, a


  • This topic is locked This topic is locked

#1 shippouchan (Member, 21 posts)

Hello! I was afflicted with the Outerinfo pop-ups (they kept popping up in IE while I only use Firefox, so it was really obvious), and I followed all directions on the following pages before posting this entry:
1. http://www.geekstogo...IN-t134763.html
2. http://www.geekstogo...-Log-t2852.html

For some reason, the Panda ActiveScan does not seem to want to cooperate with my computer, so I have left it blank.

Here are my logfiles of the various scans, so if someone could take a looksee and tell me what crap I need to get rid of on my computer, it would be greatly appreciated!! Thanks so much in advance!



-----

HIJACKTHIS LOG (from 4.13.08)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:03 AM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\tmps\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Owner/Desktop/homepage2/links.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\h5gszwhx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\h5gszwhx.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DFC9CF82-DC62-4F3E-A5D4-5AA200F6CB34} - C:\WINDOWS\system32\urqoOiIy.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB003" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Planex Wireless Utility.lnk = C:\Program Files\Planex\Common\RaUI.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.usmd.edu/...er/tdserver.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {41649A90-B484-11D1-8D75-00C04FC24EE6} (WebEQ Browser Controls) - http://phga.pearsonc...ebEQInstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors...ocx/plotwon.ocx
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.log...1/bin/imvid.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 11106 bytes

-----

HIJACKTHIS UNINSTALL LIST
ABBYY FineReader 5.0 Sprint Plus
Ad-aware 6 Personal
Ad-aware 6 Professional
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Illustrator 10
Adobe InDesign CS
Adobe Photoshop 6.0
Adobe Photoshop 7.0
Adobe Reader 6.0
Adobe SVG Viewer 3.0
Advanced WMA Workshop version 2.01
AnswerWorks Runtime
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
BlasterBall Wild from Compaq (remove only)
Bonjour
Canon Camera Window for ZoomBrowser EX
Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver
Canon PhotoRecord
Canon Utilities FileViewerUtility 1.0
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.6
Canon Utilities ZoomBrowser EX
Compaq Connections
Corel Applications
Dark Orbit from Compaq (remove only)
DC++ 0.681
DeadAIM
Disc2Phone
Disney`s Lilo and Stitch Pinball from Compaq (remove only)
DivX Content Uploader
DivX Player
DivX Pro Codec Adware
DivX Web Player
Easy CD Creator 5 Platinum
easy Internet sign-up
Enhanced Multimedia Keyboard Solution
EPSON Copy Utility
EPSON EIC CX5400
EPSON Photo Print
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
Excavation from Compaq (remove only)
Flash File Recovery v1.5
Free iPod Video Converter 1.26
GemMaster 3 from Compaq (remove only)
GiPo@MoveOnBoot 1.9.5
GOM Player
GunBound
Gunbound Revolution
HijackThis 2.0.2
hp deskjet 3820 series (Remove only)
HP Deskjet printer preloaded drivers
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
Instant Support
Intel® Extreme Graphics 2 Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iolo technologies' Search and Recover 3
iPod for Windows 2005-02-22
iPod for Windows 2005-09-06
iScrobbler
iTunes
Java 2 Runtime Environment, SE v1.4.1_01
Java Web Start
K-Lite Codec Pack 2.20 Full
Last.fm Player 1.0.4
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Mathathon
MaxBlast 3
Men In Black II CROSSFIRE from Compaq (remove only)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office XP Standard for Students and Teachers
Microsoft Windows Journal Viewer
Microsoft Works 7.0
Move Networks Player for Firefox
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
Nero 6 Ultra Edition
Netscape (7.1)
Netscape Browser (remove only)
NJStar Chinese Word Processor
Norton AntiVirus 2003
NVIDIA Windows 2000/XP Display Drivers
OmniPass
Opera
overland
Paint Shop Pro 6.0 (ESD)
Panda ActiveScan 2.0
PC Inspector smart recovery
PC-Doctor for Windows
PCI GW-US54Mini2
Photo Loader 3.0E
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
QuickTime
Ragnarok Online
Ragnarok Sakray Pack
RealPlayer
RecordNow
RingMaster from Compaq (remove only)
S3Display
S3Gamma2
S3Info2
S3Overlay
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Semagic (remove only)
Shockwave
ShowBiz DVD
Shutterfly Plugin
Simple Installer - Multilanguage Version
Skype 1.1
SnadBoy's Revelation v2
Snowboard Extreme from Compaq (remove only)
Sonic Update Manager
Sony Ericsson PC Suite 1.10.21
Space Rocks from Compaq (remove only)
SpamSubtract
Starcraft
StepMania (remove only)
SUPERAntiSpyware Free Edition
SuperjoyBox Game Controller Version 3.0
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VAIOSoft Recovery Manager
Viewpoint Media Player
Virtual Warfare from Compaq (remove only)
VobSub v2.23 (Remove Only)
VPN Client
Wacom Tablet
WeatherBug
WebEQ Browser Controls
Weblink
WildTangent GameChannel (remove only)
Winamp
WindowBlinds
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WordPerfect Office 2002 Trial
WordPerfect Office 2002 Trial
XviD-1.0-RC1 Video Codec 25012004 (Koepi's developer build)
Yahoo! Companion
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Zoomquilt Screensaver

-----

SAS SCAN LOG

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/11/2008 at 05:12 AM

Application Version : 4.0.1154

Core Rules Database Version : 3436
Trace Rules Database Version: 1428

Scan type : Complete Scan
Total Scan Time : 03:14:54

Memory items scanned : 594
Memory threats detected : 7
Registry items scanned : 6526
Registry threats detected : 84
File items scanned : 200909
File threats detected : 340

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\SSQNGYPG.DLL
C:\WINDOWS\SYSTEM32\SSQNGYPG.DLL
C:\WINDOWS\SYSTEM32\OPNKHHBY.DLL
C:\WINDOWS\SYSTEM32\OPNKHHBY.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ssqNGYPG

Adware.Adservs
C:\WINDOWS\IA\ASAPPSRV.DLL
C:\WINDOWS\IA\ASAPPSRV.DLL
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\SYSTEM32\EXTMP\BMV35GUI.EXE

Trojan.Downloader-SVCHost/Fake
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\SVCHOST.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\SVCHOST.EXE

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\URQOOIIY.DLL
C:\WINDOWS\SYSTEM32\URQOOIIY.DLL

Trojan.NetMon/DNSChange
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#ActiveService
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
C:\Program Files\Network Monitor
C:\WINDOWS\Prefetch\NETMON.EXE-132C1012.pf

Unclassified.Unknown Origin
C:\WINDOWS\IA\COMMAND.EXE
C:\WINDOWS\IA\COMMAND.EXE
C:\WINDOWS\Prefetch\COMMAND.EXE-2109946C.pf

Trojan.Downloader-Gen/MROFIN
[runner1] C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU572.EXE.TMP

Trojan.Unclassified/BrowserDriver
[{CD-DD-DC-C1-DW}] C:\WINDOWS\SYSTEM32\PINZ1\CEGMGR76.EXE
C:\WINDOWS\SYSTEM32\PINZ1\CEGMGR76.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{24E9519B-3F70-429B-99BC-4B2B49B96F66}
HKCR\CLSID\{24E9519B-3F70-429B-99BC-4B2B49B96F66}
HKCR\CLSID\{24E9519B-3F70-429B-99BC-4B2B49B96F66}\InprocServer32
HKCR\CLSID\{24E9519B-3F70-429B-99BC-4B2B49B96F66}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{24E9519B-3F70-429B-99BC-4B2B49B96F66}
HKCR\CLSID\{24E9519B-3F70-429B-99BC-4B2B49B96F66}

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{529E80D3-C0E3-4AC7-8C58-C4C322A0171B}
HKCR\CLSID\{529E80D3-C0E3-4AC7-8C58-C4C322A0171B}
HKCR\CLSID\{529E80D3-C0E3-4AC7-8C58-C4C322A0171B}\InprocServer32
HKCR\CLSID\{529E80D3-C0E3-4AC7-8C58-C4C322A0171B}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@insightexpress[2].txt
C:\Documents and Settings\Owner\Cookies\owner@pro-market[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficgate[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@dcswf5cldoifwz3g60guj0xa5_7m4v[1].txt
C:\Documents and Settings\Owner\Cookies\owner@web-stat[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@kanoodle[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@keywordmax[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad-rag[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@metareward[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@partypoker[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[4].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@qnsr[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@adlegend[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@linksynergy[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@banner[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@adinterax[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adnetserver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@S150194[1].txt
C:\Documents and Settings\Owner\Cookies\owner@S130520[2].txt
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@74613876[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@clickability[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@adknowledge[1].txt
C:\Documents and Settings\Owner\Cookies\owner@gostats[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@clickomania[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bfast[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@specificpop[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@exitexchange[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@S152071[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@mb[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@288_[2].txt
C:\Documents and Settings\Owner\Cookies\owner@roiservice[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@adecn[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@bannerspace[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@falkag[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@insightexpressai[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad[3].txt
C:\Documents and Settings\Owner\Cookies\owner@cancerbacup[1].txt
C:\Documents and Settings\Owner\Cookies\owner@partner2profit[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt
C:\Documents and Settings\Owner\Cookies\owner@rightmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bizrate[2].txt
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@easy-hit-counters[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@avsystemcare[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@24218[1].txt
C:\Documents and Settings\Owner\Cookies\owner@antispywaremaster[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ex=5_[2].txt
C:\Documents and Settings\Owner\Cookies\owner@288_[3].txt
C:\Documents and Settings\Owner\Cookies\owner@trustedantivirus[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@accounts[1].txt
C:\Documents and Settings\Owner\Cookies\owner@accounts[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@accounts[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@accounts[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adlegend[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[3].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adserver[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@banner[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@bfast[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@bizrate[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@bluestreak[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@burstnet[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@easy-hit-counters[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@falkag[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@fastclick[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@insightexpressai[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@kanoodle[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@keywordmax[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@linksynergy[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@maxserving[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@nextag[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@overture[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@qksrv[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@qnsr[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@realmedia[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@roiservice[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@serving-sys[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@statcounter[1].tx
  • 0

#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\h5gszwhx.slt\prefs.js)
O2 - BHO: (no name) - {DFC9CF82-DC62-4F3E-A5D4-5AA200F6CB34} - C:\WINDOWS\system32\urqoOiIy.dll (file missing)


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0
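As an added example (not code from this thread or from HijackThis itself), a small Python triage helper that applies the reasoning behind the fix list above to raw HijackThis lines: it parses the entry type, flags R1 search/start URLs pointing outside an assumed allowlist of search hosts, N3 default-search prefs redirected to a local plugin file, and O2 BHOs whose DLL is missing. The allowlist and the heuristics are assumptions; the sample log mixes lines from the post above with constructed benign entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Added example, not part of the thread. Allowlist and heuristics are assumptions.

# Every HijackThis line is "<kind> - <body>", e.g. "R1 - ...", "O2 - BHO: ...".
HJT_ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Search hosts the analyst accepts as legitimate (constructed allowlist).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "search.yahoo.com"}


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def _host(url: str) -> Optional[str]:
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the HijackThis entry deserves a closer look, else None."""
    line = line.strip()
    m = HJT_ENTRY.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "R1":
        # R1 = IE start/search registry value. Anything outside the allowlist is a
        # candidate hijack; an OEM search redirect like the one in the log lands here too.
        _, _, value = body.rpartition(" = ")
        host = _host(value)
        if host and host not in TRUSTED_SEARCH_HOSTS:
            return Finding(kind, f"IE search/start URL set to untrusted host {host}", line)

    elif kind == "N3":
        # N3 = Netscape/Mozilla prefs.js entry. Flag a default search engine that is
        # served from a local .src plugin file instead of a remote provider.
        pm = re.search(r'user_pref\("browser\.search\.defaultengine",\s*"([^"]+)"\)', body)
        if pm and pm.group(1).startswith("engine://"):
            local = unquote(pm.group(1)[len("engine://"):])
            return Finding(kind, f"default search engine redirected to local plugin {local}", line)

    elif kind == "O2":
        # O2 = Browser Helper Object. A registered BHO whose DLL is gone is an orphaned
        # hook left by a partial removal; a nameless BHO living in system32 is worth a look.
        if body.endswith("(file missing)"):
            return Finding(kind, "BHO registered but its DLL is missing (orphaned hook)", line)
        if body.startswith("BHO: (no name)") and "\\system32\\" in body.lower():
            return Finding(kind, "unnamed BHO loaded from system32", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in map(triage_line, text.splitlines()) if f]


# Constructed sample: three lines from the post above plus two benign entries
# (the Acrobat BHO line and its GUID are placeholders, not from the log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\h5gszwhx.slt\prefs.js)
O2 - BHO: (no name) - {DFC9CF82-DC62-4F3E-A5D4-5AA200F6CB34} - C:\WINDOWS\system32\urqoOiIy.dll (file missing)
O2 - BHO: Acrobat Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```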

#3
shippouchan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Okay, thanks! I'll try it out~ :)
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Any update on this?
  • 0

#5
shippouchan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi there.. I was actually just trying to fix it last night, and for some reason, when I "fix checked" the ones you mentioned, Outerinfo popped up again. I don't know if it was because my computer was re-infected, but I'm in the middle of re-running SAS. I'll post that logfile when I'm done scanning. In the meantime, here is my ComboFix log:

ComboFix 08-04-12.5 - Owner 2008-04-19 16:51:53.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\PPPATC~1
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\IA
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\ndisuioo.sys
C:\WINDOWS\system32\jnoxuaiq.ini
C:\WINDOWS\system32\lsvo.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\noqtwvut.ini
C:\WINDOWS\system32\noqtwvut.ini2
C:\WINDOWS\system32\ntslvgdl.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qiauxonj.dll
C:\WINDOWS\system32\tuvwtqon.dll
C:\WINDOWS\system32\uqrvkmmk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor
-------\Legacy_ndisuioo
-------\ndisuioo


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 16:39 . 2008-04-19 16:39 109,738 --a------ C:\WINDOWS\BM935feef2.xml
2008-04-19 16:36 . 2008-04-19 16:36 <DIR> d-------- C:\Program Files\AntiSpywareMaster
2008-04-19 16:36 . 2008-04-19 16:36 34,099 --a------ C:\WINDOWS\system32\fccyvwuu.dll
2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\WINDOWS\system32\trcTMP
2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\WINDOWS\system32\slNew
2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\WINDOWS\system32\iTmp
2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\temp\berDrv11
2008-04-19 16:33 . 2008-04-19 16:33 34,099 --a------ C:\WINDOWS\system32\ddcdbxxu.dll
2008-04-13 09:33 . 2008-04-13 09:33 155 --a------ C:\DelUS.bat
2008-04-13 00:30 . 2008-04-13 00:30 <DIR> d-------- C:\Program Files\Panda Security
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 23:56 . 2008-04-11 23:56 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-11 01:45 . 2008-04-11 23:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-11 01:45 . 2008-04-11 01:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-11 01:45 . 2008-04-11 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-11 01:42 . 2008-04-11 01:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 00:17 . 2008-04-11 07:31 <DIR> d-------- C:\WINDOWS\system32\pinz1
2008-04-11 00:17 . 2008-04-11 00:17 <DIR> d-------- C:\WINDOWS\system32\IDE2
2008-04-11 00:17 . 2008-04-11 07:31 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-11 00:16 . 2008-04-11 00:16 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-11 00:16 . 2008-04-11 00:17 <DIR> d-------- C:\temp\wdlw14

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 21:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-04-19 21:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-04-13 13:33 --------- d-----w C:\Program Files\AWS
2008-04-13 13:32 --------- d-----w C:\Program Files\Semagic
2008-04-13 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-12 12:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-12 03:53 --------- d-----w C:\Program Files\STOPzilla!
2008-04-12 03:53 --------- d-----w C:\Program Files\Common Files\STOPzilla!
2008-04-11 11:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\wingf
2008-03-14 02:40 --------- d-----w C:\Program Files\AIM
2008-03-06 12:51 --------- d-----w C:\Program Files\iTunes
2008-03-06 12:50 --------- d-----w C:\Program Files\iPod
2008-03-06 12:47 --------- d-----w C:\Program Files\QuickTime
2007-01-29 01:41 88,592 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-04-10 10:51 32 --sha-w C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2004-09-06 18:13 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2003-04-10 10:51 32 --sha-w C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-12_23.35.43.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-30 05:14:42 17,596 ----a-w C:\WINDOWS\mozver.dat
+ 2008-04-13 04:30:33 18,870 ----a-w C:\WINDOWS\mozver.dat
+ 2004-08-04 07:56:42 1,028,096 -c--a-w C:\WINDOWS\system32\dllcache\mfc42.dll
+ 2007-08-14 21:22:50 25,105 ----a-w C:\WINDOWS\system32\iTmp\vba35gui.exe
- 2008-03-21 14:07:13 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-16 03:14:53 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-21 14:07:13 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-16 03:14:53 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-20 05:06:04 49,169 ----a-w C:\WINDOWS\system32\rwwnw64d.exe
+ 2008-04-04 21:31:58 126,976 ----a-w C:\WINDOWS\system32\slNew\gpedire1.exe
- 2008-04-13 02:51:37 29,198 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-04-19 21:07:47 29,198 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-02-14 14:42:16 49,152 ----a-w C:\WINDOWS\system32\trcTMP\kmdmns2.exe
+ 2008-04-13 12:42:44 32,768 ----a-w C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFC9CF82-DC62-4F3E-A5D4-5AA200F6CB34}]
C:\WINDOWS\system32\urqoOiIy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
2008-04-19 16:33 34099 --a------ C:\WINDOWS\system32\ddcdbxxu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 07:41 288576]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"QuickFinder Scheduler"="C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-01 21:36 77887]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-22 01:28 188416]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:31 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2003-02-24 17:11 266313]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 16:00 99840]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-05 22:13 95960]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 11:01 155648]
"{CD-DD-DC-C1-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-20 01:06 49169]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-20 01:06:04 49169]
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 06:53:45 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-27 23:04:27 110592]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2004-09-20 13:31:48 1466384]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-04-10 07:08:26 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-10-05 23:27:50 229376]
Planex Wireless Utility.lnk - C:\Program Files\Planex\Common\RaUI.exe [2007-08-26 21:56:14 688128]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2005-04-28 22:06:59 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\ddcdbxxu.dll [2008-04-19 16:33 34099]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbxxu]
ddcdbxxu.dll 2008-04-19 16:33 34099 C:\WINDOWS\system32\ddcdbxxu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-21 00:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Semagic.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Semagic.lnk
backup=C:\WINDOWS\pss\Semagic.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a--c--- 2002-01-23 10:20 675840 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2003-08-01 11:31 61440 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2005-01-29 17:32 12598440 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra--c--- 2005-08-09 20:14 155648 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
C:\Program Files\STOPzilla!\Stopzilla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\tmps\\PDMan%5FClient13.exe"=
"C:\\WINDOWS\\system32\\fscagent.exe"=
"C:\\WINDOWS\\system32\\clubbox.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 02:14]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 17:04]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 17:04]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 17:04]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 17:04]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 17:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 23:42:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2003-08-26 00:36:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 01:05:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [36588]
? [37668]
? [37956]
? [37968]
? [38016]
? [38224]
? [38252]
? [38264]
? [38300]
? [38312]
? [38320]
? [38356]
? [38376]
? [38412]
? [38744]
? [38892]
? [32888]
? [37108]
? [37216]
? [37380]
? [37488]
? [37556]
? [37884]
? [38840]
? [37428]
? [36728]
? [36612]
? [38660]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
-> C:\WINDOWS\system32\ddcdbxxu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\hpzipm12.exe
.
**************************************************************************
.
Completion time: 2008-04-20 1:15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 05:14:42
ComboFix2.txt 2008-04-13 03:36:23
Pre-Run: 26,087,383,040 bytes free
Post-Run: 26,647,916,544 bytes free
.
2008-04-12 12:43:10 --- E O F ---

Thanks. :)

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Uninstall AntiSpywareMaster via the Add/Remove Programs panel.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text in the quotebox below into it:

File::
C:\WINDOWS\BM935feef2.xml
C:\WINDOWS\system32\fccyvwuu.dll
C:\WINDOWS\system32\ddcdbxxu.dll
C:\DelUS.bat
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\urqoOiIy.dll
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
Folder::
C:\Program Files\AntiSpywareMaster
C:\WINDOWS\system32\xcsDd01
C:\WINDOWS\system32\trcTMP
C:\WINDOWS\system32\slNew
C:\WINDOWS\system32\iTmp
C:\temp\berDrv11
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\bharebio01
C:\temp\wdlw14
C:\Documents and Settings\Owner\Application Data\wingf
C:\WINDOWS\system32\slNew\
C:\WINDOWS\system32\slNew\
C:\WINDOWS\system32\trcTMP\
C:\WINDOWS\system32\xcsDd01\
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFC9CF82-DC62-4F3E-A5D4-5AA200F6CB34}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{CD-DD-DC-C1-DW}"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbxxu]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is the computer running so far?

#7
shippouchan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hey again,

My computer, upon restart, showed an error and could not find C:\WINDOWS\system32\sbgcpmua.dll and C:\WINDOWS\system32\xtfqvdkf.dll. I am not sure if this is directly linked or not to what's been going on so far... Other than that, I haven't had any pop-ups yet after this startup.

I've done what you said to do in your last post (making the CFScript) and will post up a ComboFix report after it finishes.

Thanks!

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I'm sure it's some other thing that popped up. We'll take a look at the log and fix that up also. Should be near complete now with some final touches.

#9
shippouchan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Here's my ComboFix log~ Thankee :) :

ComboFix 08-04-12.5 - Owner 2008-04-20 20:31:25.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.236 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\DelUS.bat
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\BM935feef2.xml
C:\WINDOWS\system32\ddcdbxxu.dll
C:\WINDOWS\system32\fccyvwuu.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\urqoOiIy.dll
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DelUS.bat
C:\Documents and Settings\Owner\Application Data\wingf
C:\Documents and Settings\Owner\Application Data\wingf\dict.dat
C:\Documents and Settings\Owner\Application Data\wingf\keywords.dat
C:\Documents and Settings\Owner\Application Data\wingf\msiesh.dll
C:\Documents and Settings\Owner\Application Data\wingf\submit2.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
C:\temp\berDrv11
C:\temp\berDrv11\fxpNbu.log
C:\temp\wdlw14
C:\temp\wdlw14\maxN1bo.log
C:\WINDOWS\BM935feef2.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bharebio01
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\iTmp
C:\WINDOWS\system32\mpsvwxyb.ini
C:\WINDOWS\system32\mpsvwxyb.ini2
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\slNew
C:\WINDOWS\system32\trcTMP
C:\WINDOWS\system32\xcsDd01
C:\WINDOWS\system32\xcsDd01\\xcsDd011065.exe
C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 17:25 . 2008-04-20 17:25 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-20 13:25 . 2008-04-20 13:25 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-20 09:38 . 2008-04-20 09:41 1,540,617 ---hs---- C:\WINDOWS\system32\fkdvqftx.ini
2008-04-20 09:25 . 2008-04-20 09:25 850 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-13 00:30 . 2008-04-13 00:30 <DIR> d-------- C:\Program Files\Panda Security
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 23:56 . 2008-04-11 23:56 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-11 01:45 . 2008-04-20 20:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-11 01:45 . 2008-04-20 20:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-11 01:45 . 2008-04-11 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 00:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-04-21 00:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-04-13 13:33 --------- d-----w C:\Program Files\AWS
2008-04-13 13:32 --------- d-----w C:\Program Files\Semagic
2008-04-13 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-12 12:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-12 03:53 --------- d-----w C:\Program Files\STOPzilla!
2008-04-12 03:53 --------- d-----w C:\Program Files\Common Files\STOPzilla!
2008-03-14 02:40 --------- d-----w C:\Program Files\AIM
2008-03-06 12:51 --------- d-----w C:\Program Files\iTunes
2008-03-06 12:50 --------- d-----w C:\Program Files\iPod
2008-03-06 12:47 --------- d-----w C:\Program Files\QuickTime
2007-01-29 01:41 88,592 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-04-10 10:51 32 --sha-w C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2004-09-06 18:13 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2003-04-10 10:51 32 --sha-w C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-12_23.35.43.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-30 05:14:42 17,596 ----a-w C:\WINDOWS\mozver.dat
+ 2008-04-13 04:30:33 18,870 ----a-w C:\WINDOWS\mozver.dat
+ 2004-08-04 07:55:59 63,488 -c--a-w C:\WINDOWS\system32\dllcache\browselc.dll
+ 2004-08-04 07:56:50 93,184 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2004-08-04 07:56:42 1,028,096 -c--a-w C:\WINDOWS\system32\dllcache\mfc42.dll
- 2008-03-21 14:07:13 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-16 03:14:53 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-21 14:07:13 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-16 03:14:53 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-13 02:51:37 29,198 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-04-21 00:42:27 29,198 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC2E3713-236F-46ED-9825-EB9D9F4168BA}]
C:\WINDOWS\system32\byxwvspm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 07:41 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"QuickFinder Scheduler"="C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-01 21:36 77887]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-22 01:28 188416]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:31 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2003-02-24 17:11 266313]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 16:00 99840]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-05 22:13 95960]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 11:01 155648]
"BM935feef2"="C:\WINDOWS\system32\sbgcpmua.dll" [ ]
"906cdd6e"="C:\WINDOWS\system32\xtfqvdkf.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 06:53:45 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-27 23:04:27 110592]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2004-09-20 13:31:48 1466384]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-04-10 07:08:26 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-10-05 23:27:50 229376]
Planex Wireless Utility.lnk - C:\Program Files\Planex\Common\RaUI.exe [2007-08-26 21:56:14 688128]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2005-04-28 22:06:59 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-21 00:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Semagic.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Semagic.lnk
backup=C:\WINDOWS\pss\Semagic.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a--c--- 2002-01-23 10:20 675840 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2003-08-01 11:31 61440 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2005-01-29 17:32 12598440 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra--c--- 2005-08-09 20:14 155648 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
C:\Program Files\STOPzilla!\Stopzilla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\tmps\\PDMan%5FClient13.exe"=
"C:\\WINDOWS\\system32\\fscagent.exe"=
"C:\\WINDOWS\\system32\\clubbox.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 02:14]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 17:04]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 17:04]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 17:04]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 17:04]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 17:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 23:42:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2003-08-26 00:36:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 20:43:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hpzipm12.exe
.
**************************************************************************
.
Completion time: 2008-04-20 20:52:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 00:52:32
ComboFix2.txt 2008-04-20 05:15:07
ComboFix3.txt 2008-04-13 03:36:23
Pre-Run: 26,583,957,504 bytes free
Post-Run: 26,525,925,376 bytes free
.
2008-04-12 12:43:10 --- E O F ---

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vaio3-011.ico
C:\WINDOWS\system32\iphone-6y.ico
C:\WINDOWS\system32\fkdvqftx.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\byxwvspm.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC2E3713-236F-46ED-9825-EB9D9F4168BA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM935feef2"=-
"906cdd6e"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

Any improvement?
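The two CFScripts in this thread were written by reading the "Reg Loading Points" section of the ComboFix log by hand. Two things in that section are worth knowing how to spot: a Run value that ComboFix prints with empty brackets, such as "BM935feef2"="C:\WINDOWS\system32\sbgcpmua.dll" [ ], means the autostart value is still in the registry but the file it points to is gone, which is exactly what produces the "specified module could not be found" errors at logon; and a Browser Helper Object whose DLL is an eight-letter name sitting directly in system32 has the same shape as every DLL removed here. The script below is an added example and is not part of the thread, of ComboFix, or of the helper's instructions. It parses a handful of lines constructed from the log above, flags both patterns (the eight-letter-name check is a heuristic assumption, not a ComboFix rule), and renders the result in the CFScript syntax used in this thread: File:: for DLLs to remove, [-key] to delete a registry key, "name"=- to delete a value.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of ComboFix's "Reg Loading Points"
# section, lifted from the thread's log above. Not a complete log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC2E3713-236F-46ED-9825-EB9D9F4168BA}]
C:\WINDOWS\system32\byxwvspm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"BM935feef2"="C:\WINDOWS\system32\sbgcpmua.dll" [ ]
"906cdd6e"="C:\WINDOWS\system32\xtfqvdkf.dll" [ ]
"""

# "[key]" header lines and  "name"="path" [metadata]  value lines as ComboFix prints them.
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]\s*$')


@dataclass
class Finding:
    kind: str   # "orphaned_run": Run value whose target file is gone; "bho": suspicious BHO
    key: str    # registry key exactly as ComboFix printed it (its "~" abbreviation included)
    name: str   # value name for Run entries; "" for a BHO, which is identified by its CLSID key
    path: str   # file the entry points to


def looks_random_system32_dll(path: str) -> bool:
    """Heuristic (an assumption, not a ComboFix rule): an eight-letter DLL name
    sitting directly in system32, the shape of every DLL removed in this thread."""
    directory, _, filename = path.rpartition("\\")
    return (directory.lower().endswith("\\system32")
            and re.fullmatch(r"[A-Za-z]{8}\.dll", filename) is not None)


def parse_reg_loading_points(text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        if "Browser Helper Objects" in current_key:
            # ComboFix prints the BHO's DLL path on the line under its CLSID key.
            if looks_random_system32_dll(line):
                findings.append(Finding("bho", current_key, "", line))
            continue
        m = VALUE_RE.match(line)
        if m and current_key.lower().endswith("\\currentversion\\run"):
            name, path, meta = m.groups()
            # Empty brackets mean ComboFix could not stat the file: the autostart
            # value survived but its DLL is gone, so Windows complains at logon.
            if not meta.strip():
                findings.append(Finding("orphaned_run", current_key, name, path))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Render findings in the CFScript syntax used in this thread."""
    out: list[str] = []
    bho = [f for f in findings if f.kind == "bho"]
    if bho:
        out.append("File::")
        out.extend(f.path for f in bho)
    out.append("Registry::")
    out.extend(f"[-{f.key}]" for f in bho)
    by_key: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "orphaned_run":
            by_key.setdefault(f.key, []).append(f.name)
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_reg_loading_points(SAMPLE_LOG)), end="")
```

Run against the sample it reproduces the Registry:: block of the script above and the byxwvspm.dll line of its File:: block; the .ico, .ini and .sys files in that script came from the "Files Created" section of the log, which this parser does not read. The orphaned Run targets are deliberately not added to File:: because ComboFix already reported them as missing.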

#11
shippouchan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
For some reason, no log popped up. Should I re-run ComboFix?

And I'm still getting the messages at startup saying that there's an error loading C:\WINDOWS\system32\sbgcpmua.dll and C:\WINDOWS\system32\xtfqvdkf.dll and that "The specified module could not be found". I guess that's something else?

#12
shippouchan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Oh, but I haven't had any pop-ups, so that's excellent ^__^

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Follow the same steps again from my last reply to run it to get the log.

#14
shippouchan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Here's my newest ComboFix log:

ComboFix 08-04-24.1 - Owner 2008-04-26 0:43:12.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.221 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\byxwvspm.dll
C:\WINDOWS\system32\fkdvqftx.ini
C:\WINDOWS\system32\iphone-6y.ico
C:\WINDOWS\system32\vaio3-011.ico
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\fkdvqftx.ini
C:\WINDOWS\system32\iphone-6y.ico
C:\WINDOWS\system32\vaio3-011.ico
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-13 00:30 . 2008-04-13 00:30 <DIR> d-------- C:\Program Files\Panda Security
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-11 23:57 . 2008-04-11 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 23:56 . 2008-04-11 23:56 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-11 01:45 . 2008-04-20 20:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-11 01:45 . 2008-04-20 20:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-11 01:45 . 2008-04-11 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 04:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-04-23 11:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-04-13 13:33 --------- d-----w C:\Program Files\AWS
2008-04-13 13:32 --------- d-----w C:\Program Files\Semagic
2008-04-13 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-12 12:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-12 03:53 --------- d-----w C:\Program Files\STOPzilla!
2008-04-12 03:53 --------- d-----w C:\Program Files\Common Files\STOPzilla!
2008-04-11 11:40 182,784 ----a-w C:\WINDOWS\system32\msdll.dll
2008-03-24 11:10 183,296 ----a-w C:\WINDOWS\system32\dlyy.dll
2008-03-24 11:10 139,264 ----a-w C:\WINDOWS\system32\PDLL.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 02:40 --------- d-----w C:\Program Files\AIM
2008-03-06 12:51 --------- d-----w C:\Program Files\iTunes
2008-03-06 12:50 --------- d-----w C:\Program Files\iPod
2008-03-06 12:47 --------- d-----w C:\Program Files\QuickTime
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-01-29 01:41 88,592 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-04-10 10:51 32 --sha-w C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2004-09-06 18:13 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2003-04-10 10:51 32 --sha-w C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-12_23.35.43.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-08-27 16:05:05 2,678 -c----w C:\WINDOWS\$NtServicePackUninstall$\4rdjfhzt.dat
+ 2003-08-27 16:05:05 2,678 -c----w C:\WINDOWS\$NtServicePackUninstall$\757ztb79.dat
+ 2003-08-27 16:05:09 2,678 -c----w C:\WINDOWS\$NtServicePackUninstall$\c44p7dfv.dat
+ 2002-08-29 12:00:00 1,740 -c----w C:\WINDOWS\$NtServicePackUninstall$\dcache.bin
+ 2002-08-29 08:32:34 2,816 -c----w C:\WINDOWS\$NtServicePackUninstall$\drmkaud.sys
+ 2003-08-27 16:05:05 2,678 -c----w C:\WINDOWS\$NtServicePackUninstall$\tvxjv9b1.dat
+ 2003-08-27 16:05:06 2,678 -c----w C:\WINDOWS\$NtServicePackUninstall$\yi3735br.dat
+ 2003-08-27 16:08:56 1,992 -c--a-w C:\WINDOWS\$NtUninstallQ810565$\spuninst\spuninst.bat
+ 2008-04-26 04:04:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2002-08-29 19:00:00 2,589 -c----w C:\WINDOWS\I386\RUNW32.BAT
+ 2003-08-27 17:22:45 2,560 -c--a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2003-11-19 23:01:42 2,862 -c--a-r C:\WINDOWS\Installer\{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}\Readme_icon.exe
+ 2003-11-19 23:01:42 2,862 -c--a-r C:\WINDOWS\Installer\{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}\Uninstall_icon.exe
+ 2003-04-10 10:59:49 2,238 -c--a-r C:\WINDOWS\Installer\{F61F2821-694C-475F-99AB-6AF2EFDF40FD}\NUEShortcut.exe
+ 2003-08-27 16:05:05 2,678 -c--a-w C:\WINDOWS\java\Packages\Data\4RDJFHZT.DAT
+ 2003-08-27 16:05:05 2,678 -c--a-w C:\WINDOWS\java\Packages\Data\757ZTB79.DAT
+ 2003-08-27 16:05:09 2,678 -c--a-w C:\WINDOWS\java\Packages\Data\C44P7DFV.DAT
+ 2003-08-27 16:05:05 2,678 -c--a-w C:\WINDOWS\java\Packages\Data\TVXJV9B1.DAT
+ 2003-08-27 16:05:06 2,678 -c--a-w C:\WINDOWS\java\Packages\Data\YI3735BR.DAT
- 2008-01-30 05:14:42 17,596 ----a-w C:\WINDOWS\mozver.dat
+ 2008-04-13 04:30:33 18,870 ----a-w C:\WINDOWS\mozver.dat
+ 2003-09-16 17:25:26 1,783 -c--a-w C:\WINDOWS\nsreg.dat
+ 2004-08-04 08:07:21 1,788 -c----w C:\WINDOWS\ServicePackFiles\i386\dcache.bin
+ 2004-08-04 06:07:57 2,944 -c----w C:\WINDOWS\ServicePackFiles\i386\drmkaud.sys
+ 2002-08-29 12:00:00 2,000 -c--a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2002-08-29 12:00:00 2,032 -c--a-w C:\WINDOWS\system\MOUSE.DRV
+ 2002-08-29 12:00:00 1,744 -c--a-w C:\WINDOWS\system\SOUND.DRV
+ 2002-08-29 12:00:00 2,176 -c--a-w C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 08:07:21 1,788 -c--a-w C:\WINDOWS\system32\dcache.bin
+ 2004-08-04 07:55:59 63,488 -c--a-w C:\WINDOWS\system32\dllcache\browselc.dll
+ 2004-08-04 07:56:50 93,184 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2002-08-29 12:00:00 2,000 -c--a-w C:\WINDOWS\system32\dllcache\keyboard.drv
+ 2002-08-29 12:00:00 2,560 -c--a-w C:\WINDOWS\system32\dllcache\lz32.dll
+ 2004-08-04 07:56:42 1,028,096 -c--a-w C:\WINDOWS\system32\dllcache\mfc42.dll
+ 2002-08-29 12:00:00 2,032 -c--a-w C:\WINDOWS\system32\dllcache\mouse.drv
+ 2002-08-29 12:00:00 2,944 -c--a-w C:\WINDOWS\system32\dllcache\null.sys
+ 2002-08-29 12:00:00 1,744 -c--a-w C:\WINDOWS\system32\dllcache\sound.drv
+ 2002-08-29 12:00:00 2,176 -c--a-w C:\WINDOWS\system32\dllcache\vga.drv
+ 2002-08-29 12:00:00 2,864 -c--a-w C:\WINDOWS\system32\dllcache\winsock.dll
+ 2002-08-29 12:00:00 2,112 -c--a-w C:\WINDOWS\system32\dllcache\winspool.exe
+ 2002-08-29 12:00:00 2,736 -c--a-w C:\WINDOWS\system32\dllcache\wowdeb.exe
+ 2004-08-04 06:07:57 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2002-08-29 12:00:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
+ 2005-11-30 15:33:08 2,048 ----a-w C:\WINDOWS\system32\drivers\rt73.bin
+ 2002-08-29 12:00:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
+ 2002-08-29 12:00:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
+ 2002-08-29 12:00:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
- 2008-03-21 14:07:13 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-16 03:14:53 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-21 14:07:13 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-16 03:14:53 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2002-08-29 12:00:00 1,744 ----a-w C:\WINDOWS\system32\sound.drv
+ 2003-04-15 20:00:00 2,429 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_A4X2G1.DAT
+ 2003-04-15 20:00:00 2,429 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx5400097f\E_A4X2G1.DAT
+ 2004-05-09 01:46:13 2,368 ----a-w C:\WINDOWS\system32\STEC3.sys
- 2008-04-13 02:51:37 29,198 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-04-26 04:04:46 29,198 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2002-08-29 12:00:00 2,176 ----a-w C:\WINDOWS\system32\vga.drv
+ 2002-08-29 12:00:00 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
+ 2002-08-29 12:00:00 2,112 ----a-w C:\WINDOWS\system32\winspool.exe
+ 2002-08-29 12:00:00 2,736 ----a-w C:\WINDOWS\system32\wowdeb.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 07:41 288576]
"AIM"="C:\Program Files\AIM\aim.exe" [2003-08-01 11:31 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"QuickFinder Scheduler"="C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-01 21:36 77887]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-22 01:28 188416]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:31 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2003-02-24 17:11 266313]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 16:00 99840]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-05 22:13 95960]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 11:01 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 06:53:45 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-27 23:04:27 110592]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2004-09-20 13:31:48 1466384]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-04-10 07:08:26 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-10-05 23:27:50 229376]
Planex Wireless Utility.lnk - C:\Program Files\Planex\Common\RaUI.exe [2007-08-26 21:56:14 688128]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2005-04-28 22:06:59 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-21 00:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Semagic.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Semagic.lnk
backup=C:\WINDOWS\pss\Semagic.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a--c--- 2002-01-23 10:20 675840 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2003-08-01 11:31 61440 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2005-01-29 17:32 12598440 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra--c--- 2005-08-09 20:14 155648 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
C:\Program Files\STOPzilla!\Stopzilla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\tmps\\PDMan%5FClient13.exe"=
"C:\\WINDOWS\\system32\\fscagent.exe"=
"C:\\WINDOWS\\system32\\clubbox.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 02:14]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 17:04]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 17:04]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 17:04]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 17:04]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 17:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 23:42:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2003-08-26 00:36:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 00:50:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-04-26 0:56:23
ComboFix-quarantined-files.txt 2008-04-26 04:55:19
ComboFix2.txt 2008-04-21 00:52:41
ComboFix3.txt 2008-04-20 05:15:07
ComboFix4.txt 2008-04-13 03:36:23

Pre-Run: 23,512,666,112 bytes free
Post-Run: 23,505,694,720 bytes free

263 --- E O F --- 2008-04-12 12:43:10
  • 0
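As an added example for reading logs like the one above (it is not part of ComboFix, HijackThis or the Geeks to Go instructions), here is a small Python triage helper for the "Reg Loading Points" section. It groups the `"name"=value` lines under the registry key that precedes them, then flags the entries a reviewer usually looks at first: Run values without a full path, a non-empty AppInit_DLLs value, the Security Center AntiVirusOverride flag, and firewall exceptions for script hosts or user-writable folders. The heuristics (`USER_WRITABLE`, `SCRIPT_HOSTS`) are assumptions for illustration, not ComboFix rules, and the sample lines are constructed to match the format shown in the log.

```python
# Added triage helper for the 'Reg Loading Points' section of a ComboFix log.
# Not ComboFix/HijackThis code; heuristics below are assumptions for illustration.
import re
from dataclasses import dataclass

# Constructed sample in the format of the log above (a few entries only).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\tmps\\PDMan%5FClient13.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="quoted value" trailing-info   or   "name"=bare value
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)")?(.*)$')

# Assumed heuristics: folders a limited user can write to, and Windows
# script/HTML hosts that rarely need their own firewall exception.
USER_WRITABLE = ("\\documents and settings\\", "\\desktop\\", "\\temp\\", "\\tmp")
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    reason: str


def parse_loading_points(text: str) -> dict:
    """Map each [registry key] to the (name, value) pairs listed under it."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith('"'):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, quoted, rest = m.groups()
        value = quoted if quoted is not None else rest.strip()
        sections[current].append((name, value))
    return sections


def triage(text: str) -> list:
    """Return the entries a reviewer should look at first, in log order."""
    findings = []
    for key, entries in parse_loading_points(text).items():
        k = key.lower()
        if k.endswith("\\run"):
            for name, value in entries:
                # A bare file name depends on PATH search order; installers
                # normally write a full path.
                if "\\" not in value:
                    findings.append(Finding("run", name, f"no full path: {value!r}"))
                elif any(p in value.lower() for p in USER_WRITABLE):
                    findings.append(Finding("run", name, f"user-writable location: {value}"))
        elif k.endswith("\\currentversion\\windows"):
            for name, value in entries:
                if name.lower() == "appinit_dlls" and value:
                    findings.append(Finding("appinit", value, "DLL loaded into every user32 process"))
        elif k.endswith("\\security center"):
            for name, value in entries:
                if name.lower() == "antivirusoverride" and value.endswith(":00000001"):
                    findings.append(Finding("security_center", name, "AV monitoring overridden"))
        elif "authorizedapplications" in k:
            for name, _ in entries:
                path = name.replace("\\\\", "\\")  # log doubles the backslashes
                base = path.rsplit("\\", 1)[-1].lower()
                if base in SCRIPT_HOSTS:
                    findings.append(Finding("firewall", path, "script/HTML host allowed through firewall"))
                elif any(p in path.lower() for p in USER_WRITABLE):
                    findings.append(Finding("firewall", path, "exception for a user-writable location"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.item}: {f.reason}")
```

On the constructed sample this reports five items: the path-less `AlcxMonitor` Run value, the `wbsys.dll` AppInit entry, the AntiVirusOverride flag, and the two firewall exceptions (a Desktop\tmps executable and mshta.exe). Flagged does not mean malicious; it only orders what to look up first when working through a log of this size.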

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do you still get those startup error messages?

Open up c:\windows\wininit.ini in notepad and copy/paste the contents of that file here.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\system32\msdll.dll
C:\WINDOWS\system32\dlyy.dll
C:\WINDOWS\system32\PDLL.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Run a new HijackThis scan and post the log here.
  • 0





