Welcome to Geeks to Go - Register now for FREE

Trojan infection suspected - need help [CLOSED]


This topic is locked

#1 AlsoAlsoWik (Member, 20 posts)
I've got a computer with what I suspect to be a trojan. It's nearly impossible to operate the computer, and things such as the process manager don't seem to be operational anymore. Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:58 PM, on 4/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\IA\command.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\REGEDIT.EXE
C:\Program Files\WinIFixer\WinIFixer.exe
C:\WINDOWS\TEMP\winlogan.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Twain\Twain.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Bat\X_Bat.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\~nsu.tmp\Au_.exe
K:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getbackpa.../www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://asecureforum.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A004662EA4EBF968951185EFC412806867680AEDE604D64C2661375FB0FB68AD6
O4 - HKLM\..\Run: [enmvcbgz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\enmvcbgz.dll"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [dgfetcne] rundll32.exe "C:\DOCUME~1\Owner\LOCALS~1\Temp\dcbelcfqd.sys" WLEntryPoint
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\System32\alt.exe.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Owner\LOCALS~1\Temp\7CBE.tmp/r
O4 - HKLM\..\Run: [vorchufi] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vorchufi.dll"
O4 - HKLM\..\Run: [oafwkvob] C:\Program Files\Smhsggyd\oafwkvob.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [mlkbsdmz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mlkbsdmz.dll"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [BM2bc88837] Rundll32.exe "C:\WINDOWS\System32\lllwvqrs.dll",s
O4 - HKLM\..\Run: [28fbbbab] rundll32.exe "C:\WINDOWS\System32\rimplkab.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.37.0\Weather.exe" -auto
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\STEM~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [sddoudhd] C:\WINDOWS\system32\gvenwhkr.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Laprdiyi] "C:\Documents and Settings\Owner\My Documents\??stem\?vchost.exe"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Policies\Explorer\Run: [XMMBebwjr0] C:\Documents and Settings\All Users\Application Data\rcbqjcdi\zqnudsjg.exe
O4 - HKLM\..\Policies\Explorer\Run: [qhkjqtkj] rundll32.exe "C:\WINDOWS\System32\hkfqpkbat.drv" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [dxhekpao] C:\WINDOWS\system32\dmtylurg.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: AutoTBar.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PC Monitor.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: videotype.vbs
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ofepcrmh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ofepcrmh.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE988B94-55A3-49CA-8903-2050466A43B4}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF74278B-F644-4BD0-80E3-EF34E886B1AB}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O21 - SSODL: DnXanbNcc - {28FBBB05-8251-11AF-97E3-741A5E13E054} - C:\WINDOWS\system32\ttoo.dll
O21 - SSODL: VolumeChk - {01c47d05-58c4-4b71-b47c-a3353b5293e0} - C:\WINDOWS\Resources\VolumeChk.dll
O21 - SSODL: zip - {59b056b5-a271-404d-8126-bcdfc4b9ab68} - C:\WINDOWS\Installer\{59b056b5-a271-404d-8126-bcdfc4b9ab68}\zip.dll
O21 - SSODL: ChkVolume - {4b317158-692f-453d-b820-c55e2403109d} - C:\WINDOWS\Resources\ChkVolume.dll
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\System32\dcggain.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - C:\WINDOWS\System32\bubbj.dll
O23 - Service: apcsvra32 - Unknown owner - C:\Program Files\Common Files\System\apcsvra.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14707 bytes

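The log above carries several indicators a defender would check for mechanically: the two O17 NameServer values, the second entry on the F2 UserInit line, O4 autoruns living in TEMP directories, executables named after (or one letter away from) csrss.exe, winlogon.exe and spoolsv.exe but running from the wrong place, the O7 DisableRegedit policy and the O10 unknown LSP. The following Python script is an added example written for this page, not code from the thread, from HijackThis or from any of the tools the helper names: it parses lines in the HijackThis section format and returns a list of findings for review. The sample log is constructed from lines shaped after the post (the GUID is a placeholder), and the rules, such as treating only private-range resolvers as expected and using an edit distance of one as the look-alike threshold, are assumptions of this example rather than anything the thread states.

```python
import ipaddress
import re

# Constructed sample shaped after the log posted above; the GUID is a placeholder.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [dgfetcne] rundll32.exe "C:\DOCUME~1\Owner\LOCALS~1\Temp\dcbelcfqd.sys" WLEntryPoint
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\ofepcrmh.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.168.1.1
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a loadable extension; paths may contain spaces.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|drv))\b', re.IGNORECASE)
# Names the malware in this thread imitated; the genuine binaries all live in system32.
SYSTEM_NAMES = ("csrss.exe", "smss.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "services.exe", "spoolsv.exe")
GENUINE_DIR = "\\windows\\system32"

def parse_entries(log_text):
    """Yield (section code, body) for every 'Xn - ...' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the system process name that `name` matches or imitates, else None."""
    if name in SYSTEM_NAMES:
        return name
    return next((real for real in SYSTEM_NAMES if edit_distance(name, real) <= 1), None)

def path_findings(code, body):
    """Rules for autorun (O4) and service (O23) entries, applied to the first path found."""
    out, m = [], PATH_RE.search(body)
    if not m:
        return out
    path = m.group(1)
    directory, _, base = path.lower().rpartition("\\")
    if "\\temp\\" in path.lower():
        out.append((code, "autorun from a temporary directory", path))
    real = lookalike_of(base)
    # Exact system name outside system32, or a near-miss spelling anywhere.
    if real and (base != real or not directory.endswith(GENUINE_DIR)):
        out.append((code, f"imitates system process {real}", path))
    return out

def userinit_findings(body):
    """Anything beyond system32\\userinit.exe in the UserInit list runs at every logon."""
    m = re.search(r"UserInit=(.*)", body, re.IGNORECASE)
    entries = [e.strip() for e in m.group(1).split(",")] if m else []
    return [("F2", "extra UserInit entry", e) for e in entries
            if e and not e.lower().endswith("\\system32\\userinit.exe")]

def nameserver_findings(body):
    """Assumption for this example: configured resolvers should be in private address space."""
    m = re.search(r"NameServer\s*=\s*(.*)", body, re.IGNORECASE)
    out = []
    for token in (filter(None, re.split(r"[,\s]+", m.group(1))) if m else []):
        try:
            if not ipaddress.ip_address(token).is_private:
                out.append(("O17", "resolver outside private address space", token))
        except ValueError:
            out.append(("O17", "unparseable NameServer value", token))
    return out

def triage(log_text):
    """Return a list of (section code, reason, detail) findings for review."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "F2":
            findings.extend(userinit_findings(body))
        elif code in ("O4", "O23"):
            findings.extend(path_findings(code, body))
        elif code == "O7" and re.search(r"DisableRegedit\s*=\s*1", body):
            findings.append((code, "Registry Editor disabled by policy", body))
        elif code == "O10" and "Unknown file" in body:
            findings.append((code, "unrecognised Winsock LSP module", body))
        elif code == "O17":
            findings.extend(nameserver_findings(body))
    return findings

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}: {detail}")
```

Run it as a script to print the findings for the constructed sample, or call triage() on the text of a saved log. In the sample the HP autorun and the private-range resolver produce nothing, while the TEMP autoruns, the wbem\csrss.exe and drivers\spools.exe look-alikes, the ntos.exe UserInit entry, the public resolvers, the regedit policy and the LSP module are each reported once, so the output is a short review list rather than the full log.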

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install. Make sure Run fixit is checked and click Finish. The fix will begin. Follow the prompts. You will be asked to reboot your computer. Your system may take longer than usual to load - this is normal.

Wait until your desktop loads. A notepad file called report.txt should open up. Post that log here along with a new HijackThis log.


Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here along with a new HijackThis log.

#3 AlsoAlsoWik (Topic Starter, Member, 20 posts)
Fixwareout report:

Username "Owner" - 04/20/2008 11:38:49 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.118 85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BE988B94-55A3-49CA-8903-2050466A43B4}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CF74278B-F644-4BD0-80E3-EF34E886B1AB}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BBE5F2B8-3FC1-48B5-9293-069A8A747AB1}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CF74278B-F644-4BD0-80E3-EF34E886B1AB}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdllu.exe"
....
....
~~~~~ Misc files.
C:\WINDOWS\System32\atmtd.dll Deleted
C:\WINDOWS\System32\atmtd.dll._ Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"HP Software Update"="\"c:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"ZangoOE"="C:\\Program Files\\Zango\\bin\\10.3.37.0\\OEAddOn.exe"
"ZangoSA"="\"C:\\Program Files\\Zango\\bin\\10.3.37.0\\ZangoSA.exe\""
"runner1"="C:\\WINDOWS\\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A004662EA4EBF968951185EFC412806867680AEDE604D64C2661375FB0FB68AD6 "
"enmvcbgz"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\enmvcbgz.dll\""
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Owner\\cftmon.exe"
"BluetoothAuthorizationAgent"="C:\\WINDOWS\\System32\\BluetoothAuthorizationAgent.exe"
"ctfmona"="C:\\WINDOWS\\System32\\ctfmona.exe"
"dgfetcne"="rundll32.exe \"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\dcbelcfqd.sys\" WLEntryPoint"
"PromoReg"="C:\\WINDOWS\\System32\\alt.exe.exe"
"csrss"="C:\\WINDOWS\\System32\\wbem\\csrss.exe"
"advap32"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\7CBE.tmp/r"
"vorchufi"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\vorchufi.dll\""
"oafwkvob"="C:\\Program Files\\Smhsggyd\\oafwkvob.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"WinIFixer"="C:\\Program Files\\WinIFixer\\WinIFixer.exe"
"jdgf894jrghoiiskd"="C:\\WINDOWS\\TEMP\\winlogan.exe"
"mlkbsdmz"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\mlkbsdmz.dll\""
"antiviirus"="C:\\Program Files\\antiviirus.exe"
"BM2bc88837"="Rundll32.exe \"C:\\WINDOWS\\System32\\lllwvqrs.dll\",s"
"28fbbbab"="rundll32.exe \"C:\\WINDOWS\\System32\\rimplkab.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\backupnotify.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"WeatherDPA"="\"C:\\Program Files\\Zango\\bin\\10.3.37.0\\Weather.exe\" -auto"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Notn"="\"C:\\DOCUME~1\\Owner\\MYDOCU~1\\STEM~1\\netdde.exe\" -vt yazb"
"sddoudhd"="C:\\WINDOWS\\system32\\gvenwhkr.exe"
"Microsoft Windows Installer"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\ie.exe"
"QdrModule15"="\"C:\\Program Files\\QdrModule\\QdrModule15.exe\""
"Laprdiyi"="\"C:\\Documents and Settings\\Owner\\My Documents\\??stem\\?vchost.exe\""
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Owner\\cftmon.exe"
"aromis"="C:\\WINDOWS\\aromis.exe"
"JavaCore"="C:\\Program Files\\\\JavaCore\\\\JavaCore.exe"
"kavir"="C:\\WINDOWS\\kavir.exe"
"QdrPack15"="\"C:\\Program Files\\QdrPack\\QdrPack15.exe\""
"Twain"="C:\\Program Files\\Twain\\Twain.exe"
"WinTouch"="C:\\Documents and Settings\\Owner\\Application Data\\WinTouch\\WinTouch.exe"
"jdgf894jrghoiiskd"="C:\\WINDOWS\\TEMP\\winlogan.exe"
"Jnskdfmf9eldfd"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\csrssc.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


New Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:43 PM, on 4/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\System32\wbem\csrss.exe
C:\WINDOWS\System32\ctfmona.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe
C:\Program Files\Smhsggyd\oafwkvob.exe
C:\WINDOWS\TEMP\winlogan.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Zango\bin\10.3.37.0\Weather.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\gvenwhkr.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
C:\DOCUME~1\Owner\MYDOCU~1\STEM~1\netdde.exe
C:\Program Files\QdrModule\QdrModule15.exe
C:\WINDOWS\aromis.exe
C:\Program Files\QdrPack\QdrPack15.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Twain\Twain.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
K:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getbackpa.../www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://asecureforum.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A004662EA4EBF968951185EFC412806867680AEDE604D64C2661375FB0FB68AD6
O4 - HKLM\..\Run: [enmvcbgz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\enmvcbgz.dll"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [dgfetcne] rundll32.exe "C:\DOCUME~1\Owner\LOCALS~1\Temp\dcbelcfqd.sys" WLEntryPoint
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\System32\alt.exe.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Owner\LOCALS~1\Temp\7CBE.tmp/r
O4 - HKLM\..\Run: [vorchufi] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vorchufi.dll"
O4 - HKLM\..\Run: [oafwkvob] C:\Program Files\Smhsggyd\oafwkvob.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [mlkbsdmz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mlkbsdmz.dll"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [BM2bc88837] Rundll32.exe "C:\WINDOWS\System32\lllwvqrs.dll",s
O4 - HKLM\..\Run: [28fbbbab] rundll32.exe "C:\WINDOWS\System32\rimplkab.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.37.0\Weather.exe" -auto
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\STEM~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [sddoudhd] C:\WINDOWS\system32\gvenwhkr.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Laprdiyi] "C:\Documents and Settings\Owner\My Documents\??stem\?vchost.exe"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [dxhekpao] C:\WINDOWS\system32\dmtylurg.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PC Monitor.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: videotype.vbs
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ofepcrmh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ofepcrmh.dll
O21 - SSODL: DnXanbNcc - {28FBBB05-8251-11AF-97E3-741A5E13E054} - C:\WINDOWS\system32\ttoo.dll
O21 - SSODL: VolumeChk - {01c47d05-58c4-4b71-b47c-a3353b5293e0} - C:\WINDOWS\Resources\VolumeChk.dll
O21 - SSODL: zip - {59b056b5-a271-404d-8126-bcdfc4b9ab68} - C:\WINDOWS\Installer\{59b056b5-a271-404d-8126-bcdfc4b9ab68}\zip.dll
O21 - SSODL: ChkVolume - {4b317158-692f-453d-b820-c55e2403109d} - C:\WINDOWS\Resources\ChkVolume.dll
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\System32\dcggain.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - C:\WINDOWS\System32\bubbj.dll
O23 - Service: apcsvra32 - Unknown owner - C:\Program Files\Common Files\System\apcsvra.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14110 bytes

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You still have not run ComboFix yet; please run it as soon as you are finished with HijackThis and deleting the files (see below). We need to run it as soon as possible...but since you posted the HijackThis log again, let's fix those cases first before running it.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Check the box that says I know what I'm doing. Click on ofepcrmh.dll on the left window and then click on the arrow pointing to the right. Click Finish and follow the prompts.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Zango
Viewpoint
WinIFixer
JavaCore
Network Monitor


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getbackpa.../www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://asecureforum.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A004662EA4EBF968951185EFC412806867680AEDE604D64C2661375FB0FB68AD6
O4 - HKLM\..\Run: [enmvcbgz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\enmvcbgz.dll"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [dgfetcne] rundll32.exe "C:\DOCUME~1\Owner\LOCALS~1\Temp\dcbelcfqd.sys" WLEntryPoint
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\System32\alt.exe.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Owner\LOCALS~1\Temp\7CBE.tmp/r
O4 - HKLM\..\Run: [vorchufi] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vorchufi.dll"
O4 - HKLM\..\Run: [oafwkvob] C:\Program Files\Smhsggyd\oafwkvob.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [mlkbsdmz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mlkbsdmz.dll"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [BM2bc88837] Rundll32.exe "C:\WINDOWS\System32\lllwvqrs.dll",s
O4 - HKLM\..\Run: [28fbbbab] rundll32.exe "C:\WINDOWS\System32\rimplkab.dll",b
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.37.0\Weather.exe" -auto
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\STEM~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [sddoudhd] C:\WINDOWS\system32\gvenwhkr.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Laprdiyi] "C:\Documents and Settings\Owner\My Documents\??stem\?vchost.exe"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [dxhekpao] C:\WINDOWS\system32\dmtylurg.exe (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: videotype.vbs
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O21 - SSODL: DnXanbNcc - {28FBBB05-8251-11AF-97E3-741A5E13E054} - C:\WINDOWS\system32\ttoo.dll
O21 - SSODL: VolumeChk - {01c47d05-58c4-4b71-b47c-a3353b5293e0} - C:\WINDOWS\Resources\VolumeChk.dll
O21 - SSODL: zip - {59b056b5-a271-404d-8126-bcdfc4b9ab68} - C:\WINDOWS\Installer\{59b056b5-a271-404d-8126-bcdfc4b9ab68}\zip.dll
O21 - SSODL: ChkVolume - {4b317158-692f-453d-b820-c55e2403109d} - C:\WINDOWS\Resources\ChkVolume.dll
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\System32\dcggain.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - C:\WINDOWS\System32\bubbj.dll
O23 - Service: apcsvra32 - Unknown owner - C:\Program Files\Common Files\System\apcsvra.exe
O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Documents and Settings\All Users\Application Data\enmvcbgz.dll
C:\Documents and Settings\All Users\Application Data\mlkbsdmz.dll
C:\Documents and Settings\All Users\Application Data\vorchufi.dll
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\Owner\Application Data\WinTouch\
C:\Documents and Settings\Owner\cftmon.exe
C:\Program Files\JavaCore\
C:\Program Files\antiviirus.exe
C:\Program Files\Bat\
C:\Program Files\Common Files\System\apcsvra.exe
C:\Program Files\Network Monitor\
C:\Program Files\QdrModule\
C:\Program Files\QdrPack\
C:\Program Files\Smhsggyd\
C:\Program Files\Twain\
C:\Program Files\Viewpoint\
C:\Program Files\WinIFixer\
C:\Program Files\Zango\
C:\WINDOWS\aromis.exe
C:\WINDOWS\Installer\{59b056b5-a271-404d-8126-bcdfc4b9ab68}\
C:\WINDOWS\kavir.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\Resources\ChkVolume.dll
C:\WINDOWS\Resources\VolumeChk.dll
C:\WINDOWS\System32\alt.exe.exe
C:\WINDOWS\System32\bubbj.dll
C:\WINDOWS\System32\ctfmona.exe
C:\WINDOWS\System32\dcggain.dll
C:\WINDOWS\system32\dmtylurg.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\gvenwhkr.exe
C:\WINDOWS\System32\jfiehayd.dll
C:\WINDOWS\System32\lllwvqrs.dll
c:\windows\system32\ofepcrmh.dll
C:\WINDOWS\System32\rimplkab.dll
C:\WINDOWS\system32\ttoo.dll
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\wbem\csrss.exe


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Edited by greyknight17, 20 April 2008 - 11:23 AM.

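The fix list in the post above is long, but almost every entry on it matches one of a few patterns: a program started from a Temp directory, a near-miss spelling of a Windows system process (spools.exe for spoolsv.exe, cftmon.exe for ctfmon.exe, winlogan.exe for winlogon.exe, ?vchost.exe for svchost.exe), a genuine system name such as csrss.exe placed outside System32, regsvr32 /u or rundll32 used to load a DLL, .sys or .tmp file at logon, a double .exe.exe extension, or an extra program appended to the UserInit value. The script below is an added example for this thread, not HijackThis code and not anything the posters ran: it parses O4 and F2 lines and applies exactly those checks, so the same triage can be repeated on a fresh log. The sample lines are copied from the log earlier in the thread; the script assumes Windows lives at C:\WINDOWS as that log shows, and the look-alike table is built only from names that appear in it.

```python
"""Heuristic triage of HijackThis O4 (autostart) and F2 (UserInit) lines.

Added example for this thread; not HijackThis code and not from the posters.
Sample lines below are copied from the log earlier in the thread.
Assumes Windows is installed at C:\\WINDOWS, as that log shows.
"""
import ntpath
import re
from typing import Dict, List, Optional

SYSTEM32 = r"c:\windows\system32"

# Genuine Windows binaries that the malware here imitates. The real ones
# live only in System32, so the same name anywhere else is suspect.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "winlogon.exe", "svchost.exe",
                   "lsass.exe", "services.exe", "spoolsv.exe", "ctfmon.exe"}

# Near-miss names taken from the log, mapped to the binary each imitates.
LOOKALIKES = {"spools.exe": "spoolsv.exe", "cftmon.exe": "ctfmon.exe",
              "ctfmona.exe": "ctfmon.exe", "winlogan.exe": "winlogon.exe",
              "csrssc.exe": "csrss.exe", "?vchost.exe": "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# First drive-letter path ending in a runnable extension. Non-greedy so an
# unquoted "Program Files" path and a double extension both come out whole.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|tmp|vbs|bat)(?=["\s,/]|$)',
                     re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
USERINIT_PREFIX = "F2 - REG:system.ini: UserInit="


def extract_target(cmd: str) -> Optional[str]:
    """Return the first drive-letter path in an O4 command, or None."""
    m = PATH_RE.search(USER_SUFFIX_RE.sub("", cmd))
    return m.group(0) if m else None


def o4_reasons(cmd: str) -> List[str]:
    """Reasons an O4 command looks malicious; empty list means no finding."""
    reasons: List[str] = []
    lower = cmd.lower()
    if lower.startswith("regsvr32") and "/u" in lower.split():
        # /u still loads the DLL and calls DllUnregisterServer, so it runs code.
        reasons.append("regsvr32 /u used as a loader")
    target = extract_target(cmd)
    if target is None:            # no path at all, e.g. %systemroot%\...\dumprep
        return reasons
    tlower = target.lower()
    base, dirn = ntpath.basename(tlower), ntpath.dirname(tlower)
    ext = ntpath.splitext(base)[1]
    if "\\temp\\" in tlower:
        reasons.append("runs from a Temp directory")
    if base in LOOKALIKES:
        reasons.append("look-alike of %s" % LOOKALIKES[base])
    elif base in SYSTEM_BINARIES and dirn != SYSTEM32:
        reasons.append("system binary name outside System32")
    if lower.startswith("rundll32") and ext != ".dll":
        reasons.append("rundll32 loading a %s file" % ext)
    if ext == ".tmp":
        reasons.append(".tmp file executed")
    if re.search(r"\.(exe|dll)\.(exe|dll)$", base):
        reasons.append("double extension")
    return reasons


def userinit_reasons(line: str) -> List[str]:
    """Flag every UserInit entry that is not the real userinit.exe."""
    if not line.startswith(USERINIT_PREFIX):
        return []
    entries = [e.strip() for e in line[len(USERINIT_PREFIX):].split(",") if e.strip()]
    return ["extra UserInit entry: %s" % e for e in entries
            if not e.lower().endswith("\\userinit.exe")]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        reasons = o4_reasons(m.group("cmd")) if m else userinit_reasons(line)
        if reasons:
            findings[line] = reasons
    return findings


# Lines copied from the HijackThis log in this thread (three of them benign).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [dgfetcne] rundll32.exe "C:\DOCUME~1\Owner\LOCALS~1\Temp\dcbelcfqd.sys" WLEntryPoint
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\System32\alt.exe.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Owner\LOCALS~1\Temp\7CBE.tmp/r
O4 - HKLM\..\Run: [vorchufi] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vorchufi.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - HKCU\..\Run: [Laprdiyi] "C:\Documents and Settings\Owner\My Documents\??stem\?vchost.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

Run it on the sample and ten of the thirteen lines come back flagged; the HP keyboard helper, the dumprep crash reporter and the nview.dll hook are left alone because they have no drive-letter path in a Temp folder, no look-alike name and no suspicious loader. The heuristics are deliberately narrow: an unknown program in Program Files (Smhsggyd, QdrModule, WinIFixer) is not flagged, because a name alone proves nothing and that is where a human reviewer, as in the post above, still earns their keep.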

#5 AlsoAlsoWik (Member, Topic Starter, 20 posts)
Heres the Combofix log and a new HijackThis:

ComboFix 08-04-20.1 - Owner 2008-04-20 14:21:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.686 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65\ProfileReg.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\Application Data\WeatherDPA
C:\Documents and Settings\Owner\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\Owner\My Documents\SEMBLY~1
C:\Documents and Settings\Owner\My Documents\STEM~1
C:\Documents and Settings\Owner\My Documents\STEM~1\??stem\
C:\Documents and Settings\Owner\My Documents\STEM~1\?vchost.exe
C:\Documents and Settings\Owner\My Documents\STEM~1\netdde.exe
C:\Documents and Settings\Owner\My Documents\TSKS~1
C:\Program Files\asks~1
C:\Program Files\Helper
C:\Program Files\Helper\1208521693.dll
C:\Program Files\mcroso~1
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bptnnfum.dll
C:\WINDOWS\system32\drivers\eianocqy.dat
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\uoou60.sys
C:\WINDOWS\system32\geBromkl.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msram.dll
C:\WINDOWS\system32\ngpawdbq.dll
C:\WINDOWS\system32\nmaxdowd.dll
C:\WINDOWS\system32\os1zn2mO7Z.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\tdsefqma.dll
C:\WINDOWS\system32\tsjmtsfalsfmh.dll
C:\WINDOWS\system32\urqRlMgD.dll
C:\WINDOWS\system32\xqcfpcjl.dll
C:\WINDOWS\system32\yayyWqPI.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_cmdservice
-------\Legacy_network_monitor
-------\Legacy_uoou60
-------\Service_ntsazqta
-------\Service_uoou60
-------\Service_zalpqbj
-------\Legacy_ntsazqta
-------\Service_ntsazqta


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-20 13:42 . 2008-04-20 13:42 268 --ah----- C:\sqmdata04.sqm
2008-04-20 13:42 . 2008-04-20 13:42 244 --ah----- C:\sqmnoopt04.sqm
2008-04-20 13:36 . 2008-04-20 13:36 268 --ah----- C:\sqmdata03.sqm
2008-04-20 13:36 . 2008-04-20 13:36 244 --ah----- C:\sqmnoopt03.sqm
2008-04-20 12:09 . 2008-04-20 12:09 <DIR> d-------- C:\Program Files\RcvSystem
2008-04-20 12:09 . 2008-04-20 12:09 0 --a------ C:\34.tmp
2008-04-20 12:09 . 2008-04-20 12:09 0 --a------ C:\33.tmp
2008-04-20 12:09 . 2008-04-20 12:09 0 --a------ C:\32.tmp
2008-04-20 12:08 . 2008-04-20 12:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 12:08 . 2008-04-20 12:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-20 12:08 . 2008-04-20 12:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 11:21 . 2008-04-20 11:55 <DIR> d-------- C:\fixwareout
2008-04-19 21:17 . 2008-04-19 21:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 21:50 . 2008-04-18 21:50 268 --ah----- C:\sqmdata02.sqm
2008-04-18 21:50 . 2008-04-18 21:50 244 --ah----- C:\sqmnoopt02.sqm
2008-04-18 21:23 . 2008-04-19 21:08 1,541,389 ---hs---- C:\WINDOWS\system32\prregikx.ini
2008-04-18 21:23 . 2008-04-18 21:23 268 --ah----- C:\sqmdata01.sqm
2008-04-18 21:23 . 2008-04-18 21:23 244 --ah----- C:\sqmnoopt01.sqm
2008-04-18 21:20 . 2008-04-19 21:41 109,734 --a------ C:\WINDOWS\BM2bc88837.xml
2008-04-18 19:12 . 2008-04-18 21:20 1,540,969 ---hs---- C:\WINDOWS\system32\klwwolpa.ini
2008-04-18 17:38 . 2008-04-18 17:38 0 --a------ C:\E.tmp
2008-04-18 17:38 . 2008-04-18 17:38 0 --a------ C:\D.tmp
2008-04-18 17:38 . 2008-04-18 17:38 0 --a------ C:\C.tmp
2008-04-18 17:38 . 2008-04-18 17:38 0 --a------ C:\B.tmp
2008-04-18 08:29 . 2008-04-18 08:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Sonic
2008-04-18 08:27 . 2008-04-18 08:27 <DIR> d-------- C:\WINDOWS\pgrnomcc
2008-04-18 08:27 . 2008-04-20 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rcbqjcdi
2008-04-18 08:27 . 2008-04-18 08:27 58,880 --a------ C:\WINDOWS\grqnydud.dll
2008-04-18 08:27 . 2008-04-18 08:27 58,880 --a------ C:\Documents and Settings\All Users\Application Data\mlkbsdmz.dll
2008-04-18 08:27 . 55,218 C:\WINDOWS\zsqalpdt.sys
2008-04-18 08:27 . 2008-04-18 08:27 35,340 --a------ C:\WINDOWS\ladwtkrw.exe
2008-04-18 08:27 . 2008-04-18 08:29 112 --a------ C:\clean.bat
2008-04-18 08:27 . 2008-04-18 08:27 44 --a------ C:\p2hhr.bat
2008-04-17 10:19 . 2002-08-29 05:00 51,200 --a------ C:\WINDOWS\system32\spoolsv.exe
2008-04-17 10:19 . 2002-08-29 05:00 51,200 --a--c--- C:\WINDOWS\system32\dllcache\spoolsv.exe.new
2008-04-17 10:19 . 2002-08-29 05:00 51,200 --a--c--- C:\WINDOWS\system32\dllcache\spoolsv.exe
2008-04-17 09:51 . 2008-04-17 09:51 245 --a------ C:\WINDOWS\tmp35317468.bat
2008-04-08 00:22 . 2008-04-08 00:20 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-07 08:53 . 2008-04-20 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dalilqtm
2008-04-07 08:52 . 2008-04-20 13:35 <DIR> d-------- C:\Program Files\Smhsggyd
2008-04-07 08:52 . 2008-04-07 08:52 114,688 --a------ C:\WINDOWS\system32\oilqzwfl.dll
2008-04-07 08:52 . 2008-04-07 08:52 114,688 --a------ C:\Documents and Settings\All Users\Application Data\vorchufi.dll
2008-04-07 06:33 . 2008-04-07 06:37 2 --a------ C:\17.tmp
2008-04-07 03:45 . 2008-04-19 20:57 0 --a------ C:\Documents and Settings\Owner\AntiVirusPro.exe.log
2008-04-06 09:53 . 2008-04-06 09:53 29 --a------ C:\WINDOWS\system32\dddquuua.tmp
2008-04-06 09:36 . 2008-04-06 09:36 0 --a------ C:\WINDOWS\system32\lich.dat
2008-04-06 09:35 . 2008-04-18 08:28 120 --a------ C:\tempdel.bat
2008-04-06 09:34 . 2008-04-18 08:27 2 --a------ C:\687586052
2008-04-06 09:32 . 2008-04-18 08:28 32 --a------ C:\smp.bat
2008-04-06 09:30 . 2008-04-06 09:30 12,800 --a------ C:\iW8.exe
2008-04-06 09:04 . 2008-04-20 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ifstyfex
2008-04-06 09:04 . 2008-04-06 09:04 67,584 --a------ C:\WINDOWS\ajeberov.dll
2008-04-06 09:04 . 2008-04-06 09:04 67,584 --a------ C:\Documents and Settings\All Users\Application Data\enmvcbgz.dll
2008-04-06 09:03 . 2008-04-06 09:03 396 --a------ C:\WINDOWS\system32\L7D4B.tmp
2008-04-06 09:03 . 2008-04-06 09:03 396 --a------ C:\WINDOWS\system32\L7BA6.tmp
2008-04-06 09:03 . 2008-04-06 09:03 396 --a------ C:\WINDOWS\system32\L7A9C.tmp
2008-04-06 09:03 . 2008-04-06 09:03 396 --a------ C:\WINDOWS\system32\L7973.tmp
2008-04-06 06:59 . 2008-04-06 06:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-06 06:58 . 2008-04-20 13:45 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-06 06:58 . 2008-04-06 06:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-04-06 06:58 . 2008-04-06 06:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-04-06 06:58 . 2008-04-06 06:58 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-06 04:26 . 2008-04-19 21:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-05 15:23 . 2008-04-05 15:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-04-05 15:08 . 2008-04-05 15:08 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-05 15:08 . 2008-04-20 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-05 15:08 . 2008-04-05 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-05 15:08 . 2008-04-05 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-05 15:00 . 2008-04-05 15:23 <DIR> d-------- C:\Program Files\AIM6
2008-04-05 15:00 . 2008-04-05 15:23 439 --ah----- C:\IPH.PH
2008-04-05 04:56 . 2008-04-05 04:56 8,442 --a------ C:\477.htm
2008-04-05 00:32 . 2002-12-12 03:34 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-03 18:07 . 2008-04-03 18:07 268 --ah----- C:\sqmdata00.sqm
2008-04-03 18:07 . 2008-04-03 18:07 244 --ah----- C:\sqmnoopt00.sqm
2008-04-02 02:45 . 2008-04-02 03:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Zango
2008-03-30 21:53 . 2008-03-30 21:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-30 21:51 . 2008-03-30 21:51 6,039,144 --a------ C:\Firefox Setup 2.0.0.13.exe
2008-03-28 23:11 . 2003-06-18 18:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-28 23:11 . 2008-03-28 23:40 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-28 23:10 . 2008-03-28 23:10 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-28 23:10 . 2008-03-28 23:10 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-28 23:10 . 2008-03-28 23:10 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-28 23:08 . 2008-03-28 23:08 <DIR> dr-h----- C:\MSOCache
2008-03-28 23:03 . 2008-03-28 23:03 <DIR> d-------- C:\Program Files\Wireless Sync
2008-03-28 23:03 . 2008-04-18 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SyncClient
2008-03-28 23:03 . 2008-03-28 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstalledPackages

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 17:52 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-20 17:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 17:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-20 17:49 --------- d-----w C:\Program Files\MUSICMATCH
2008-04-19 01:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-04-18 21:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-05 08:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2008-03-23 03:26 --------- d-----w C:\Program Files\Norton AntiVirus
2003-08-29 03:16 32 --sha-w C:\WINDOWS\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat
2003-08-29 03:16 32 --sha-w C:\WINDOWS\system32\{C6B785D4-A2EC-4320-AADD-7778E174E81D}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0363fcc2-1dd2-11b2-ad3e-cc210a50382e}]
2008-04-18 08:27 58880 --a------ C:\WINDOWS\grqnydud.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21f3f1c3-36e8-fe4f-b966-0b3c534f4e9d}]
2008-04-07 08:52 114688 --a------ C:\WINDOWS\system32\oilqzwfl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 00:25 24576]
"NVIEW"="nview.dll" [2003-05-03 02:19 835654 C:\WINDOWS\system32\nview.dll]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 10:07 114688]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 10:23 90112]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-14 02:53 49152]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 06:03 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 05:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 11:01 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-08-23 10:14 151597]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 22:19 53248]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 02:19 4640768]
"nwiz"="nwiz.exe" [2003-05-03 02:19 323584 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 05:29 54976]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 05:29 59072]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 12:27 139264]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59 218240]
"28fbbbab"="C:\WINDOWS\System32\rimplkab.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-03 02:19 835654 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 01:08 1511453]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-06-13 07:08:16 233472]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 22:20:02 53248]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 23:34:35 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DnXanbNcc"= {28FBBB05-8251-11AF-97E3-741A5E13E054} - C:\WINDOWS\system32\ttoo.dll [2002-08-29 05:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oratcfqt]
oratcfqt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bft25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\edy48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fkq45.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fwf51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hdl86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hry61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lpw56.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qai64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rhw65.sys]
@="Driver"

R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\System32\drivers\Envy24HF.sys [2005-05-27 15:23]
S0 edy48;edy48;C:\WINDOWS\System32\Drivers\Edy48.sys []
S0 fkq45;fkq45;C:\WINDOWS\System32\Drivers\Fkq45.sys []
S0 fwf51;fwf51;C:\WINDOWS\System32\Drivers\Fwf51.sys []
S0 hdl86;hdl86;C:\WINDOWS\System32\Drivers\Hdl86.sys []
S0 hry61;hry61;C:\WINDOWS\System32\Drivers\Hry61.sys []
S0 lpw56;lpw56;C:\WINDOWS\System32\Drivers\Lpw56.sys []
S0 qai64;qai64;C:\WINDOWS\System32\Drivers\Qai64.sys []
S0 rhw65;rhw65;C:\WINDOWS\System32\Drivers\Rhw65.sys []

*Newly Created Service* - alg
*Newly Created Service* - ipnat
.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 04:14:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-07 08:40:28 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 14:25:21
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-04-20 14:31:20 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-20 18:31:07

Pre-Run: 144,774,291,456 bytes free
Post-Run: 144,724,594,688 bytes free

273

-----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:50 PM, on 4/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
K:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {0363fcc2-1dd2-11b2-ad3e-cc210a50382e} - C:\WINDOWS\grqnydud.dll
O2 - BHO: (no name) - {21f3f1c3-36e8-fe4f-b966-0b3c534f4e9d} - C:\WINDOWS\system32\oilqzwfl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [28fbbbab] rundll32.exe "C:\WINDOWS\System32\rimplkab.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O20 - Winlogon Notify: oratcfqt - oratcfqt.dll (file missing)
O21 - SSODL: DnXanbNcc - {28FBBB05-8251-11AF-97E3-741A5E13E054} - C:\WINDOWS\system32\ttoo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6155 bytes
  • 0

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
Driver::
edy48
fkq45
fwf51
hdl86
hry61
lpw56
qai64
rhw65
File::
C:\17.tmp
C:\32.tmp
C:\33.tmp
C:\34.tmp
C:\477.htm
C:\687586052
C:\B.tmp
C:\C.tmp
C:\clean.bat
C:\D.tmp
C:\Documents and Settings\All Users\Application Data\enmvcbgz.dll
C:\Documents and Settings\All Users\Application Data\mlkbsdmz.dll
C:\Documents and Settings\All Users\Application Data\vorchufi.dll
C:\Documents and Settings\Owner\AntiVirusPro.exe.log
C:\E.tmp
C:\IPH.PH
C:\iW8.exe
C:\p2hhr.bat
C:\smp.bat
C:\tempdel.bat
C:\WINDOWS\ajeberov.dll
C:\WINDOWS\BM2bc88837.xml
C:\WINDOWS\grqnydud.dll
C:\WINDOWS\ladwtkrw.exe
C:\WINDOWS\system32\dddquuua.tmp
C:\WINDOWS\system32\klwwolpa.ini
C:\WINDOWS\system32\L7973.tmp
C:\WINDOWS\system32\L7A9C.tmp
C:\WINDOWS\system32\L7BA6.tmp
C:\WINDOWS\system32\L7D4B.tmp
C:\WINDOWS\system32\lich.dat
C:\WINDOWS\system32\oilqzwfl.dll
C:\WINDOWS\System32\rimplkab.dll
C:\WINDOWS\system32\ttoo.dll
C:\WINDOWS\system32\wmpns.dll
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\tmp35317468.bat
C:\WINDOWS\zsqalpdt.sys
Folder::
C:\Documents and Settings\All Users\Application Data\dalilqtm
C:\Documents and Settings\All Users\Application Data\ifstyfex
C:\Documents and Settings\All Users\Application Data\rcbqjcdi
C:\Documents and Settings\Owner\Application Data\Zango
C:\Program Files\RcvSystem
C:\Program Files\Smhsggyd
C:\WINDOWS\pgrnomcc
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0363fcc2-1dd2-11b2-ad3e-cc210a50382e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21f3f1c3-36e8-fe4f-b966-0b3c534f4e9d}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"28fbbbab"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DnXanbNcc"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oratcfqt]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bft25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\edy48.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fkq45.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fwf51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hdl86.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hry61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lpw56.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qai64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rhw65.sys]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0
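The script above is a ComboFix CFScript: `KILLALL::`, `Driver::`, `File::`, `Folder::` and `Registry::` headers, and under `Registry::` the `[-KEY]` form deletes a whole key, `[KEY]` selects a key and `"name"=-` deletes one value beneath it. Before running such a script it is worth checking that every suspicious HijackThis entry (the no-name O2 BHOs, the random-named O4 Run value, the O20 Winlogon Notify and O21 SSODL entries) is actually covered by it. The following Python is an added example, not code from this thread, from Geeks to Go or from ComboFix's authors; it parses a CFScript excerpt and a handful of HijackThis lines (both constructed from the logs posted above, not the full script) and reports, for each entry, whether the script removes its file, its registry key or its registry value. The coverage rules (a deleted key "covers" an entry when the key path ends in the entry's CLSID or name) are my own heuristic, not ComboFix semantics.

```python
import re

# Constructed CFScript excerpt modelled on the script posted above (not the full
# script). Headers end in '::'; under Registry::, '[-KEY]' deletes a key, '[KEY]'
# selects a key and '"name"=-' deletes one value beneath the selected key.
CFSCRIPT = r"""KILLALL::
File::
C:\WINDOWS\grqnydud.dll
C:\WINDOWS\system32\oilqzwfl.dll
C:\WINDOWS\System32\rimplkab.dll
C:\WINDOWS\system32\ttoo.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0363fcc2-1dd2-11b2-ad3e-cc210a50382e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"28fbbbab"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DnXanbNcc"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oratcfqt]
"""

# Constructed HijackThis lines copied from the log above; the last one is a
# legitimate HP entry, included to show that the script leaves it untouched.
HJT_LOG = r"""O2 - BHO: (no name) - {0363fcc2-1dd2-11b2-ad3e-cc210a50382e} - C:\WINDOWS\grqnydud.dll
O2 - BHO: (no name) - {21f3f1c3-36e8-fe4f-b966-0b3c534f4e9d} - C:\WINDOWS\system32\oilqzwfl.dll
O4 - HKLM\..\Run: [28fbbbab] rundll32.exe "C:\WINDOWS\System32\rimplkab.dll",b
O20 - Winlogon Notify: oratcfqt - oratcfqt.dll (file missing)
O21 - SSODL: DnXanbNcc - {28FBBB05-8251-11AF-97E3-741A5E13E054} - C:\WINDOWS\system32\ttoo.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
"""

PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:dll|exe|sys|ocx)\b', re.I)
CLSID_RE = re.compile(r'\{[0-9a-f-]{36}\}', re.I)

def parse_cfscript(text):
    """Map each 'Name::' header to the stripped lines beneath it."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r'^([A-Za-z]+)::$', line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current:        # text before the first header is ignored
            sections[current].append(line)
    return sections

def registry_deletions(lines):
    """Return (deleted key paths, (key, value) pairs to delete), lower-cased."""
    keys, values, current = set(), set(), None
    for line in lines:
        if line.startswith('[-') and line.endswith(']'):
            keys.add(line[2:-1].lower())
        elif line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
        else:
            m = re.match(r'^"([^"]+)"=-$', line)
            if m and current:
                values.add((current, m.group(1).lower()))
    return keys, values

def hjt_entries(log):
    """Pull file paths, CLSIDs and the entry name out of O2/O4/O20/O21 lines."""
    out = []
    for line in (ln.strip() for ln in log.splitlines()):
        m = re.match(r'^(O\d+) - (.*)$', line)
        if not m or m.group(1) not in ('O2', 'O4', 'O20', 'O21'):
            continue
        kind, body = m.groups()
        # O4 carries its value name in [...]; O20/O21 carry it after the label
        nm = (re.search(r'\[([^\]]+)\]', body) if kind == 'O4'
              else re.match(r'(?:Winlogon Notify|SSODL): (\S+) -', body))
        out.append({'line': line, 'name': nm.group(1).lower() if nm else None,
                    'paths': {p.lower() for p in PATH_RE.findall(body)},
                    'clsids': {c.lower() for c in CLSID_RE.findall(body)}})
    return out

def coverage_report(cfscript, log):
    """Per entry: ['file', 'registry key', 'registry value'] subset; [] = untouched."""
    sections = parse_cfscript(cfscript)
    files = {f.lower() for f in sections.get('File', [])}
    keys, values = registry_deletions(sections.get('Registry', []))
    report = []
    for e in hjt_entries(log):
        tails = set(e['clsids'])          # a deleted key may end in the CLSID...
        if e['name']:
            tails.add('\\' + e['name'])   # ...or in the Notify entry's name
        why = []
        if e['paths'] & files:
            why.append('file')
        if any(k.endswith(t) for k in keys for t in tails):
            why.append('registry key')
        if any(v == e['name'] for _, v in values):
            why.append('registry value')
        report.append((e['line'], why))
    return report

if __name__ == '__main__':
    for line, why in coverage_report(CFSCRIPT, HJT_LOG):
        print(', '.join(why) or 'NOT COVERED', '<-', line)
```

Run as a script it prints one line per HijackThis entry. In the constructed sample the second BHO is covered only by its `File::` line (its CLSID key is not in the excerpt), the `hpsysdrv` entry comes out as NOT COVERED, which is what you want for a legitimate HP component, and the `oratcfqt` Notify entry is covered by a key deletion alone because HijackThis already reports its DLL as missing. Running the same check against the full script and the full log is a quick way to spot an entry the helper's script missed before the machine is rebooted.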

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0