Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help with Removal of Blackbird [RESOLVED]

Started by lukrey , Apr 22 2008 01:19 PM

  • This topic is locked This topic is locked

#1
lukrey
Posted 22 April 2008 - 01:19 PM

lukrey

    New Member

  • Member
  • Pip
  • 4 posts
I have taken the steps mentioned in some of the other post by member with the similiar problem. I ran SuperAntispyware and it detected and deleted some of my problems.

I ran the ComboFix, then the HiJackThis program and finally the SmitFraudFix programs.

I continue to receive 2 alerts on my desktop.
1. Windows Virus Alert.
(X) Windows has blocked a virus in your computer!
Virus Name: Worm.Win32.NetBooster2
Path: C:\Windows\system32\qappsrv.exe
Behavior: This Trojan allows attackers to access your computer from remote locations, stealing passwords and
personal data.
This process is a security risk and should be removed from your system. Click here to visit Antispyware Web Site.
Then it has a red button with the (OK).
2. There is a yellow triangle with an exclamation point and it states:
Internet attack attempt detected:
Somebodys trying to infect your PC with spyware or harmful viruses. Run FUL SYSTEM SCAN nowto protect your system from Internet attacks, hijacking attempts and spyware.
Click here for the list available security updates...

By the way I have disabled all internet access to this computer!

Below is the logs for ComboFix, HiJackThis and SmitFraudFix.

ComboFix

ComboFix 08-04-16.5 - Owner 2008-04-21 13:08:04.2 - NTFSx86
Running from: F:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 21:41 . 2008-04-20 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 20:12 . 2008-04-17 20:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-17 20:12 . 2008-04-17 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-17 08:07 . 2008-04-17 08:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 01:11 . 2008-04-17 01:11 <DIR> d-------- C:\Deckard
2008-04-16 21:51 . 2008-04-16 21:51 <DIR> d-------- C:\Program Files\CCleaner
2008-04-15 07:46 . 2008-04-16 22:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-14 23:47 . 2008-04-14 21:20 266,240 --a------ C:\WINDOWS\omlbpkaw.dll
2008-04-14 23:47 . 2008-04-14 21:20 229,376 --a------ C:\WINDOWS\pmsoarbf.dll
2008-04-14 23:47 . 2008-04-14 21:20 217,088 --a------ C:\WINDOWS\lgmxvpatrqm.dll
2008-04-14 23:47 . 2008-04-14 21:20 184,320 --a------ C:\WINDOWS\qtvglped.dll
2008-04-14 23:47 . 2008-04-14 21:20 106,496 --a------ C:\WINDOWS\npqtsrak.exe
2008-04-14 23:47 . 2008-04-14 21:20 94,208 --a------ C:\WINDOWS\rtqmekwg.exe
2008-04-14 23:46 . 2008-04-14 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\qforwfov
2008-04-14 23:46 . 2008-04-14 23:46 90,112 --a------ C:\WINDOWS\SYSTEM32\efubidct.exe
2008-04-10 08:15 . 2008-04-10 08:44 69,398 --a------ C:\WINDOWS\hpoins05.dat
2008-04-10 08:15 . 2004-12-14 11:07 19,696 --------- C:\WINDOWS\hpomdl05.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 06:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-12 03:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2008-04-10 13:40 --------- d-----w C:\Program Files\HP
2008-04-10 00:45 --------- d-----w C:\Program Files\Google
2008-03-21 03:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-18 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-13 16:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-02-26 00:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2004-12-30 03:24 81,944 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27F06E78-8650-4E11-934C-4CF91F971277}]
2008-04-14 21:20 217088 --a------ C:\WINDOWS\lgmxvpatrqm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{17283BB5-D8FF-455C-B3D7-E8BC91256610}"= "C:\WINDOWS\qtvglped.dll" [2008-04-14 21:20 184320]

[HKEY_CLASSES_ROOT\clsid\{17283bb5-d8ff-455c-b3d7-e8bc91256610}]
[HKEY_CLASSES_ROOT\qtvglped.1]
[HKEY_CLASSES_ROOT\TypeLib\{83BA5BF1-CA33-411C-9B56-D3F0A42A61B6}]
[HKEY_CLASSES_ROOT\qtvglped]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41 4617720]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 19:52 376912]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 20:10 1688872]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"hadhuzke"="C:\WINDOWS\system32\efubidct.exe" [2008-04-14 23:46 90112]
"SUPERAntiSpyware"="F:\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB"="C:\WINDOWS\system32\usb.exe" [2001-07-03 17:14 102400]
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25 143360]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36 90112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-01 03:25 102455]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 22:23 45056]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 02:56 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-19 19:48 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34 212992]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 19:10 11776]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"HPCDTray"="C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe" [2001-10-17 11:41 69632]
"DVDBitSet"="C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" [2002-03-25 17:19 200704]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"HostManager"="C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 15:21 2213160]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-09-12 19:27 492912]

C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\Startup\
Zing PhotoUploader.lnk - C:\Program Files\Zing\PhotoUploader\icamctrl.exe [2003-12-02 23:23:37 135168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BTTray.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2004-11-29 19:55:44 569405]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2005-09-14 17:13:36 929886]
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2001-11-06 21:46:15 69632]
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2001-11-06 21:46:17 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-05-02 20:05:30 663552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"V01lquoc88"= C:\Documents and Settings\All Users\Application Data\qforwfov\kxuvkbwr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"omlbpkaw"= {74A195EF-84EB-486E-89EA-DDEEDD404FA7} - C:\WINDOWS\omlbpkaw.dll [2008-04-14 21:20 266240]
"pmsoarbf"= {DE9435BC-A621-436E-8E3B-EC6E72287CB0} - C:\WINDOWS\pmsoarbf.dll [2008-04-14 21:20 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\NavDiag\\Navini Diagnostics.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 hpcd2k;hpcd2k;C:\WINDOWS\system32\drivers\hpcd2k.sys [2000-10-23 11:38]
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe [2001-08-09 16:46]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-08-16 13:02]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 16:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 13:13:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-21 13:17:08
ComboFix-quarantined-files.txt 2008-04-21 18:15:59
ComboFix2.txt 2008-04-21 06:52:29

Pre-Run: 12,947,406,848 bytes free
Post-Run: 12,932,198,400 bytes free
.
2008-04-12 08:08:02 --- E O F ---

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:50 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\qforwfov\kxuvkbwr.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\efubidct.exe
F:\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Zing\PhotoUploader\icamctrl.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: DVA Storm - {27F06E78-8650-4E11-934C-4CF91F971277} - C:\WINDOWS\lgmxvpatrqm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CitiBrowserHelper Class - {E8C0F153-B768-4e68-B14F-40F0E8531675} - C:\WINDOWS\System32\BhoCiti.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: qtvglped - {17283BB5-D8FF-455C-B3D7-E8BC91256610} - C:\WINDOWS\qtvglped.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPCDTray] "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [hadhuzke] C:\WINDOWS\system32\efubidct.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [V01lquoc88] C:\Documents and Settings\All Users\Application Data\qforwfov\kxuvkbwr.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Zing PhotoUploader.lnk = C:\Program Files\Zing\PhotoUploader\icamctrl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1190084160781
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O21 - SSODL: omlbpkaw - {74A195EF-84EB-486E-89EA-DDEEDD404FA7} - C:\WINDOWS\omlbpkaw.dll
O21 - SSODL: pmsoarbf - {DE9435BC-A621-436E-8E3B-EC6E72287CB0} - C:\WINDOWS\pmsoarbf.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 14278 bytes

SmitFraudFix

SmitFraudFix v2.314

Scan done at 13:32:17.25, Mon 04/21/2008
Run from F:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\qforwfov\kxuvkbwr.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\efubidct.exe
F:\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Zing\PhotoUploader\icamctrl.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
F:\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection #2 - Packet Scheduler Miniport
DNS Server Search Order: 15.60.103.1
DNS Server Search Order: 15.60.103.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

Advertisements

#2
Essexboy
Posted 22 April 2008 - 01:53 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You are still infected as you assumed - so it is now clear out time :)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: DVA Storm - {27F06E78-8650-4E11-934C-4CF91F971277} - C:\WINDOWS\lgmxvpatrqm.dll
O3 - Toolbar: qtvglped - {17283BB5-D8FF-455C-B3D7-E8BC91256610} - C:\WINDOWS\qtvglped.dll
O4 - HKCU\..\Run: [hadhuzke] C:\WINDOWS\system32\efubidct.exe
O4 - HKLM\..\Policies\Explorer\Run: [V01lquoc88] C:\Documents and Settings\All Users\Application Data\qforwfov\kxuvkbwr.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O21 - SSODL: omlbpkaw - {74A195EF-84EB-486E-89EA-DDEEDD404FA7} - C:\WINDOWS\omlbpkaw.dll
O21 - SSODL: pmsoarbf - {DE9435BC-A621-436E-8E3B-EC6E72287CB0} - C:\WINDOWS\pmsoarbf.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\omlbpkaw.dll
C:\WINDOWS\pmsoarbf.dll
C:\WINDOWS\lgmxvpatrqm.dll
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\rtqmekwg.exe
C:\WINDOWS\SYSTEM32\efubidct.exe

Folder::
C:\Documents and Settings\All Users\Application Data\qforwfov

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#3
lukrey
Posted 22 April 2008 - 09:02 PM

lukrey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here is a copy of the ComboFix and HiJackThis reports. Oh, by the way thank you if I haven't already thanked you for taking the time to help! The other thing is that the pop up window with the virus alert is gone.

ComboFix Report

ComboFix 08-04-16.5 - Owner 2008-04-22 19:16:15.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.541 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: F:\logs\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\lgmxvpatrqm.dll
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\omlbpkaw.dll
C:\WINDOWS\pmsoarbf.dll
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\rtqmekwg.exe
C:\WINDOWS\SYSTEM32\efubidct.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\qforwfov
C:\Documents and Settings\All Users\Application Data\qforwfov\kxuvkbwr.exe
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\omlbpkaw.dll
C:\WINDOWS\pmsoarbf.dll
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\rtqmekwg.exe
C:\WINDOWS\SYSTEM32\efubidct.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-21 13:33 . 2008-04-21 13:33 5,064 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-20 21:41 . 2008-04-20 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 20:12 . 2008-04-17 20:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-17 20:12 . 2008-04-17 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-17 08:07 . 2008-04-17 08:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 01:11 . 2008-04-17 01:11 <DIR> d-------- C:\Deckard
2008-04-16 21:51 . 2008-04-16 21:51 <DIR> d-------- C:\Program Files\CCleaner
2008-04-15 07:46 . 2008-04-16 22:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-10 08:15 . 2008-04-10 08:44 69,398 --a------ C:\WINDOWS\hpoins05.dat
2008-04-10 08:15 . 2004-12-14 11:07 19,696 --------- C:\WINDOWS\hpomdl05.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 06:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-12 03:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2008-04-10 13:40 --------- d-----w C:\Program Files\HP
2008-04-10 00:45 --------- d-----w C:\Program Files\Google
2008-03-21 03:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-03-18 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-13 16:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-26 00:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-12-30 03:24 81,944 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-21_ 1.51.47.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-21 06:29:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 00:21:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41 4617720]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 19:52 376912]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 20:10 1688872]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SUPERAntiSpyware"="F:\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB"="C:\WINDOWS\system32\usb.exe" [2001-07-03 17:14 102400]
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25 143360]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36 90112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-01 03:25 102455]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 22:23 45056]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 02:56 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-19 19:48 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34 212992]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 19:10 11776]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"HPCDTray"="C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe" [2001-10-17 11:41 69632]
"DVDBitSet"="C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" [2002-03-25 17:19 200704]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"HostManager"="C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 15:21 2213160]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-09-12 19:27 492912]

C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\Startup\
Zing PhotoUploader.lnk - C:\Program Files\Zing\PhotoUploader\icamctrl.exe [2003-12-02 23:23:37 135168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BTTray.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2004-11-29 19:55:44 569405]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2005-09-14 17:13:36 929886]
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2001-11-06 21:46:15 69632]
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2001-11-06 21:46:17 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-05-02 20:05:30 663552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"omlbpkaw"= {E1330E17-78E0-49D7-920B-C0C7B479595C} - C:\WINDOWS\omlbpkaw.dll [ ]
"pmsoarbf"= {3102AA18-DD25-4254-8551-120E1A0A34B3} - C:\WINDOWS\pmsoarbf.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\NavDiag\\Navini Diagnostics.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 hpcd2k;hpcd2k;C:\WINDOWS\system32\drivers\hpcd2k.sys [2000-10-23 11:38]
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe [2001-08-09 16:46]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-08-16 13:02]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 16:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 19:25:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-22 19:44:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 00:44:34
ComboFix2.txt 2008-04-21 18:17:10
ComboFix3.txt 2008-04-21 06:52:29

Pre-Run: 12,900,249,600 bytes free
Post-Run: 12,910,366,720 bytes free
.
2008-04-12 08:08:02 --- E O F ---


HiJackThis Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:33 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
F:\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zing\PhotoUploader\icamctrl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CitiBrowserHelper Class - {E8C0F153-B768-4e68-B14F-40F0E8531675} - C:\WINDOWS\System32\BhoCiti.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPCDTray] "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Zing PhotoUploader.lnk = C:\Program Files\Zing\PhotoUploader\icamctrl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1190084160781
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O21 - SSODL: omlbpkaw - {E1330E17-78E0-49D7-920B-C0C7B479595C} - C:\WINDOWS\omlbpkaw.dll (file missing)
O21 - SSODL: pmsoarbf - {3102AA18-DD25-4254-8551-120E1A0A34B3} - C:\WINDOWS\pmsoarbf.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 13729 bytes
  • 0

#4
Essexboy
Posted 23 April 2008 - 01:13 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
There are two Hijackthis entries that do not want to go - so lets hammer them :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\omlbpkaw.dll 
C:\WINDOWS\pmsoarbf.dll 

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"omlbpkaw"=-
"pmsoarbf"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

On completion

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : Combofix and MBAM
  • 0

#5
lukrey
Posted 23 April 2008 - 07:39 PM

lukrey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here is a copy of the ComboFix, HiJackThis and MBAM Reports. The ComboFix report is the report from this last request. I wasn't sure if you wanted me to run ComboFix again after MBAM was done? I ran MBAM twice, once was the quick scan report included and the second was a full scan, report included. Found more trojans the second time around.

ComboFix Report:

ComboFix 08-04-16.5 - Owner 2008-04-23 18:43:17.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.568 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: F:\logs\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\omlbpkaw.dll
C:\WINDOWS\pmsoarbf.dll
.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-21 13:33 . 2008-04-21 13:33 5,064 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-20 21:41 . 2008-04-20 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 20:12 . 2008-04-17 20:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-17 20:12 . 2008-04-17 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-17 08:07 . 2008-04-17 08:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 01:11 . 2008-04-17 01:11 <DIR> d-------- C:\Deckard
2008-04-16 21:51 . 2008-04-16 21:51 <DIR> d-------- C:\Program Files\CCleaner
2008-04-15 07:46 . 2008-04-16 22:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-10 08:15 . 2008-04-10 08:44 69,398 --a------ C:\WINDOWS\hpoins05.dat
2008-04-10 08:15 . 2004-12-14 11:07 19,696 --------- C:\WINDOWS\hpomdl05.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-12 03:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2008-04-10 13:40 --------- d-----w C:\Program Files\HP
2008-04-10 00:45 --------- d-----w C:\Program Files\Google
2008-03-21 03:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-03-18 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-13 16:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-26 00:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-12-30 03:24 81,944 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-21_ 1.51.47.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-21 06:29:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 23:49:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41 4617720]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 19:52 376912]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 20:10 1688872]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SUPERAntiSpyware"="F:\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB"="C:\WINDOWS\system32\usb.exe" [2001-07-03 17:14 102400]
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25 143360]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36 90112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-01 03:25 102455]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 22:23 45056]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 02:56 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-19 19:48 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34 212992]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 19:10 11776]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"HPCDTray"="C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe" [2001-10-17 11:41 69632]
"DVDBitSet"="C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" [2002-03-25 17:19 200704]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"HostManager"="C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 15:21 2213160]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-09-12 19:27 492912]

C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\Startup\
Zing PhotoUploader.lnk - C:\Program Files\Zing\PhotoUploader\icamctrl.exe [2003-12-02 23:23:37 135168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BTTray.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2004-11-29 19:55:44 569405]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2005-09-14 17:13:36 929886]
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2001-11-06 21:46:15 69632]
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2001-11-06 21:46:17 16384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-05-02 20:05:30 663552]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\NavDiag\\Navini Diagnostics.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 hpcd2k;hpcd2k;C:\WINDOWS\system32\drivers\hpcd2k.sys [2000-10-23 11:38]
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe [2001-08-09 16:46]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-08-16 13:02]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 16:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 18:51:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-23 19:11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 00:11:45
ComboFix2.txt 2008-04-23 00:45:00
ComboFix3.txt 2008-04-21 18:17:10
ComboFix4.txt 2008-04-21 06:52:29

Pre-Run: 12,933,906,432 bytes free
Post-Run: 12,917,137,408 bytes free
.
2008-04-12 08:08:02 --- E O F ---


HiJackThis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:38 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
F:\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Zing\PhotoUploader\icamctrl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CitiBrowserHelper Class - {E8C0F153-B768-4e68-B14F-40F0E8531675} - C:\WINDOWS\System32\BhoCiti.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPCDTray] "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1188390631\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Zing PhotoUploader.lnk = C:\Program Files\Zing\PhotoUploader\icamctrl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1190084160781
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 13519 bytes


MBAM Report Quick Scan:

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Quick Scan
Objects scanned: 34457
Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.bxmo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


MBAM Report Full Scan:

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 178369
Time elapsed: 1 hour(s), 43 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\qforwfov\kxuvkbwr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\efubidct.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\geBsqnLb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qoMeEWon.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wvUlmjKD.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\WEB\def.htm.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP508\A0047983.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP508\A0047984.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP508\A0047985.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP510\A0048227.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP510\A0048233.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by lukrey, 23 April 2008 - 10:22 PM.

  • 0

#6
Essexboy
Posted 24 April 2008 - 01:25 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Excellent - all the stuff deleted by MBAM on the second run was either quarantined or in system restore :)

So subject to you experiencing no further problems .............

Now the best part of the day ----- Your log now appears clean :)

You may now delete all the programmes I had you download

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#7
lukrey
Posted 24 April 2008 - 05:31 PM

lukrey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Just completed your request! Thank you very much! You assistance is greatly appreciated.
  • 0

#8
Essexboy
Posted 25 April 2008 - 09:18 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP