Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

sons computer problems


  • Please log in to reply

#1
skipper1

skipper1

    New Member

  • Member
  • Pip
  • 6 posts
My kid is experiencing massive amounts of pop ups from winantiviruspro and need to get rid of them. Any assistance would be appreciated.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:14, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VAV\vav.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://youtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [28c6476d] rundll32.exe "C:\WINDOWS\system32\oadksoqg.dll",b
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F5399FC3.exe] C:\DOCUME~1\user\LOCALS~1\Temp\_A00F5399FC3.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O4 - HKCU\..\Run: [A00F1320BC74.exe] C:\DOCUME~1\user\LOCALS~1\Temp\_A00F1320BC74.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm860YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...etup1.0.1.0.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe
O20 - AppInit_DLLs: cdlntejs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6894 bytes
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
skipper1

skipper1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the log you requested. Obviously being the "DAD" I have no clue what I am looking at.

===================================================================
ComboFix 08-06-20.4 - user 2008-06-29 8:18:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.60 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\02A91D0D.urr
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\03E458E1
C:\Program Files\MyWebSearch\bar\Cache\03E471C8.bin
C:\Program Files\MyWebSearch\bar\Cache\03E47E6A.bin
C:\Program Files\MyWebSearch\bar\Cache\03E47FB2.bin
C:\Program Files\MyWebSearch\bar\Cache\03E4807E.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\WinAntivirusPro3.8
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c001B6C8.exe
C:\WINDOWS\system32\__c00369CC.dat
C:\WINDOWS\system32\__c0047C19.dat
C:\WINDOWS\system32\__c0091F9B.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\ackhjvge.dll
C:\WINDOWS\system32\afjqjpqu.ini
C:\WINDOWS\system32\atibmqmq.ini
C:\WINDOWS\system32\avedxxio.dll
C:\WINDOWS\system32\aygoxser.dll
C:\WINDOWS\system32\bmfyfjjc.ini
C:\WINDOWS\system32\bqheywrs.ini
C:\WINDOWS\system32\celahlqm.ini
C:\WINDOWS\system32\cocblytf.ini
C:\WINDOWS\system32\dcgdjdvi.ini
C:\WINDOWS\system32\diwhyrkt.ini
C:\WINDOWS\system32\dltenemh.ini
C:\WINDOWS\system32\dpdrvgtk.ini
C:\WINDOWS\system32\drxgfhox.ini
C:\WINDOWS\system32\ehnhbopx.ini
C:\WINDOWS\system32\erxsnrgn.dll
C:\WINDOWS\system32\etnrtitf.dll
C:\WINDOWS\system32\evjxdvam.ini
C:\WINDOWS\system32\evxawdyl.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\ftylbcoc.dll
C:\WINDOWS\system32\fxcsoqkp.dll
C:\WINDOWS\system32\gdnigvbi.dll
C:\WINDOWS\system32\gqoskdao.ini
C:\WINDOWS\system32\gvmphjmg.ini
C:\WINDOWS\system32\hklntocw.ini
C:\WINDOWS\system32\iarducbh.dll
C:\WINDOWS\system32\ieiwgfxv.dll
C:\WINDOWS\system32\ikTBKRqr.ini
C:\WINDOWS\system32\ikTBKRqr.ini2
C:\WINDOWS\system32\irsvkesb.dll
C:\WINDOWS\system32\jheunfjy.dll
C:\WINDOWS\system32\jkkIcBQK.dll
C:\WINDOWS\system32\keshfssf.ini
C:\WINDOWS\system32\khfGvtuU.dll
C:\WINDOWS\system32\kioahuhs.dll
C:\WINDOWS\system32\krqixvxr.ini
C:\WINDOWS\system32\lpyragfc.ini
C:\WINDOWS\system32\lurxekql.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhmucleb.ini
C:\WINDOWS\system32\mihtdioe.ini
C:\WINDOWS\system32\mlckbsbj.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mybfrexw.ini
C:\WINDOWS\system32\myohorlq.ini
C:\WINDOWS\system32\nbhmawwf.dll
C:\WINDOWS\system32\nnnmligF.dll
C:\WINDOWS\system32\ojthbkui.ini
C:\WINDOWS\system32\opvafwuh.ini
C:\WINDOWS\system32\pchmkiha.dll
C:\WINDOWS\system32\pmnnNheF.dll
C:\WINDOWS\system32\prcshgjg.dll
C:\WINDOWS\system32\qkbigftq.ini
C:\WINDOWS\system32\qlrohoym.dll
C:\WINDOWS\system32\qoMccYSJ.dll
C:\WINDOWS\system32\rqRIbaXQ.dll
C:\WINDOWS\system32\rqRKBTki.dll
C:\WINDOWS\system32\skklcxpo.ini
C:\WINDOWS\system32\slycqhqk.dll
C:\WINDOWS\system32\ssqRHApo.dll
C:\WINDOWS\system32\tdvhxohe.ini
C:\WINDOWS\system32\uqpjqjfa.dll
C:\WINDOWS\system32\urqQgFUk.dll
C:\WINDOWS\system32\vsmlrqhd.ini
C:\WINDOWS\system32\wexynapt.dll
C:\WINDOWS\system32\wminskgc.dll
C:\WINDOWS\system32\wxerfbym.dll
C:\WINDOWS\system32\xjtnjqtg.ini
C:\WINDOWS\system32\xnwknddg.dll
C:\WINDOWS\system32\yayyWqPI.dll
C:\WINDOWS\system32\yrdylaej.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 08:39 . 2008-06-29 08:39 233 ---hs---- C:\WINDOWS\system32\gqoskdao.ini
2008-06-29 08:39 . 0 C:\WINDOWS\system32\gqoskdao.tmp
2008-06-29 08:14 . 2008-06-29 08:14 17,948 --a------ C:\malware.rtf
2008-06-28 15:58 . 2008-06-28 15:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 09:52 . 2008-06-28 09:52 103,424 --a------ C:\WINDOWS\system32\ojvinh.dll
2008-06-28 09:52 . 2008-06-28 09:52 103,424 --a------ C:\WINDOWS\system32\iytvbsjb.dll
2008-06-28 09:49 . 2008-06-28 09:49 81,920 --a------ C:\WINDOWS\system32\oadksoqg.dll
2008-06-27 09:52 . 2008-06-27 09:52 103,936 --a------ C:\WINDOWS\system32\wawcuk.dll
2008-06-27 09:52 . 2008-06-27 09:52 103,936 --a------ C:\WINDOWS\system32\nfklwpyy.dll
2008-06-26 09:49 . 2008-06-26 09:49 80,896 --a------ C:\WINDOWS\system32\qbftctsj.dll
2008-06-26 09:49 . 2008-06-26 09:49 294 --ahs---- C:\WINDOWS\system32\jstctfbq.ini
2008-06-26 09:48 . 2008-06-26 09:48 106,496 --a------ C:\WINDOWS\system32\ivvkhqlv.dll
2008-06-24 13:00 . 2008-06-24 13:00 99,840 --a------ C:\WINDOWS\system32\hpcehosv.dll
2008-06-23 13:01 . 2008-06-23 13:01 105,984 --a------ C:\WINDOWS\system32\cdlntejs.dll
2008-06-22 13:02 . 2008-06-22 13:02 99,328 --a------ C:\WINDOWS\system32\inpxiwfr.dll
2008-06-21 12:59 . 2008-06-21 12:59 99,328 --a------ C:\WINDOWS\system32\vurtmfxc.dll
2008-06-20 13:01 . 2008-06-20 13:01 99,328 --a------ C:\WINDOWS\system32\cppdebpc.dll
2008-06-19 12:59 . 2008-06-19 12:59 98,816 --a------ C:\WINDOWS\system32\meihpvyi.dll
2008-06-16 10:02 . 2008-06-16 10:13 4,232 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-16 09:59 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-16 09:59 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-16 09:59 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-16 09:59 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-16 09:59 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-16 09:59 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-16 09:59 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-16 09:59 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-16 09:59 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-16 09:43 . 2008-06-17 17:54 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-06-05 22:36 . 2008-06-05 22:36 2,960 --a------ C:\texttones.rtf
2008-06-05 18:48 . 2008-06-12 20:26 <DIR> d-------- C:\Program Files\VAV
2008-06-05 18:48 . 2008-06-05 06:21 117,248 --a------ C:\WINDOWS\system32\vav.cpl
2008-06-01 13:35 . 2008-06-01 13:35 7,916 --a------ C:\WINDOWS\system32\qasedktd.dll
2008-06-01 13:32 . 2008-06-01 13:32 7,916 --a------ C:\WINDOWS\system32\ecaxlfia.dll
2008-05-30 13:29 . 2008-06-04 10:35 <DIR> d-------- C:\Program Files\LiveAntispy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 19:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-28 03:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-04 14:39 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-04 14:39 --------- d-----w C:\Program Files\Yahoo!
2008-06-04 14:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 14:37 --------- d-----w C:\Program Files\THQ
2008-06-04 14:37 --------- d-----w C:\Program Files\The Learning Company
2008-06-04 14:33 --------- d-----w C:\Program Files\Google
2008-06-04 14:31 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-06-04 14:28 --------- d-----w C:\Program Files\Registry Defender Platinum
2008-06-04 14:22 --------- d-----w C:\Program Files\GameSpy Arcade
2008-06-04 14:18 --------- d-----w C:\Program Files\EA Games
2008-05-24 11:57 --------- d-----w C:\Documents and Settings\user\Application Data\Microsoft Games
2008-05-23 20:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-06-26 13:22 6,980,738 ----a-w C:\Documents and Settings\user\HC4Installer.exe
2007-01-20 12:36 774 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0df62e89-b60c-4a76-b44e-3237c7169e04}]
2008-06-28 09:52 103424 --a------ C:\WINDOWS\system32\ojvinh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 15:45 114688]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 05:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"wcmdmgr"="C:\WINDOWS\wt\updater\wcmdmgrl.exe" [2002-05-07 20:45 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 09:19 98304]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 11:57 126104]
"BellSouthWCC_McciTrayApp"="C:\Program Files\BellSouthWCC\McciTrayApp.exe" [2005-11-17 14:19 543232]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe" [2006-01-10 17:56 1896448]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"HelpCenter"="C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe" [2006-10-30 12:00 192512]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 10:05 185896]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL" [ ]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [ ]
"Antivirus"="C:\Program Files\VAV\vav.exe" [2008-06-12 20:27 325632]
"28c6476d"="C:\WINDOWS\system32\oadksoqg.dll" [2008-06-28 09:49 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-04-28 17:19:57 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0047C19]
C:\WINDOWS\system32\__c0047C19.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cdlntejs.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA Games\\The Battle for Middle-earth ™\\game.dat"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\America Online 9.0b\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=

S2 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe []
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys []
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2002-11-08 05:50]
S3 ldiskl;ldiskl;C:\DOCUME~1\user\LOCALS~1\Temp\ldiskl.sys []
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 13:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9da9887c-2821-11dc-afb7-00d041a5ca2d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 19:39:06 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 08:33:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\gqoskdao.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-29 8:42:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 12:42:14

Pre-Run: 60,181,532,672 bytes free
Post-Run: 61,708,865,536 bytes free

323 --- E O F --- 2008-05-16 11:06:31
  • 0

#4
skipper1

skipper1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Whatever this boy has gotten on his computer is a nasty pernicious PIA. Now I am seeing popups called VISTA ANTI VIRUS. God help me cause I fell like putting this computer on a fencepost and shooting it.
  • 0

#5
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
LOL!! Its frustrating, I know, let's start cleaning it wont take long

Open notepad and copy/paste the text in RED below into it:

File::
C:\WINDOWS\system32\gqoskdao.ini
C:\WINDOWS\system32\gqoskdao.tmp
C:\malware.rtf
C:\WINDOWS\system32\ojvinh.dll
C:\WINDOWS\system32\iytvbsjb.dll
C:\WINDOWS\system32\oadksoqg.dll
C:\WINDOWS\system32\wawcuk.dll
C:\WINDOWS\system32\nfklwpyy.dll
C:\WINDOWS\system32\qbftctsj.dll
C:\WINDOWS\system32\jstctfbq.ini
C:\WINDOWS\system32\ivvkhqlv.dll
C:\WINDOWS\system32\hpcehosv.dll
C:\WINDOWS\system32\cdlntejs.dll
C:\WINDOWS\system32\inpxiwfr.dll
C:\WINDOWS\system32\vurtmfxc.dll
C:\WINDOWS\system32\cppdebpc.dll
C:\WINDOWS\system32\meihpvyi.dll
C:\WINDOWS\system32\qasedktd.dll
C:\WINDOWS\system32\ecaxlfia.dll
C:\WINDOWS\system32\ojvinh.dll
C:\WINDOWS\system32\__c0047C19.dat
C:\WINDOWS\system32\vav.cpl
Folder::
C:\Program Files\VAV
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
"MyWebSearch Plugin"=-
"My Web Search Bar Search Scope Monitor"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0df62e89-b60c-4a76-b44e-3237c7169e04}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0047C19]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Driver::
MyWebSearchService
ldiskl



Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt, also please post a new hijack log :)
  • 0

#6
skipper1

skipper1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK guys and gals here is the latest LOG FILE for your review.

==========================================================

ComboFix 08-06-20.4 - user 2008-06-29 15:03:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.79 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\malware.rtf
C:\WINDOWS\system32\__c0047C19.dat
C:\WINDOWS\system32\cdlntejs.dll
C:\WINDOWS\system32\cppdebpc.dll
C:\WINDOWS\system32\ecaxlfia.dll
C:\WINDOWS\system32\gqoskdao.ini
C:\WINDOWS\system32\gqoskdao.tmp
C:\WINDOWS\system32\hpcehosv.dll
C:\WINDOWS\system32\inpxiwfr.dll
C:\WINDOWS\system32\ivvkhqlv.dll
C:\WINDOWS\system32\iytvbsjb.dll
C:\WINDOWS\system32\jstctfbq.ini
C:\WINDOWS\system32\meihpvyi.dll
C:\WINDOWS\system32\nfklwpyy.dll
C:\WINDOWS\system32\oadksoqg.dll
C:\WINDOWS\system32\ojvinh.dll
C:\WINDOWS\system32\qasedktd.dll
C:\WINDOWS\system32\qbftctsj.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\vurtmfxc.dll
C:\WINDOWS\system32\wawcuk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\malware.rtf
C:\Program Files\VAV
C:\Program Files\VAV\vav.exe
C:\WINDOWS\system32\cdlntejs.dll
C:\WINDOWS\system32\cppdebpc.dll
C:\WINDOWS\system32\ecaxlfia.dll
C:\WINDOWS\system32\gqoskdao.ini
C:\WINDOWS\system32\hpcehosv.dll
C:\WINDOWS\system32\inpxiwfr.dll
C:\WINDOWS\system32\ivvkhqlv.dll
C:\WINDOWS\system32\iytvbsjb.dll
C:\WINDOWS\system32\jstctfbq.ini
C:\WINDOWS\system32\meihpvyi.dll
C:\WINDOWS\system32\nfklwpyy.dll
C:\WINDOWS\system32\oadksoqg.dll
C:\WINDOWS\system32\ojvinh.dll
C:\WINDOWS\system32\qasedktd.dll
C:\WINDOWS\system32\qbftctsj.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\vurtmfxc.dll
C:\WINDOWS\system32\wawcuk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LDISKL
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_ldiskl
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-28 15:58 . 2008-06-28 15:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 10:02 . 2008-06-16 10:13 4,232 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-16 09:59 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-16 09:59 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-16 09:59 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-16 09:59 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-16 09:59 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-16 09:59 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-16 09:59 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-16 09:59 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-16 09:59 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-16 09:43 . 2008-06-17 17:54 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-06-05 22:36 . 2008-06-05 22:36 2,960 --a------ C:\texttones.rtf
2008-05-30 13:29 . 2008-06-04 10:35 <DIR> d-------- C:\Program Files\LiveAntispy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 19:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-28 03:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-04 14:39 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-04 14:39 --------- d-----w C:\Program Files\Yahoo!
2008-06-04 14:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 14:37 --------- d-----w C:\Program Files\THQ
2008-06-04 14:37 --------- d-----w C:\Program Files\The Learning Company
2008-06-04 14:33 --------- d-----w C:\Program Files\Google
2008-06-04 14:31 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-06-04 14:28 --------- d-----w C:\Program Files\Registry Defender Platinum
2008-06-04 14:22 --------- d-----w C:\Program Files\GameSpy Arcade
2008-06-04 14:18 --------- d-----w C:\Program Files\EA Games
2008-05-24 11:57 --------- d-----w C:\Documents and Settings\user\Application Data\Microsoft Games
2008-05-23 20:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-06-26 13:22 6,980,738 ----a-w C:\Documents and Settings\user\HC4Installer.exe
2007-01-20 12:36 774 ----a-w C:\Program Files\INSTALL.LOG
1784-02-06 00:28 65,536 ------w C:\WINDOWS\inf\copyinf.exe
1784-02-06 00:28 242,432 ------w C:\WINDOWS\inf\rt2500usb.sys
.

((((((((((((((((((((((((((((( [email protected]_ 8.41.52.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-06-29 12:29:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-29 19:08:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
- 2008-06-29 12:39:35 10,377 ----a-w C:\WINDOWS\wt\wtupdates\wtupdater\appinfo.dat
+ 2008-06-29 19:13:14 10,404 ----a-w C:\WINDOWS\wt\wtupdates\wtupdater\appinfo.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 15:45 114688]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 05:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"wcmdmgr"="C:\WINDOWS\wt\updater\wcmdmgrl.exe" [2002-05-07 20:45 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 09:19 98304]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 11:57 126104]
"BellSouthWCC_McciTrayApp"="C:\Program Files\BellSouthWCC\McciTrayApp.exe" [2005-11-17 14:19 543232]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe" [2006-01-10 17:56 1896448]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"HelpCenter"="C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe" [2006-10-30 12:00 192512]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 10:05 185896]
"28c6476d"="C:\WINDOWS\system32\oadksoqg.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-04-28 17:19:57 169472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA Games\\The Battle for Middle-earth ™\\game.dat"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\America Online 9.0b\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=

S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys []
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2002-11-08 05:50]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 13:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9da9887c-2821-11dc-afb7-00d041a5ca2d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 19:39:06 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 15:12:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-29 15:16:46 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-06-29 19:16:42
ComboFix2.txt 2008-06-29 12:42:19

Pre-Run: 61,610,307,584 bytes free
Post-Run: 61,609,246,720 bytes free

183 --- E O F --- 2008-06-29 12:59:19
  • 0

#7
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Looks much better, Can you please post a new hijack log, and tell me how its running
  • 0

#8
skipper1

skipper1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the log file.
====================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:10, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [28c6476d] rundll32.exe "C:\WINDOWS\system32\oadksoqg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm860YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...etup1.0.1.0.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6182 bytes


==================================================================

And.... I don't know if it is related but he still has some reminaing pop ups. I do not know if they are related but they read something like this.


IPHSend.exe Unable to locate component
The application has failed to start because xprt.dll was not found.


c:\windows\system32\oadksoqg.dlland.....

Rundll
Eroor loading c:\windows\system32\oadksoqg.dll
  • 0

#9
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Understood

Please rescan with Hijackthis and place a check next to the following entries:

O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [28c6476d] rundll32.exe "C:\WINDOWS\system32\oadksoqg.dll",b

Now click "Fix Checked" and close Hijackthis then Reboot

What popups is he recieving now if any
  • 0

#10
skipper1

skipper1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Wooo hooooooooooooo


So far I have two reboots on this thing without the first pop up.

Thanks a million.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP