Smitfraud Strikes Again!
craigbert
2007-06-06, 01:51
I see from the forum threads that smitfraud has caused a great deal of trouble. I'm quite a novice at much of this, but I've managed to acquire hjt which seems to be a tool used by those more skilled in the way of malware removal. I'm pretty sure that I followed the "Before You Post" steps, but please accept my humble apologies if I missed a step (or two).
Logfile of HijackThis v1.99.1
Scan saved at 6:27:06 PM, on 6/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\Documents and Settings\All Users\Application Data\claruxeb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\{D06C0CCE-069E-1033-0515-030210020001}\Update.exe
C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe
C:\Program Files\?dobe\??erinit.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\nqxux.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms065202-79822] C:\WINDOWS\ms065202-79822.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [claruxeb.exe] C:\Documents and Settings\All Users\Application Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\vvfmfbdu.dll",realset
O4 - HKCU\..\Run: [rfiq] C:\Program Files\Common Files\rfiq\rfiqm.exe
O4 - HKCU\..\Run: [Bsnp] "C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Rlbwn] "C:\Program Files\?dobe\??erinit.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_299.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0550bfc4151e9abf8005/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170342936513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170342889225
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\Software\..\Telephony: DomainName = student.secollege
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.secollege
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
miekiemoes
2007-06-06, 09:41
Hi,
Above log is impossible to read... so, in Notepad:
On top, click Format > uncheck Word Wrap
Then, can you rename HijackThis.exe to Analyse.exe
Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log of course)
craigbert
2007-06-07, 06:24
:oops: I followed your instructions. Thank you.
Logfile of HijackThis v1.99.1
Scan saved at 11:30:15 PM, on 6/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\claruxeb.exe
C:\Program Files\Common Files\{D06C0CCE-069E-1033-0515-030210020001}\Update.exe
C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe
C:\Program Files\?dobe\??erinit.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\DOCUME~1\cabarber\LOCALS~1\Temp\powermon.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Analyse.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F69073C-B3B4-49C9-8982-8CD2459EBE37} - C:\WINDOWS\System32\qoppn.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\System32\wvusstr.dll
O2 - BHO: (no name) - {64E8A742-438D-1871-A340-68E33A9FAA9B} - C:\WINDOWS\System32\hftvumc.dll (file missing)
O2 - BHO: (no name) - {75579BE8-67D0-4BF3-A053-234FDCC4A1B5} - C:\WINDOWS\System32\ptkytpiy.dll
O2 - BHO: (no name) - {87E6D82C-77B8-47AF-800C-6985C50A9034} - \
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBDD0576-41DD-44FA-AC8F-474A3928FEDB} - C:\WINDOWS\System32\efeec.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\dnsersnd.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\System32\pouknoth.dll
O2 - BHO: (no name) - {E0011D1B-A2F5-DF5F-D909-FEADD9932092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: (no name) - {E1011D6E-A2F5-AF5C-D907-8CADDE972092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: 0 - {E383D2E5-017F-4E15-52A7-694FDB691A15} - C:\Program Files\Internet Explorer\laduxa.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\nqxux.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms065202-79822] C:\WINDOWS\ms065202-79822.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [claruxeb.exe] C:\Documents and Settings\All Users\Application Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\vvfmfbdu.dll",realset
O4 - HKLM\..\Run: [j5201931] rundll32 C:\WINDOWS\System32\j5201931.dll sook
O4 - HKCU\..\Run: [rfiq] C:\Program Files\Common Files\rfiq\rfiqm.exe
O4 - HKCU\..\Run: [Bsnp] "C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Rlbwn] "C:\Program Files\?dobe\??erinit.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_299.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0550bfc4151e9abf8005/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170342936513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170342889225
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\Software\..\Telephony: DomainName = student.secollege
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.secollege
O20 - Winlogon Notify: efeec - C:\WINDOWS\System32\efeec.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\SYSTEM32\winfvj32.dll
O20 - Winlogon Notify: wvusstr - C:\WINDOWS\SYSTEM32\wvusstr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
miekiemoes
2007-06-07, 08:10
Hi,
Perform the next steps in the right order, please.
Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following, if present:
WinTouch
Owlforce
TSA
Think Adz
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.
Reboot when done! Really important!
Then,
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: (no name) - {0F69073C-B3B4-49C9-8982-8CD2459EBE37} - C:\WINDOWS\System32\qoppn.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\System32\wvusstr.dll
O2 - BHO: (no name) - {64E8A742-438D-1871-A340-68E33A9FAA9B} - C:\WINDOWS\System32\hftvumc.dll (file missing)
O2 - BHO: (no name) - {75579BE8-67D0-4BF3-A053-234FDCC4A1B5} - C:\WINDOWS\System32\ptkytpiy.dll
O2 - BHO: (no name) - {87E6D82C-77B8-47AF-800C-6985C50A9034} - \
O2 - BHO: (no name) - {BBDD0576-41DD-44FA-AC8F-474A3928FEDB} - C:\WINDOWS\System32\efeec.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\dnsersnd.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\System32\pouknoth.dll
O2 - BHO: (no name) - {E0011D1B-A2F5-DF5F-D909-FEADD9932092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: (no name) - {E1011D6E-A2F5-AF5C-D907-8CADDE972092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: 0 - {E383D2E5-017F-4E15-52A7-694FDB691A15} - C:\Program Files\Internet Explorer\laduxa.dll
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\nqxux.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms065202-79822] C:\WINDOWS\ms065202-79822.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [claruxeb.exe] C:\Documents and Settings\All Users\Application Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\vvfmfbdu.dll",realset
O4 - HKLM\..\Run: [j5201931] rundll32 C:\WINDOWS\System32\j5201931.dll sook
O4 - HKCU\..\Run: [rfiq] C:\Program Files\Common Files\rfiq\rfiqm.exe
O4 - HKCU\..\Run: [Bsnp] "C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Rlbwn] "C:\Program Files\?dobe\??erinit.exe"
O4 - Startup: TA_Start.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_299.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0550bfc4...p/RdxIE601.cab
O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\SYSTEM32\winfvj32.dll
O20 - Winlogon Notify: wvusstr - C:\WINDOWS\SYSTEM32\wvusstr.dll
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
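The fix list above is built by reading each HijackThis section for the same handful of signals: a hosts-file entry that points a name somewhere other than loopback, an IE proxy forced through a local port, unnamed BHOs and Winlogon Notify packages under System32, Run values that point at a bare executable dropped straight into C:\WINDOWS (or with no path at all), and services with no recognised owner or a missing file. As an added example, not part of this thread or of the HijackThis tool, the Python script below parses log lines in the v1.99 format shown here and prints which entries deserve a closer look and why. The sample lines are constructed from the shapes seen in this thread, and the Winlogon Notify allow-list is an illustrative assumption, not a complete list.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a complete log): HijackThis v1.99-style lines shaped like
# the entries discussed in this thread, one legitimate and one suspicious per section.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711",
    r"O1 - Hosts: 204.244.184.143 SafeWeb.com",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {0F69073C-B3B4-49C9-8982-8CD2459EBE37} - C:\WINDOWS\System32\qoppn.dll (file missing)",
    r"O2 - BHO: (no name) - {75579BE8-67D0-4BF3-A053-234FDCC4A1B5} - C:\WINDOWS\System32\ptkytpiy.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe",
    r"O4 - HKLM\..\Run: [smgr] smgr.exe",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\SYSTEM32\winfvj32.dll",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)",
]

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# An executable sitting directly in the Windows folder (not in a subfolder such as System32).
WINDOWS_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?', re.IGNORECASE)
# Assumption: a partial allow-list of Winlogon Notify packages that ship with Windows XP / WGA.
# It is illustrative only; anything not on it is a prompt to check, not a verdict.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}


@dataclass
class Entry:
    section: str        # HijackThis section code, e.g. "O4"
    kind: str           # "Hosts", "BHO", "Run", "Winlogon Notify", "Service", "ProxyServer", ...
    name: str           # display name, registry value name, or host name
    target: str         # path, command line, IP address, or proxy string
    raw: str
    owner: str = ""     # O23 only: the owner HijackThis reports for the service
    file_missing: bool = False


def parse_line(line):
    """Turn one HijackThis log line into an Entry, or None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    if section == "R1":                       # "<key>,<value name> = <value>"
        key, _, value = body.partition(" = ")
        value_name = key.rsplit(",", 1)[-1]
        return Entry(section, value_name, value_name, value, line)
    if section == "O1" and body.startswith("Hosts: "):   # "Hosts: <ip> <hostname>"
        ip, _, host = body[len("Hosts: "):].partition(" ")
        return Entry(section, "Hosts", host, ip, line)
    if section in ("O2", "O3", "O9"):         # "<kind>: <name> - {CLSID} - <path>"
        kind, _, rest = body.partition(": ")
        parts = [p.strip() for p in rest.split(" - ")]
        target = parts[-1] if len(parts) >= 3 else ""
        return Entry(section, kind, parts[0], target, line, file_missing=missing)
    if section == "O4":                       # "<hive>\..\Run: [<value name>] <command>"
        r = RUN_RE.match(body)
        if r:
            return Entry(section, "Run", r.group("name"), r.group("cmd"), line, file_missing=missing)
    if section == "O20" and body.startswith("Winlogon Notify: "):
        name, _, path = body[len("Winlogon Notify: "):].partition(" - ")
        return Entry(section, "Winlogon Notify", name, path, line, file_missing=missing)
    if section == "O23" and body.startswith("Service: "):   # "Service: <name> - <owner> - <path>"
        parts = body[len("Service: "):].split(" - ", 2) + ["", ""]
        return Entry(section, "Service", parts[0], parts[2], line, owner=parts[1], file_missing=missing)
    return Entry(section, "other", "", body, line, file_missing=missing)


def triage(lines):
    """Return [(entry, [reasons])] for entries that warrant a closer look.

    Each reason is a review prompt, not a verdict: legitimate software also trips
    some of these, which is why the thread pairs the log with a human read of it.
    """
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if e.kind == "ProxyServer" and "127.0.0.1" in e.target:
            reasons.append("browser traffic forced through a proxy on the local machine")
        if e.kind == "Hosts" and not e.target.startswith("127."):
            reasons.append("hosts file redirects %s to %s" % (e.name, e.target))
        if e.kind == "BHO" and e.name == "(no name)":
            reasons.append("unnamed BHO loading from %s" % e.target)
        if e.kind == "Run":
            if WINDOWS_ROOT_EXE.match(e.target):
                reasons.append("autorun points at an executable directly in the Windows folder")
            elif "\\" not in e.target:
                reasons.append("autorun with an unqualified filename (%s)" % e.target)
        if e.kind == "Winlogon Notify" and e.name.lower() not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify package not on the allow-list")
        if e.kind == "Service" and e.owner == "Unknown owner":
            reasons.append("service with no recognised owner")
        if e.file_missing:
            reasons.append("stale entry: the file it references no longer exists")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry.section, entry.name or entry.target)
        for reason in reasons:
            print("   -", reason)
```

Run it as-is to see the eight sample entries it flags; to use it on a real log, replace SAMPLE_LOG with the lines read from the saved hijackthis.txt. Note that the script only narrows the list: the final call on each entry still needs the judgement that the helper in this thread applies, since a stale "(file missing)" entry is harmless clutter while an unnamed BHO with a present DLL is not.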
craigbert
2007-06-07, 20:21
When I tried to uninstall WinTouch (that was the only one I noticed in the add/remove programs list) I received the following error:
C:\PROGRA~1\WinTouch\WTUNIN~1.EXE
The NTVDM CPU has encountered an illegal instruction.
CS: 0dd3 IP:0135 OP:63 65 69 76 65 Choose ‘close’ to terminate the application
with the options “Close” or “Ignore”.
I tried clicking "close" and "ignore" with the intent of using add/remove programs to uninstall but it didn't seem to work... Should I try it again?
Combofix log:
"cabarber" - 2007-06-07 12:49:31 Service Pack 1 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\cabarber\Desktop\"
Unable to gain System Privileges
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\cexgafyt.dll
C:\WINDOWS\system32\hpfmusqv.dll
C:\WINDOWS\system32\pouknoth.dll
C:\WINDOWS\system32\ptkytpiy.dll
C:\WINDOWS\system32\winfvj32.dll
C:\WINDOWS\system32\ceefe.bak1
C:\WINDOWS\system32\ceefe.bak2
C:\WINDOWS\system32\ceefe.ini
C:\WINDOWS\system32\ceefe.bak1
C:\WINDOWS\system32\ceefe.bak2
C:\WINDOWS\system32\ceefe.ini
C:\WINDOWS\system32\efeec.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
-- Purity Folders:
C:\12482976.exe
C:\75336680.exe
C:\DOCUME~1\cabarber\APPLIC~1.\.rdr.ini
C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1
C:\DOCUME~1\cabarber\MYDOCU~1\YMBOLS~1
C:\Program Files\Common Files\{306C0~1
C:\Program Files\Common Files\{306C0~1\Bar888.dll
C:\Program Files\Common Files\{306C0~1\UnInstall.exe
C:\Program Files\Common Files\{D06C0~1
C:\Program Files\Common Files\{D06C0~1\Update.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\Internet Explorer\promymy.html
C:\Program Files\YSTEM3~1
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\avp.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\Duce6.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu11.exe
C:\WINDOWS\sammy3.exe
C:\WINDOWS\Setup89.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\SSEMBL~1
C:\WINDOWS\stub_mma1.exe
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\dlltk67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\d5ll.exe
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\uninst108.exe
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\Client IP-IPX
-------\core
-------\Net Agent
((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))
2007-06-07 12:56 58,420 --a------ C:\WINDOWS\system32\nrwgwerm.dll
2007-06-07 12:53 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\evgnctuj.exe
2007-06-07 12:52 93,696 --a------ C:\WINDOWS\system32\drvwiv.dll
2007-06-07 12:52 33,302 --a------ C:\WINDOWS\system32\qomjhhg.dll
2007-06-07 12:44 131,124 --a------ C:\WINDOWS\system32\lgppkbmk.dll
2007-06-05 21:51 14,868 --a------ C:\WINDOWS\system32\ceachgac.exe
2007-06-05 21:51 10,752 --a------ C:\WINDOWS\system32\j5201931.dll
2007-06-05 20:20 33,302 --a------ C:\WINDOWS\system32\yaywxxw.dll
2007-06-05 15:52 <DIR> d-------- C:\DOCUME~1\cabarber\APPLIC~1\Lavasoft
2007-06-05 15:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 15:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-05 15:44 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-05 15:44 <DIR> d-------- C:\Program Files\Safer Networking
2007-06-05 13:13 <DIR> d-------- C:\SafetyTools
2007-06-04 22:25 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-06-04 21:36 2,580 --a------ C:\WINDOWS\system32\ujptxyhf.exe
2007-06-04 21:34 131,124 --a------ C:\WINDOWS\system32\vvfmfbdu.dll
2007-06-04 21:28 93,696 --a------ C:\WINDOWS\system32\drvmun.dll
2007-06-04 21:28 33,302 --a------ C:\WINDOWS\system32\rqroonl.dll
2007-06-03 16:01 93,696 --a------ C:\WINDOWS\system32\drvwag.dll
2007-06-03 16:01 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
2007-06-03 16:00 33,302 --a------ C:\WINDOWS\system32\wvusstr.dll
2007-06-03 14:53 <DIR> d-------- C:\VundoFix Backups
2007-06-03 14:39 2,580 --a------ C:\WINDOWS\system32\hhuxdkmn.exe
2007-06-03 12:30 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-05-30 10:44 93,696 --a------ C:\WINDOWS\system32\drvdam.dll
2007-05-30 10:44 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-05-30 10:43 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-30 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-30 10:42 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-30 10:41 <DIR> d-------- C:\Program Files\Ofb11
2007-05-30 10:40 46,592 --a------ C:\WINDOWS\bxhxxae.exe
2007-05-30 10:40 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-05-30 10:40 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-30 10:40 <DIR> d-------- C:\WINDOWS\system32\T5QaSQ
2007-05-30 10:40 <DIR> d-------- C:\Temp
2007-05-28 18:01 60,928 --a------ C:\WINDOWS\system32\huphs.dll
2007-05-19 12:35 <DIR> d-------- C:\DOCUME~1\cabarber\G2IP
2007-05-18 18:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-05-18 15:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-15 22:50 <DIR> d-------- C:\Program Files\WinTouch
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-05 19:39:49 -------- d-----w C:\Program Files\Yahoo!
2007-06-05 03:24:06 -------- d-----w C:\Program Files\Messenger
2007-06-01 13:56:48 -------- d-----w C:\Program Files\Audacity
2007-05-28 22:01:26 -------- d-----w C:\Program Files\?dobe
2007-05-18 22:42:29 -------- d-----w C:\Program Files\Common Files\Real
2007-05-01 23:59:07 -------- d-----w C:\DOCUME~1\cabarber\APPLIC~1\Google
2007-05-01 20:05:41 -------- d-----w C:\Program Files\Google
2007-05-01 01:14:19 -------- d-----w C:\Program Files\Kodak
2007-04-08 16:17:32 -------- d-----w C:\Program Files\Common Files\rfiq
2007-04-06 19:27:01 139,264 ----a-w C:\TTC.dll
2007-03-29 15:04:04 5,171,867 ----a-w C:\WINDOWS\system32\WBLog.dat
2007-03-23 16:29:06 1,426 ----a-w C:\WINDOWS\system32\Wbconf.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{54CBB12C-3481-4C5D-942D-4976C0F0A406}=C:\WINDOWS\system32\wvusstr.dll [2007-06-03 16:00]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-01 16:05]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-28 11:45]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\System32\nrwgwerm.dll [2007-06-07 12:56]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}=C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2004-02-10 15:08]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 11:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 11:00]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"@"="" []
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 15:14]
"SYSWB6"="SYSWB6" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2007-05-18 18:41]
"evgnctuj.exe"="C:\Documents and Settings\All Users\Application Data\evgnctuj.exe" [2007-06-07 12:53]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 11:45]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\promymy.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54CBB12C-3481-4C5D-942D-4976C0F0A406}"="C:\WINDOWS\system32\wvusstr.dll" [2007-06-03 16:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusstr]
wvusstr.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-05-17 22:27:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-03-06 08:27:55 C:\WINDOWS\tasks\Disk Cleanup.job
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 13:13:46
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-07 13:17:38
C:\ComboFix-quarantined-files.txt ... 2007-06-07 13:17
--- E O F ---
New HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 13:23, on 2007-06-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\evgnctuj.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\Analyse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\wvusstr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\nrwgwerm.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [evgnctuj.exe] C:\Documents and Settings\All Users\Application Data\evgnctuj.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170342936513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170342889225
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\Software\..\Telephony: DomainName = student.secollege
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.secollege
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvusstr - C:\WINDOWS\SYSTEM32\wvusstr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
I couldn't find this entry in HJT: O2 - BHO: (no name) - {BBDD0576-41DD-44FA-AC8F-474A3928FEDB} - C:\WINDOWS\System32\efeec.dll
Thank you for your help.
miekiemoes
2007-06-07, 20:43
Hi,
Don't worry if you received the error from WinTouch when trying to uninstall it. We'll deal with it manually..
Looks like this system has already been infected for a while.. Why did you wait so long?
But first... * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\Internet Explorer\promymy.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.
Then,
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\nrwgwerm.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\evgnctuj.exe
C:\WINDOWS\system32\drvwiv.dll
C:\WINDOWS\system32\qomjhhg.dll
C:\WINDOWS\system32\lgppkbmk.dll
C:\WINDOWS\system32\ceachgac.exe
C:\WINDOWS\system32\j5201931.dll
C:\WINDOWS\system32\yaywxxw.dll
C:\WINDOWS\system32\ujptxyhf.exe
C:\WINDOWS\system32\vvfmfbdu.dll
C:\WINDOWS\system32\drvmun.dll
C:\WINDOWS\system32\rqroonl.dll
C:\WINDOWS\system32\drvwag.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
C:\WINDOWS\system32\wvusstr.dll
C:\WINDOWS\system32\hhuxdkmn.exe
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\bxhxxae.exe
C:\WINDOWS\system32\huphs.dll
C:\TTC.dll
C:\WINDOWS\system32\drvdam.dll
C:\WINDOWS\system32\winsys64.exe
Folder::
C:\VundoFix Backups
C:\Program Files\myCleanerPC
C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
C:\Program Files\Ofb11
C:\Program Files\WinTouch
C:\Program Files\Common Files\rfiq
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T5QaSQ
C:\Temp
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E12BFF69-38A7-406e-A8EF-2738107A7831}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54CBB12C-3481-4C5D-942D-4976C0F0A406}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"evgnctuj.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54CBB12C-3481-4C5D-942D-4976C0F0A406}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusstr]
Save this as ComboFix-Do.txt
Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
craigbert
2007-06-07, 21:41
My wife just graduated from college... and we've moved... busy busy busy...
"cabarber" - 2007-06-07 14:30:48 Service Pack 1 NTFS
Command switches used :: ""C:\Documents and Settings\cabarber\Desktop\ComboFix-Do.txt""
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\rqqss.bak1
C:\WINDOWS\system32\rqqss.ini
C:\WINDOWS\system32\rqqss.bak1
C:\WINDOWS\system32\rqqss.ini
C:\WINDOWS\system32\ssqqr.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\evgnctuj.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC\Signatures.dat
C:\Program Files\Common Files\rfiq
C:\Program Files\Common Files\rfiq\rfiqa.exe
C:\Program Files\Common Files\rfiq\rfiqd\class-barrel
C:\Program Files\Common Files\rfiq\rfiqd\rfiqc.dll
C:\Program Files\Common Files\rfiq\rfiqd\vocabulary
C:\Program Files\Common Files\rfiq\rfiqp.exe
C:\Program Files\myCleanerPC
C:\Program Files\myCleanerPC\clean.swf
C:\Program Files\myCleanerPC\clean1.swf
C:\Program Files\myCleanerPC\MyCleanerPCInner.EXE
C:\Program Files\myCleanerPC\Setup.INI
C:\Program Files\Ofb11
C:\Program Files\Ofb11\Ofb11.dll
C:\Program Files\Ofb11\sites.ini
C:\Program Files\WinTouch
C:\Program Files\WinTouch\fusion.cfg.8f41d6581ffd5eefdffdad55f36acc2f.23f8467dc9506233dd552d1c9411d981
C:\Program Files\WinTouch\wintouch.cfg
C:\Program Files\WinTouch\WinTouch.exe
C:\Program Files\WinTouch\WTUninstaller.exe
C:\Temp
C:\TTC.dll
C:\VundoFix Backups
C:\VundoFix Backups\feapmnno.dll.bad
C:\VundoFix Backups\ghhjl.ini.bad
C:\VundoFix Backups\gtuwhbwj.dll.bad
C:\VundoFix Backups\jwbhwutg.ini.bad
C:\VundoFix Backups\ljhhg.dll.bad
C:\VundoFix Backups\nppoq.bak1.bad
C:\VundoFix Backups\nppoq.bak2.bad
C:\VundoFix Backups\nppoq.ini.bad
C:\VundoFix Backups\nppoq.ini2.bad
C:\VundoFix Backups\nppoq.tmp.bad
C:\VundoFix Backups\onnmpaef.ini.bad
C:\VundoFix Backups\qoppn.dll.bad
C:\VundoFix Backups\tuvtuss.dll.bad
C:\VundoFix Backups\xixmyavi.dll.bad
C:\VundoFix Backups\yeicbxco.dll.bad
C:\WINDOWS\bxhxxae.exe
C:\WINDOWS\system32\ceachgac.exe
C:\WINDOWS\system32\drvdam.dll
C:\WINDOWS\system32\drvmun.dll
C:\WINDOWS\system32\drvwag.dll
C:\WINDOWS\system32\drvwiv.dll
C:\WINDOWS\system32\hhuxdkmn.exe
C:\WINDOWS\system32\huphs.dll
C:\WINDOWS\system32\j5201931.dll
C:\WINDOWS\system32\lgppkbmk.dll
C:\WINDOWS\system32\nrwgwerm.dll
C:\WINDOWS\system32\qomjhhg.dll
C:\WINDOWS\system32\rqroonl.dll
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\T5QaSQ
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\dlwr.exe
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\TQ0\dl52.exe
C:\WINDOWS\system32\ujptxyhf.exe
C:\WINDOWS\system32\vvfmfbdu.dll
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\wvusstr.dll
C:\WINDOWS\system32\yaywxxw.dll
((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))
2007-06-07 14:41 0 --ah----- C:\StashIMAPI.bin
2007-06-07 14:40 <DIR> d-------- C:\WINDOWS\TEM
2007-06-07 13:29 131,124 --a------ C:\WINDOWS\system32\kwtrhbqe.dll
2007-06-07 13:17 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 15:52 <DIR> d-------- C:\DOCUME~1\cabarber\APPLIC~1\Lavasoft
2007-06-05 15:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 15:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-05 15:44 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-05 15:44 <DIR> d-------- C:\Program Files\Safer Networking
2007-06-05 13:13 <DIR> d-------- C:\SafetyTools
2007-06-04 22:25 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-05-30 10:42 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-19 12:35 <DIR> d-------- C:\DOCUME~1\cabarber\G2IP
2007-05-18 18:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-05-18 15:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-05 19:39:49 -------- d-----w C:\Program Files\Yahoo!
2007-06-05 03:24:06 -------- d-----w C:\Program Files\Messenger
2007-06-01 13:56:48 -------- d-----w C:\Program Files\Audacity
2007-05-28 22:01:26 -------- d-----w C:\Program Files\?dobe
2007-05-18 22:42:29 -------- d-----w C:\Program Files\Common Files\Real
2007-05-01 23:59:07 -------- d-----w C:\DOCUME~1\cabarber\APPLIC~1\Google
2007-05-01 20:05:41 -------- d-----w C:\Program Files\Google
2007-05-01 01:14:19 -------- d-----w C:\Program Files\Kodak
2007-03-29 15:04:04 5,171,867 ----a-w C:\WINDOWS\system32\WBLog.dat
2007-03-23 16:29:06 1,426 ----a-w C:\WINDOWS\system32\Wbconf.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-01 16:05]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-28 11:45]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}=C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2004-02-10 15:08]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 11:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 11:00]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"@"="" []
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 15:14]
"SYSWB6"="SYSWB6" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2007-05-18 18:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 11:45]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-05-17 22:27:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-03-06 08:27:55 C:\WINDOWS\tasks\Disk Cleanup.job
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 14:41:19
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-07 14:43:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 14:43
C:\ComboFix2.txt ... 2007-06-07 13:17
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 14:45, on 2007-06-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\Analyse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170342936513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170342889225
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\Software\..\Telephony: DomainName = student.secollege
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.secollege
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
Thank you for your assistance.
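An added example, not part of this thread and not code from HijackThis or ComboFix: a small Python script that diffs a "before" and an "after" HijackThis log the way a helper does by eye, listing which autostart entries disappeared and flagging leftovers that still deserve an explanation. The sample logs are constructed excerpts of the two logs posted in this thread; the review heuristics are the example's own, not HijackThis rules.

```python
"""Diff two HijackThis v1.99 logs and flag leftover entries worth a second look.

Example code written for this thread; not part of HijackThis or ComboFix.
BEFORE_LOG / AFTER_LOG are constructed excerpts of the logs posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis entry line: section code ("R1", "O2", "O20", ...), " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def path(self) -> str:
        """For O2/O3/O9/O20-style lines the last ' - ' field is the loaded file."""
        return self.body.rsplit(" - ", 1)[-1].strip()

    def run_command(self) -> str:
        """For O4 lines return the command that follows the [name] label."""
        return self.body.split("] ", 1)[-1].strip()


def parse_hjt(text: str) -> list[Entry]:
    """Keep only entry lines; process lists, headers and chatter are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Return (entries gone since 'before', entries new in 'after')."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    key = lambda e: (e.section, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


def review_flags(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Heuristics (this example's own) for entries still worth explaining."""
    flags = []
    for e in entries:
        if e.section == "R1" and "ProxyServer" in e.body and "127.0.0.1" in e.body:
            flags.append((e, "browser proxy points at loopback; confirm a local proxy program really exists"))
        elif e.section == "O2" and "(no name)" in e.body and "\\system32\\" in e.path().lower():
            flags.append((e, "unnamed BHO loaded from System32"))
        elif e.section == "O4" and "\\" not in e.run_command():
            flags.append((e, "Run value is a bare name, not a full path; check what it resolves to"))
    return flags


# Constructed excerpts of the two HijackThis logs in this thread.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\wvusstr.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\nrwgwerm.dll
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [evgnctuj.exe] C:\Documents and Settings\All Users\Application Data\evgnctuj.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvusstr - C:\WINDOWS\SYSTEM32\wvusstr.dll
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print("removed:", e.section, "-", e.body)
    for e in added:
        print("added:  ", e.section, "-", e.body)
    for e, why in review_flags(parse_hjt(AFTER_LOG)):
        print("review: ", e.section, "-", why)
```

On the excerpts above it reports the two unnamed BHOs, the evgnctuj.exe Run value and the wvusstr Winlogon notify as removed, and still flags the loopback proxy and the bare SYSWB6 Run value for review.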
miekiemoes
2007-06-07, 22:15
Hi,
Your HijackThis log looks clean again, but we're not finished yet.
Navigate to and delete the next file:
C:\WINDOWS\system32\kwtrhbqe.dll
Also delete next folder:
C:\Program Files\?dobe <== BE Careful here!!! This folder may look like Adobe, so it could be possible that you have two Adobe folders present in your Program Files folder. The good Adobe folder and a bad one.
The good one contains the subfolders: Adobe Help Viewer and Reader. Don't delete that folder!
The bad adobe folder is created/modified 2007-05-28 22:01:26 and is most probably an empty folder.
If in doubt, just leave it and tell me.
Delete the C:\Qoobox - folder as well. This since it contains backups of the files Combofix deleted previously and we don't want them anymore.
Also, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs: Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now.
As a sidenote, you may want to reconsider another Antivirus - because I am disappointed that it didn't delete so many infected files on your system.
Also, recent Antivirus comparison tests showed that CA eTrust Antivirus was one of the worst Antivirus in detection.
Also read here: http://www.pcmag.com/article2/0,1895,2135092,00.asp and full results here: http://www.sunbelt-software.com/ihs/alex/marx/detections_2007q2.htm
There are some great freeware Antivirus out there as well. Take a look here: http://users.telenet.be/bluepatchy/miekiemoes/Links.html#AntiVirus%20Scanners
One of my personal favorites is Avira which is free and great in detection and removal. Of course the choice is yours if you choose to keep your current Antivirus or install a new one.
Keep in mind, when you decide to install another Antivirus, uninstall your current one first. This is because more than one Antivirus installed are not compatible with each other, cause a serious slowdown and may cause crashes as well.
craigbert
2007-06-09, 22:35
Things seem to be working great now... no more smitfraud, my pc is working much FASTER and I'm leaving the computer desk with a smile instead of greater destructive tendencies.
2 questions:
When I tried to install the new Java, it said that I should have Windows XP sp 2 or higher. Should I go ahead and install sp 2? I assume that the system is clean now (I read in some of the other forums that sp 2 doesn't work well on infected systems).
Would you mind posting a direct link to your personal favorite antivirus program. I'm afraid of false sites that would lure me into clicking on them only to bombard me with more garbage.
Thank you for your help. I'm most grateful!
miekiemoes
2007-06-09, 22:38
Hi,
Yes, go ahead and install Service Pack 2.
"Would you mind posting a direct link to your personal favorite antivirus program. I'm afraid of false sites that would lure me into clicking on them only to bombard me with more garbage."
The previous link I gave you is from a page I made where I made a collection of Antivirus/Firewalls/Antispyware I recommend. When you click the icons, it will go to the correct site, so really don't worry :)
Glad I could help. :)
Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).
Happy Surfing again!