View Full Version : Virtumonde Replay - Unable to get rid of it - Please help
ratlanta
2007-07-22, 23:27
Hi Security Gurus:
I am unable to get rid of the Virtumonde.
Below are the logs
==================================================
Spy Bot
==================================================
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
--- Search result list ---
Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2
Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PSRV
==================================================
VundoFix
==================================================
VundoFix V6.5.6
Checking Java version...
Scan started at 3:17:41 PM 7/22/2007
Listing files found while scanning....
No infected files were found.
=====================================================
VirtumondeBe Gone
======================================================
[07/22/2007, 15:24:01] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Wendy Sawchuk\My Documents\downloads\VirtumundoBeGone.exe" )
[07/22/2007, 15:24:03] - Detected System Information:
[07/22/2007, 15:24:03] - Windows Version: 5.1.2600, Service Pack 2
[07/22/2007, 15:24:03] - Current Username: Wendy Sawchuk (Admin)
[07/22/2007, 15:24:03] - Windows is in NORMAL mode.
[07/22/2007, 15:24:03] - Searching for Browser Helper Objects:
[07/22/2007, 15:24:04] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[07/22/2007, 15:24:04] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/22/2007, 15:24:04] - BHO 3: {0F660F64-F4C9-477F-8529-44181B717472} (CSMHelperObj Class)
[07/22/2007, 15:24:04] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\NppBho
[07/22/2007, 15:24:04] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[07/22/2007, 15:24:04] - BHO 5: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[07/22/2007, 15:24:04] - BHO 6: {3BCF40C5-F35F-4B1D-9106-E964EFD8F919} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\ljhij
[07/22/2007, 15:24:04] - Key not found: HKLM\...\Winlogon\Notify\ljhij, continuing.
[07/22/2007, 15:24:04] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/22/2007, 15:24:04] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/22/2007, 15:24:04] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/22/2007, 15:24:04] - BHO 9: {857A461D-8D96-4996-A4A0-AEA0A2535B86} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\yayvuss
[07/22/2007, 15:24:04] - Found: HKLM\...\Winlogon\Notify\yayvuss - This is probably Virtumundo.
[07/22/2007, 15:24:04] - Assigning {857A461D-8D96-4996-A4A0-AEA0A2535B86} MSEvents Object
[07/22/2007, 15:24:04] - BHO list has been changed! Starting over...
[07/22/2007, 15:24:04] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[07/22/2007, 15:24:04] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/22/2007, 15:24:04] - BHO 3: {0F660F64-F4C9-477F-8529-44181B717472} (CSMHelperObj Class)
[07/22/2007, 15:24:04] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\NppBho
[07/22/2007, 15:24:04] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[07/22/2007, 15:24:04] - BHO 5: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[07/22/2007, 15:24:04] - BHO 6: {3BCF40C5-F35F-4B1D-9106-E964EFD8F919} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\ljhij
[07/22/2007, 15:24:04] - Key not found: HKLM\...\Winlogon\Notify\ljhij, continuing.
[07/22/2007, 15:24:04] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/22/2007, 15:24:04] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/22/2007, 15:24:04] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/22/2007, 15:24:04] - BHO 9: {857A461D-8D96-4996-A4A0-AEA0A2535B86} (MSEvents Object)
[07/22/2007, 15:24:04] - ALERT: Found MSEvents Object!
[07/22/2007, 15:24:04] - BHO 10: {8C8235A2-8276-4276-9FA3-A22562409E86} ()
[07/22/2007, 15:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:04] - Checking for HKLM\...\Winlogon\Notify\rqomm
[07/22/2007, 15:24:04] - Key not found: HKLM\...\Winlogon\Notify\rqomm, continuing.
[07/22/2007, 15:24:04] - BHO 11: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/22/2007, 15:24:04] - Finished Searching Browser Helper Objects
[07/22/2007, 15:24:04] - *** Detected MSEvents Object
[07/22/2007, 15:24:04] - Trying to remove MSEvents Object...
[07/22/2007, 15:24:05] - Terminating Process: IEXPLORE.EXE
[07/22/2007, 15:24:06] - Terminating Process: RUNDLL32.EXE
[07/22/2007, 15:24:06] - Disabling Automatic Shell Restart
[07/22/2007, 15:24:06] - Terminating Process: EXPLORER.EXE
[07/22/2007, 15:24:07] - Suspending the NT Session Manager System Service
[07/22/2007, 15:24:07] - Terminating Windows NT Logon/Logoff Manager
[07/22/2007, 15:24:08] - Re-enabling Automatic Shell Restart
[07/22/2007, 15:24:08] - File to disable: C:\WINDOWS\system32\yayvuss.dll
[07/22/2007, 15:24:08] - Renaming C:\WINDOWS\system32\yayvuss.dll -> C:\WINDOWS\system32\yayvuss.dll.vir
[07/22/2007, 15:24:08] - File successfully renamed!
[07/22/2007, 15:24:08] - Removing HKLM\...\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}
[07/22/2007, 15:24:09] - Removing HKCR\CLSID\{857A461D-8D96-4996-A4A0-AEA0A2535B86}
[07/22/2007, 15:24:09] - Adding Kill Bit for ActiveX for GUID: {857A461D-8D96-4996-A4A0-AEA0A2535B86}
[07/22/2007, 15:24:10] - Deleting ATLEvents/MSEvents Registry entries
[07/22/2007, 15:24:10] - Removing HKLM\...\Winlogon\Notify\yayvuss
[07/22/2007, 15:24:10] - Searching for Browser Helper Objects:
[07/22/2007, 15:24:10] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[07/22/2007, 15:24:10] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/22/2007, 15:24:10] - BHO 3: {0F660F64-F4C9-477F-8529-44181B717472} (CSMHelperObj Class)
[07/22/2007, 15:24:10] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[07/22/2007, 15:24:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:10] - Checking for HKLM\...\Winlogon\Notify\NppBho
[07/22/2007, 15:24:10] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[07/22/2007, 15:24:10] - BHO 5: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[07/22/2007, 15:24:10] - BHO 6: {3BCF40C5-F35F-4B1D-9106-E964EFD8F919} ()
[07/22/2007, 15:24:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:10] - Checking for HKLM\...\Winlogon\Notify\ljhij
[07/22/2007, 15:24:10] - Key not found: HKLM\...\Winlogon\Notify\ljhij, continuing.
[07/22/2007, 15:24:10] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/22/2007, 15:24:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:10] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/22/2007, 15:24:10] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/22/2007, 15:24:10] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/22/2007, 15:24:10] - BHO 9: {8C8235A2-8276-4276-9FA3-A22562409E86} ()
[07/22/2007, 15:24:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/22/2007, 15:24:10] - Checking for HKLM\...\Winlogon\Notify\rqomm
[07/22/2007, 15:24:10] - Key not found: HKLM\...\Winlogon\Notify\rqomm, continuing.
[07/22/2007, 15:24:10] - BHO 10: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/22/2007, 15:24:10] - Finished Searching Browser Helper Objects
[07/22/2007, 15:24:10] - Finishing up...
[07/22/2007, 15:24:10] - A restart is needed.
[07/22/2007, 15:24:12] - Attempting to Restart via STOP error (Blue Screen!)
==================================================
HijackThis
==================================================
Logfile of HijackThis v1.99.1
Scan saved at 3:40:30 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Wendy Sawchuk\My Documents\downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {3BCF40C5-F35F-4B1D-9106-E964EFD8F919} - C:\WINDOWS\System32\ljhij.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8C8235A2-8276-4276-9FA3-A22562409E86} - C:\WINDOWS\system32\rqomm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\System32\scchk32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winoja32 - C:\WINDOWS\SYSTEM32\winoja32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\lymesmqf.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ratlanta
2007-07-22, 23:36
Renamed Hijackthis to scanner and reposted the log below
Logfile of HijackThis v1.99.1
Scan saved at 4:34:33 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Wendy Sawchuk\My Documents\downloads\scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {3BCF40C5-F35F-4B1D-9106-E964EFD8F919} - C:\WINDOWS\System32\ljhij.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8C8235A2-8276-4276-9FA3-A22562409E86} - C:\WINDOWS\system32\rqomm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\System32\scchk32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winoja32 - C:\WINDOWS\SYSTEM32\winoja32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\lymesmqf.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
steamwiz
2007-07-22, 23:47
Hi
Please run the following:
1. sdfix
1. Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
3. Reboot into Safe Mode`:-
Reboot into >>>safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum
-
2. Superantispyware
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
-
3. Combofix
Please download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
Remember to post :-
1. Report.txt from sdfix
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. a new hijackthis log (run after everything else has been done)
steam
ratlanta
2007-07-23, 01:18
=================================
Here is the SD Fix Report
=================================
SDFix: Version 1.93
Run by Wendy Sawchuk on Sun 07/22/2007 at 05:43 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\AUCKVXKD.EXE - Deleted
C:\WINDOWS\SYSTEM32\BHTNPLWD.EXE - Deleted
C:\WINDOWS\SYSTEM32\EFWCVTWC.EXE - Deleted
C:\WINDOWS\SYSTEM32\INYGEHNY.EXE - Deleted
C:\WINDOWS\SYSTEM32\KKFJPGGW.EXE - Deleted
C:\WINDOWS\SYSTEM32\MLEJGILB.EXE - Deleted
C:\WINDOWS\SYSTEM32\OGOVYYMF.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSWIN.EXE - Deleted
C:\WINDOWS\SYSTEM32\TRPLRJMM.EXE - Deleted
C:\WINDOWS\SYSTEM32\TVDSLWCG.EXE - Deleted
C:\WINDOWS\SYSTEM32\UDBQIVAC.EXE - Deleted
C:\WINDOWS\SYSTEM32\RLLQBFTP.DLL - Deleted
C:\WINDOWS\SYSTEM32\STEILEJC.DLL - Deleted
C:\WINDOWS\SYSTEM32\YJLUXYFF.DLL - Deleted
C:\WINDOWS\Temp\win12E5.tmp.exe - Deleted
C:\WINDOWS\Temp\win12E7.tmp.exe - Deleted
C:\WINDOWS\Temp\win12EB.tmp.exe - Deleted
C:\WINDOWS\Temp\win12ED.tmp.exe - Deleted
C:\WINDOWS\Temp\win212.tmp.exe - Deleted
C:\WINDOWS\Temp\win214.tmp.exe - Deleted
C:\WINDOWS\Temp\win2C.tmp.exe - Deleted
C:\WINDOWS\Temp\win6DC.tmp.exe - Deleted
C:\WINDOWS\Temp\win6DE.tmp.exe - Deleted
C:\WINDOWS\Temp\win6E2.tmp.exe - Deleted
C:\WINDOWS\Temp\win6E9.tmp.exe - Deleted
C:\WINDOWS\Temp\win8AB.tmp.exe - Deleted
C:\WINDOWS\Temp\win8AE.tmp.exe - Deleted
C:\WINDOWS\Temp\win8B3.tmp.exe - Deleted
C:\WINDOWS\Temp\win8B6.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF1.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF3.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF7.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF9.tmp.exe - Deleted
C:\WINDOWS\Temp\winB36.tmp.exe - Deleted
C:\WINDOWS\Temp\winB38.tmp.exe - Deleted
C:\WINDOWS\Temp\winB3C.tmp.exe - Deleted
C:\WINDOWS\Temp\winB3E.tmp.exe - Deleted
C:\WINDOWS\Temp\winB9F.tmp.exe - Deleted
C:\WINDOWS\Temp\winBA1.tmp.exe - Deleted
C:\WINDOWS\Temp\winBA5.tmp.exe - Deleted
C:\WINDOWS\Temp\winBA7.tmp.exe - Deleted
C:\WINDOWS\Temp\winBB2.tmp.exe - Deleted
C:\WINDOWS\Temp\winBB4.tmp.exe - Deleted
C:\WINDOWS\Temp\winBB8.tmp.exe - Deleted
C:\WINDOWS\Temp\winBBA.tmp.exe - Deleted
C:\WINDOWS\Temp\win12E5.tmp.exe - Deleted
C:\WINDOWS\Temp\win12E7.tmp.exe - Deleted
C:\WINDOWS\Temp\win12EB.tmp.exe - Deleted
C:\WINDOWS\Temp\win12ED.tmp.exe - Deleted
C:\WINDOWS\Temp\win212.tmp.exe - Deleted
C:\WINDOWS\Temp\win214.tmp.exe - Deleted
C:\WINDOWS\Temp\win2C.tmp.exe - Deleted
C:\WINDOWS\Temp\win6DC.tmp.exe - Deleted
C:\WINDOWS\Temp\win6DE.tmp.exe - Deleted
C:\WINDOWS\Temp\win6E2.tmp.exe - Deleted
C:\WINDOWS\Temp\win6E9.tmp.exe - Deleted
C:\WINDOWS\Temp\win8AB.tmp.exe - Deleted
C:\WINDOWS\Temp\win8AE.tmp.exe - Deleted
C:\WINDOWS\Temp\win8B3.tmp.exe - Deleted
C:\WINDOWS\Temp\win8B6.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF1.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF3.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF7.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF9.tmp.exe - Deleted
C:\WINDOWS\Temp\winB36.tmp.exe - Deleted
C:\WINDOWS\Temp\winB38.tmp.exe - Deleted
C:\WINDOWS\Temp\winB3C.tmp.exe - Deleted
C:\WINDOWS\Temp\winB3E.tmp.exe - Deleted
C:\WINDOWS\Temp\winB9F.tmp.exe - Deleted
C:\WINDOWS\Temp\winBA1.tmp.exe - Deleted
C:\WINDOWS\Temp\winBA5.tmp.exe - Deleted
C:\WINDOWS\Temp\winBA7.tmp.exe - Deleted
C:\WINDOWS\Temp\winBB2.tmp.exe - Deleted
C:\WINDOWS\Temp\winBB4.tmp.exe - Deleted
C:\WINDOWS\Temp\winBB8.tmp.exe - Deleted
C:\WINDOWS\Temp\winBBA.tmp.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Wendy Sawchuk\My Documents\friends\~WRL0002.tmp
C:\Documents and Settings\Wendy Sawchuk\My Documents\RE\~WRL0001.tmp
C:\Program Files\InterActual\InterActual Player\iti38.tmp
C:\WINDOWS\system32\beqgmoqy.tmp
Finished
------------------------------------------------------------
currently I am Running Super Antispyware
ratlanta
2007-07-23, 03:16
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/22/2007 at 08:02 PM
Application Version : 3.9.1008
Core Rules Database Version : 3272
Trace Rules Database Version: 1283
Scan type : Complete Scan
Total Scan Time : 01:41:10
Memory items scanned : 559
Memory threats detected : 3
Registry items scanned : 6442
Registry threats detected : 23
File items scanned : 63181
File threats detected : 186
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\IIIHH.DLL
C:\WINDOWS\SYSTEM32\IIIHH.DLL
C:\WINDOWS\SYSTEM32\RQRRPPM.DLL
C:\WINDOWS\SYSTEM32\RQRRPPM.DLL
Trojan.Mezzia/Resident
C:\WINDOWS\SYSTEM32\WINOJA32.DLL
C:\WINDOWS\SYSTEM32\WINOJA32.DLL
Trojan.Downloader-UltimateFixer
[SC2] C:\WINDOWS\SYSTEM32\SCCHK32.EXE
C:\WINDOWS\SYSTEM32\SCCHK32.EXE
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3BCF40C5-F35F-4B1D-9106-E964EFD8F919}
HKCR\CLSID\{3BCF40C5-F35F-4B1D-9106-E964EFD8F919}
HKCR\CLSID\{3BCF40C5-F35F-4B1D-9106-E964EFD8F919}\InprocServer32
HKCR\CLSID\{3BCF40C5-F35F-4B1D-9106-E964EFD8F919}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\LJHIJ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3BCF40C5-F35F-4B1D-9106-E964EFD8F919}
Trojan.Downloader-Gen/HitItQuitIt
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}
HKCR\CLSID\{857A461D-8D96-4996-A4A0-AEA0A2535B86}
HKCR\CLSID\{857A461D-8D96-4996-A4A0-AEA0A2535B86}\InprocServer32
HKCR\CLSID\{857A461D-8D96-4996-A4A0-AEA0A2535B86}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{857A461D-8D96-4996-A4A0-AEA0A2535B86}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rqrrppm
C:\WINDOWS\SYSTEM32\CBXVVVT.DLL
C:\WINDOWS\SYSTEM32\OPNOOOL.DLL
C:\WINDOWS\SYSTEM32\QOMJHEC.DLL
Trojan.Downloader-Win/GHY
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winoja32
Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
C:\WINDOWS\SYSTEM32\WNSCPISV.EXE
Adware.Tracking Cookie
Adware.Search2Find
C:\WINDOWS\SYSTEM32\S2F.EXE
Trace.Known Threat Sources
C:\Documents and Settings\Wendy Sawchuk\Local Settings\Temporary Internet Files\Content.IE5\E9CJI5K9\xc60[1].exe
C:\Documents and Settings\Wendy Sawchuk\Local Settings\Temporary Internet Files\Content.IE5\VMCF39SP\xc42[1].exe
C:\Documents and Settings\Wendy Sawchuk\Local Settings\Temporary Internet Files\Content.IE5\GPQZ4HUB\xc29[1].exe
C:\Documents and Settings\Wendy Sawchuk\Local Settings\Temporary Internet Files\Content.IE5\KPY3OLEF\anti4[1].exe
C:\Documents and Settings\Wendy Sawchuk\Local Settings\Temporary Internet Files\Content.IE5\8TU30PU3\antzom[1].exe
ratlanta
2007-07-23, 03:46
"Wendy Sawchuk" - 2007-07-22 20:24:37 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Log\log_2007_07_14_16_10_01.log
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Log\log_2007_07_14_16_10_15.log
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Log\log_2007_07_16_23_53_18.log
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Log\log_2007_07_16_23_53_31.log
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Settings\CustomScan.stg
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Settings\IgnoreList.stg
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Settings\ScanInfo.stg
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Settings\ScanResults.stg
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Settings\SelectedFolders.stg
C:\DOCUME~1\WENDYS~1\APPLIC~1\AntiSpywareBot\Settings\Settings.stg
C:\Program Files\ystem~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\Tasks\AntiSpywareBot Scheduled Scan.job
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))
2007-07-22 20:23 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 18:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-22 18:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-22 18:11 <DIR> d-------- C:\DOCUME~1\WENDYS~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-22 17:41 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-22 16:43 6,489 ---hs---- C:\WINDOWS\system32\hhiii.bak1
2007-07-22 00:15 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-07-21 22:53 6,528 ---hs---- C:\WINDOWS\system32\mnnmp.bak1
2007-07-21 22:47 31,254 --a------ C:\WINDOWS\system32\yayvuss.dll.vir
2007-07-21 21:47 178 --a------ C:\handle.dat
2007-07-21 21:28 6,488 ---hs---- C:\WINDOWS\system32\xyyay.bak1
2007-07-21 21:22 31,254 --a------ C:\WINDOWS\system32\ssqonkh.dll.vir
2007-07-21 17:13 6,529 ---hs---- C:\WINDOWS\system32\svvyb.bak1
2007-07-21 08:22 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterVideo
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Drag'n Drop CD+DVD
2007-07-20 21:57 6,489 ---hs---- C:\WINDOWS\system32\tutwa.bak1
2007-07-20 21:21 31,254 --a------ C:\WINDOWS\system32\ddcaaww.dll.vir
2007-07-18 19:13 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-17 23:52 <DIR> d-------- C:\Program Files\MSBuild
2007-07-17 23:44 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-17 23:40 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-17 23:35 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-07-17 22:32 <DIR> d-------- C:\WINDOWS\pss
2007-07-17 07:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-17 07:20 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-17 07:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-17 06:34 <DIR> d-------- C:\Program Files\Managed DirectX (0901)
2007-07-17 06:25 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-07-17 06:25 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-07-17 06:25 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-07-17 01:17 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-17 00:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-17 00:18 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-14 10:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-14 10:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-14 10:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 07:52 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-14 00:09 <DIR> d-------- C:\WINDOWS\provisioning
2007-07-14 00:09 <DIR> d-------- C:\WINDOWS\peernet
2007-07-13 23:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-07-13 23:00 <DIR> d-------- C:\WINDOWS\EHome
2007-07-12 08:02 1,226,073 --ahs---- C:\WINDOWS\system32\beqgmoqy.ini2
2007-07-07 02:51 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-07-07 02:51 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-07-06 12:35 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-07-06 12:01 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-07-06 12:01 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-07-06 12:01 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-07-06 11:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-06 11:38 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-07-06 11:02 <DIR> d-------- C:\WINDOWS\system32\bits
2007-07-06 11:00 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-06 11:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-06 10:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-06 07:56 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-07-06 07:52 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-06 07:52 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-06 07:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-07-01 08:05 53 --ahs---- C:\WINDOWS\system32\3232528864.dat
2007-07-01 00:45 71,340 --a------ C:\WINDOWS\system32\qoppm.dll
2007-06-28 10:45 1,084,416 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-28 10:44 249,856 --a------ C:\WINDOWS\system32\odbc32.dll
2007-06-24 08:35 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
2007-06-24 08:35 713,216 --a------ C:\WINDOWS\system32\sxs.dll
2007-06-24 08:35 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
2007-06-22 07:21 57,856 --a------ C:\WINDOWS\system32\spoolsv.exe
2007-06-22 07:21 249,344 --a------ C:\WINDOWS\system32\tapisrv.dll
2007-06-22 07:19 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-06-22 07:19 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-06-22 07:19 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-06-22 07:19 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-06-22 07:19 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-06-22 07:19 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-23 03:11:51 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-17 13:29:49 -------- d-----w C:\Program Files\HP
2007-07-17 13:19:26 -------- d-----w C:\DOCUME~1\WENDYS~1\APPLIC~1\Skype
2007-07-17 08:28:53 -------- d-----w C:\Program Files\Messenger
2007-07-14 07:09:07 -------- d-----w C:\Program Files\Movie Maker
2007-07-14 06:51:52 -------- d-----w C:\Program Files\Windows NT
2007-07-06 15:03:19 -------- d-----w C:\Program Files\Symantec
2007-07-06 15:03:18 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-06 15:03:18 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-08-06 10:37:49 30,048 ----a-w C:\DOCUME~1\WENDYS~1\APPLIC~1\GDIPFONTCACHEV1.DAT
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2004-01-07 14:32 272983 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F660F64-F4C9-477F-8529-44181B717472}]
2002-03-15 17:15 155702 --a------ C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2007-01-12 00:04 96936 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
2007-02-05 18:32 747048 --a------ C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7320C4CD-53DE-4069-BFCC-AD2A77F563FD}]
C:\WINDOWS\system32\iiihh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C8235A2-8276-4276-9FA3-A22562409E86}]
C:\WINDOWS\system32\rqomm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 19:54]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 14:38]
"TFNF5"="TFNF5.exe" [2001-08-03 17:08 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 10:49 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 18:00]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 20:26]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 13:21]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2003-02-25 17:03]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 21:53]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-02-07 15:39]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-19 10:14]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 11:20 C:\WINDOWS\agrsmmsg.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiihh]
C:\WINDOWS\system32\iiihh.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
*Newly Created Service* - COMHOST
Contents of the 'Scheduled Tasks' folder
2007-07-23 03:30:16 C:\WINDOWS\tasks\HP Usg Daily.job
2007-07-23 03:36:39 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-06 15:15:13 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - David Sawchuk.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 20:35:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
Completion time: 2007-07-22 20:40:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-22 20:40
--- E O F ---
ratlanta
2007-07-23, 03:50
Logfile of HijackThis v1.99.1
Scan saved at 8:48:49 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wendy Sawchuk\My Documents\downloads\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7320C4CD-53DE-4069-BFCC-AD2A77F563FD} - C:\WINDOWS\system32\iiihh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8C8235A2-8276-4276-9FA3-A22562409E86} - C:\WINDOWS\system32\rqomm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: iiihh - C:\WINDOWS\system32\iiihh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
steamwiz
2007-07-23, 21:53
HI
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
O2 - BHO: (no name) - {7320C4CD-53DE-4069-BFCC-AD2A77F563FD} - C:\WINDOWS\system32\iiihh.dll (file missing)
O2 - BHO: (no name) - {8C8235A2-8276-4276-9FA3-A22562409E86} - C:\WINDOWS\system32\rqomm.dll (file missing)
O20 - Winlogon Notify: iiihh - C:\WINDOWS\system32\iiihh.dll (file missing)
THEN...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\beqgmoqy.tmp
C:\WINDOWS\system32\hhiii.bak1
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\yayvuss.dll.vir
C:\WINDOWS\system32\xyyay.bak1
C:\WINDOWS\system32\ssqonkh.dll.vir
C:\WINDOWS\system32\svvyb.bak1
C:\WINDOWS\system32\tutwa.bak1
C:\WINDOWS\system32\ddcaaww.dll.vir
C:\WINDOWS\system32\beqgmoqy.ini2
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Is your problem resolved ?
steam
ratlanta
2007-07-24, 04:18
"Wendy Sawchuk" - 2007-07-23 19:42:00 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Wendy Sawchuk\Desktop\CFScript.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\beqgmoqy.ini2
C:\WINDOWS\system32\beqgmoqy.tmp
C:\WINDOWS\system32\ddcaaww.dll.vir
C:\WINDOWS\system32\hhiii.bak1
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\ssqonkh.dll.vir
C:\WINDOWS\system32\svvyb.bak1
C:\WINDOWS\system32\tutwa.bak1
C:\WINDOWS\system32\xyyay.bak1
C:\WINDOWS\system32\yayvuss.dll.vir
((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))
2007-07-22 20:23 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 18:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-22 18:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-22 18:11 <DIR> d-------- C:\DOCUME~1\WENDYS~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-22 17:41 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-22 00:15 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-07-21 21:47 178 --a------ C:\handle.dat
2007-07-21 08:22 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterVideo
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-07-21 08:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Drag'n Drop CD+DVD
2007-07-18 19:13 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-17 23:52 <DIR> d-------- C:\Program Files\MSBuild
2007-07-17 23:44 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-17 23:40 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-17 23:35 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-07-17 22:32 <DIR> d-------- C:\WINDOWS\pss
2007-07-17 07:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-17 07:20 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-17 07:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-17 06:34 <DIR> d-------- C:\Program Files\Managed DirectX (0901)
2007-07-17 06:25 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-07-17 06:25 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-07-17 06:25 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-07-17 01:17 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-17 00:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-17 00:18 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-14 10:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-14 10:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-14 10:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 07:52 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-14 00:09 <DIR> d-------- C:\WINDOWS\provisioning
2007-07-14 00:09 <DIR> d-------- C:\WINDOWS\peernet
2007-07-13 23:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-07-13 23:00 <DIR> d-------- C:\WINDOWS\EHome
2007-07-07 02:51 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-07-07 02:51 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-07-06 12:35 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-07-06 12:01 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-07-06 12:01 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-07-06 12:01 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-07-06 11:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-06 11:38 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-07-06 11:02 <DIR> d-------- C:\WINDOWS\system32\bits
2007-07-06 11:00 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-06 11:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-06 10:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-06 07:56 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-07-06 07:52 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-06 07:52 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-06 07:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-07-01 08:05 53 --ahs---- C:\WINDOWS\system32\3232528864.dat
2007-07-01 00:45 71,340 --a------ C:\WINDOWS\system32\qoppm.dll
2007-06-28 10:45 1,084,416 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-28 10:44 249,856 --a------ C:\WINDOWS\system32\odbc32.dll
2007-06-24 08:35 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
2007-06-24 08:35 713,216 --a------ C:\WINDOWS\system32\sxs.dll
2007-06-24 08:35 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-23 03:11:51 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-17 13:29:49 -------- d-----w C:\Program Files\HP
2007-07-17 13:19:26 -------- d-----w C:\DOCUME~1\WENDYS~1\APPLIC~1\Skype
2007-07-17 08:28:53 -------- d-----w C:\Program Files\Messenger
2007-07-14 07:09:07 -------- d-----w C:\Program Files\Movie Maker
2007-07-14 06:51:52 -------- d-----w C:\Program Files\Windows NT
2007-07-06 15:03:19 -------- d-----w C:\Program Files\Symantec
2007-07-06 15:03:18 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-06 15:03:18 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-08-06 10:37:49 30,048 ----a-w C:\DOCUME~1\WENDYS~1\APPLIC~1\GDIPFONTCACHEV1.DAT
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2004-01-07 14:32 272983 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F660F64-F4C9-477F-8529-44181B717472}]
2002-03-15 17:15 155702 --a------ C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2007-01-12 00:04 96936 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
2007-02-05 18:32 747048 --a------ C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 19:54]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 14:38]
"TFNF5"="TFNF5.exe" [2001-08-03 17:08 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 10:49 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 18:00]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 20:26]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 13:21]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2003-02-25 17:03]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 21:53]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-02-07 15:39]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-19 10:14]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 11:20 C:\WINDOWS\agrsmmsg.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
Contents of the 'Scheduled Tasks' folder
2007-07-23 03:30:16 C:\WINDOWS\tasks\HP Usg Daily.job
2007-07-23 03:36:39 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-06 15:15:13 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - David Sawchuk.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 19:46:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
Completion time: 2007-07-23 19:47:28
C:\ComboFix-quarantined-files.txt ... 2007-07-23 19:47
C:\ComboFix2.txt ... 2007-07-22 20:40
--- E O F ---
ratlanta
2007-07-24, 04:20
Logfile of HijackThis v1.99.1
Scan saved at 9:19:37 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Wendy Sawchuk\My Documents\downloads\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
steamwiz
2007-07-24, 19:34
HI
Browse to this file on your computer :-
C:\WINDOWS\system32\qoppm.dll
Right click on it and select delete...
Is your problem resolved ?
ratlanta
2007-07-26, 05:12
I am getting the following error at startup... any suggestions/
TouchEd Error
Retrevial of "THotkey failed"
ratlanta
2007-07-26, 14:17
Ignore my previous posting ... i was able to resolve it by downloading the utilites (common modules, Hotkey) from the Toshiba website.
So far everything seems to be working well and i do not see any traces of the Virtumonde.
What are your suggestions for preventive measures in the future. What are the tools as far as Anti Virus, Anti Spyware / Adware and Firewalls are concerned?
Currently i have:
Antivirus: Norton Security
Firewall: Norton Security has an in-built firewall. Is that sufficient?
Anti spyware / Adware: any suggestions?
Thank you for your expertise on this matter. It is greatly appreciated !
steamwiz
2007-07-26, 16:50
HI
I cannot recommend Norton ... It is bloated, resource intensive & expensive, I believe you can do far better with free programs ... for instance Zonealarm FREE firewall & AVG FREE anti-virus ... there are also many FREE anti-spyware/adware programs ... which do as good, if not better job than paid for ones... Spybot is of course a must....
Take a look here for some great advice :-
http://forums.spybot.info/showthread.php?t=279