View Full Version : malware infection
genohunter24
2007-07-25, 03:15
Can you please give me advise of what to do with my problem. Most of the time it is a redirect program. below is my htl. thanks
Logfile of HijackThis v1.99.1
Scan saved at 9:14:53 PM, on 7/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\windows\system32\mpdsregs.exe
C:\WINDOWS\System32\pwinqndt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\StormTeam 13 Desktop Weather\TrueWeather.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner.FAMILYROOM\Desktop\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {F4A9C8F7-2668-2899-1604-59F07BCA6A9D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: (no name) - {1DCEFCCC-8778-41D5-8E57-B3F30B9D5DFA} - C:\Program Files\Windows Media Player\hoke.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - (no file)
O2 - BHO: (no name) - {33B3AC1E-16D0-1927-F04C-68E33BE2FECE} - C:\WINDOWS\System32\igui.dll (file missing)
O2 - BHO: (no name) - {36E5FA46-17D3-4B25-F04C-68E33BE2A999} - C:\WINDOWS\System32\jia.dll (file missing)
O2 - BHO: (no name) - {3A2D6EDA-EFD9-4B99-A646-0B8B0C011CAA} - (no file)
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\System32\ljjkhff.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\System32\tfrxludh.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6CEFE070-1FC5-4ED3-AA63-623177342326} - C:\WINDOWS\System32\hgofyenh.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B60E4D6B-F5FF-AA0E-DD0B-8CADDFBC75C6} - C:\WINDOWS\System32\vurioswg.dll (file missing)
O2 - BHO: 0 - {CB846822-28BF-4A0B-E2B3-F595B053EB0B} - C:\Program Files\Messenger\lavupa138.dll
O2 - BHO: (no name) - {E426D4B8-1529-495B-963F-560CDDEEBAB3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [{CD-DD-DC-C1-ZN}] C:\windows\system32\mpdsregs.exe CHD003
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\kpjueudl.dll",realset
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pwinqndt.exe CHD003
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\OWNER~1.FAM\APPLIC~1\SSEMBL~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Teb] "C:\Documents and Settings\Owner.FAMILYROOM\Application Data\M?crosoft\r?gsvr32.exe"
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [A00F1A94A0.exe] C:\DOCUME~1\OWNER~1.FAM\LOCALS~1\Temp\_A00F1A94A0.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinqndt.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: StormTeam 13 Desktop Weather.lnk = C:\Program Files\Common Files\StormTeam 13 Desktop Weather\TrueWeather.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Toki Toki Boom - http://download2.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dice - http://download2.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download2.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136678508921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136678493578
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: awvvu - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfcaxx - C:\WINDOWS\
O20 - Winlogon Notify: ljjkhff - ljjkhff.dll (file missing)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c00B2DA0 - C:\WINDOWS\System32\__c00B2DA0.dat
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
pskelley
2007-07-25, 15:16
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
For starters, please provide more information about your issues when you post for help like this. Much of the time, what you provide is as important as the HJT log. I can tell you that you are very infected and my advice would be to keep this computer offline except when you are troubleshooting, until I tell you that you are clean.
Do you own Prevx and have you run it? Mention in your next post any tools you ran before posting. This will take a while and require that you read carefully and follow all directions. We will start like this.
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Thanks
genohunter24
2007-07-27, 03:52
Thanks to all who is helping!!
Problems I have noticed, a redirect program from www.yahabags.com and a few malware programs with pop ups. I am usually able to solve my own problems, but not this time.
I do use PREVX however, something is blocking the program from communicating with thier database. The program does run, and will jail programs. I clean them and they still pop up.
I did not upgrade to servicepack2. i do not wish to, I hope this will not be problematic.
I ran combofix as requested. Here is the log...
I will post hjtlog in another post.
Thanks for the help
tom
"Owner" - 2007-07-26 20:34:51 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 1 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\inetadpt.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\awvdcmmy.dll
C:\WINDOWS\system32\byxywuu.dll
C:\WINDOWS\system32\hggecdc.dll
C:\WINDOWS\system32\hgofyenh.dll
C:\WINDOWS\system32\kpjueudl.dll
C:\WINDOWS\system32\qyagntkb.dll
C:\WINDOWS\system32\tfrxludh.dll
C:\WINDOWS\system32\tvevogxc.dll
C:\WINDOWS\system32\urqppqn.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\xfdvsvyq.dll
C:\WINDOWS\system32\byxywuu.dll
C:\WINDOWS\system32\hggecdc.dll
C:\WINDOWS\system32\urqppqn.dll
C:\WINDOWS\system32\ymmcdvwa.ini
C:\WINDOWS\system32\ldueujpk.ini
C:\WINDOWS\system32\oqstv.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\53828015.exe
C:\DOCUME~1\OWNER~1.FAM\APPLIC~1.\mcroso~1
C:\DOCUME~1\OWNER~1.FAM\APPLIC~1.\ssembl~1
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\icroso~1.net
C:\Program Files\internet explorer\svchost.exe
C:\Program Files\Messenger\lavupa.dll
C:\Program Files\Messenger\lavupa138.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\stem32~1
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\temp\tn3
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\System32\__c00B2DA0.dat
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\inetadpt.dll
C:\WINDOWS\system32\mpdsregs.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\smpi1\lb5.exe
C:\WINDOWS\system32\smpi1\lb66.exe
C:\WINDOWS\system32\smpi1\lib06.exe
C:\WINDOWS\system32\smpi1\lib67.exe
C:\WINDOWS\system32\test.bmp
C:\WINDOWS\system32\wcpisu.exe
C:\WINDOWS\system32\wcpsvsu.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\wr.txt
C:\WINDOWS\ymbols~1
C:\xcrashdump.dat
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\core
((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))
2007-07-26 20:29 51,200 --a------ C:\WINDOWS\nircmd.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-27 02:05:15 223 ----a-w C:\WINDOWS\freedom.backup.dat
2007-07-27 02:00:18 -------- d-----w C:\Program Files\Messenger
2007-07-25 17:15:54 -------- d-----w C:\Program Files\Common Files\PestPatrol
2007-07-20 02:15:07 105,434 ----a-w C:\WINDOWS\qwr67.exe
2007-06-22 20:31:40 -------- d--h--r C:\DOCUME~1\OWNER~1.FAM\APPLIC~1\yahoo!
2007-06-07 22:33:30 2,177 ----a-w C:\WINDOWS\eReg.dat
2007-06-07 22:30:57 -------- d-----w C:\Program Files\Maxis
2007-06-03 12:26:33 192,629 ----a-w C:\WINDOWS\system32\pwinqndt.exe
2007-05-25 22:48:23 53,760 ----a-w C:\WINDOWS\ycf.exe
2007-05-25 22:23:03 1,564,800 --sh--w C:\WINDOWS\system32\oqtss.bak2
2007-05-24 15:04:07 1,498,255 --sh--w C:\WINDOWS\system32\oqtss.bak1
2007-05-24 14:03:08 725,044 --sh--w C:\WINDOWS\system32\awvvt.dll
2007-05-24 09:56:37 725,044 --sh--w C:\WINDOWS\system32\geebc.dll
2007-05-24 09:50:06 184,435 ----a-w C:\WINDOWS\system32\pwinqndv.exe
2007-05-19 00:09:32 10,240 ----a-w C:\WINDOWS\kdgsmjlu.exe
2007-05-14 02:10:22 1,466,609 --sh--w C:\WINDOWS\system32\uvvwa.bak1
2007-05-10 21:31:44 77,312 ----a-w C:\WINDOWS\ua2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DCEFCCC-8778-41D5-8E57-B3F30B9D5DFA}]
2007-04-06 14:27 139264 --a------ C:\Program Files\Windows Media Player\hoke.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33B3AC1E-16D0-1927-F04C-68E33BE2FECE}]
C:\WINDOWS\System32\igui.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36E5FA46-17D3-4B25-F04C-68E33BE2A999}]
C:\WINDOWS\System32\jia.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A2D6EDA-EFD9-4B99-A646-0B8B0C011CAA}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b4d79df-9ef0-429d-a0e9-d9b138c6a53b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B60E4D6B-F5FF-AA0E-DD0B-8CADDFBC75C6}]
C:\WINDOWS\System32\vurioswg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E426D4B8-1529-495B-963F-560CDDEEBAB3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [2005-02-11 09:02]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-26 17:23]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"Notn"="C:\DOCUME~1\OWNER~1.FAM\APPLIC~1\SSEMBL~1\nopdb.exe" []
"Teb"="C:\Documents and Settings\Owner.FAMILYROOM\Application Data\M?crosoft\r?gsvr32.exe" []
C:\Documents and Settings\Owner.FAMILYROOM\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-02-13 14:11:50]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-04-10 06:08:26]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 20:08:34]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
StormTeam 13 Desktop Weather.lnk - C:\Program Files\Common Files\StormTeam 13 Desktop Weather\TrueWeather.exe [2006-02-13 13:53:39]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"contrabandists"= {dfa61db1-388e-4c87-8d56-540fa229bcb4} - Apartment [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcaxx]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkhff]
ljjkhff.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqo]
R0 fasttx2k;fasttx2k;C:\WINDOWS\System32\DRIVERS\fasttx2k.sys
R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\System32\drivers\pxfsf.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\System32\DRIVERS\DcCam.sys
R1 FreeTdi;Freedom Filter;C:\WINDOWS\System32\Drivers\FreeTdi.sys
R1 PrevxTdi;PREVX Tdi filter;C:\WINDOWS\System32\drivers\pxtdi.sys
R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\System32\drivers\CdaD10BA.SYS
R2 CSS DVP;CSS DVP;C:\WINDOWS\System32\DRIVERS\css-dvp.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\System32\drivers\dcfs2k.sys
R3 Freedom;Freedom Miniport;C:\WINDOWS\System32\DRIVERS\FREEDOM.SYS
R3 ltmodem5;Lucent Modem Driver;C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 Ps2;PS2;C:\WINDOWS\System32\DRIVERS\PS2.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\System32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\System32\DRIVERS\usbhub.sys
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\System32\DRIVERS\usbuhci.sys
S1 Exportit;Exportit;C:\WINDOWS\System32\DRIVERS\exportit.sys
S3 CA561;ICatch (VI) PC Camera;C:\WINDOWS\System32\Drivers\SPCA561.SYS
S3 DcFpoint;DcFpoint;C:\WINDOWS\System32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\System32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\System32\DRIVERS\DcPTP.sys
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 PrevxEmulator;PREVX Emulator Driver;C:\WINDOWS\System32\drivers\pxemu.sys
S3 PXRDDriver;PREVX Rootkitscan driver;\??\C:\WINDOWS\system32\drivers\pxrd.sys
S3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\System32\DRIVERS\usbccgp.sys
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\System32\DRIVERS\usbohci.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys
S3 usbscan;USB Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\System32\DRIVERS\w300bus.sys
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\w300mdfl.sys
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\System32\DRIVERS\w300mdm.sys
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\System32\DRIVERS\w300mgmt.sys
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\System32\DRIVERS\w300obex.sys
Contents of the 'Scheduled Tasks' folder
2007-07-20 16:57:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-26 05:00:00 C:\WINDOWS\tasks\At1.job
2007-07-26 14:00:00 C:\WINDOWS\tasks\At10.job
2007-07-26 15:00:00 C:\WINDOWS\tasks\At11.job
2007-07-26 16:00:00 C:\WINDOWS\tasks\At12.job
2007-07-26 17:00:00 C:\WINDOWS\tasks\At13.job
2007-07-26 18:00:00 C:\WINDOWS\tasks\At14.job
2007-07-26 19:00:00 C:\WINDOWS\tasks\At15.job
2007-07-26 20:00:00 C:\WINDOWS\tasks\At16.job
2007-07-26 21:00:00 C:\WINDOWS\tasks\At17.job
2007-07-26 22:00:00 C:\WINDOWS\tasks\At18.job
2007-07-26 23:00:00 C:\WINDOWS\tasks\At19.job
2007-07-26 06:00:00 C:\WINDOWS\tasks\At2.job
2007-07-27 00:00:00 C:\WINDOWS\tasks\At20.job
2007-07-27 01:00:00 C:\WINDOWS\tasks\At21.job
2007-07-27 02:00:07 C:\WINDOWS\tasks\At22.job
2007-07-26 03:00:00 C:\WINDOWS\tasks\At23.job
2007-07-26 04:00:00 C:\WINDOWS\tasks\At24.job
2007-07-26 05:00:01 C:\WINDOWS\tasks\At25.job
2007-07-26 06:00:00 C:\WINDOWS\tasks\At26.job
2007-07-26 07:00:00 C:\WINDOWS\tasks\At27.job
2007-07-26 08:00:00 C:\WINDOWS\tasks\At28.job
2007-07-26 09:00:01 C:\WINDOWS\tasks\At29.job
2007-07-26 07:00:00 C:\WINDOWS\tasks\At3.job
2007-07-26 10:00:01 C:\WINDOWS\tasks\At30.job
2007-07-26 11:00:01 C:\WINDOWS\tasks\At31.job
2007-07-26 12:00:00 C:\WINDOWS\tasks\At32.job
2007-07-26 13:00:00 C:\WINDOWS\tasks\At33.job
2007-07-26 14:00:00 C:\WINDOWS\tasks\At34.job
2007-07-26 15:00:00 C:\WINDOWS\tasks\At35.job
2007-07-26 16:00:00 C:\WINDOWS\tasks\At36.job
2007-07-26 17:00:00 C:\WINDOWS\tasks\At37.job
2007-07-26 18:00:00 C:\WINDOWS\tasks\At38.job
2007-07-26 19:00:00 C:\WINDOWS\tasks\At39.job
2007-07-26 08:00:00 C:\WINDOWS\tasks\At4.job
2007-07-26 20:00:00 C:\WINDOWS\tasks\At40.job
2007-07-26 21:00:00 C:\WINDOWS\tasks\At41.job
2007-07-26 22:00:00 C:\WINDOWS\tasks\At42.job
2007-07-26 23:00:00 C:\WINDOWS\tasks\At43.job
2007-07-27 00:00:00 C:\WINDOWS\tasks\At44.job
2007-07-27 01:00:00 C:\WINDOWS\tasks\At45.job
2007-07-27 02:00:07 C:\WINDOWS\tasks\At46.job
2007-07-26 03:00:01 C:\WINDOWS\tasks\At47.job
2007-07-26 04:00:00 C:\WINDOWS\tasks\At48.job
2007-07-26 09:00:02 C:\WINDOWS\tasks\At5.job
2007-07-26 10:00:02 C:\WINDOWS\tasks\At6.job
2007-07-26 11:00:01 C:\WINDOWS\tasks\At7.job
2007-07-26 12:00:01 C:\WINDOWS\tasks\At8.job
2007-07-26 13:00:01 C:\WINDOWS\tasks\At9.job
2003-12-05 14:50:42 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1062638510.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 21:10:20
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-26 21:22:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 21:21
--- E O F ---
genohunter24
2007-07-27, 03:53
Logfile of HijackThis v1.99.1
Scan saved at 9:53:24 PM, on 7/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.FAMILYROOM\Desktop\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {F4A9C8F7-2668-2899-1604-59F07BCA6A9D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: (no name) - {1DCEFCCC-8778-41D5-8E57-B3F30B9D5DFA} - C:\Program Files\Windows Media Player\hoke.dll
O2 - BHO: (no name) - {33B3AC1E-16D0-1927-F04C-68E33BE2FECE} - C:\WINDOWS\System32\igui.dll (file missing)
O2 - BHO: (no name) - {36E5FA46-17D3-4B25-F04C-68E33BE2A999} - C:\WINDOWS\System32\jia.dll (file missing)
O2 - BHO: (no name) - {3A2D6EDA-EFD9-4B99-A646-0B8B0C011CAA} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B60E4D6B-F5FF-AA0E-DD0B-8CADDFBC75C6} - C:\WINDOWS\System32\vurioswg.dll (file missing)
O2 - BHO: (no name) - {E426D4B8-1529-495B-963F-560CDDEEBAB3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\OWNER~1.FAM\APPLIC~1\SSEMBL~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Teb] "C:\Documents and Settings\Owner.FAMILYROOM\Application Data\M?crosoft\r?gsvr32.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: StormTeam 13 Desktop Weather.lnk = C:\Program Files\Common Files\StormTeam 13 Desktop Weather\TrueWeather.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Toki Toki Boom - http://download2.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dice - http://download2.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download2.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136678508921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136678493578
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: awvvu - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfcaxx - C:\WINDOWS\
O20 - Winlogon Notify: ljjkhff - ljjkhff.dll (file missing)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
pskelley
2007-07-27, 12:36
Thanks for returning your information and the feedback.
I asked if you owed Prevyx (purchased the program) I can see you installed it and would assume you used it. I use it also for folks with some stubborn trojans but the program uses a lot of resources and if you did not purchase it I would advise you uninstall it once the trial is over.
I did not upgrade to servicepack2. i do not wish to, I hope this will not be problematic.http://forums.spybot.info/showthread.php?t=288 <<< please read post number 4, I will continue with this cleaning but I can tell you without SP #2 you will get reinfected and I believe you and I our both wasting our time cleaning this computer if you have no intentions to install the Service Pack for your own protection.
Follow the instructions in the posted order
1) Go to Start > Control > Add or Remove Programs
In the list of Currently Installed Programs, look for any entry with OuterInfo or OIN, such as:
PurityScan By OIN
If found, select and click: Remove
If no entries with OuterInfo or OIN are listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) Prevx will block changes we must make, use these instructions and turn it off until your are finished.
Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console..
On the Management Console click the Protection Level drop-down menu. You will see three levels:
Maximum
Off
User Defined
To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
Click the X on the upper right hand corner to exit the Management console.
5) Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
(hold that report and HJT log until you finish)
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {F4A9C8F7-2668-2899-1604-59F07BCA6A9D} - (no file)
O2 - BHO: (no name) - {1DCEFCCC-8778-41D5-8E57-B3F30B9D5DFA} - C:\Program Files\Windows Media Player\hoke.dll
O2 - BHO: (no name) - {33B3AC1E-16D0-1927-F04C-68E33BE2FECE} - C:\WINDOWS\System32\igui.dll (file missing)
O2 - BHO: (no name) - {36E5FA46-17D3-4B25-F04C-68E33BE2A999} - C:\WINDOWS\System32\jia.dll (file missing)
O2 - BHO: (no name) - {3A2D6EDA-EFD9-4B99-A646-0B8B0C011CAA} - (no file)
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - (no file)
O2 - BHO: (no name) - {B60E4D6B-F5FF-AA0E-DD0B-8CADDFBC75C6} - C:\WINDOWS\System32\vurioswg.dll (file missing)
O2 - BHO: (no name) - {E426D4B8-1529-495B-963F-560CDDEEBAB3} - (no file)
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\OWNER~1.FAM\APPLIC~1\SSEMBL~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Teb] "C:\Documents and Settings\Owner.FAMILYROOM\Application Data\M?crosoft\r?gsvr32.exe"
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: awvvu - C:\WINDOWS\
O20 - Winlogon Notify: khfcaxx - C:\WINDOWS\
O20 - Winlogon Notify: ljjkhff - ljjkhff.dll (file missing)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) RIGHT Click on Start then click on Explore. Locate and delete these items:
(these folder may be gone, this is PurityScan adware, just DO NOT miss them if they are there)
C:\DOCUMENTS AND SETTINGS~1\OWNER~1.FAM\APPLICATION DATA~1\SSEMBL~1\ <<< delete that folder
C:\Documents and Settings\Owner.FAMILYROOM\Application Data\M?crosoft\ <<< delete that folder
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the Vundofix report and a new HJT log.
Thanks
genohunter24
2007-07-28, 02:06
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 7:51:13 PM 7/27/2007
Listing files found while scanning....
C:\windows\system32\awvvt.dll
C:\windows\system32\geebc.dll
Beginning removal...
Attempting to delete C:\windows\system32\awvvt.dll
C:\windows\system32\awvvt.dll Has been deleted!
Attempting to delete C:\windows\system32\geebc.dll
C:\windows\system32\geebc.dll Has been deleted!
Performing Repairs to the registry.
Done!
genohunter24
2007-07-28, 02:07
Logfile of HijackThis v1.99.1
Scan saved at 8:09:07 PM, on 7/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner.FAMILYROOM\Desktop\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {F4A9C8F7-2668-2899-1604-59F07BCA6A9D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: (no name) - {1DCEFCCC-8778-41D5-8E57-B3F30B9D5DFA} - C:\Program Files\Windows Media Player\hoke.dll
O2 - BHO: (no name) - {33B3AC1E-16D0-1927-F04C-68E33BE2FECE} - C:\WINDOWS\System32\igui.dll (file missing)
O2 - BHO: (no name) - {36E5FA46-17D3-4B25-F04C-68E33BE2A999} - C:\WINDOWS\System32\jia.dll (file missing)
O2 - BHO: (no name) - {3A2D6EDA-EFD9-4B99-A646-0B8B0C011CAA} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B60E4D6B-F5FF-AA0E-DD0B-8CADDFBC75C6} - C:\WINDOWS\System32\vurioswg.dll (file missing)
O2 - BHO: (no name) - {E426D4B8-1529-495B-963F-560CDDEEBAB3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: StormTeam 13 Desktop Weather.lnk = C:\Program Files\Common Files\StormTeam 13 Desktop Weather\TrueWeather.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Toki Toki Boom - http://download2.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dice - http://download2.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download2.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136678508921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136678493578
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: awvvu - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: khfcaxx - C:\WINDOWS\
O20 - Winlogon Notify: ljjkhff - ljjkhff.dll (file missing)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
genohunter24
2007-07-28, 02:30
Please ignore the last HJTLOG, the one posted after the vundo
Logfile of HijackThis v1.99.1
Scan saved at 8:28:41 PM, on 7/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.FAMILYROOM\Desktop\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn18\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: StormTeam 13 Desktop Weather.lnk = C:\Program Files\Common Files\StormTeam 13 Desktop Weather\TrueWeather.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Toki Toki Boom - http://download2.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dice - http://download2.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download2.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136678508921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136678493578
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
genohunter24
2007-07-28, 02:34
Yes I do pay for prevx
and i understand about servicepack2. thanks for the advice.
What's next?
thanks for the help thus far :bigthumb: its been a big help.
tom
pskelley
2007-07-28, 02:47
For your information, this program: C:\Program Files\ewido\security suite\ewidoctrl.exe
was purchased by Grisoft and it is now AVG Anti-Spyware 7.5. The program you have installed is obsolete and I suggest you uninstall it.
This HJT log is clean, I suggest you do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Glad we could help, as the problem appears to be resolved this topic has been archived.
If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.