Virus +



Kayel
2007-09-22, 22:13
This is my first time dealing with this stuff in this way. I am totally new at this, so I'll do my best to do what I have read. All I ask is that you be detailed about what you're telling me to do, as I have a learning disability and sometimes I comprehend things the wrong way. Thank you.


The first one is the HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:05 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {4856BF68-8BF4-4A0B-B4F2-F85B70896DD3} - C:\WINDOWS\system32\pmkjg.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {80F52B11-B980-4FCF-9B66-5B733054D190} - C:\WINDOWS\System32\ssqqpno.dll (file missing)
O2 - BHO: (no name) - {B1E3BF76-6425-465E-B533-D3176C3C02A7} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\thtulmjm.dll",sitypnow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.softpedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190359466968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190360669000
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{8920D73E-B427-4001-8FC1-25F080269C01}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O20 - Winlogon Notify: ssqqpno - ssqqpno.dll (file missing)
O22 - SharedTaskScheduler: comitatus - {98013eb8-258b-4979-bfd5-04ecd93f765c} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7517 bytes

Kaspersky log is too long to put here.


I did what I had read about restarting and running Spybot in safe mode until clean. I've tried VundoFix, Spyware Doctor, AVG; none of them get all of the trojans out. Hope you can help me.

shelf life
2007-09-23, 15:02
hi Kayel,

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply.

Also rescan and post a new HJT log after you run ComboFix.

shelf life

Kayel
2007-09-23, 18:50
ComboFix:

ComboFix 07-09-21.2 - "powner" 2007-09-23 12:18:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.635 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\afaaibkl.exe
C:\WINDOWS\system32\ainqgrdk.exe
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\gjkmp.bak2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gjkmp.ini2
C:\WINDOWS\system32\gjkmp.tmp
C:\WINDOWS\system32\ilknilcp.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\system32\oaqlkoay.exe
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\rtujiswb.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-23 12:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-23 10:30 85,568 --a------ C:\WINDOWS\system32\ajcwkydh.dll
2007-09-23 08:25 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\AdwareAlert
2007-09-23 07:32 <DIR> d-------- C:\Program Files\Grey License
2007-09-23 07:32 <DIR> d-------- C:\Program Files\3wPlayer
2007-09-23 07:32 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\Grey License
2007-09-23 07:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Link Axis Bat Wave
2007-09-23 07:31 <DIR> d-------- C:\Program Files\DivoCodec
2007-09-22 15:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-22 10:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-22 10:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-22 10:07 <DIR> d-------- C:\VundoFix Backups
2007-09-21 21:11 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\TrojanHunter
2007-09-21 21:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-21 17:58 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire
2007-09-21 12:14 6,414 --ahs---- C:\WINDOWS\system32\ututv.bak1
2007-09-21 11:27 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-21 11:23 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-09-21 11:16 952,834 --ahs---- C:\WINDOWS\system32\bbeeg.bak2
2007-09-21 11:04 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-21 11:01 <DIR> d-------- C:\WINDOWS\EHome
2007-09-21 10:45 6,414 --ahs---- C:\WINDOWS\system32\bbeeg.bak1
2007-09-20 02:44 23,040 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-09-20 02:44 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-09-20 02:44 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-09-20 02:44 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-18 18:43 <DIR> d--hs---- C:\found.000
2007-09-18 15:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-18 15:41 <DIR> d-------- C:\DOCUME~1\powner\.housecall6.6
2007-09-18 13:15 6,414 --ahs---- C:\WINDOWS\system32\aybeg.bak1
2007-09-18 11:43 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\PEX
2007-09-18 11:43 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\F-Secure
2007-09-18 11:41 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\ispnews
2007-09-18 11:38 <DIR> d-------- C:\WINDOWS\rnapxs
2007-09-18 10:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\TuneUp Software
2007-09-16 01:33 <DIR> d-------- C:\Program Files\X'nBeep 1.1
2007-09-14 10:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-13 23:00 184 --a------ C:\WINDOWS\system32\e000003.dat
2007-09-13 21:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-09-13 15:24 <DIR> d-------- C:\Program Files\EVEMon
2007-09-13 15:24 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\EVEMon
2007-09-12 23:58 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-09-12 17:10 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-09-12 17:10 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-09-12 17:10 36,224 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2007-09-12 17:10 24,960 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2007-09-07 05:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 04:31 2,032,640 --a------ C:\WINDOWS\system32\TUKernel.exe
2007-09-03 01:11 <DIR> d-------- C:\Program Files\TSO
2007-09-02 10:30 <DIR> d-------- C:\Program Files\Electronic Arts
2007-09-02 10:22 <DIR> d-------- C:\Program Files\Real
2007-09-02 10:22 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-02 10:22 <DIR> d-------- C:\Program Files\Common Files\Real
2007-09-02 10:22 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\Real
2007-09-02 10:18 414,272 --a------ C:\WINDOWS\system32\DivXc32f.dll
2007-09-02 10:18 414,272 --a------ C:\WINDOWS\system32\DivXc32.dll
2007-09-02 10:18 <DIR> d-------- C:\Program Files\DivX_311alpha
2007-09-02 10:15 <DIR> d-------- C:\Program Files\GustoSoft
2007-09-02 10:11 <DIR> d-------- C:\Program Files\CyberLink
2007-09-02 10:11 <DIR> d-------- C:\Program Files\ASUSTek
2007-09-02 10:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-09-02 09:31 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\Help
2007-08-23 04:00 <DIR> d-------- C:\DOCUME~1\powner\APPLIC~1\Effexis Software
2007-08-23 04:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Effexis Software
2007-08-23 03:39 <DIR> d-------- C:\WINDOWS\system32\URTTEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-23 01:06 --------- d-------- C:\DOCUME~1\powner\APPLIC~1\Xfire
2007-09-23 00:50 --------- d---s---- C:\Program Files\Xfire
2007-09-22 22:14 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-22 07:22 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-09-22 07:18 --------- d-------- C:\Program Files\Google
2007-09-21 21:18 --------- d-------- C:\DOCUME~1\powner\APPLIC~1\OpenOffice.org2
2007-09-21 02:04 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-20 02:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\RFA_Backups
2007-09-18 11:15 --------- d-------- C:\Program Files\PC Tools Firewall Plus
2007-09-14 10:09 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-13 22:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 22:13 --------- d-------- C:\Program Files\Activision
2007-09-12 23:34 --------- d-------- C:\Program Files\BitComet
2007-09-07 05:12 --------- d-------- C:\Program Files\TuneUp Utilities 2007
2007-09-07 04:36 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-08-23 01:54 --------- d-------- C:\DOCUME~1\powner\APPLIC~1\Image Zone Express
2007-08-22 03:43 --------- d-------- C:\Program Files\Common Files\Vbox
2007-08-18 04:00 --------- d-------- C:\Program Files\Microsoft Calculator Plus
2007-08-17 21:58 --------- d-------- C:\Program Files\DIFX
2007-08-14 00:35 --------- d-------- C:\Program Files\RegHealer
2007-08-14 00:26 --------- d-------- C:\Program Files\XP Repair Pro 2007
2007-08-13 23:54 --------- d-------- C:\Program Files\RFA Platinum
2007-08-13 14:06 --------- d-------- C:\Program Files\Sierra
2007-08-13 13:38 --------- d-------- C:\Program Files\Ubisoft
2007-08-13 00:18 --------- d-------- C:\Program Files\Valve
2007-08-13 00:06 --------- d-------- C:\DOCUME~1\powner\APPLIC~1\InstallShield
2007-08-10 18:31 --------- d-------- C:\Program Files\NCH Swift Sound
2007-08-10 18:31 --------- d-------- C:\DOCUME~1\powner\APPLIC~1\NCH Swift Sound
2007-08-09 14:47 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-09 14:25 --------- dr-h----- C:\DOCUME~1\powner\APPLIC~1\SecuROM
2007-08-03 23:51 22328 --a------ C:\DOCUME~1\powner\APPLIC~1\PnkBstrK.sys
2007-07-27 07:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-07-09 20:27 44544 --------- C:\WINDOWS\AWuninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7CC7A4-DEE8-4374-8726-341D2B6FE53C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80F52B11-B980-4FCF-9B66-5B733054D190}]
C:\WINDOWS\System32\ssqqpno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1E3BF76-6425-465E-B533-D3176C3C02A7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-11-04 18:03]
"nwiz"="nwiz.exe" [2005-11-04 18:03 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-02 10:22]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-21 12:14]
"Bat Wave Base Dale"="C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\global face.exe" [2007-09-23 12:42]
"SearchIndexer"="C:\WINDOWS\system32\ajcwkydh.dll" [2007-09-23 10:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Defy pop"="C:\DOCUME~1\powner\APPLIC~1\GREYLI~1\SeekWait.exe" [2007-09-23 07:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{80F52B11-B980-4FCF-9B66-5B733054D190}"= C:\WINDOWS\System32\ssqqpno.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqpno]
ssqqpno.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTSysVol"=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"SBDrvDet"=C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
"CTDVDDET"=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTHelper"=CTHELPER.EXE

R2 PfDetNT;PfDetNT;\??\C:\WINDOWS\System32\drivers\PfModNT.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
S3 HabuFltr;Habu Mouse;C:\WINDOWS\system32\drivers\habu.sys
S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
S3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 21:19:25 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-09-23 16:00:00 C:\WINDOWS\Tasks\ADA3AF5792E42D73.job"
- c:\docume~1\powner\applic~1\greyli~1\Team Proxy City.exe
"2007-09-23 12:25:41 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 12:42:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-23 12:43:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-23 12:43
.
--- E O F ---

Kayel
2007-09-23, 18:51
HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:53 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {4E7CC7A4-DEE8-4374-8726-341D2B6FE53C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {80F52B11-B980-4FCF-9B66-5B733054D190} - C:\WINDOWS\System32\ssqqpno.dll (file missing)
O2 - BHO: (no name) - {B1E3BF76-6425-465E-B533-D3176C3C02A7} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Bat Wave Base Dale] C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\global face.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ajcwkydh.dll",sitypnow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Defy pop] C:\DOCUME~1\powner\APPLIC~1\GREYLI~1\SeekWait.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Play Radio URL - C:\Program Files\Christian Music Toolbar\MusicToolBar.dll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.softpedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190359466968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190360669000
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{8920D73E-B427-4001-8FC1-25F080269C01}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O20 - Winlogon Notify: ssqqpno - ssqqpno.dll (file missing)
O22 - SharedTaskScheduler: comitatus - {98013eb8-258b-4979-bfd5-04ecd93f765c} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7070 bytes

shelf life
2007-09-23, 22:10
hi Kayel,

OK, good. Another download to use:

Download and run VundoFix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

shelf life

Kayel
2007-09-24, 01:00
VundoFix V6.5.8

Checking Java version...

Scan started at 10:07:01 AM 9/22/2007

Listing files found while scanning....

C:\windows\system32\drvtirr.dll

Beginning removal...

Attempting to delete C:\windows\system32\drvtirr.dll
C:\windows\system32\drvtirr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Scan started at 4:16:25 PM 9/22/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.8

Checking Java version...

Scan started at 6:52:18 PM 9/23/2007

Listing files found while scanning....

No infected files were found.

Kayel
2007-09-24, 01:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:40 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {4E7CC7A4-DEE8-4374-8726-341D2B6FE53C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {80F52B11-B980-4FCF-9B66-5B733054D190} - C:\WINDOWS\System32\ssqqpno.dll (file missing)
O2 - BHO: (no name) - {B1E3BF76-6425-465E-B533-D3176C3C02A7} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Bat Wave Base Dale] C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\global face.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ajcwkydh.dll",sitypnow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Defy pop] C:\DOCUME~1\powner\APPLIC~1\GREYLI~1\SeekWait.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Play Radio URL - C:\Program Files\Christian Music Toolbar\MusicToolBar.dll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.softpedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190359466968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190360669000
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{8920D73E-B427-4001-8FC1-25F080269C01}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O20 - Winlogon Notify: ssqqpno - ssqqpno.dll (file missing)
O22 - SharedTaskScheduler: comitatus - {98013eb8-258b-4979-bfd5-04ecd93f765c} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7156 bytes

shelf life
2007-09-24, 02:29
hi Kayel,

OK, first we will use HJT, then boot into safe mode to look for and delete some files. Before you use HJT, disable Spybot's TeaTimer so it will allow the HJT changes, like this:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

----------------------------------
HJT:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O2 - BHO: (no name) - {4E7CC7A4-DEE8-4374-8726-341D2B6FE53C} - (no file)

O2 - BHO: (no name) - {80F52B11-B980-4FCF-9B66-5B733054D190} - C:\WINDOWS\System32\ssqqpno.dll (file missing)

O2 - BHO: (no name) - {B1E3BF76-6425-465E-B533-D3176C3C02A7} - (no file)

O4 - HKLM\..\Run: [Bat Wave Base Dale] C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\global face.exe

O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ajcwkydh.dll",sitypnow

O4 - HKCU\..\Run: [Defy pop] C:\DOCUME~1\powner\APPLIC~1\GREYLI~1\SeekWait.exe

O20 - Winlogon Notify: ssqqpno - ssqqpno.dll (file missing)

O22 - SharedTaskScheduler: comitatus - {98013eb8-258b-4979-bfd5-04ecd93f765c} - (no file)
-----------------------
This is the safe mode part, so you might want to copy/paste this into Notepad and save it so you can read it in safe mode:

To reach safe mode, tap the F8 key during a computer restart and choose the first option from the list, Safe Mode. Once in safe mode, to show all files do this:

For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, then Apply, then OK.

1) Using Explorer (Start > right-click > Explore), navigate here:

C:\Documents and Settings\All Users\Application Data

You are looking for a folder named: Link Axis Bat Wave
Delete the entire folder.

2) Using Explorer, see if you can find:
C:\DOCUME~1\powner\APPLIC~1\GREYLI~1
(C:\Documents and Settings\powner (a user profile)\Application Data)
a folder that begins with greyli...

3) Using Explorer, navigate to the C:\WINDOWS\system32 directory and see if you can delete this .dll:
ajcwkydh.dll
-------------------------------
While in safe mode, run Spybot once. Reboot normally and post a new HJT log.

shelf life

Kayel
2007-09-24, 06:59
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:55 AM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Play Radio URL - C:\Program Files\Christian Music Toolbar\MusicToolBar.dll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.softpedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190359466968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190360669000
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{8920D73E-B427-4001-8FC1-25F080269C01}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F6D98A4-A6E9-4EE2-AC6B-5C4B7DCC4D9D}: NameServer = 4.2.2.2,2.2.2.3
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5909 bytes

Kayel
2007-09-24, 07:02
Thank you

shelf life
2007-09-24, 23:35
hi Kayel,

OK, good. A couple more.

If you don't use BitComet anymore and you have uninstalled it, you can select the first item in HJT; otherwise don't check it to fix.


scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

If you didn't add this site to your trusted zone, you can fix it also:

O15 - Trusted Zone: *.softpedia.com
------------------------
If all looks good on your end, we can make new restore points:

One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405

shelf life

Kayel
2007-09-25, 05:36
All done. Just one question: the BHOs, are they supposed to have named files attached to them? I guess what I'm asking is, if they say (no name) or (no file), should I get rid of them?

shelf life
2007-09-26, 02:22
hi Kayel,


"if they say (no name) or (no file)"

Yes, any O2 or O4 item that says no name or no file you can get rid of by selecting it in HJT.

happy safe surfing.


shelf life
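The rules shelf life applied by eye in this thread (orphaned O2/O4/O20/O22 entries whose target is "(no file)" or "(file missing)", unnamed BHOs, a trusted-zone entry the user has to confirm) can be expressed as a small log triage script. The block below is an added example written for this page, not code from the thread, from Spybot or from HijackThis. The sample log lines are a constructed subset copied from the two logs posted above; the two extra heuristics (autorun targets under a user-writable Application Data folder, and rundll32 loading an all-lowercase random-looking DLL name) are the editor's own assumptions and only point a reviewer at entries to look at, they are not a verdict.

```python
"""Triage helper for HijackThis (HJT) logs: parse the classified entries
(R0, O2, O4, O15, O20, O22, ...), flag the ones worth a second look, and diff
a 'before' log against an 'after' log to confirm what a fix removed.
Added example; rules marked 'heuristic' are assumptions, not HJT logic."""
import re
from dataclasses import dataclass
from typing import List, Tuple

HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")
# Autorun targets under a user-writable profile folder (long and 8.3 forms).
USER_WRITABLE = ("\\application data\\", "\\applic~1\\")
# Heuristic (assumption): rundll32 loading an all-lowercase 6-10 letter DLL.
RANDOM_DLL = re.compile(r"\\[a-z]{6,10}\.dll")


@dataclass(frozen=True)
class HjtItem:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


def parse_hjt(text: str) -> List[HjtItem]:
    """Keep only classified entries; headers and the process list are skipped."""
    items = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            items.append(HjtItem(m.group(1), m.group(2)))
    return items


def flag_reasons(item: HjtItem) -> List[str]:
    """Reasons an entry deserves review (empty list means nothing fired)."""
    reasons = []
    body_lc = item.body.lower()
    if item.section in ("O2", "O4", "O20", "O22") and any(
        m in item.body for m in MISSING_MARKERS
    ):
        reasons.append("target file missing (orphaned entry)")
    if item.section == "O2" and "(no name)" in item.body:
        reasons.append("unnamed BHO")
    if item.section == "O4" and any(p in body_lc for p in USER_WRITABLE):
        reasons.append("autorun from user-writable Application Data")
    if item.section == "O4" and "rundll32" in body_lc and RANDOM_DLL.search(item.body):
        reasons.append("rundll32 loads random-looking DLL (heuristic)")
    if item.section == "O15":
        reasons.append("trusted-zone entry: confirm it was added deliberately")
    return reasons


def triage(text: str) -> List[Tuple[HjtItem, List[str]]]:
    """Every entry at least one rule fires on, in log order."""
    hits = []
    for it in parse_hjt(text):
        reasons = flag_reasons(it)
        if reasons:
            hits.append((it, reasons))
    return hits


def removed_between(before: str, after: str) -> List[HjtItem]:
    """Entries present in the first log but absent (or changed) in the second."""
    after_set = set(parse_hjt(after))
    return [it for it in parse_hjt(before) if it not in after_set]


# Constructed sample: a subset of the first log posted in the thread.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7CC7A4-DEE8-4374-8726-341D2B6FE53C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80F52B11-B980-4FCF-9B66-5B733054D190} - C:\WINDOWS\System32\ssqqpno.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Bat Wave Base Dale] C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\global face.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ajcwkydh.dll",sitypnow
O4 - HKCU\..\Run: [Defy pop] C:\DOCUME~1\powner\APPLIC~1\GREYLI~1\SeekWait.exe
O15 - Trusted Zone: *.softpedia.com
O20 - Winlogon Notify: ssqqpno - ssqqpno.dll (file missing)
O22 - SharedTaskScheduler: comitatus - {98013eb8-258b-4979-bfd5-04ecd93f765c} - (no file)
"""

# Constructed sample: the matching subset of the second (post-fix) log.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O15 - Trusted Zone: *.softpedia.com
"""

if __name__ == "__main__":
    for it, why in triage(BEFORE_LOG):
        print(f"{it.section}: {it.body[:60]}  <- {'; '.join(why)}")
    print(f"{len(removed_between(BEFORE_LOG, AFTER_LOG))} entries gone after the fix")
```

Run against the full logs, the script flags exactly the eight lines shelf life asked to fix or delete plus the O15 line for confirmation, and the before/after diff shows the Spybot SDHelper BHO turning into an unnamed "(no file)" entry, which is why the second round of fixes picked it up. The heuristics deliberately leave the NvCplDaemon rundll32 entry alone; a mixed-case vendor DLL in System32 is the normal case, not the anomaly.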