View Full Version : Need help!!
I had serious number of spyware on PC
After I clean it with many diff antivirus software still have something.
Allways open new window in Firefox or IE whit next adress
http://89.188.16.16/go//?cmp=wavff_r&uid=5b381ac461ad11dcb595f67605feffff&nid=cc&guid=5bfa46b3320e42b3bbb560fb53b51c82&affid=67605&lid=http>
if I try to close it starts to open new windows whit message UNABLE TO OPEN PAGE, i can only stop that if preform end task of IEXPLORE.exe process in task manager.
How to get ride of it
Here is HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 20:58:42, on 14.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\PoscMail.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\PC\Desktop\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PoscMailProc] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\PoscMail.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTLoader] C:\Program Files\CafeTimePro\CTLoader.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\pluvqloc.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [SolidCapture] C:\Program Files\SolidDocuments\SolidCapture\solidcapture.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190656118171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://212.39.103.154/AL/WinWebPush.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.buygenesis.com/livedemo/msrdp.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.6/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Print Spooler Service (h23ahixsuz5) - Unknown owner - C:\WINDOWS\system32\qnoknchehhdx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Thanks ahead!
Hello Vlatko
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
I need you to move HJT to its own folder and off the desktop, go to your C:\ drive and create a folder and name it HJT, go to where you have HJT installed on your desktop and right click on it and select CUT, open the new folder you just created and right click inside that folder and select PASTE
Now to to C:\ HJT\Hijackthis.exe and right click on it and rename it to Scanner.exe.
You have a nice collection of malware and trojans on your system, lets do this first.
Only do this after you have moved HJT to its own folder as directed.
Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\pluvqloc.dll",sitypnow
Only remove these two if you set them yourself, if a systems administrator set them then leave them be
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://212.39.103.154/AL/WinWebPush.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.6/ttinst.cab
O23 - Service: Print Spooler Service (h23ahixsuz5) - Unknown owner - C:\WINDOWS\system32\qnoknchehhdx.exe (file missing)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Hi
I had read before u post (but , sorry it was after I post)
And try with kaspersky on-line scanner, and then follow your instrucitions
here it is report.txt
DFix: Version 1.109
Run by PC on uto 16.10.2007 at 04:49
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDfix\SDFix
Safe Mode:
Checking Services:
Name:
h23ahixsuz5
ImagePath:
C:\WINDOWS\system32\qnoknchehhdx.exe /service
h23ahixsuz5 - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\DOCUME~1\PC\LOCALS~1\Temp\eraseme_17416.exe - Deleted
C:\DOCUME~1\PC\LOCALS~1\Temp\eraseme_52574.exe - Deleted
C:\DOCUME~1\PC\LOCALS~1\Temp\eraseme_67442.exe - Deleted
C:\DOCUME~1\PC\LOCALS~1\Temp\eraseme_88805.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"="C:\\Program Files\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"="C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe:*:Enabled:VoipStunt"
"C:\\Program Files\\Free World Dialup\\FWD.Communicator\\FWD.Communicator.exe"="C:\\Program Files\\Free World Dialup\\FWD.Communicator\\FWD.Communicator.exe:*:Enabled:FWD:Communicator"
"C:\\Program Files\\PoivY.com\\PoivY\\PoivY.exe"="C:\\Program Files\\PoivY.com\\PoivY\\PoivY.exe:*:Enabled:PoivY"
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"="C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe:*:Enabled:VoipBuster"
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"="C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe:*:Enabled:VoipCheapCom"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\FileZilla\\FileZilla.exe"="C:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\WINDOWS\\system\\lsass.exe"="C:\\WINDOWS\\system\\lsass.exe:*:Enabled:Windows Sharing"
"C:\\DOCUME~1\\PC\\LOCALS~1\\Temp\\Rar$DI00.328\\img0012-www.photostorage.com"="C:\\DOCUME~1\\PC\\LOCALS~1\\Temp\\Rar$DI00.328\\img0012-www.photostorage.com:*:Enabled:Windows Sharing"
"C:\\DOCUME~1\\PC\\LOCALS~1\\Temp\\Rar$DI00.906\\img0012-www.photostorage.com"="C:\\DOCUME~1\\PC\\LOCALS~1\\Temp\\Rar$DI00.906\\img0012-www.photostorage.com:*:Enabled:Windows Sharing"
"C:\\DOCUME~1\\PC\\LOCALS~1\\Temp\\Rar$DI01.406\\img0012-www.photostorage.com"="C:\\DOCUME~1\\PC\\LOCALS~1\\Temp\\Rar$DI01.406\\img0012-www.photostorage.com:*:Enabled:Windows Sharing"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\WINDOWS\\system\\explorer.exe"="C:\\WINDOWS\\system\\explorer.exe:*:Enabled:Windows Sharing"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"\"C:\\Program Files\\CCP Client\\CCPClient.exe\""="\"C:\\Program Files\\CCP Client\\CCPClient.exe:*:Enabled:CyberCafePro Client Software\""
"C:\\Program Files\\CCP Client\\CCPClient.exe"="C:\\Program Files\\CCP Client\\CCPClient.exe:*:Enabled:CyberCafePro Client"
"C:\\Program Files\\CCP Client\\ccpsys.exe"="C:\\Program Files\\CCP Client\\ccpsys.exe:*:Enabled:CCP Communications"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
---------------
File Backups: - C:\SDfix\SDFix\backups\backups.zip
Files with Hidden Attributes:
Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 26 Sep 2007 882,328 A.SH. --- "C:\WINDOWS\system32\cdeeg.tmp"
Sat 13 Oct 2007 606,787 A.SH. --- "C:\WINDOWS\system32\cdeeg.bak1"
Sun 14 Oct 2007 606,158 A.SH. --- "C:\WINDOWS\system32\cdeeg.bak2"
Sat 29 Sep 2007 693,961 A.SH. --- "C:\WINDOWS\system32\lupvsjfi.tmp"
Sun 14 Oct 2007 611,296 A.SH. --- "C:\WINDOWS\system32\npqss.tmp"
Sun 14 Oct 2007 595,764 A.SH. --- "C:\WINDOWS\system32\npqss.bak1"
Mon 1 Oct 2007 693,541 A.SH. --- "C:\WINDOWS\system32\qwqhrjee.tmp"
Tue 25 Sep 2007 534 A.SH. --- "C:\WINDOWS\system32\wcjdjnfa.tmp"
Sat 22 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 29 Sep 2004 15,360 A..HR --- "C:\WINDOWS\system32\drivers\NetMotCM.sys"
Thu 20 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2f492065f824095d7200f7aaf1fabb46\BIT1.tmp"
Finished!
and HJD
Logfile of HijackThis v1.99.1
Scan saved at 5:03:39, on 16.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\PoscMail.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SolidDocuments\SolidCapture\solidcapture.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJD\scanner.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BF263D2-AD6D-4104-88CB-90B7B4C37D2E} - (no file)
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\iifghfc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: rightonadz browser optimizer - {971C3384-F75E-4562-95B3-CBE7417529BC} - C:\WINDOWS\system32\gzmrotate.dll (file missing)
O2 - BHO: (no name) - {A05DBF8F-A254-4E8F-8C3B-FE932E237C35} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {A7DAECC6-FB42-4FF5-AAFA-8B8244D5FF54} - (no file)
O2 - BHO: (no name) - {B7745279-4CBF-47F8-8193-C2E65B0FCF67} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {DB26AD3E-A23C-4507-BE72-39154390A95E} - (no file)
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\system32\vwoosihw.dll
O2 - BHO: SpoofBHO Class - {F631AAE2-4C20-11DC-8929-D3F855D89593} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PoscMailProc] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\PoscMail.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTLoader] C:\Program Files\CafeTimePro\CTLoader.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [SolidCapture] C:\Program Files\SolidDocuments\SolidCapture\solidcapture.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190656118171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.buygenesis.com/livedemo/msrdp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: drmvndde - C:\WINDOWS\
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O20 - Winlogon Notify: iifghfc - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ssqpn - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
I was unable to do this before, sorry
Best regards
It looks like your infected with the Vundo trojan also. FYI, the reason I had you rename HJT is because the thieves that have written the Vundo trojan have written it to evade a HJT scan and by renaming it to something else if Vundo is present on your system it will show up on your log, and it did :sad: If you look at the original log you posted and your latest one you will see many more entries on the log. You also have a CoolWebSearch infection.
Download the Stand Alone Version of CWShredder (http://www.intermute.com/spysubtract/cwshredder_download.html) to your desktop.
Open CWShredder
Check for Updates
Close out the program. <-- Dont run it yet
Boot your computer into Safemode
Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Open CWShredder
Double-click on CWShredder.exe.
Click Fix and click OK at the prompt.
CWShredder will scan and clean your system of CWS files.
Click Next and then Exit .
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Vundofix log, the Combofix log and a new HJT log please.
Hi Ken
Thanks for doing this
here are the rusults
VundoFix
VundoFix V6.5.10
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 15:30:15 16.10.2007
Listing files found while scanning....
C:\windows\system32\bqckatdm.dll
C:\windows\system32\bwemqxsh.dll
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\cdeeg.tmp
C:\windows\system32\chxfkvpp.dll
C:\windows\system32\cygnscyd.dll
C:\windows\system32\dlakqoxy.dll
C:\windows\system32\dneekkdf.dll
C:\windows\system32\dnyghswc.dll
C:\windows\system32\drwxootd.dll
C:\windows\system32\edpxexbe.dll
C:\windows\system32\ejyhcxur.dll
C:\windows\system32\ewdahtip.dll
C:\windows\system32\fqxbwbga.dll
C:\windows\system32\fvxxxvbq.dll
C:\windows\system32\gbdggosc.dll
C:\WINDOWS\system32\geedc.dll
C:\windows\system32\gkpmehva.dll
C:\windows\system32\gpxjdbgw.dll
C:\windows\system32\gtuiptft.dll
C:\windows\system32\gxmvonng.dll
C:\windows\system32\hbrvfvqd.dll
C:\WINDOWS\system32\iifghfc.dll
C:\windows\system32\ijsjqwyl.dll
C:\windows\system32\iwoymfad.dll
C:\windows\system32\jffojgrs.dll
C:\windows\system32\kygsrayi.dll
C:\windows\system32\lkmgmnll.dll
C:\windows\system32\mmibbgca.dll
C:\windows\system32\naoqaejr.dll
C:\windows\system32\nfdqwrji.dll
C:\windows\system32\npldixub.dll
C:\windows\system32\npwnyjum.dll
C:\windows\system32\omiegjmi.dll
C:\windows\system32\opxrkyqs.dll
C:\windows\system32\pjjvfmxo.dll
C:\windows\system32\qjbirbwc.dll
C:\windows\system32\qohftlum.dll
C:\windows\system32\qoivxlko.dll
C:\windows\system32\qyxkdphv.dll
C:\windows\system32\rjpdyfuo.dll
C:\windows\system32\rsgefelt.dll
C:\windows\system32\siifqigo.dll
C:\windows\system32\txlkycjl.dll
C:\windows\system32\uhxfljlj.dll
C:\windows\system32\uknamabs.dll
C:\windows\system32\uyrjfyut.dll
C:\windows\system32\uysbmbsa.dll
C:\WINDOWS\system32\vwoosihw.dll
C:\windows\system32\wostuvbh.dll
C:\windows\system32\xfukybmp.dll
C:\windows\system32\xwubabqm.dll
C:\windows\system32\yswkehjn.dll
C:\windows\system32\yugctcpr.dll
C:\windows\system32\yuqjbhrn.dll
Beginning removal...
Attempting to delete C:\windows\system32\bqckatdm.dll
C:\windows\system32\bqckatdm.dll Has been deleted!
Attempting to delete C:\windows\system32\bwemqxsh.dll
C:\windows\system32\bwemqxsh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\cdeeg.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdeeg.tmp
C:\WINDOWS\system32\cdeeg.tmp Has been deleted!
Attempting to delete C:\windows\system32\chxfkvpp.dll
C:\windows\system32\chxfkvpp.dll Has been deleted!
Attempting to delete C:\windows\system32\cygnscyd.dll
C:\windows\system32\cygnscyd.dll Has been deleted!
Attempting to delete C:\windows\system32\dlakqoxy.dll
C:\windows\system32\dlakqoxy.dll Has been deleted!
Attempting to delete C:\windows\system32\dneekkdf.dll
C:\windows\system32\dneekkdf.dll Has been deleted!
Attempting to delete C:\windows\system32\dnyghswc.dll
C:\windows\system32\dnyghswc.dll Has been deleted!
Attempting to delete C:\windows\system32\drwxootd.dll
C:\windows\system32\drwxootd.dll Has been deleted!
Attempting to delete C:\windows\system32\edpxexbe.dll
C:\windows\system32\edpxexbe.dll Has been deleted!
Attempting to delete C:\windows\system32\ejyhcxur.dll
C:\windows\system32\ejyhcxur.dll Has been deleted!
Attempting to delete C:\windows\system32\ewdahtip.dll
C:\windows\system32\ewdahtip.dll Has been deleted!
Attempting to delete C:\windows\system32\fqxbwbga.dll
C:\windows\system32\fqxbwbga.dll Has been deleted!
Attempting to delete C:\windows\system32\fvxxxvbq.dll
C:\windows\system32\fvxxxvbq.dll Has been deleted!
Attempting to delete C:\windows\system32\gbdggosc.dll
C:\windows\system32\gbdggosc.dll Has been deleted!
Attempting to delete C:\windows\system32\gkpmehva.dll
C:\windows\system32\gkpmehva.dll Has been deleted!
Attempting to delete C:\windows\system32\gpxjdbgw.dll
C:\windows\system32\gpxjdbgw.dll Has been deleted!
Attempting to delete C:\windows\system32\gtuiptft.dll
C:\windows\system32\gtuiptft.dll Has been deleted!
Attempting to delete C:\windows\system32\gxmvonng.dll
C:\windows\system32\gxmvonng.dll Has been deleted!
Attempting to delete C:\windows\system32\hbrvfvqd.dll
C:\windows\system32\hbrvfvqd.dll Has been deleted!
Attempting to delete C:\windows\system32\ijsjqwyl.dll
C:\windows\system32\ijsjqwyl.dll Has been deleted!
Attempting to delete C:\windows\system32\iwoymfad.dll
C:\windows\system32\iwoymfad.dll Has been deleted!
Attempting to delete C:\windows\system32\jffojgrs.dll
C:\windows\system32\jffojgrs.dll Has been deleted!
Attempting to delete C:\windows\system32\kygsrayi.dll
C:\windows\system32\kygsrayi.dll Has been deleted!
Attempting to delete C:\windows\system32\lkmgmnll.dll
C:\windows\system32\lkmgmnll.dll Has been deleted!
Attempting to delete C:\windows\system32\mmibbgca.dll
C:\windows\system32\mmibbgca.dll Has been deleted!
Attempting to delete C:\windows\system32\naoqaejr.dll
C:\windows\system32\naoqaejr.dll Has been deleted!
Attempting to delete C:\windows\system32\nfdqwrji.dll
C:\windows\system32\nfdqwrji.dll Has been deleted!
Attempting to delete C:\windows\system32\npldixub.dll
C:\windows\system32\npldixub.dll Has been deleted!
Attempting to delete C:\windows\system32\npwnyjum.dll
C:\windows\system32\npwnyjum.dll Has been deleted!
Attempting to delete C:\windows\system32\omiegjmi.dll
C:\windows\system32\omiegjmi.dll Has been deleted!
Attempting to delete C:\windows\system32\opxrkyqs.dll
C:\windows\system32\opxrkyqs.dll Has been deleted!
Attempting to delete C:\windows\system32\pjjvfmxo.dll
C:\windows\system32\pjjvfmxo.dll Has been deleted!
Attempting to delete C:\windows\system32\qjbirbwc.dll
C:\windows\system32\qjbirbwc.dll Has been deleted!
Attempting to delete C:\windows\system32\qohftlum.dll
C:\windows\system32\qohftlum.dll Has been deleted!
Attempting to delete C:\windows\system32\qoivxlko.dll
C:\windows\system32\qoivxlko.dll Has been deleted!
Attempting to delete C:\windows\system32\qyxkdphv.dll
C:\windows\system32\qyxkdphv.dll Has been deleted!
Attempting to delete C:\windows\system32\rjpdyfuo.dll
C:\windows\system32\rjpdyfuo.dll Has been deleted!
Attempting to delete C:\windows\system32\rsgefelt.dll
C:\windows\system32\rsgefelt.dll Has been deleted!
Attempting to delete C:\windows\system32\siifqigo.dll
C:\windows\system32\siifqigo.dll Has been deleted!
Attempting to delete C:\windows\system32\txlkycjl.dll
C:\windows\system32\txlkycjl.dll Has been deleted!
Attempting to delete C:\windows\system32\uhxfljlj.dll
C:\windows\system32\uhxfljlj.dll Has been deleted!
Attempting to delete C:\windows\system32\uknamabs.dll
C:\windows\system32\uknamabs.dll Has been deleted!
Attempting to delete C:\windows\system32\uyrjfyut.dll
C:\windows\system32\uyrjfyut.dll Has been deleted!
Attempting to delete C:\windows\system32\uysbmbsa.dll
C:\windows\system32\uysbmbsa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vwoosihw.dll
C:\WINDOWS\system32\vwoosihw.dll Has been deleted!
Attempting to delete C:\windows\system32\wostuvbh.dll
C:\windows\system32\wostuvbh.dll Has been deleted!
Attempting to delete C:\windows\system32\xfukybmp.dll
C:\windows\system32\xfukybmp.dll Has been deleted!
Attempting to delete C:\windows\system32\xwubabqm.dll
C:\windows\system32\xwubabqm.dll Has been deleted!
Attempting to delete C:\windows\system32\yswkehjn.dll
C:\windows\system32\yswkehjn.dll Has been deleted!
Attempting to delete C:\windows\system32\yugctcpr.dll
C:\windows\system32\yugctcpr.dll Has been deleted!
Attempting to delete C:\windows\system32\yuqjbhrn.dll
C:\windows\system32\yuqjbhrn.dll Has been deleted!
Performing Repairs to the registry.
Done!
.....
Combo Fix
ComboFix 07-10-16.1 - PC 2007-10-16 15:46:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.563 [GMT 2:00]
Running from: C:\Documents and Settings\PC\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\PC\Application Data\DriveCleaner 2006 Free
C:\Documents and Settings\PC\Application Data\DriveCleaner 2006 Free\Logs\update.log
C:\Documents and Settings\PC\Application Data\DriveCleaner 2006 Free\Logs\update.log
C:\Documents and Settings\PC\Desktop\internet.lnk
C:\Documents and Settings\PC\Desktop\internet.lnk
C:\Documents and Settings\PC\Desktop\internet.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\acugbnhg.dll
C:\WINDOWS\system32\ajrvyapg.dll
C:\WINDOWS\system32\axpcuacj.dll
C:\WINDOWS\system32\bhsqlmlq.dll
C:\WINDOWS\system32\buaxsiqe.ini
C:\WINDOWS\system32\buaxsiqe.ini2
C:\WINDOWS\system32\ckvnqcjk.ini
C:\WINDOWS\system32\ckvnqcjk.ini2
C:\WINDOWS\system32\cpcnvleg.dll
C:\WINDOWS\system32\cufqaanj.ini
C:\WINDOWS\system32\cxlvgdjx.ini
C:\WINDOWS\system32\cxlvgdjx.ini2
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\edyvxryt.dll
C:\WINDOWS\system32\ejguutel.dll
C:\WINDOWS\system32\etbmiirm.dll
C:\WINDOWS\system32\fesblwjn.ini
C:\WINDOWS\system32\fesblwjn.ini2
C:\WINDOWS\system32\fhvokppc.dll
C:\WINDOWS\system32\fqjalgix.dll
C:\WINDOWS\system32\frexpibf.ini
C:\WINDOWS\system32\frexpibf.ini2
C:\WINDOWS\system32\gqmdrnoo.ini
C:\WINDOWS\system32\gqmdrnoo.ini2
C:\WINDOWS\system32\hbsljijd.dll
C:\WINDOWS\system32\hlekbskq.dll
C:\WINDOWS\system32\hnfgqlag.dll
C:\WINDOWS\system32\icphjrqc.dll
C:\WINDOWS\system32\iecryeow.ini
C:\WINDOWS\system32\iecryeow.ini2
C:\WINDOWS\system32\iocmyppw.ini
C:\WINDOWS\system32\isjteaqd.dll
C:\WINDOWS\system32\jgnbtame.dll
C:\WINDOWS\system32\jnaaqfuc.dll
C:\WINDOWS\system32\jowwjodg.dll
C:\WINDOWS\system32\jygsdstv.dll
C:\WINDOWS\system32\kkpdvhms.dll
C:\WINDOWS\system32\kqdqaotb.dll
C:\WINDOWS\system32\kravnigk.dll
C:\WINDOWS\system32\lbjhvole.ini
C:\WINDOWS\system32\lbjhvole.ini2
C:\WINDOWS\system32\lpjrlcwm.dll
C:\WINDOWS\system32\lupvsjfi.ini
C:\WINDOWS\system32\lupvsjfi.ini2
C:\WINDOWS\system32\lupvsjfi.tmp
C:\WINDOWS\system32\luwfilpg.dll
C:\WINDOWS\system32\mdlayklk.ini
C:\WINDOWS\system32\mdlayklk.ini2
C:\WINDOWS\system32\mjtynlbs.dll
C:\WINDOWS\system32\msdfpjwk.dll
C:\WINDOWS\system32\mtxgljwb.ini
C:\WINDOWS\system32\mtxgljwb.ini2
C:\WINDOWS\system32\niairyqg.dll
C:\WINDOWS\system32\nmksceya.dll
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.tmp
C:\WINDOWS\system32\npqss.tmp
C:\WINDOWS\system32\nsgdjgwx.ini
C:\WINDOWS\system32\nsgdjgwx.ini2
C:\WINDOWS\system32\odchxivc.ini
C:\WINDOWS\system32\odchxivc.ini2
C:\WINDOWS\system32\ooeeqlqb.dll
C:\WINDOWS\system32\qikdogvf.dll
C:\WINDOWS\system32\qskymxon.ini
C:\WINDOWS\system32\qskymxon.ini2
C:\WINDOWS\system32\qtiuqwrn.dll
C:\WINDOWS\system32\qwqhrjee.ini
C:\WINDOWS\system32\qwqhrjee.ini2
C:\WINDOWS\system32\qwqhrjee.tmp
C:\WINDOWS\system32\qxisuwws.dll
C:\WINDOWS\system32\rtkipnuu.dll
C:\WINDOWS\system32\uinywibj.ini
C:\WINDOWS\system32\uinywibj.ini2
C:\WINDOWS\system32\urkwqphl.ini
C:\WINDOWS\system32\urkwqphl.ini2
C:\WINDOWS\system32\utlolrny.dll
C:\WINDOWS\system32\utxpjrbn.ini
C:\WINDOWS\system32\utxpjrbn.ini2
C:\WINDOWS\system32\uvgahfnj.dll
C:\WINDOWS\system32\vaexsocj.dll
C:\WINDOWS\system32\vdewoedq.dll
C:\WINDOWS\system32\vkokrecx.dll
C:\WINDOWS\system32\wmhmokdj.ini
C:\WINDOWS\system32\wmhmokdj.ini2
C:\WINDOWS\system32\wppymcoi.dll
C:\WINDOWS\system32\xcerkokv.ini
C:\WINDOWS\system32\xjbhhljc.ini
C:\WINDOWS\system32\xjbhhljc.ini2
C:\WINDOWS\system32\xtmltlsj.dll
C:\WINDOWS\system32\xuanjswy.ini
C:\WINDOWS\system32\xuanjswy.ini2
C:\WINDOWS\system32\xugkilac.dll
C:\WINDOWS\system32\xyraiujc.dll
C:\WINDOWS\system32\yhntkqwe.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SFSYNC02
-------\sfsync02
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.
2007-10-16 15:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 15:30 <DIR> d-------- C:\VundoFix Backups
2007-10-16 04:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-16 04:28 <DIR> d-------- C:\HJD
2007-10-14 23:57 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-14 23:57 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-14 23:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-10-14 23:56 <DIR> d-------- C:\kav
2007-10-14 23:56 4,161,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-14 23:56 20,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-14 21:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-14 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 18:43 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-12 13:15 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-08 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-08 21:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-06 22:03 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-06 22:03 <DIR> d-------- C:\Program Files\QuickTime
2007-10-06 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-06 22:03 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-10-06 22:02 <DIR> d-------- C:\Program Files\Disney Interactive
2007-10-06 20:43 0 --a------ C:\WINDOWS\PowerReg.dat
2007-10-06 20:39 <DIR> d-------- C:\Program Files\Ubi Soft
2007-10-06 20:39 778,240 --a------ C:\WINDOWS\system32\Petz 5.scr
2007-10-02 13:33 <DIR> d-------- C:\Documents and Settings\PC\.GalleryRemote
2007-09-28 17:33 <DIR> d-------- C:\Program Files\Uniblue
2007-09-28 17:28 <DIR> d-------- C:\Documents and Settings\PC\Application Data\Uniblue
2007-09-27 17:00 <DIR> d-------- C:\Program Files\CafeTimePro
2007-09-27 17:00 299,008 --a------ C:\WINDOWS\system32\MSDBRPTR.DLL
2007-09-27 16:53 <DIR> d-------- C:\Program Files\CafeTimePro Prepay Ticketer
2007-09-27 16:52 90,624 --a------ C:\WINDOWS\tsuninst1.exe
2007-09-27 16:28 <DIR> d-------- C:\Program Files\CCP Client
2007-09-26 13:26 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe
2007-09-24 20:00 <DIR> d-------- C:\Program Files\Quick Screen Recorder
2007-09-24 13:17 79,832 --a------ C:\WINDOWS\system32\adssite-remove.exe
2007-09-24 13:17 40,315 --a------ C:\WINDOWS\system32\gzmrot-uninst.exe
2007-09-22 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PY_Software
2007-09-22 09:12 446,464 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-09-21 21:12 <DIR> d-------- C:\Program Files\HyCam2
2007-09-21 21:10 <DIR> d-------- C:\Program Files\Active WebCam
2007-09-21 19:02 11,264 --a--c--- C:\WINDOWS\system32\dllcache\atrace.dll
2007-09-21 19:02 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-09-21 18:45 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-09-21 18:45 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-09-21 18:45 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-09-21 18:45 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-09-20 11:04 <DIR> d-------- C:\Documents and Settings\PC\Shared
2007-09-20 11:04 <DIR> d-------- C:\Documents and Settings\PC\Incomplete
2007-09-20 11:03 <DIR> d-------- C:\Documents and Settings\PC\Application Data\LimeWire
2007-09-20 11:02 <DIR> d-------- C:\Program Files\LimeWire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 13:55 --------- d-----w C:\Documents and Settings\PC\Application Data\SolidDocuments
2007-10-16 13:55 --------- d-----w C:\Documents and Settings\PC\Application Data\Skype
2007-10-16 13:53 56,564 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-16 13:53 2,900 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-11 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-10 11:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-08 20:08 --------- d-----w C:\Documents and Settings\PC\Application Data\BitTorrent
2007-10-08 14:19 --------- d-----w C:\Program Files\Valve
2007-10-08 10:34 --------- d-----w C:\Program Files\VoipCheapCom
2007-10-07 13:41 --------- d-----w C:\Program Files\Cheat Engine
2007-10-06 20:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 08:38 --------- d-----w C:\Program Files\DC++
2007-09-27 07:52 --------- d-----w C:\Program Files\Winamp
2007-09-22 13:05 --------- d-----w C:\Program Files\Deskshare
2007-09-22 09:01 --------- d-----w C:\Program Files\Cheating-Death
2007-09-21 16:31 --------- d-----w C:\Program Files\Video Strip Poker Supreme
2007-09-11 16:54 --------- d-----w C:\Program Files\SolidDocuments
2007-09-03 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-03 08:44 --------- d-----w C:\Program Files\Apple Software Update
2007-09-03 08:43 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-03 08:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-22 13:13 --------- d-----w C:\Program Files\ModTheSims2.com
2007-08-22 12:07 --------- d-----w C:\Program Files\EA GAMES
2007-08-22 11:25 --------- d-----w C:\Program Files\Battle For Troy
2007-08-21 15:05 --------- d-----w C:\Program Files\ALLCapture Trial
2007-08-20 07:21 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-08-17 17:22 --------- d-----w C:\Program Files\PartyGaming
2007-08-14 15:48 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2006-04-17 18:11 1,241,822 ----a-w C:\Program Files\metamod.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BF263D2-AD6D-4104-88CB-90B7B4C37D2E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971C3384-F75E-4562-95B3-CBE7417529BC}]
C:\WINDOWS\system32\gzmrotate.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A05DBF8F-A254-4E8F-8C3B-FE932E237C35}]
C:\WINDOWS\system32\geedc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7DAECC6-FB42-4FF5-AAFA-8B8244D5FF54}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7745279-4CBF-47F8-8193-C2E65B0FCF67}]
C:\WINDOWS\system32\ssqpn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB26AD3E-A23C-4507-BE72-39154390A95E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F631AAE2-4C20-11DC-8929-D3F855D89593}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-02 21:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"PoscMailProc"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\PoscMail.exe" [2006-06-23 16:21]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 05:01 C:\WINDOWS\SOUNDMAN.EXE]
"CTLoader"="C:\Program Files\CafeTimePro\CTLoader.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53]
"SolidCapture"="C:\Program Files\SolidDocuments\SolidCapture\solidcapture.exe" [2007-04-17 14:40]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
C:\Documents and Settings\PC\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-10-06 20:43:48]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drmvndde]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geedc]
C:\WINDOWS\system32\geedc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghfc]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpn]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwea32]
winwea32.dll
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S1 bdftdif;bdftdif;\??\C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys
S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe"
S4 NOTEPAD;NOTEPAD;"C:\WINDOWS\system\NOTEPAD.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cd0ee37-a7dd-11da-b0e4-806d6172696f}]
AutoRun\command - D:\ASUSACPI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{377D7E23-8D19-ED72-0804-080602050800}]
C:\WINDOWS\system32\windows.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 21:21:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 15:54:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-16 15:57:21 - machine was rebooted
.
--- E O F ---
....too be continued
Die hard part 3 :)
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 16:08:28, on 16.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\PoscMail.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SolidDocuments\SolidCapture\solidcapture.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJD\scanner.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BF263D2-AD6D-4104-88CB-90B7B4C37D2E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: rightonadz browser optimizer - {971C3384-F75E-4562-95B3-CBE7417529BC} - C:\WINDOWS\system32\gzmrotate.dll (file missing)
O2 - BHO: (no name) - {A05DBF8F-A254-4E8F-8C3B-FE932E237C35} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {A7DAECC6-FB42-4FF5-AAFA-8B8244D5FF54} - (no file)
O2 - BHO: (no name) - {B7745279-4CBF-47F8-8193-C2E65B0FCF67} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {DB26AD3E-A23C-4507-BE72-39154390A95E} - (no file)
O2 - BHO: SpoofBHO Class - {F631AAE2-4C20-11DC-8929-D3F855D89593} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PoscMailProc] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\PoscMail.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTLoader] C:\Program Files\CafeTimePro\CTLoader.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [SolidCapture] C:\Program Files\SolidDocuments\SolidCapture\solidcapture.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190656118171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.buygenesis.com/livedemo/msrdp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: drmvndde - C:\WINDOWS\
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll (file missing)
O20 - Winlogon Notify: iifghfc - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: ssqpn - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
So, now u have to read for a while :)
Thanks Ken
Your doing well :bigthumb:
We need to disable the Tea Timer in Spybot Search and Destroy as to not interfere with the fix.
Open Spybot and go to Mode> Advanced Mode> Tools> Resident and take the checkmark out of Tea Timer
REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BF263D2-AD6D-4104-88CB-90B7B4C37D2E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971C3384-F75E-4562-95B3-CBE7417529BC}]
C:\WINDOWS\system32\gzmrotate.dll
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A05DBF8F-A254-4E8F-8C3B-FE932E237C35}]
C:\WINDOWS\system32\geedc.dll
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7DAECC6-FB42-4FF5-AAFA-8B8244D5FF54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7745279-4CBF-47F8-8193-C2E65B0FCF67}]
C:\WINDOWS\system32\ssqpn.dll
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB26AD3E-A23C-4507-BE72-39154390A95E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F631AAE2-4C20-11DC-8929-D3F855D89593}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drmvndde]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geedc]
C:\WINDOWS\system32\geedc.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghfc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwea32]
winwea32.dll
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
Post a new HJT log please
Due to lack of a response, this topic has been archived.
If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.