View Full Version : nasty virtumonde infection. ran vundofix, adaware, spyware doctor, avast.
knightofni
2007-11-06, 10:20
can't remove this file
khfdbxw.dll with vundofix, it asks me to reboot and try again, I try again and it asks me to reboot and try again.
Done it in safe mode as well.
here's my Hijackthis log, with the file renamed as killa.exe
Logfile of HijackThis v1.99.1
Scan saved at 1:11:57 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\MySQL5.0\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\FixVundo.exe
C:\WINDOWS\system32\Notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\killa.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarCU/YSetSearch/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchUrl/YSetSearch/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E4EACA6-FF17-4B35-A390-1E4FBFF0D882} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B99A305C-A9C5-A110-EA2E-F98A31F32A97} - (no file)
O2 - BHO: {1ef3cae0-a0e3-af28-db74-0bffea08a89c} - {c98a80ae-ffb0-47bd-82fa-3e0a0eac3fe1} - C:\WINDOWS\system32\qgqwqykr.dll
O2 - BHO: (no name) - {F6B1F430-52B5-4478-9FC6-A94F79D423C3} - C:\WINDOWS\system32\khfdbxw.dll
O2 - BHO: (no name) - {FD0953D1-849C-46A2-B8F5-77832C17AB71} - C:\WINDOWS\system32\ssqpo.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [19fd48fd] rundll32.exe "C:\WINDOWS\system32\gnghhssd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: MySQL - Unknown owner - C:\MySQL5.0\bin\mysqld-nt".exe (file missing)
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
PleaSE HELP!!
steamwiz
2007-11-06, 20:41
Hi
Please post the vundofix log ... C:\vundofix.txt
THEN ...
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
THEN ...
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
Please remember to post :-
1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. a new hijackthis log.( run after everything else)
steam
knightofni
2007-11-07, 04:17
Superantispyware log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/06/2007 at 06:29 PM
Application Version : 3.9.1008
Core Rules Database Version : 3338
Trace Rules Database Version: 1339
Scan type : Complete Scan
Total Scan Time : 03:50:11
Memory items scanned : 713
Memory threats detected : 1
Registry items scanned : 6821
Registry threats detected : 5
File items scanned : 172586
File threats detected : 63
Trojan.WinFixer
C:\WINDOWS\SYSTEM32\SSQPO.DLL
C:\WINDOWS\SYSTEM32\SSQPO.DLL
HKLM\Software\Classes\CLSID\{C3994E56-D15C-405B-A099-BD84B279BB1E}
HKCR\CLSID\{C3994E56-D15C-405B-A099-BD84B279BB1E}
HKCR\CLSID\{C3994E56-D15C-405B-A099-BD84B279BB1E}\InprocServer32
HKCR\CLSID\{C3994E56-D15C-405B-A099-BD84B279BB1E}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C3994E56-D15C-405B-A099-BD84B279BB1E}
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pubmatic[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@3.adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@3.adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ac.mediatemple[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adecn[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.auctionads[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.auctionads[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads3.blastro[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads4.blastro[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserver.easyad[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserver5.teracent[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clickaider[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clicksor[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@crackserialkeygen[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@dev.media.sparkart[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@goclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@imrworldwide[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaservices.myspace[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediatemple[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@netshiftmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@prevx.serialdevil[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@reduxads.valuead[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@richmedia.yahoo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serialdevil[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@servedby.adxpower[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stats.adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stats.sphere[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tremor.adbureau[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@warezreleases[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.admedia365[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.googleadservices[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www2.mystats[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www2.mystats[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\OQTSS.TMP
Combfix log
ComboFix 07-11-07.3 - Administrator 2007-11-06 18:49:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.460 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\crosof~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\smante~1
C:\WINDOWS\smante~1\S?mantec\
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\kjkmp.tmp
C:\WINDOWS\system32\lwyujure.dll
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\opqss.tmp
C:\WINDOWS\system32\qrygjqys.dll
C:\WINDOWS\system32\rdysbuns.dll
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\nm
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.
2007-11-06 18:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 17:10 <DIR> d-------- C:\Program Files\iPod
2007-11-06 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-06 11:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-06 11:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 11:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-06 11:34 87,104 --a------ C:\WINDOWS\system32\mfkjlady.dll
2007-11-06 02:52 <DIR> d-------- C:\Program Files\Microsoft
2007-11-06 02:05 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-06 02:05 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-06 02:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-06 02:04 11,968,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-06 02:04 64,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-05 11:32 83,008 --a------ C:\WINDOWS\system32\qgqwqykr.dll
2007-11-05 02:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 02:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2007-11-04 16:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2007-11-02 12:00 583,363 --a------ C:\WINDOWS\system32\jnclgmqg.ini.ren
2007-11-02 11:59 86,080 --a------ C:\WINDOWS\system32\gqmglcnj.dll
2007-10-31 12:06 <DIR> d-------- C:\VundoFix Backups
2007-10-31 11:58 85,568 --a------ C:\WINDOWS\system32\bdecmhjb.dll.ren
2007-10-31 11:23 85,568 --a------ C:\WINDOWS\system32\qnbmogcl.dll.ren
2007-10-31 10:53 584,544 --a------ C:\WINDOWS\system32\thdnexis.ini.ren
2007-10-31 10:53 85,568 --a------ C:\WINDOWS\system32\sixendht.dll.ren
2007-10-31 10:39 579,990 --a------ C:\WINDOWS\system32\syqjgyrq.ini.ren
2007-10-31 09:35 85,568 --a------ C:\WINDOWS\system32\ueltbyac.dll.ren
2007-10-31 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2007-10-30 23:38 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-30 20:43 574,758 --a------ C:\WINDOWS\system32\snubsydr.ini.ren
2007-10-30 00:32 <DIR> d-------- C:\Documents and Settings\Administrator\AIMPro
2007-10-29 20:45 84,544 --a------ C:\WINDOWS\system32\cygthchl.dll.ren
2007-10-29 12:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AIMPro
2007-10-29 12:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2007-10-29 11:59 85,568 --a------ C:\WINDOWS\system32\dwkpouxe.dll.ren
2007-10-29 10:17 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-29 10:17 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-29 09:44 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-29 01:12 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-28 18:40 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-28 09:29 <DIR> d-------- C:\Program Files\CONEXANT
2007-10-28 00:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 21:29 456,379 --ahs---- C:\WINDOWS\system32\opqss.ini.ren
2007-10-27 02:37 425,975 --ahs---- C:\WINDOWS\system32\opqss.ini2.ren
2007-10-27 01:06 5,073,479 --a------ C:\WINDOWS\system32\SBSP.dat
2007-10-27 01:06 17,732 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-27 01:06 194 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-26 19:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-26 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-26 09:51 <DIR> d-------- C:\Temp
2007-10-24 10:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-23 09:45 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-23 09:24 34,304 --------- C:\WINDOWS\system32\khfdbxw.dll
2007-10-22 23:06 <DIR> d-------- C:\spoolerlogs
2007-10-22 11:17 <DIR> d-------- C:\Program Files\PowerFolder.com
2007-10-21 19:00 <DIR> d-------- C:\LimeWire
2007-10-21 19:00 <DIR> d-------- C:\Incomplete
2007-10-21 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-10-21 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-10-20 14:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\3M
2007-10-15 21:39 1,045,776 --a------ C:\WINDOWS\system32\MSJET35.DLL
2007-10-15 21:39 368,912 --a------ C:\WINDOWS\system32\VBAR332.DLL
2007-10-15 21:39 252,176 --a------ C:\WINDOWS\system32\MSRD2X35.DLL
2007-10-15 21:39 123,664 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-10-15 21:39 24,848 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-10-12 12:55 <DIR> d-------- C:\Program Files\DWG TrueView 2008
2007-10-12 12:50 <DIR> d-------- C:\install
2007-10-12 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2007-10-12 11:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2007-10-12 11:55 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-10-12 11:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Downloaded Installations
2007-10-12 11:29 <DIR> d-------- C:\Documents and Settings\Administrator\IGC
2007-10-09 10:42 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 03:02 7,076 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-07 03:02 161,864 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-07 01:11 --------- d-----w C:\Program Files\iTunes
2007-11-07 01:08 --------- d-----w C:\Program Files\QuickTime
2007-11-06 19:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-11-06 11:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\Move Networks
2007-11-06 10:04 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-06 09:47 --------- d-----w C:\Program Files\Viewpoint
2007-11-06 09:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-06 09:46 --------- d-----w C:\Program Files\InterVideo
2007-11-06 09:46 --------- d-----w C:\Program Files\BreezeSys
2007-11-06 09:11 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-05 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-05 01:02 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-05 00:46 --------- d-----w C:\Program Files\Microsoft Script Debugger
2007-11-03 21:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 21:07 --------- d-----w C:\Program Files\Java
2007-10-29 20:19 --------- d-----w C:\Program Files\AIM
2007-10-29 20:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-10-29 20:16 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-29 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-28 17:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-28 07:51 --------- d-----w C:\Program Files\Sonic
2007-10-28 07:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-28 07:40 --------- d-----w C:\Program Files\HPQ
2007-10-25 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-23 23:25 --------- d-----w C:\Program Files\uTorrent
2007-10-22 05:15 --------- d-----w C:\Program Files\Quick Screen Recorder
2007-10-22 05:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NJStar
2007-10-15 20:17 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-05 00:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX
2007-10-04 04:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-09-13 19:21 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-09-13 19:21 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-09-13 19:19 --------- d-----w C:\Program Files\Common Files\Logitech
2007-09-13 19:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-09-12 00:56 --------- d-----w C:\Program Files\Apple Software Update
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 14:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 13:43]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-02-14 10:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 08:46]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 09:49]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 12:38]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 07:03]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" []
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 C:\WINDOWS\KHALMNPR.Exe]
"RegistryMechanic"="" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-09-13 11:19:38]
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [2005-10-09 19:17:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 01:39:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 02:00:01 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
knightofni
2007-11-07, 04:18
Logfile of HijackThis v1.99.1
Scan saved at 19:09, on 2007-11-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\MySQL5.0\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Notepad.exe
C:\Documents and Settings\Administrator\Desktop\killa.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchUrl/YSetSearch/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: MySQL - Unknown owner - C:\MySQL5.0\bin\mysqld-nt".exe (file missing)
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
THANKS.
steamwiz
2007-11-07, 21:22
HI
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\mfkjlady.dll
C:\WINDOWS\system32\qgqwqykr.dll
C:\WINDOWS\system32\gqmglcnj.dll
C:\WINDOWS\system32\bdecmhjb.dll.ren
C:\WINDOWS\system32\qnbmogcl.dll.ren
C:\WINDOWS\system32\thdnexis.ini.ren
C:\WINDOWS\system32\sixendht.dll.ren
C:\WINDOWS\system32\syqjgyrq.ini.ren
C:\WINDOWS\system32\ueltbyac.dll.ren
C:\WINDOWS\system32\snubsydr.ini.ren
C:\WINDOWS\system32\cygthchl.dll.ren
C:\WINDOWS\system32\dwkpouxe.dll.ren
C:\WINDOWS\system32\opqss.ini.ren
C:\WINDOWS\system32\opqss.ini2.ren
C:\WINDOWS\system32\khfdbxw.dll
Folder::
C:\VundoFix Backups
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
knightofni
2007-11-08, 04:52
Combo Fix Log
ComboFix 07-11-07.3 - Administrator 2007-11-07 19:33:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.538 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\bdecmhjb.dll.ren
C:\WINDOWS\system32\cygthchl.dll.ren
C:\WINDOWS\system32\dwkpouxe.dll.ren
C:\WINDOWS\system32\gqmglcnj.dll
C:\WINDOWS\system32\khfdbxw.dll
C:\WINDOWS\system32\mfkjlady.dll
C:\WINDOWS\system32\opqss.ini.ren
C:\WINDOWS\system32\opqss.ini2.ren
C:\WINDOWS\system32\qgqwqykr.dll
C:\WINDOWS\system32\qnbmogcl.dll.ren
C:\WINDOWS\system32\sixendht.dll.ren
C:\WINDOWS\system32\snubsydr.ini.ren
C:\WINDOWS\system32\syqjgyrq.ini.ren
C:\WINDOWS\system32\thdnexis.ini.ren
C:\WINDOWS\system32\ueltbyac.dll.ren
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\iifggfe.dll.bad
C:\VundoFix Backups\khfdbxw.dll.bad
C:\VundoFix Backups\ouxhkgoo.dll.bad
C:\VundoFix Backups\xtynufjb.dll.bad
C:\WINDOWS\system32\bdecmhjb.dll.ren
C:\WINDOWS\system32\cygthchl.dll.ren
C:\WINDOWS\system32\dwkpouxe.dll.ren
C:\WINDOWS\system32\gqmglcnj.dll
C:\WINDOWS\system32\khfdbxw.dll
C:\WINDOWS\system32\mfkjlady.dll
C:\WINDOWS\system32\opqss.ini.ren
C:\WINDOWS\system32\opqss.ini2.ren
C:\WINDOWS\system32\qgqwqykr.dll
C:\WINDOWS\system32\qnbmogcl.dll.ren
C:\WINDOWS\system32\sixendht.dll.ren
C:\WINDOWS\system32\snubsydr.ini.ren
C:\WINDOWS\system32\syqjgyrq.ini.ren
C:\WINDOWS\system32\thdnexis.ini.ren
C:\WINDOWS\system32\ueltbyac.dll.ren
.
---- Previous Run -------
.
C:\Program Files\Common Files\crosof~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\smante~1
C:\WINDOWS\smante~1\S?mantec\
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\kjkmp.tmp
C:\WINDOWS\system32\lwyujure.dll
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\opqss.tmp
C:\WINDOWS\system32\qrygjqys.dll
C:\WINDOWS\system32\rdysbuns.dll
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\nm
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.
2007-11-06 18:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 17:10 <DIR> d-------- C:\Program Files\iPod
2007-11-06 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-06 11:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-06 11:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 11:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-06 02:52 <DIR> d-------- C:\Program Files\Microsoft
2007-11-06 02:05 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-06 02:05 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-06 02:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-06 02:04 12,214,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-06 02:04 82,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-05 02:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 02:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2007-11-04 16:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2007-11-02 12:00 583,363 --a------ C:\WINDOWS\system32\jnclgmqg.ini.ren
2007-10-31 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2007-10-30 23:38 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-30 00:32 <DIR> d-------- C:\Documents and Settings\Administrator\AIMPro
2007-10-29 12:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AIMPro
2007-10-29 12:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2007-10-29 10:17 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-29 10:17 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-29 09:44 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-29 01:12 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-28 18:40 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-28 09:29 <DIR> d-------- C:\Program Files\CONEXANT
2007-10-28 00:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 01:06 5,073,479 --a------ C:\WINDOWS\system32\SBSP.dat
2007-10-27 01:06 17,732 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-27 01:06 194 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-26 19:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-26 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-26 09:51 <DIR> d-------- C:\Temp
2007-10-24 10:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-23 09:45 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-22 23:06 <DIR> d-------- C:\spoolerlogs
2007-10-22 11:17 <DIR> d-------- C:\Program Files\PowerFolder.com
2007-10-21 19:00 <DIR> d-------- C:\LimeWire
2007-10-21 19:00 <DIR> d-------- C:\Incomplete
2007-10-21 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-10-21 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-10-20 14:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\3M
2007-10-15 21:39 1,045,776 --a------ C:\WINDOWS\system32\MSJET35.DLL
2007-10-15 21:39 368,912 --a------ C:\WINDOWS\system32\VBAR332.DLL
2007-10-15 21:39 252,176 --a------ C:\WINDOWS\system32\MSRD2X35.DLL
2007-10-15 21:39 123,664 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-10-15 21:39 24,848 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-10-12 12:55 <DIR> d-------- C:\Program Files\DWG TrueView 2008
2007-10-12 12:50 <DIR> d-------- C:\install
2007-10-12 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2007-10-12 11:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2007-10-12 11:55 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-10-12 11:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Downloaded Installations
2007-10-12 11:29 <DIR> d-------- C:\Documents and Settings\Administrator\IGC
2007-10-09 10:42 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 03:40 8,732 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-08 03:40 165,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-07 01:11 --------- d-----w C:\Program Files\iTunes
2007-11-07 01:08 --------- d-----w C:\Program Files\QuickTime
2007-11-06 19:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-11-06 11:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\Move Networks
2007-11-06 10:04 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-06 09:47 --------- d-----w C:\Program Files\Viewpoint
2007-11-06 09:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-06 09:46 --------- d-----w C:\Program Files\InterVideo
2007-11-06 09:46 --------- d-----w C:\Program Files\BreezeSys
2007-11-06 09:11 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-05 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-05 01:02 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-05 00:46 --------- d-----w C:\Program Files\Microsoft Script Debugger
2007-11-03 21:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 21:07 --------- d-----w C:\Program Files\Java
2007-10-29 20:19 --------- d-----w C:\Program Files\AIM
2007-10-29 20:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-10-29 20:16 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-29 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-28 17:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-28 07:51 --------- d-----w C:\Program Files\Sonic
2007-10-28 07:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-28 07:40 --------- d-----w C:\Program Files\HPQ
2007-10-25 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-23 23:25 --------- d-----w C:\Program Files\uTorrent
2007-10-22 05:15 --------- d-----w C:\Program Files\Quick Screen Recorder
2007-10-22 05:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NJStar
2007-10-15 20:17 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-05 00:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX
2007-10-04 04:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-09-13 19:21 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-09-13 19:21 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-09-13 19:19 --------- d-----w C:\Program Files\Common Files\Logitech
2007-09-13 19:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-09-12 00:56 --------- d-----w C:\Program Files\Apple Software Update
.
((((((((((((((((((((((((((((( snapshot@2007-11-06_19.08.06.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-14 02:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-11-07 02:43:49 84,070 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 03:08:48 84,070 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-07 02:43:49 461,964 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 03:08:48 461,964 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 14:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 13:43]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-02-14 10:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 08:46]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 09:49]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 12:38]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 07:03]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" []
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 C:\WINDOWS\KHALMNPR.Exe]
"RegistryMechanic"="" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-09-13 11:19:38]
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [2005-10-09 19:17:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 01:39:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 02:00:01 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 19:42:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???pd??????(?@???????@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-07 19:46:13 - machine was rebooted
.
--- E O F ---
knightofni
2007-11-08, 04:53
Logfile of HijackThis v1.99.1
Scan saved at 7:47:38 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\MySQL5.0\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\killa.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchUrl/YSetSearch/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5F435F-E1FF-4CB1-B4BF-B1DEFE7F7662}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: MySQL - Unknown owner - C:\MySQL5.0\bin\mysqld-nt".exe (file missing)
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
knightofni
2007-11-08, 04:54
Thanks for the help thus far, steam. I think my computer is in better shape now.
steamwiz
2007-11-08, 20:50
HI
One file I missed ...
C:\WINDOWS\system32\jnclgmqg.ini.ren
Can you browse to this file on your computer ... right click on it & delete it ...
-
Then do this please ...
Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
cheers
steam
This topic has been moved to archives.
If you need the thread re-opened, please send me a private message (pm) and provide a link.
Applies only to the original poster, anyone else with similar problems please start your own topic.