Need help with virtumonde
Spybot says I have it and directed me here. It keeps coming back after being cleaned; how do I get rid of it?
__RiP_ChAiN_
2007-12-21, 00:07
Hello jebu82,
Please have a look through this thread (http://forums.spybot.info/showthread.php?t=288), and if you still require assistance afterwards, please post the required logs.
OK. I was having trouble getting the log files. This is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:17 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~2\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 3855 bytes
And this is the other one.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 20, 2007 4:34:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/12/2007
Kaspersky Anti-Virus database records: 490757
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 33519
Number of viruses found: 1
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 00:14:41
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F02442E7-0EBB-4C09-9E1B-EF3E48D8090E}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\awtqn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\awvvu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\ddcyx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\jkhff.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\ssqpm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\ssqpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\sstqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\vtsqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxc skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
__RiP_ChAiN_
2007-12-21, 02:51
Hello jebu82,
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Please download ComboFix by sUBs from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or HERE (http://subs.geekstogo.com/ComboFix.exe)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
OK. I'm not sure where it's sending that uninstall file you first mentioned. Here are the other 2.
ComboFix 07-12-21.4 - 2007-12-20 19:17:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.628 [GMT -6:00]
Running from: C:\Documents and Settings\\Desktop\sims2\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\SYSTEM32\ppqss.ini
C:\WINDOWS\SYSTEM32\ppqss.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.
2007-12-20 16:37 . 2007-12-20 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 15:51 . 2007-12-20 15:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-20 15:51 . 2007-12-20 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-20 15:25 . 2007-12-20 15:25 314,560 --a------ C:\WINDOWS\SYSTEM32\ssqpm.dll
2007-12-20 14:48 . 2007-12-20 15:49 151 --a------ C:\WINDOWS\wininit.ini
2007-12-20 14:16 . 2007-12-20 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 12:11 . 2007-12-20 12:11 314,560 --a------ C:\WINDOWS\SYSTEM32\vtsqo.dll
2007-12-20 11:11 . 2007-12-20 11:11 314,560 --a------ C:\WINDOWS\SYSTEM32\awtqn.dll
2007-12-15 11:49 . 2007-12-15 11:49 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-12-14 09:45 . 2007-12-14 09:45 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-14 09:41 . 2007-12-14 09:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-14 07:32 . 2007-12-14 07:32 314,624 --a------ C:\WINDOWS\SYSTEM32\ssqpp.dll
2007-12-11 17:14 . 2007-12-11 17:14 <DIR> d-------- C:\Program Files\Google
2007-12-11 09:12 . 2007-12-11 09:12 2,422 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-12-11 08:29 . 2007-12-11 08:29 <DIR> d-------- C:\Documents and Settings\\Application Data\Grisoft
2007-12-11 08:29 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-11 08:05 . 2007-12-11 08:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-11 08:05 . 2007-12-20 10:07 <DIR> d-------- C:\Documents and Settings\\Application Data\AVG7
2007-12-11 08:05 . 2007-12-11 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-11 08:05 . 2007-12-11 08:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-11 08:05 . 2007-12-11 08:05 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-11 08:05 . 2007-12-11 08:05 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-10 05:24 . 2007-12-10 05:24 <DIR> d---s---- C:\Documents and Settings\\UserData
2007-12-09 16:31 . 2007-12-09 16:31 <DIR> d-------- C:\Program Files\Marvell
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d-------- C:\WINDOWS\VirtualEar
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-09 16:29 . 2007-12-09 16:31 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d-------- C:\Program Files\Analog Devices
2007-12-09 15:05 . 2007-12-09 16:23 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-09 15:05 . 2004-08-17 20:14 442,368 -ra------ C:\WINDOWS\SYSTEM32\vp6vfw.dll
2007-12-09 14:49 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2007-12-09 14:47 . 2007-12-09 14:47 <DIR> d-------- C:\Program Files\Intel
2007-12-09 14:47 . 2007-12-09 16:29 11,001 --a------ C:\WINDOWS\Ascd_tmp.ini
2007-12-09 14:47 . 2005-04-30 06:30 5,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASUSHWIO.SYS
2007-12-09 14:44 . 2007-12-09 14:44 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2007-12-09 14:44 . 2007-12-09 14:44 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-09 14:42 . 2004-08-04 06:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-12-09 14:40 . 2007-12-20 15:51 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-12-09 14:40 . 2007-12-09 14:41 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-09 14:40 . 2004-08-04 06:00 4,399,505 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nls302en.lex
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
2007-12-09 14:40 . 2007-12-09 14:40 488 -rah----- C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
2007-12-09 14:40 . 2007-12-09 14:40 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-12-09 14:37 . 2007-12-09 14:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\MsDtc
2007-12-09 08:34 . 2001-08-17 07:59 3,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\audstub.sys
2007-12-09 08:33 . 2004-08-03 16:59 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2007-12-09 08:32 . 2004-08-03 18:56 74,240 --a------ C:\WINDOWS\SYSTEM32\usbui.dll
2007-12-09 08:32 . 2004-08-03 16:59 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\intelide.sys
2007-12-09 08:31 . 2007-12-09 15:40 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-12-09 08:30 . 2007-12-20 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2007-12-09 08:30 . 2007-12-09 08:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
2007-12-09 08:30 . 2004-08-04 06:00 1,086,058 -ra------ C:\WINDOWS\SET4.tmp
2007-12-09 08:30 . 2004-08-04 06:00 1,042,903 -ra------ C:\WINDOWS\SET3.tmp
2007-12-09 08:30 . 2004-08-04 06:00 13,753 -ra------ C:\WINDOWS\SET8.tmp
2007-12-09 08:27 . 2007-12-09 14:45 <DIR> d-------- C:\Documents and Settings
2007-12-09 08:24 . 2007-12-09 08:24 512 ---hs---- C:\bootsect.dos
2007-12-09 08:24 . 2007-12-09 14:43 261 --a------ C:\WINDOWS\SYSTEM32\$winnt$.inf
2007-12-09 08:24 . 2007-12-09 14:36 211 ---hs---- C:\boot.ini
2007-12-06 16:02 . 2007-12-06 16:02 19,247 ---hs---- C:\BOOTLOG.PRV
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 13:51 5,166 --sh--w C:\SUHDLOG.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60C88137-82BA-4B0E-BF0F-49A5880B452F}]
2007-12-14 07:32 314624 --a------ C:\WINDOWS\system32\ssqpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 10:18]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"AVG7_CC"="C:\PROGRA~2\Grisoft\AVG7\avgcc.exe" [2007-12-11 08:05]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~2\Grisoft\AVG7\avgw.exe" [2007-12-11 08:05]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqpp.dll
*Newly Created Service* - HTTPFILTER
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 19:20:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\ssqpp.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ssqpp.dll
-> C:\DOCUME~1\\LOCALS~1\Temp\rjexejkn.dll
.
Completion time: 2007-12-20 19:21:15 - machine was rebooted
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:28 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~2\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 3769 bytes
I'm so sorry about the language; I didn't realize until now what my doc folder was named. (It was a very long day when I did the Windows installation and it wouldn't let me call it comp, and my boyfriend was getting upset... he thought it was only a half hour tops kind of thing... and I named it something I wanted to say to him, not realizing I would not be able to change it later.) It's been another long day trying to get rid of this thing. Thanks so much for helping.
__RiP_ChAiN_
2007-12-21, 06:24
Hello jebu82,
I understand how frustrating doing things on the computer can be; I used to get more upset with mine than I ever thought possible. For the purpose of this help though, and given the nature of this forum, I must ask you to remove that language from your logs before you post them in the future.
1. Please open Notepad
Click Start , then Run
Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\SYSTEM32\ssqpm.dll
C:\WINDOWS\SYSTEM32\vtsqo.dll
C:\WINDOWS\SYSTEM32\awtqn.dll
C:\QINDOWS\SYSTEM32\ssqpp.dll
C:\DOCUME~1\\LOCALS~1\Temp\rjexejkn.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60C88137-82BA-4B0E-BF0F-49A5880B452F}]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply, after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
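The ComboFix report posted earlier in the thread shows one DLL, ssqpp.dll, registered as a Browser Helper Object, appended to the LSA "Authentication Packages" value, and loaded into both lsass.exe and Explorer.EXE, with a second DLL loaded from the Temp folder. That combination is why deleting files one at a time keeps failing: lsass.exe loads every listed authentication package when the system starts, so the DLL is already in memory before any on-demand scan runs, and the remaining copy drops fresh randomly named DLLs. The Python below is an added example, not code from the thread, ComboFix, HijackThis or Spybot. It parses a constructed excerpt modelled on that report (SAMPLE_REPORT, with the user name replaced), correlates the three indicators per DLL, and writes a CFScript in the File::/Registry:: shape used in the post above. It assumes the section layout shown in the thread, and it does not script the LSA value itself: the lsa key cannot be deleted, so that value has to be reset to msv1_0 by hand, which the example reports as a manual step.

```python
"""Correlate Virtumonde-style persistence indicators in a ComboFix report.

Added example for this thread; not ComboFix, HijackThis or Spybot code.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the report posted in the thread; the
# elided user name is replaced with "user". Only the three sections the
# functions below read are included.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60C88137-82BA-4B0E-BF0F-49A5880B452F}]
2007-12-14 07:32 314624 --a------ C:\WINDOWS\system32\ssqpp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqpp.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\ssqpp.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ssqpp.dll
-> C:\DOCUME~1\user\LOCALS~1\Temp\rjexejkn.dll
.
"""

# msv1_0 (NTLM) is the only authentication package a stock XP install lists;
# anything else here is loaded into lsass.exe at boot, before any user logs on.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
HIGH_CONFIDENCE = {"lsa-authentication-package", "loaded-in-lsass"}

# A BHO key line followed by ComboFix's "date time size attrs path" line.
BHO_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-F-]+\})\]\r?\n"
    r"\S+ \S+ \S+ \S+ (.+?\.dll)\s*$",
    re.M | re.I,
)
AUTH_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", re.M)


def extract_bhos(report):
    """(CLSID, dll path) for every BHO listed under Reg Loading Points."""
    return [(m.group(1), m.group(2)) for m in BHO_RE.finditer(report)]


def extract_auth_packages(report):
    """Entries of the LSA Authentication Packages value (space-separated in the log)."""
    m = AUTH_RE.search(report)
    return m.group(1).split() if m else []


def extract_loaded_dlls(report):
    """process path -> DLL paths from the 'DLLs Loaded Under Running Processes' section."""
    loaded, current = defaultdict(list), None
    for line in report.splitlines():
        if line.startswith("PROCESS: "):
            current = line[len("PROCESS: "):].split(" [")[0]
        elif line.startswith("-> ") and current:
            loaded[current].append(line[3:].strip())
    return dict(loaded)


def assess(report):
    """dll path -> sorted reasons, for DLLs that more than one mechanism points at.

    A lone BHO registration is not reported (legitimate toolbars are BHOs too);
    an LSA package, a DLL inside lsass.exe, or a DLL loaded from Temp is.
    """
    reasons, spelling = defaultdict(set), {}

    def note(path, reason):
        key = path.lower()                      # correlate case-insensitively
        spelling.setdefault(key, path)          # keep the first spelling seen
        reasons[key].add(reason)

    for pkg in extract_auth_packages(report):
        if pkg.lower() not in KNOWN_AUTH_PACKAGES:
            note(pkg, "lsa-authentication-package")
    for clsid, dll in extract_bhos(report):
        note(dll, f"bho:{clsid}")
    for proc, dlls in extract_loaded_dlls(report).items():
        pname = proc.rsplit("\\", 1)[-1].lower()
        for dll in dlls:
            if pname == "lsass.exe":
                note(dll, "loaded-in-lsass")
            if "\\temp\\" in dll.lower():
                note(dll, f"temp-dll-in:{pname}")

    def strong(rs):
        return len(rs) >= 2 or any(r in HIGH_CONFIDENCE or r.startswith("temp-dll-in:") for r in rs)

    return {spelling[k]: sorted(rs) for k, rs in reasons.items() if strong(rs)}


def build_cfscript(findings):
    """Return (CFScript text, manual steps) in the File::/Registry:: shape from the thread."""
    keys = sorted(
        f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{r[4:]}]"
        for rs in findings.values() for r in rs if r.startswith("bho:")
    )
    script = "\n".join(["File::", *sorted(findings), "", "Registry::", *keys]) + "\n"
    manual = []
    if any("lsa-authentication-package" in rs for rs in findings.values()):
        manual.append("Reset HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages to msv1_0")
    return script, manual


if __name__ == "__main__":
    found = assess(SAMPLE_REPORT)
    for dll, rs in found.items():
        print(dll, "<-", ", ".join(rs))
    text, steps = build_cfscript(found)
    print(text)
    print("Manual:", *steps, sep="\n  ")
```

Run against a real report, the script output is only a starting point: the file list and BHO key must still be reviewed by hand before anyone feeds it to ComboFix, and the LSA value is the one thing this script deliberately leaves to a manual edit.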
OK. Here are the reports. Again, so sorry, and is there a way to change that anyway?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:06 AM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~2\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5178 bytes
ComboFix 07-12-21.4 - Mine 2007-12-21 1:13:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.572 [GMT -6:00]
Running from: C:\Documents and Settings\Mine\Desktop\sims2\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mine\My Documents\CFScript.txt
* Created a new restore point
FILE
C:\DOCUME~1\\LOCALS~1\Temp\rjexejkn.dll
C:\QINDOWS\SYSTEM32\ssqpp.dll
C:\WINDOWS\SYSTEM32\awtqn.dll
C:\WINDOWS\SYSTEM32\ssqpm.dll
C:\WINDOWS\SYSTEM32\vtsqo.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\awtqn.dll
C:\WINDOWS\SYSTEM32\ssqpm.dll
C:\WINDOWS\SYSTEM32\vtsqo.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.
2007-12-20 23:02 . 2007-12-20 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 23:00 . 2007-12-20 23:01 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-20 22:05 . 2007-12-20 22:05 <DIR> d-------- C:\Documents and Settings\*****\Application Data\Comodo
2007-12-20 22:05 . 2007-12-20 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-12-20 22:04 . 2007-12-09 14:36 211 --a------ C:\boot.ini.comodofirewall
2007-12-20 22:03 . 2007-12-20 22:03 <DIR> d-------- C:\Program Files\Comodo
2007-12-20 19:23 . 2007-12-21 01:16 40,625 --ahs---- C:\WINDOWS\SYSTEM32\ppqss.ini2
2007-12-20 19:20 . 2007-12-21 01:16 40,727 --ahs---- C:\WINDOWS\SYSTEM32\ppqss.ini
2007-12-20 16:37 . 2007-12-20 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 15:51 . 2007-12-20 15:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-20 15:51 . 2007-12-20 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-20 14:48 . 2007-12-20 15:49 151 --a------ C:\WINDOWS\wininit.ini
2007-12-20 14:16 . 2007-12-20 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-15 11:49 . 2007-12-15 11:49 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-12-14 09:45 . 2007-12-14 09:45 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-14 09:41 . 2007-12-14 09:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-14 07:32 . 2007-12-14 07:32 314,624 --a------ C:\WINDOWS\SYSTEM32\ssqpp.dll
2007-12-11 17:14 . 2007-12-11 17:14 <DIR> d-------- C:\Program Files\Google
2007-12-11 09:12 . 2007-12-11 09:12 2,422 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-12-11 08:29 . 2007-12-11 08:29 <DIR> d-------- C:\Documents and Settings\*****\Application Data\Grisoft
2007-12-11 08:29 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-11 08:05 . 2007-12-11 08:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-11 08:05 . 2007-12-20 23:20 <DIR> d-------- C:\Documents and Settings\*****\Application Data\AVG7
2007-12-11 08:05 . 2007-12-11 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-11 08:05 . 2007-12-11 08:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-11 08:05 . 2007-12-11 08:05 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-11 08:05 . 2007-12-11 08:05 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-10 05:24 . 2007-12-10 05:24 <DIR> d---s---- C:\Documents and Settings\******\UserData
2007-12-09 16:31 . 2007-12-09 16:31 <DIR> d-------- C:\Program Files\Marvell
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d-------- C:\WINDOWS\VirtualEar
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-09 16:29 . 2007-12-09 16:31 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d-------- C:\Program Files\Analog Devices
2007-12-09 15:05 . 2007-12-09 16:23 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-09 15:05 . 2004-08-17 20:14 442,368 -ra------ C:\WINDOWS\SYSTEM32\vp6vfw.dll
2007-12-09 14:49 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2007-12-09 14:47 . 2007-12-09 14:47 <DIR> d-------- C:\Program Files\Intel
2007-12-09 14:47 . 2007-12-09 16:29 11,001 --a------ C:\WINDOWS\Ascd_tmp.ini
2007-12-09 14:47 . 2005-04-30 06:30 5,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASUSHWIO.SYS
2007-12-09 14:44 . 2007-12-09 14:44 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2007-12-09 14:44 . 2007-12-09 14:44 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-09 14:42 . 2004-08-04 06:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-12-09 14:40 . 2007-12-20 15:51 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-12-09 14:40 . 2007-12-09 14:41 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-09 14:40 . 2004-08-04 06:00 4,399,505 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nls302en.lex
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
2007-12-09 14:40 . 2007-12-09 14:40 488 -rah----- C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
2007-12-09 14:40 . 2007-12-09 14:40 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-12-09 14:37 . 2007-12-09 14:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\MsDtc
2007-12-09 08:34 . 2001-08-17 07:59 3,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\audstub.sys
2007-12-09 08:33 . 2004-08-03 16:59 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2007-12-09 08:32 . 2004-08-03 18:56 74,240 --a------ C:\WINDOWS\SYSTEM32\usbui.dll
2007-12-09 08:32 . 2004-08-03 16:59 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\intelide.sys
2007-12-09 08:31 . 2007-12-09 15:40 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-12-09 08:30 . 2007-12-20 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2007-12-09 08:30 . 2007-12-09 08:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
2007-12-09 08:30 . 2004-08-04 06:00 1,086,058 -ra------ C:\WINDOWS\SET4.tmp
2007-12-09 08:30 . 2004-08-04 06:00 1,042,903 -ra------ C:\WINDOWS\SET3.tmp
2007-12-09 08:30 . 2004-08-04 06:00 13,753 -ra------ C:\WINDOWS\SET8.tmp
2007-12-09 08:27 . 2007-12-09 14:45 <DIR> d-------- C:\Documents and Settings
2007-12-09 08:24 . 2007-12-09 08:24 512 ---hs---- C:\bootsect.dos
2007-12-09 08:24 . 2007-12-09 14:43 261 --a------ C:\WINDOWS\SYSTEM32\$winnt$.inf
2007-12-09 08:24 . 2007-12-20 22:04 211 ---hs---- C:\boot.ini
2007-12-06 16:02 . 2007-12-06 16:02 19,247 ---hs---- C:\BOOTLOG.PRV
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 13:51 5,166 --sh--w C:\SUHDLOG.DAT
.
((((((((((((((((((((((((((((( snapshot@2007-12-20_19.20.47.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-21 04:03:50 75,520 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\cmdmon.sys
+ 2007-12-21 04:03:50 51,328 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\inspect.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E51DE0-640F-4107-9F1C-A9CC4B7ADB90}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F3755E4-0818-48C5-9EF5-148D27D8D784}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92C52EE7-03D5-4197-819A-DED03FAE6014}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DEEB81-204C-4AFB-B361-F81114220DBF}]
2007-12-14 07:32 314624 --a------ C:\WINDOWS\system32\ssqpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 10:18]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"AVG7_CC"="C:\PROGRA~2\Grisoft\AVG7\avgcc.exe" [2007-12-11 08:05]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-12-20 22:03]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~2\Grisoft\AVG7\avgw.exe" [2007-12-11 08:05]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqpp.dll
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 01:17:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\ssqpp.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ssqpp.dll
.
Completion time: 2007-12-21 1:18:01 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-20 19:21
__RiP_ChAiN_
2007-12-22, 06:22
Hello jebu82,
OK. Here's the reports. Again, so sorry, and is there a way to change that anyway?
Actually, yes.
Go to START, then Settings, then Control Panel, then User Accounts. Then click on your account name, then click on "Change my name", change it to something less derogatory and click "Change Name."
This will not, however, change your current folders that already have your previous name on them.
1. Please open Notepad
Click Start , then Run
Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\SYSTEM32\ppqss.ini2
C:\WINDOWS\SYSTEM32\ppqss.ini
C:\WINDOWS\SYSTEM32\ssqpp.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E51DE0-640F-4107-9F1C-A9CC4B7ADB90}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F3755E4-0818-48C5-9EF5-148D27D8D784}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92C52EE7-03D5-4197-819A-DED03FAE6014}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DEEB81-204C-4AFB-B361-F81114220DBF}]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
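Added example, not part of the helper's instructions and not ComboFix's own code: the CFScript above is assembled by hand from three places in the first ComboFix log. In Reg Loading Points, ssqpp.dll is printed under a nameless Browser Helper Object CLSID and, more importantly, appears in the LSA "Authentication Packages" value next to msv1_0, which is what gets it loaded into lsass.exe at boot. The "DLLs Loaded Under Running Processes" section then shows lsass.exe and Explorer.EXE with the DLL mapped, and a DLL that lsass.exe has mapped cannot be deleted while Windows is running, which is why the removal goes through ComboFix and a reboot rather than a plain delete. Finally, the Files Created list holds ppqss.ini and ppqss.ini2, whose names are the DLL name spelled backwards. The script below pulls those indicators out of a log excerpt and drafts the File:: and Registry:: sections in the same shape as the helper's script. The excerpt is constructed from the log posted in this thread; treating msv1_0 as the only legitimate Authentication Package on XP and reading the multi-string value as space-separated are assumptions made here.

```python
"""Triage a ComboFix log for a Vundo/Virtumonde-style DLL and draft a CFScript.

Added example for this thread; not ComboFix's code and not the helper's script.
SAMPLE_LOG is a constructed excerpt condensed from the log posted above.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
2007-12-20 19:23 . 2007-12-21 01:16 40,625 --ahs---- C:\WINDOWS\SYSTEM32\ppqss.ini2
2007-12-20 19:20 . 2007-12-21 01:16 40,727 --ahs---- C:\WINDOWS\SYSTEM32\ppqss.ini
2007-12-14 07:32 . 2007-12-14 07:32 314,624 --a------ C:\WINDOWS\SYSTEM32\ssqpp.dll
2007-12-11 08:05 . 2007-12-11 08:05 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E51DE0-640F-4107-9F1C-A9CC4B7ADB90}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DEEB81-204C-4AFB-B361-F81114220DBF}]
2007-12-14 07:32 314624 --a------ C:\WINDOWS\system32\ssqpp.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqpp.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\ssqpp.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ssqpp.dll
"""

# ComboFix abbreviates SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer as "~".
BHO_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-F-]{36}\})\]$", re.I)
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d .*?([A-Z]:\\.*)$")
LSA_LINE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$")
PROC_LINE = re.compile(r"^PROCESS:\s+(.*?)\s+\[")


@dataclass
class Triage:
    created: list = field(default_factory=list)    # paths from "Files Created"
    bho_keys: list = field(default_factory=list)   # [key, dll-or-None] pairs
    lsa_dlls: list = field(default_factory=list)   # non-default LSA auth packages
    loaded_in: dict = field(default_factory=dict)  # dll (lowercase) -> processes


def parse(log: str) -> Triage:
    t, section, proc, last_bho = Triage(), None, None, None
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith("(((") and "Files Created" in line:
            section = "created"
        elif line.startswith("(((") and "Reg Loading Points" in line:
            section = "reg"
        elif "DLLs Loaded Under Running Processes" in line:
            section = "loaded"
        elif section == "created":
            if (m := FILE_LINE.match(line)):
                t.created.append(m.group(1))
        elif section == "reg":
            if (m := BHO_KEY.match(line)):
                last_bho = [m.group(1), None]
                t.bho_keys.append(last_bho)
            elif line.startswith("["):
                last_bho = None  # a different key; stop attributing file lines
            elif (m := FILE_LINE.match(line)) and last_bho and last_bho[1] is None:
                last_bho[1] = m.group(1)  # ComboFix prints the DLL under its BHO key
            elif (m := LSA_LINE.match(line)):
                # Assumption: values are space-separated as on this page and msv1_0
                # is the only package XP installs by default; anything else is injected.
                t.lsa_dlls += [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        elif section == "loaded":
            if (m := PROC_LINE.match(line)):
                proc = m.group(1)
            elif line.startswith("->") and proc:
                t.loaded_in.setdefault(line[2:].strip().lower(), []).append(proc)
    return t


def suspect_dlls(t: Triage) -> list:
    """DLLs planted as LSA packages or registered as BHOs ComboFix did not whitelist."""
    seen, out = set(), []
    for p in t.lsa_dlls + [path for _, path in t.bho_keys if path]:
        if p.lower().endswith(".dll") and p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def companion_files(t: Triage, dll: str) -> list:
    """Config files named with the DLL's stem reversed (ssqpp.dll -> ppqss.ini), as in this log."""
    stem = dll.rsplit("\\", 1)[-1].split(".")[0].lower()[::-1]
    return [f for f in t.created if f.rsplit("\\", 1)[-1].split(".")[0].lower() == stem]


def locked_by(t: Triage, dll: str) -> list:
    """Processes that have the DLL mapped; lsass.exe here rules out an in-session delete."""
    return t.loaded_in.get(dll.lower(), [])


def build_cfscript(t: Triage) -> str:
    """Draft the File:: and Registry:: sections in the layout the helper used above."""
    files = []
    for dll in suspect_dlls(t):
        files += companion_files(t, dll) + [dll]
    keys = [key for key, _ in t.bho_keys]  # dangling CLSIDs and the loader alike
    return ("File::\n" + "\n".join(files) + "\n\nRegistry::\n"
            + "\n".join(f"[-{k}]" for k in keys) + "\n")


if __name__ == "__main__":
    triage = parse(SAMPLE_LOG)
    for dll in suspect_dlls(triage):
        print(f"{dll} is mapped by: {', '.join(locked_by(triage, dll))}")
    print(build_cfscript(triage))
```

Run it as-is and the draft matches the three File:: lines and the BHO key removals in the helper's script above; the LSA value itself is left alone here, since rewriting a REG_MULTI_SZ by hand in a CFScript is easy to get wrong and the second ComboFix run on this page no longer lists it once the DLL is gone.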
ComboFix 07-12-21.4 - *** 2007-12-22 9:28:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.627 [GMT -6:00]
Running from: C:\Documents and Settings\***\Desktop\sims2\ComboFix.exe
Command switches used :: C:\Documents and Settings\***\My Documents\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\SYSTEM32\ppqss.ini
C:\WINDOWS\SYSTEM32\ppqss.ini2
C:\WINDOWS\SYSTEM32\ssqpp.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\ppqss.ini
C:\WINDOWS\SYSTEM32\ppqss.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-20 23:02 . 2007-12-20 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 23:00 . 2007-12-20 23:01 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-20 22:05 . 2007-12-20 22:05 <DIR> d-------- C:\Documents and Settings\***\Application Data\Comodo
2007-12-20 22:05 . 2007-12-20 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-12-20 22:04 . 2007-12-09 14:36 211 --a------ C:\boot.ini.comodofirewall
2007-12-20 22:03 . 2007-12-20 22:03 <DIR> d-------- C:\Program Files\Comodo
2007-12-20 16:37 . 2007-12-20 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 15:51 . 2007-12-20 15:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-20 15:51 . 2007-12-20 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-20 14:48 . 2007-12-20 15:49 151 --a------ C:\WINDOWS\wininit.ini
2007-12-20 14:16 . 2007-12-20 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-15 11:49 . 2007-12-15 11:49 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-12-14 09:45 . 2007-12-14 09:45 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-14 09:41 . 2007-12-14 09:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-11 17:14 . 2007-12-11 17:14 <DIR> d-------- C:\Program Files\Google
2007-12-11 09:12 . 2007-12-11 09:12 2,422 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-12-11 08:29 . 2007-12-11 08:29 <DIR> d-------- C:\Documents and Settings\***\Application Data\Grisoft
2007-12-11 08:29 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-11 08:05 . 2007-12-11 08:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-11 08:05 . 2007-12-22 09:09 <DIR> d-------- C:\Documents and Settings\***\Application Data\AVG7
2007-12-11 08:05 . 2007-12-11 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-11 08:05 . 2007-12-11 08:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-11 08:05 . 2007-12-11 08:05 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-11 08:05 . 2007-12-11 08:05 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-10 05:24 . 2007-12-10 05:24 <DIR> d---s---- C:\Documents and Settings\***\UserData
2007-12-09 16:31 . 2007-12-09 16:31 <DIR> d-------- C:\Program Files\Marvell
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d-------- C:\WINDOWS\VirtualEar
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-09 16:29 . 2007-12-09 16:31 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-09 16:29 . 2007-12-09 16:29 <DIR> d-------- C:\Program Files\Analog Devices
2007-12-09 15:05 . 2007-12-09 16:23 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-09 15:05 . 2004-08-17 20:14 442,368 -ra------ C:\WINDOWS\SYSTEM32\vp6vfw.dll
2007-12-09 14:49 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2007-12-09 14:47 . 2007-12-09 14:47 <DIR> d-------- C:\Program Files\Intel
2007-12-09 14:47 . 2007-12-09 16:29 11,001 --a------ C:\WINDOWS\Ascd_tmp.ini
2007-12-09 14:47 . 2005-04-30 06:30 5,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASUSHWIO.SYS
2007-12-09 14:44 . 2007-12-09 14:44 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2007-12-09 14:44 . 2007-12-09 14:44 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-09 14:42 . 2004-08-04 06:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
2007-12-09 14:41 . 2007-12-09 14:41 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-12-09 14:40 . 2007-12-20 15:51 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-12-09 14:40 . 2007-12-09 14:41 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-09 14:40 . 2004-08-04 06:00 4,399,505 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nls302en.lex
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-12-09 14:40 . 2007-12-09 14:40 749 -rah----- C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
2007-12-09 14:40 . 2007-12-09 14:40 488 -rah----- C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
2007-12-09 14:40 . 2007-12-09 14:40 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-12-09 14:37 . 2007-12-09 14:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\MsDtc
2007-12-09 08:34 . 2001-08-17 07:59 3,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\audstub.sys
2007-12-09 08:33 . 2004-08-03 16:59 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2007-12-09 08:32 . 2004-08-03 18:56 74,240 --a------ C:\WINDOWS\SYSTEM32\usbui.dll
2007-12-09 08:32 . 2004-08-03 16:59 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\intelide.sys
2007-12-09 08:31 . 2007-12-09 15:40 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-12-09 08:30 . 2007-12-22 00:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2007-12-09 08:30 . 2007-12-09 08:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
2007-12-09 08:30 . 2004-08-04 06:00 1,086,058 -ra------ C:\WINDOWS\SET4.tmp
2007-12-09 08:30 . 2004-08-04 06:00 1,042,903 -ra------ C:\WINDOWS\SET3.tmp
2007-12-09 08:30 . 2004-08-04 06:00 13,753 -ra------ C:\WINDOWS\SET8.tmp
2007-12-09 08:27 . 2007-12-09 14:45 <DIR> d-------- C:\Documents and Settings
2007-12-09 08:24 . 2007-12-09 08:24 512 ---hs---- C:\bootsect.dos
2007-12-09 08:24 . 2007-12-09 14:43 261 --a------ C:\WINDOWS\SYSTEM32\$winnt$.inf
2007-12-09 08:24 . 2007-12-20 22:04 211 ---hs---- C:\boot.ini
2007-12-06 16:02 . 2007-12-06 16:02 19,247 ---hs---- C:\BOOTLOG.PRV
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 13:51 5,166 --sh--w C:\SUHDLOG.DAT
.
((((((((((((((((((((((((((((( snapshot@2007-12-20_19.20.47.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-11 14:05:37 3,968 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2007-12-21 15:02:56 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
- 2007-12-11 14:05:37 19,904 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-12-21 15:02:53 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-12-21 04:03:50 75,520 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\cmdmon.sys
+ 2007-12-21 04:03:50 51,328 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\inspect.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62674E13-79D9-4CD3-B99A-016339C50E1E}]
C:\WINDOWS\system32\ssqpp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F3755E4-0818-48C5-9EF5-148D27D8D784}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DEEB81-204C-4AFB-B361-F81114220DBF}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 10:18]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"AVG7_CC"="C:\PROGRA~2\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:02]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-12-20 22:03]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~2\Grisoft\AVG7\avgw.exe" [2007-12-11 08:05]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 09:31:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-22 9:31:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-21 01:18
C:\ComboFix3.txt ... 2007-12-20 19:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:27 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~2\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62674E13-79D9-4CD3-B99A-016339C50E1E} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5486 bytes
OK, every scan I've done with Spybot and AVG has been clean, and AVG Resident Shield doesn't keep popping up showing an infection.
__RiP_ChAiN_
2007-12-23, 08:24
Hello jebu82,
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: (no name) - {62674E13-79D9-4CD3-B99A-016339C50E1E} - C:\WINDOWS\system32\ssqpp.dll (file missing)
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan. Once you are on the Panda site, click the Scan your PC button.
A new window will open; click the Check Now button.
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
__RiP_ChAiN_
2008-01-04, 05:46
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.
In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.
Everyone else please begin a New Topic.