Surf Sidekick and others



mhill
2006-07-20, 21:23
This is my first post, so I apologize if I do this incorrectly. Quite a few of our company's computers were hit with a plethora of viruses and spyware earlier this week. I was able to clean all computers except mine. :( I have posted a HijackThis log that I just ran. Hopefully it will help someone help me. I am not sure what I have been infected with, but every time I run Spybot and restart my computer, Spybot does not automatically run to clean up any unclean files. Please help!!!!!!!!!!!!

Here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:16:00 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\taskib.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\dfndrdd_6.exe
C:\kybrddd_6.exe
C:\WINDOWS\system32\rundll32.exe
C:\nwnmdd_6.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iqugj.exe
F2 - REG:system.ini: UserInit=userinit.exe,tlbktws.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [defender] C:\\dfndrdd_6.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrddd_6.exe
O4 - HKLM\..\Run: [zstcbd16] RUNDLL32.EXE w1459dd9.dll,n 001cbd15000000031459dd9
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmdd_6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120562956578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\SNCLIENT.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bW9uaWth\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Station Task Manager (TSKIB) - Unknown owner - C:\WINDOWS\taskib.exe

tashi
2006-07-24, 10:52
Hello and sorry you are waiting.

If you are still in need of assistance please go here and post a link back to this topic to flag a helper.

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

LonnyRJones
2006-07-25, 02:18
Current log


Thank you for responding. I have tried to run the programs listed under command service problems. The pop-ups have stopped but I am not sure if I got everything. Here's a new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:07:20 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz (http://www.dell4me.com/mywaybiz)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usam-midwest.com/ (http://www.usam-midwest.com/)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz (http://www.dell4me.com/mywaybiz)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz (http://www.dell4me.com/mywaybiz)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://go.microsoft.com/fwlink/?linkid=39204)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab (http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab (http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab)
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab (http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab (http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120562956578 (http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120562956578)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab (http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Station Task Manager (TSKIB) - Unknown owner - C:\WINDOWS\taskib.exe (file missing)

Thanks again!

LonnyRJones
2006-07-25, 02:24
Hi
Open a command prompt (start run type cmd press enter) type
sc delete "TSKIB"
press enter, type exit and press enter to exit the command prompt

Start HijackThis and place a check next to these items, if there.
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
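The helper above picks entries out of the HijackThis log by eye: dangling "(no file)" items, an autorun pointing at C:\WINDOWS\v1201.exe, a service with no owner. The script below is an added example (not code from this thread, from HijackThis or from ComboFix) that applies the same kind of triage heuristics to HijackThis lines; the sample input is a constructed subset of lines copied from the log posted earlier, and the heuristics (root-directory autoruns, bare-name rundll32 DLLs, extra Shell/UserInit values, unknown-owner services, O10/O20 entries) are this example's own assumptions about what deserves a second look, not a rule set from any tool.

```python
import re

# Constructed sample input: entries copied from the HijackThis log posted in
# this thread, with a few known-good lines from the same log left in so the
# heuristics have something to ignore.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrdd_6.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [zstcbd16] RUNDLL32.EXE w1459dd9.dll,n 001cbd15000000031459dd9
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iqugj.exe
F2 - REG:system.ini: UserInit=userinit.exe,tlbktws.exe
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Station Task Manager (TSKIB) - Unknown owner - C:\WINDOWS\taskib.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section code and the rest of the line
ITEM_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
O4_CMD_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
# an executable sitting directly in the drive root, e.g. C:\dfndrdd_6.exe
ROOT_EXE_RE = re.compile(r"^[a-z]:\\+[^\\]+?\.(exe|com|scr|pif)(\s.*)?$", re.IGNORECASE)
# an executable sitting directly in the Windows directory, e.g. C:\WINDOWS\v1201.exe
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\+windows\\+[^\\]+?\.(exe|com|scr|pif)(\s.*)?$", re.IGNORECASE)
# rundll32 given a DLL with no directory, so the search path decides what loads
BARE_RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s+[^\\\s]+\.dll", re.IGNORECASE)


def extra_entries(value, legit_name):
    """Comma-separated Shell=/UserInit= value -> entries that are not the expected binary."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.casefold().rsplit("\\", 1)[-1] != legit_name]


def triage(log_text):
    """Return (section code, reason, line) triples for entries that deserve a closer look.

    These are hints for a human reviewer, not verdicts: a legitimate service can
    carry "Unknown owner" too (GoToMyPC does in the thread's log), so each hit
    still needs the binary checked before anything is removed.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("target file is gone: dangling entry")
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("service binary has no publisher string: verify it")
        if code == "O4":
            cm = O4_CMD_RE.search(body)
            if cm:
                cmd = cm.group("cmd").strip().strip('"')
                if ROOT_EXE_RE.match(cmd) or WINROOT_EXE_RE.match(cmd):
                    reasons.append("autorun executable placed directly in the drive or Windows root")
                if BARE_RUNDLL_RE.match(cmd):
                    reasons.append("rundll32 loads a DLL by bare name")
        if code == "F2":
            for key, legit in (("Shell", "explorer.exe"), ("UserInit", "userinit.exe")):
                km = re.search(rf"\b{key}=(?P<val>.+)$", body)
                if km:
                    extras = extra_entries(km.group("val"), legit)
                    if extras:
                        reasons.append(f"extra {key} value: {', '.join(extras)}")
        if code == "O10":
            reasons.append("Winsock LSP chain reported as hijacked")
        if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs set: the DLL is loaded into every user-mode process")
        for reason in reasons:
            findings.append((code, reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {line}")
```

Run against the constructed sample it reports nine hits and stays silent on the SoundMAX, Intel graphics and Symantec lines, which is the split the helper made by hand.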

mhill
2006-07-25, 16:48
I fixed the 3 files you named in HijackThis. Here is a new ComboFix log:

Start Time= Tue 07/25/2006 8:39:21.23
Running from: C:\Documents and Settings\mhill\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-25 08:28 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-25 06:25 <DIR> C:\Program Files\symantec antivirus
2006-07-25 06:24 534,843,392 C:\hiberfil.sys
2006-07-25 06:24 <DIR> C:\Program Files\common files
2006-07-24 16:22 <DIR> C:\Documents and Settings\mhill\Application Data\soliddocuments
2006-07-24 12:29 <DIR> C:\Program Files\aim toolbar
2006-07-21 09:00 444 C:\WINDOWS\qckjb.dll
2006-07-20 12:12 <DIR> C:\Program Files\msn gaming zone
2006-07-20 10:35 11,264 C:\setup32.exe
2006-07-20 00:01 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-20 00:00 <DIR> C:\Program Files\netmeeting
2006-07-19 20:16 9,728 C:\rundll.exe
2006-07-19 18:24 9,216 C:\system64.exe
2006-07-19 17:27 9,216 C:\system32.exe
2006-07-19 16:36 9,216 C:\install32.exe
2006-07-19 14:57 9,216 C:\ins32.exe
2006-07-19 14:51 9,728 C:\install.exe
2006-07-19 08:25 <DIR> C:\Program Files\Common Files\irmi
2006-07-19 06:20 <DIR> C:\Program Files\spybot - search & destroy
2006-07-19 06:13 242,230 C:\siteerror.exe
2006-07-18 16:27 9,728 C:\setup.exe
2006-07-18 16:06 28,672 C:\WINDOWS\system32\drivers\co_mon.sys
2006-07-18 16:06 <DIR> C:\Documents and Settings\mhill\Application Data\wholesecurity
2006-07-18 16:03 <DIR> C:\Program Files\symantec
2006-07-18 16:01 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-18 15:48 <DIR> C:\Program Files\symnetdrv
2006-07-18 06:27 523,518 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-10 13:31 22,801 C:\Documents and Settings\mhill\Application Data\comma separated values (windows).adr
2006-07-07 12:51 <DIR> C:\Documents and Settings\mhill\Application Data\weatherbug
2006-06-21 08:14 <DIR> C:\Documents and Settings\mhill\Application Data\adobeum
2006-06-21 06:12 <DIR> C:\Program Files\internet explorer
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-07 12:55 3,753 C:\Program Files\Common Files\kyke.html
2006-06-06 16:50 <DIR> C:\Documents and Settings\mhill\Application Data\webshots
2006-05-30 18:09 24,576 C:\WINDOWS\uninstall.exe
2006-05-19 07:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 07:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 07:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll
2006-05-15 18:24 466,944 C:\WINDOWS\system32\capicom.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-21 11:00 534,843,392 C:\hiberfil.sys
2006-07-20 11:17 10,752 C:\dscf.exe
2006-07-20 00:01 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-19 20:16 9,728 C:\rundll.exe
2006-07-19 18:24 9,216 C:\system64.exe
2006-07-19 17:27 9,216 C:\system32.exe
2006-07-19 15:27 9,216 C:\install32.exe
2006-07-19 14:57 9,216 C:\ins32.exe
2006-07-19 14:51 9,728 C:\install.exe
2006-07-19 14:12 73,728 C:\WINDOWS\system32\pv.exe
2006-07-19 14:12 39,184 C:\WINDOWS\system32\Ntrights.exe
2006-07-19 14:12 175,616 C:\WINDOWS\system32\strings.exe
2006-07-19 14:12 16,384 C:\WINDOWS\system32\restart.exe
2006-07-19 14:12 126,976 C:\WINDOWS\system32\zip.exe
2006-07-19 14:12 11,254 C:\WINDOWS\system32\locate.com
2006-07-19 06:13 242,230 C:\siteError.exe
2006-07-18 16:22 9,728 C:\setup.exe
2006-07-18 15:39 11,264 C:\setup32.exe
2006-07-18 12:20 940,000 C:\WINDOWS\zhpmrdn.exe
2006-07-18 12:20 444 C:\WINDOWS\qckjb.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"GoToMyPC"="C:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe -logon"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"irmi"="C:\\PROGRA~1\\COMMON~1\\irmi\\irmim.exe"
"ouovk"="C:\\WINDOWS\\system32\\sgdcjr.exe reg_run"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"irmi"="C:\\PROGRA~1\\COMMON~1\\irmi\\irmim.exe"
"ouovk"="C:\\WINDOWS\\system32\\sgdcjr.exe reg_run"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: Tue 07/25/2006 8:39:48.70
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt
ComboFix7-21-06.txt


Thanks!!!!

mhill
2006-07-25, 16:57
Oops, I forgot to restart my computer first. Here's the new ComboFix log:

Start Time= Tue 07/25/2006 8:54:31.98
Running from: C:\Documents and Settings\mhill\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-25 08:52 <DIR> C:\Program Files\symantec antivirus
2006-07-25 08:52 <DIR> C:\Program Files\common files
2006-07-25 08:51 534,843,392 C:\hiberfil.sys
2006-07-25 08:28 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-24 16:22 <DIR> C:\Documents and Settings\mhill\Application Data\soliddocuments
2006-07-24 12:29 <DIR> C:\Program Files\aim toolbar
2006-07-21 09:00 444 C:\WINDOWS\qckjb.dll
2006-07-20 12:12 <DIR> C:\Program Files\msn gaming zone
2006-07-20 10:35 11,264 C:\setup32.exe
2006-07-20 00:01 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-20 00:00 <DIR> C:\Program Files\netmeeting
2006-07-19 20:16 9,728 C:\rundll.exe
2006-07-19 18:24 9,216 C:\system64.exe
2006-07-19 17:27 9,216 C:\system32.exe
2006-07-19 16:36 9,216 C:\install32.exe
2006-07-19 14:57 9,216 C:\ins32.exe
2006-07-19 14:51 9,728 C:\install.exe
2006-07-19 08:25 <DIR> C:\Program Files\Common Files\irmi
2006-07-19 06:20 <DIR> C:\Program Files\spybot - search & destroy
2006-07-19 06:13 242,230 C:\siteerror.exe
2006-07-18 16:27 9,728 C:\setup.exe
2006-07-18 16:06 28,672 C:\WINDOWS\system32\drivers\co_mon.sys
2006-07-18 16:06 <DIR> C:\Documents and Settings\mhill\Application Data\wholesecurity
2006-07-18 16:03 <DIR> C:\Program Files\symantec
2006-07-18 16:01 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-18 15:48 <DIR> C:\Program Files\symnetdrv
2006-07-18 06:27 523,518 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-10 13:31 22,801 C:\Documents and Settings\mhill\Application Data\comma separated values (windows).adr
2006-07-07 12:51 <DIR> C:\Documents and Settings\mhill\Application Data\weatherbug
2006-06-21 08:14 <DIR> C:\Documents and Settings\mhill\Application Data\adobeum
2006-06-21 06:12 <DIR> C:\Program Files\internet explorer
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-07 12:55 3,753 C:\Program Files\Common Files\kyke.html
2006-06-06 16:50 <DIR> C:\Documents and Settings\mhill\Application Data\webshots
2006-05-30 18:09 24,576 C:\WINDOWS\uninstall.exe
2006-05-19 07:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 07:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 07:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll
2006-05-15 18:24 466,944 C:\WINDOWS\system32\capicom.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-21 11:00 534,843,392 C:\hiberfil.sys
2006-07-20 11:17 10,752 C:\dscf.exe
2006-07-20 00:01 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-19 20:16 9,728 C:\rundll.exe
2006-07-19 18:24 9,216 C:\system64.exe
2006-07-19 17:27 9,216 C:\system32.exe
2006-07-19 15:27 9,216 C:\install32.exe
2006-07-19 14:57 9,216 C:\ins32.exe
2006-07-19 14:51 9,728 C:\install.exe
2006-07-19 14:12 73,728 C:\WINDOWS\system32\pv.exe
2006-07-19 14:12 39,184 C:\WINDOWS\system32\Ntrights.exe
2006-07-19 14:12 175,616 C:\WINDOWS\system32\strings.exe
2006-07-19 14:12 16,384 C:\WINDOWS\system32\restart.exe
2006-07-19 14:12 126,976 C:\WINDOWS\system32\zip.exe
2006-07-19 14:12 11,254 C:\WINDOWS\system32\locate.com
2006-07-19 06:13 242,230 C:\siteError.exe
2006-07-18 16:22 9,728 C:\setup.exe
2006-07-18 15:39 11,264 C:\setup32.exe
2006-07-18 12:20 940,000 C:\WINDOWS\zhpmrdn.exe
2006-07-18 12:20 444 C:\WINDOWS\qckjb.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"GoToMyPC"="C:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe -logon"
"TkBellExe"="\"C:\\Program Files\\Common

Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat

7.0\\Distillr\\Acrotray.exe\""
@=""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\"

/minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00

,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff

,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00

,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"irmi"="C:\\PROGRA~1\\COMMON~1\\irmi\\irmim.exe"
"ouovk"="C:\\WINDOWS\\system32\\sgdcjr.exe reg_run"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"irmi"="C:\\PROGRA~1\\COMMON~1\\irmi\\irmim.exe"
"ouovk"="C:\\WINDOWS\\system32\\sgdcjr.exe reg_run"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: Tue 07/25/2006 8:55:00.62
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt
ComboFix7-21-06.txt



thanks again!

LonnyRJones
2006-07-25, 19:33
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"irmi"=-
"ouovk"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"irmi"=-
"ouovk"=-


Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.


Go here http://www.virustotal.com/flash/index_en.html
and submit each of these files
C:\siteError.exe
C:\setup.exe
C:\setup32.exe
C:\WINDOWS\zhpmrdn.exe
C:\WINDOWS\qckjb.dll
C:\dscf.exe
C:\rundll.exe
C:\system64.exe
C:\system32.exe
C:\install32.exe
C:\ins32.exe
C:\install.exe
Let me know if anything is found for each


C:\Program Files\Common Files\kyke.html < delete file
C:\Program Files\Common Files\irmi < delete folder
C:\WINDOWS\bW9uaWth < delete folder
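As an added example (not LonnyRJones's instructions, and not ComboFix's or regedit's own code), here is a small Python helper that reads the Run keys out of a ComboFix "Reg Loading Points" dump like the ones above, finds the named autostart values under every hive (here the irmi and ouovk entries under HKEY_USERS\.default and s-1-5-18), and writes the same kind of REGEDIT4 removal file as the fixme.reg above: `"name"=-` tells regedit to delete that value rather than set it. The sample dump embedded in the code is constructed from this thread's log.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Run keys from the "Reg Loading Points" section of
# the ComboFix log in this thread (abridged), in ComboFix's REGEDIT-style dump.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"irmi"="C:\\PROGRA~1\\COMMON~1\\irmi\\irmim.exe"
"ouovk"="C:\\WINDOWS\\system32\\sgdcjr.exe reg_run"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"irmi"="C:\\PROGRA~1\\COMMON~1\\irmi\\irmim.exe"
"ouovk"="C:\\WINDOWS\\system32\\sgdcjr.exe reg_run"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$|^@=(.*)$')          # "name"=data or @=data
RUN_KEY_RE = re.compile(r'\\currentversion\\run$', re.IGNORECASE)

def parse_reg_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the dump into {key: {value_name: raw_data}}; a hex: value that
    regedit wrapped with a trailing comma-backslash is joined back together."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith(",\\"):
            pending = line[:-1]            # drop the backslash, keep the comma
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = m.group(3) if m.group(2) is None else m.group(2)
    return keys

def find_run_entries(keys: Dict[str, Dict[str, str]], names) -> List[Tuple[str, str]]:
    """(key, value_name) for every autostart value whose name is in `names`
    (case-insensitive) under any ...\\CurrentVersion\\Run key, whichever hive."""
    wanted = {n.lower() for n in names}
    return [(key, name) for key, values in keys.items() if RUN_KEY_RE.search(key)
            for name in values if name.lower() in wanted]

def build_fixme_reg(hits: List[Tuple[str, str]]) -> str:
    """Emit a REGEDIT4 file deleting each hit: "name"=- is regedit's
    'remove this value' syntax, exactly as in the fixme.reg above."""
    by_key: Dict[str, List[str]] = {}
    for key, name in hits:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_fixme_reg(find_run_entries(parse_reg_loading_points(SAMPLE_LOG), ["irmi", "ouovk"])))
```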

mhill
2006-07-26, 00:03
I deleted the 3 files.
VirusTotal definitely found something. I copied and pasted the responses for all of the files that did not come back clean.


STATUS: FINISHED
Complete scanning result of "setup.exe", received in VirusTotal at 07.25.2006, 20:53:01 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.24.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 no virus found
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found





STATUS: FINISHED
Complete scanning result of "setup32.exe", received in VirusTotal at 07.25.2006, 21:40:57 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.24.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 no virus found
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found


STATUS: FINISHED
Complete scanning result of "dscf.exe", received in VirusTotal at 07.25.2006, 21:56:25 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 TR/Dldr.Adload.DB.11
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 Downloader.Generic2.HBN
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot


STATUS: FINISHED
Complete scanning result of "rundll.exe", received in VirusTotal at 07.25.2006, 22:03:29 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.24.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 no virus found
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found


STATUS: FINISHED
Complete scanning result of "system64.exe", received in VirusTotal at 07.25.2006, 22:23:02 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.25.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 Suspicious file
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found



STATUS: FINISHED
Complete scanning result of "system32.exe", received in VirusTotal at 07.25.2006, 22:30:51 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.25.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 Suspicious file
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found


STATUS: FINISHED
Complete scanning result of "install32.exe", received in VirusTotal at 07.25.2006, 22:46:01 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.25.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 Suspicious file
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found


STATUS: FINISHED
Complete scanning result of "ins32.exe", received in VirusTotal at 07.25.2006, 22:51:39 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.25.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 Suspicious file
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found



STATUS: FINISHED
Complete scanning result of "install.exe", received in VirusTotal at 07.25.2006, 22:54:20 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
Authentium 4.93.8 07.24.2006 no virus found
Avast 4.7.844.0 07.24.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.25.2006 no virus found
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
eTrust-InoculateIT 23.72.77 07.25.2006 no virus found
eTrust-Vet 12.6.2308 07.25.2006 no virus found
Ewido 4.0 07.25.2006 no virus found
Fortinet 2.77.0.0 07.25.2006 no virus found
F-Prot 3.16f 07.25.2006 no virus found
F-Prot4 4.2.1.29 07.24.2006 no virus found
Ikarus 0.2.65.0 07.25.2006 no virus found
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.25.2006 no virus found
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Norman 5.90.23 07.25.2006 no virus found
Panda 9.0.0.4 07.25.2006 no virus found
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.25.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found

Thank you SO MUCH for the help you are giving me. Also, I have to leave town early Thursday morning so I will not be able to do anything to my computer after about 5:00 tomorrow (Wednesday) night. I am really worried about leaving my computer if it is not completely clean.
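As an added example (not code from the thread), here is a Python parser for VirusTotal result blocks pasted in the text format above: it splits a multi-file paste on the STATUS: FINISHED marker, reads each engine's verdict, and tallies how many engines flagged each file and under which names, so the hits the helper asked about can be read at a glance; a block whose paste was cut short (like dscf.exe above) simply yields fewer rows. The sample paste in the code is constructed from the results above, abridged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an abridged copy of two of the VirusTotal result blocks
# pasted above (install.exe, and dscf.exe whose paste was cut off mid-row).
SAMPLE_VT = """\
STATUS: FINISHED
Complete scanning result of "install.exe", received in VirusTotal at 07.25.2006, 22:54:20 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 no virus found
BitDefender 7.2 07.25.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 07.25.2006 (Suspicious) - DNAScan
DrWeb 4.33 07.25.2006 Adware.DollarRevenue
Kaspersky 4.0.2.24 07.25.2006 Trojan-Downloader.Win32.Adload.db
NOD32v2 1.1678 07.25.2006 Win32/TrojanDownloader.Adload.NAQ
Sophos 4.07.0 07.25.2006 Troj/Adload-HU
Symantec 8.0 07.25.2006 no virus found


STATUS: FINISHED
Complete scanning result of "dscf.exe", received in VirusTotal at 07.25.2006, 21:56:25 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.25.2006 TR/Dldr.Adload.DB.11
Authentium 4.93.8 07.24.2006 no virus found
AVG 386 07.25.2006 Downloader.Generic2.HBN
F-Prot
"""

FILE_RE = re.compile(r'Complete scanning result of "([^"]+)"')
ROW_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$')   # engine version sigdate verdict
CLEAN = "no virus found"

def parse_vt_block(block: str) -> Tuple[str, Dict[str, str]]:
    """One result block -> (file name, {engine: verdict}). The header row and a
    row truncated by the paste (engine name only) do not match ROW_RE."""
    filename = "?"
    verdicts: Dict[str, str] = {}
    for line in block.splitlines():
        m = FILE_RE.search(line)
        if m:
            filename = m.group(1)
            continue
        m = ROW_RE.match(line.strip())
        if m:
            engine, _version, _sigdate, result = m.groups()
            verdicts[engine] = result.strip()
    return filename, verdicts

def parse_vt_paste(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a paste holding several results on VirusTotal's 'STATUS: FINISHED'
    marker and parse each block in order."""
    blocks = [b for b in text.split("STATUS: FINISHED") if b.strip()]
    return [parse_vt_block(b) for b in blocks]

def summarize(verdicts: Dict[str, str]) -> Tuple[int, int, Dict[str, str]]:
    """(engines flagging the file, engines reporting, {engine: detection name})."""
    flagged = {e: v for e, v in verdicts.items() if v != CLEAN}
    return len(flagged), len(verdicts), flagged

if __name__ == "__main__":
    for name, verdicts in parse_vt_paste(SAMPLE_VT):
        hits, total, flagged = summarize(verdicts)
        print(f"{name}: flagged by {hits} of {total} engines")
        for engine, verdict in flagged.items():
            print(f"  {engine}: {verdict}")
```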

LonnyRJones
2006-07-26, 04:57
Go ahead and manually delete those files
I suggest you send (submit) them to symantec first
C:\siteError.exe
C:\setup.exe
C:\setup32.exe
C:\WINDOWS\zhpmrdn.exe
C:\WINDOWS\qckjb.dll
C:\dscf.exe
C:\rundll.exe
C:\system64.exe
C:\system32.exe
C:\install32.exe
C:\ins32.exe
C:\install.exe

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Post back with a new hijackthis log when you get back

tashi
2006-08-03, 23:02
This topic has been closed to prevent others with similar issues posting in it.
To be re-opened please send me or your helper a pm and provide a link to the thread. :)

Applies only to the original topic starter.