Tagasaurus and friends

tito184
2006-09-07, 09:24
I have been trying to hack away at these for about a week and I give up and need your help. My computer is updated and my Kaspersky AV isn't helping anymore. Windows Defender keeps popping up with the Tagasaurus prompt but I am unable to remove it. Any help would be more than appreciated.

My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:50 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hyjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [w9aa5775.dll] RUNDLL32.EXE w9aa5775.dll,I2 0007213b09aa5775
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kqio] C:\PROGRA~1\COMMON~1\kqio\kqiom.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156627444490
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157232828125
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)


And my combofix log:

Stephanie - 06-09-06 7:44:17.40
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Stephanie\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-26 15:20 211 tpepp.dll.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\iniwin32.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\keyboard111.dat
C:\WINDOWS\winsysupd1.dat
C:\WINDOWS\winsysupd41.dat
C:\WINDOWS\winsysupd71.dat
C:\deskbar3.exe
C:\WINDOWS\system32\ad.html
C:\Program Files\Common Files\download
C:\Program Files\Common Files\windows


((((((((((((((((((((((((((((((( Files Created from 2006-08-06 to 2006-09-06 ))))))))))))))))))))))))))))))))))


2006-09-04 19:22 40,960 --a------ C:\Look2Me-Destroyer.exe
2006-09-04 11:46 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-09-04 01:34 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-09-03 17:32 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-03 14:20 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-03 02:37 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-02 20:04 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-02 20:04 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-02 20:04 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-09-02 20:04 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-02 20:04 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-02 20:04 581,120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-09-02 20:04 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-02 20:04 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-02 20:04 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2006-09-02 20:04 243,200 --a------ C:\WINDOWS\system32\es.dll
2006-09-02 20:04 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-02 20:04 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-02 20:04 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-02 20:04 101,376 --a------ C:\WINDOWS\system32\txflog.dll
2006-09-02 20:04 1,285,120 --a------ C:\WINDOWS\system32\ole32.dll
2006-09-02 20:04 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-02 20:01 77,312 --a------ C:\WINDOWS\system32\browser.dll
2006-09-02 20:01 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-09-02 20:01 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2006-09-02 20:01 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-09-02 19:44 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-09-02 19:44 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-09-02 19:44 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-09-02 19:44 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-09-02 19:44 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-09-02 19:44 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-09-02 19:44 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-09-02 19:44 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-09-02 19:44 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-09-02 19:44 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-09-02 19:44 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-09-02 19:44 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-09-02 19:44 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-09-02 19:44 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-09-02 19:44 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-09-02 19:44 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-09-02 19:44 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-09-02 19:36 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-02 19:20 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-09-02 18:42 24,296 --a------ C:\WINDOWS\icont.exe
2006-08-26 15:17 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-08-26 15:17 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-08-26 15:17 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2006-08-26 15:17 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2006-08-26 15:17 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-08-26 14:28 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-08-26 14:28 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-08-26 14:28 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-08-26 14:28 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-08-26 14:28 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-08-26 14:28 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-08-26 14:27 86,094 --a------ C:\WINDOWS\BPMNT.dll
2006-08-26 14:27 71,749 --a------ C:\WINDOWS\hcextoutput.dll
2006-08-26 14:27 176,709 --a------ C:\WINDOWS\tsc.exe
2006-08-26 14:27 1,101,904 --a------ C:\WINDOWS\vsapi32.dll
2006-08-26 14:26 69,689 --a------ C:\WINDOWS\UNZIP.DLL
2006-08-26 14:26 507,904 --a------ C:\WINDOWS\TMUPDATE.DLL
2006-08-26 14:26 286,720 --a------ C:\WINDOWS\PATCH.EXE
2006-08-23 00:31 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-08-23 00:31 5,906,432 --------- C:\WINDOWS\system32\ieframe.dll
2006-08-23 00:31 457,728 --------- C:\WINDOWS\system32\msfeeds.dll
2006-08-23 00:31 175,616 --------- C:\WINDOWS\system32\ieui.dll
2006-08-23 00:18 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-08-23 00:13 11,776 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-08-23 00:11 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-08-23 00:10 61,440 --------- C:\WINDOWS\system32\icardie.dll
2006-08-23 00:09 262,656 --------- C:\WINDOWS\system32\iertutil.dll
2006-08-22 23:36 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-06 07:45 -------- d-------- C:\Program Files\Common Files
2006-09-05 23:46 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-05 23:45 -------- d-------- C:\Program Files\Java
2006-09-04 18:58 -------- d-------- C:\Program Files\Yazzle Snowball Wars
2006-09-04 18:20 -------- d-------- C:\Documents and Settings\Stephanie\Application Data\Talkback
2006-09-04 18:19 -------- d-------- C:\Documents and Settings\Stephanie\Application Data\Mozilla
2006-09-04 11:56 -------- d-------- C:\Program Files\Internet Explorer
2006-09-04 11:24 -------- d-------- C:\Program Files\EQTraffic
2006-09-04 10:58 -------- d-------- C:\Program Files\Windows Defender
2006-09-04 10:58 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-04 03:36 -------- d-------- C:\Program Files\Messenger
2006-09-04 03:34 -------- d-------- C:\Program Files\Windows Media Player
2006-09-04 03:25 -------- d-------- C:\Program Files\Outlook Express
2006-09-04 03:25 -------- d-------- C:\Program Files\Common Files\System
2006-09-04 01:44 -------- d---s---- C:\Documents and Settings\Stephanie\Application Data\Microsoft
2006-09-03 21:22 438 --a------ C:\WINDOWS\tfhcf.dll
2006-09-03 15:09 -------- d-------- C:\Program Files\Movie Maker
2006-09-03 14:53 -------- d-------- C:\Program Files\Windows NT
2006-09-03 14:53 -------- d-------- C:\Program Files\NetMeeting
2006-09-02 18:38 -------- d-------- C:\Documents and Settings\Stephanie\Application Data\Macromedia
2006-09-02 18:09 -------- d-------- C:\Program Files\Kaspersky Lab
2006-09-02 14:50 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-08-26 15:13 -------- d-------- C:\Program Files\etea
2006-08-26 15:13 -------- d-------- C:\Program Files\Common Files\kqio
2006-08-26 14:28 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-23 00:31 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-08-23 00:31 225792 --a------ C:\WINDOWS\system32\webcheck.dll
2006-08-23 00:31 152064 --a------ C:\WINDOWS\system32\msls31.dll
2006-08-23 00:18 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-08-23 00:17 40448 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-08-23 00:17 105472 --a------ C:\WINDOWS\system32\url.dll
2006-08-23 00:17 100352 --a------ C:\WINDOWS\system32\occache.dll
2006-08-23 00:16 16896 --a------ C:\WINDOWS\system32\corpol.dll
2006-08-23 00:14 378368 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-08-23 00:14 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-08-23 00:13 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-08-23 00:13 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-08-23 00:13 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-08-23 00:13 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-08-23 00:13 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-08-23 00:13 122880 --a------ C:\WINDOWS\system32\advpack.dll
2006-08-23 00:10 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-08-23 00:07 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-08-22 23:37 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-08-22 23:30 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-08 20:11 -------- d-------- C:\Documents and Settings\Stephanie\Application Data\Sun
2006-07-08 14:56 -------- d-------- C:\Program Files\Common Files\Java
2006-06-29 08:05 26112 --------- C:\WINDOWS\system32\idndl.dll
2006-06-29 08:05 23552 --------- C:\WINDOWS\system32\normaliz.dll
2006-06-28 17:59 24576 --------- C:\WINDOWS\system32\nlsdl.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"w9aa5775.dll"="RUNDLL32.EXE w9aa5775.dll,I2 0007213b09aa5775"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\kav.exe\" /minimize"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"kqio"="C:\\PROGRA~1\\COMMON~1\\kqio\\kqiom.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"wshfvi"="C:\\WINDOWS\\System32\\wshfvi.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\System32\\ad.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"="bwgarn.exe"
"FCHelp"="\"C:\\Program Files\\FCHelp\\FCHelp.exe\""
"Usrr"="\"C:\\Program Files\\etea\\rpen.exe\" -vt yazr"
"qxlno"="C:\\WINDOWS\\System32\\ukauni.exe reg_run"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"lintde"="C:\\WINDOWS\\System32\\lintde.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"="bwgarn.exe"
"FCHelp"="\"C:\\Program Files\\FCHelp\\FCHelp.exe\""
"Usrr"="\"C:\\Program Files\\etea\\rpen.exe\" -vt yazr"
"qxlno"="C:\\WINDOWS\\System32\\ukauni.exe reg_run"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"lintde"="C:\\WINDOWS\\System32\\lintde.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Wed 09/06/2006 7:53:25.68
ComboFix.txt

LonnyRJones
2006-09-12, 07:28
Welcome to the forum

Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"w9aa5775.dll"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kqio"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"=-
"FCHelp"=-
"Usrr"=-
"qxlno"=-
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=-
[-HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"=-
"FCHelp"=-
"Usrr"=-
"qxlno"=-
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=""
[-HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a success message, delete fixme.reg.

Restart your PC.

Post new HijackThis and ComboFix logs.
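The fixme.reg above relies on three REGEDIT4 constructs: `[KEY]` selects a key, `[-KEY]` deletes a whole key, and `"name"=-` deletes a single value (while `"name"=""` only blanks it). As an added example, not code from LonnyRJones or the forum, the Python below applies exactly those semantics to a registry snapshot parsed from the ComboFix "Reg Loading Points" section, so a responder can check before merging which autorun entries a fix removes, which are already gone, and which still launch at logon. The snapshot and fix text are constructed from a subset of the lines in this thread; the regex names, the action tuples and `run_example` are my own.

```python
import re

# Added example (not from the thread): interprets REGEDIT4 fix-file semantics
# against a registry snapshot parsed from a ComboFix 'Reg Loading Points' dump.
#   [KEY]      select (and create) a key      [-KEY]     delete the whole key
#   "name"=-   delete one value               "name"="x" set a string value
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_snapshot(text):
    """Parse '[key]' / '"name"=data' lines into {key: {name: raw_data}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            reg.setdefault(key, {})
        elif key is not None:
            m = VAL_RE.match(line)
            if m:
                reg[key][m.group(1)] = m.group(2)
    return reg


def apply_fix(reg, fix_text):
    """Apply a REGEDIT4 script to the snapshot in place; return the actions taken."""
    lines = fix_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("fix file must start with a REGEDIT4 header")
    actions, key = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        m = KEY_RE.match(line)
        if m:
            minus, name = m.groups()
            if minus:                              # [-KEY]: drop key and all values
                gone = reg.pop(name, {})
                actions.append(("delete_key", name, sorted(gone)))
                key = None                         # values after [-KEY] are ignored
            else:
                key = name
                reg.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name, data = m.groups()
            if data == "-":                        # "name"=- : delete the value
                if reg[key].pop(name, None) is None:
                    actions.append(("missing_value", key, name))  # already gone
                else:
                    actions.append(("delete_value", key, name))
            else:                                  # "name"="..." : (over)write it
                reg[key][name] = data
                actions.append(("set_value", key, name))
    return actions


def remaining_autoruns(reg):
    """Values still set under any Run/RunOnce key (an empty string launches nothing)."""
    return sorted((k, n, d) for k, v in reg.items()
                  if k.lower().endswith(("\\run", "\\runonce"))
                  for n, d in v.items() if d != '""')


# Constructed snapshot: a subset of the 'Reg Loading Points' lines posted above.
SNAPSHOT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"w9aa5775.dll"="RUNDLL32.EXE w9aa5775.dll,I2 0007213b09aa5775"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"kqio"="C:\\PROGRA~1\\COMMON~1\\kqio\\kqiom.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"wshfvi"="C:\\WINDOWS\\System32\\wshfvi.exe"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"="bwgarn.exe"
"FCHelp"="\"C:\\Program Files\\FCHelp\\FCHelp.exe\""
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=""
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"lintde"="C:\\WINDOWS\\System32\\lintde.exe"
'''

# Constructed fix: a subset of the fixme.reg above, plus "Usrr"=- to show how a
# value that is already absent is reported rather than failing.
FIX = r'''REGEDIT4
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"w9aa5775.dll"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kqio"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"=-
"FCHelp"=-
"Usrr"=-
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=""
[-HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
;
'''


def run_example():
    """Apply FIX to SNAPSHOT; return (actions taken, autoruns still active)."""
    reg = parse_snapshot(SNAPSHOT)
    actions = apply_fix(reg, FIX)
    return actions, remaining_autoruns(reg)


if __name__ == "__main__":
    acts, left = run_example()
    for act in acts:
        print(*act)
    print("still launching at logon:", [n for _, n, _ in left])
```

Run as a script it lists each deletion, the one already-missing value, and the two legitimate entries (QuickTime Task, MSMSGS) left under the Run keys; the blanked `lintde` RunOnce value is not counted because an empty string launches nothing. The same parser can be pointed at a full ComboFix log by pasting its Reg Loading Points section into `SNAPSHOT`.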

tito184
2006-09-16, 03:45
Here is the ComboFix log:

Stephanie - 06-09-15 16:20:17.40
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Stephanie\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-15 to 2006-09-15 ))))))))))))))))))))))))))))))))))


2006-09-04 19:22 40,960 --a------ C:\Look2Me-Destroyer.exe
2006-09-04 11:46 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-09-04 01:34 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-09-03 17:32 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-03 14:20 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-03 02:37 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-02 20:04 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-02 20:04 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-02 20:04 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-09-02 20:04 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-02 20:04 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-02 20:04 581,120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-09-02 20:04 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-02 20:04 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-02 20:04 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2006-09-02 20:04 243,200 --a------ C:\WINDOWS\system32\es.dll
2006-09-02 20:04 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-02 20:04 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-02 20:04 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-02 20:04 101,376 --a------ C:\WINDOWS\system32\txflog.dll
2006-09-02 20:04 1,285,120 --a------ C:\WINDOWS\system32\ole32.dll
2006-09-02 20:04 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-02 20:01 77,312 --a------ C:\WINDOWS\system32\browser.dll
2006-09-02 20:01 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-09-02 20:01 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2006-09-02 20:01 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-09-02 19:44 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-09-02 19:44 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-09-02 19:44 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-09-02 19:44 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-09-02 19:44 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-09-02 19:44 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-09-02 19:44 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-09-02 19:44 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-09-02 19:44 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-09-02 19:44 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-09-02 19:44 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-09-02 19:44 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-09-02 19:44 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-09-02 19:44 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-09-02 19:44 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-09-02 19:44 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-09-02 19:44 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-09-02 19:36 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-02 19:20 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-09-02 18:42 24,296 --a------ C:\WINDOWS\icont.exe
2006-08-26 15:17 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-08-26 15:17 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-08-26 15:17 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2006-08-26 15:17 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2006-08-26 15:17 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-08-26 14:28 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-08-26 14:28 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-08-26 14:28 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-08-26 14:28 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-08-26 14:28 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-08-26 14:28 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-08-26 14:27 86,094 --a------ C:\WINDOWS\BPMNT.dll
2006-08-26 14:27 71,749 --a------ C:\WINDOWS\hcextoutput.dll
2006-08-26 14:27 176,709 --a------ C:\WINDOWS\tsc.exe
2006-08-26 14:27 1,101,904 --a------ C:\WINDOWS\vsapi32.dll
2006-08-26 14:26 69,689 --a------ C:\WINDOWS\UNZIP.DLL
2006-08-26 14:26 507,904 --a------ C:\WINDOWS\TMUPDATE.DLL
2006-08-26 14:26 286,720 --a------ C:\WINDOWS\PATCH.EXE
2006-08-23 00:31 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-08-23 00:31 5,906,432 --------- C:\WINDOWS\system32\ieframe.dll
2006-08-23 00:31 457,728 --------- C:\WINDOWS\system32\msfeeds.dll
2006-08-23 00:31 175,616 --------- C:\WINDOWS\system32\ieui.dll
2006-08-23 00:18 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-08-23 00:13 11,776 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-08-23 00:11 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-08-23 00:10 61,440 --------- C:\WINDOWS\system32\icardie.dll
2006-08-23 00:09 262,656 --------- C:\WINDOWS\system32\iertutil.dll
2006-08-22 23:36 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-15 00:55 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-06 07:45 -------- d-------- C:\Program Files\Common Files
2006-09-05 23:45 -------- d-------- C:\Program Files\Java
2006-09-04 18:58 -------- d-------- C:\Program Files\Yazzle Snowball Wars
2006-09-04 18:20 -------- d-------- C:\Documents and Settings\Stephanie\Application Data\Talkback
2006-09-04 18:19 -------- d-------- C:\Documents and Settings\Stephanie\Application Data\Mozilla
2006-09-04 11:56 -------- d-------- C:\Program Files\Internet Explorer
2006-09-04 11:24 -------- d-------- C:\Program Files\EQTraffic
2006-09-04 10:58 -------- d-------- C:\Program Files\Windows Defender
2006-09-04 10:58 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-04 03:36 -------- d-------- C:\Program Files\Messenger
2006-09-04 03:34 -------- d-------- C:\Program Files\Windows Media Player
2006-09-04 03:25 -------- d-------- C:\Program Files\Outlook Express
2006-09-04 03:25 -------- d-------- C:\Program Files\Common Files\System
2006-09-04 01:44 -------- d---s---- C:\Documents and Settings\Stephanie\Application Data\Microsoft
2006-09-03 21:22 438 --a------ C:\WINDOWS\tfhcf.dll
2006-09-03 15:09 -------- d-------- C:\Program Files\Movie Maker
2006-09-03 14:53 -------- d-------- C:\Program Files\Windows NT
2006-09-03 14:53 -------- d-------- C:\Program Files\NetMeeting
2006-09-02 18:38 -------- d-------- C:\Documents and Settings\Stephanie\Application Data\Macromedia
2006-09-02 18:09 -------- d-------- C:\Program Files\Kaspersky Lab
2006-09-02 14:50 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-08-26 15:13 -------- d-------- C:\Program Files\etea
2006-08-26 15:13 -------- d-------- C:\Program Files\Common Files\kqio
2006-08-26 14:28 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-23 00:31 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-08-23 00:31 225792 --a------ C:\WINDOWS\system32\webcheck.dll
2006-08-23 00:31 152064 --a------ C:\WINDOWS\system32\msls31.dll
2006-08-23 00:18 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-08-23 00:17 40448 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-08-23 00:17 105472 --a------ C:\WINDOWS\system32\url.dll
2006-08-23 00:17 100352 --a------ C:\WINDOWS\system32\occache.dll
2006-08-23 00:16 16896 --a------ C:\WINDOWS\system32\corpol.dll
2006-08-23 00:14 378368 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-08-23 00:14 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-08-23 00:13 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-08-23 00:13 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-08-23 00:13 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-08-23 00:13 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-08-23 00:13 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-08-23 00:13 122880 --a------ C:\WINDOWS\system32\advpack.dll
2006-08-23 00:10 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-08-23 00:07 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-08-22 23:37 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-08-22 23:30 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-06-29 08:05 26112 --------- C:\WINDOWS\system32\idndl.dll
2006-06-29 08:05 23552 --------- C:\WINDOWS\system32\normaliz.dll
2006-06-28 17:59 24576 --------- C:\WINDOWS\system32\nlsdl.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\kav.exe\" /minimize"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"lintde"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Fri 09/15/2006 16:31:20.04
ComboFix.txt
ComboFix2.txt

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:50 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hyjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156627444490
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157232828125
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
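The log above is the kind of thing a helper reads by eye: the `O23` line registers a service called lsass whose image is `C:\WINDOWS\lsass.exe`, outside `system32` where the real lsass.exe lives, with no vendor and no file on disk. The following script is an added example for this thread, not part of HijackThis, SDFix or any post here; it encodes those three checks so they can be run over a pasted log. The `SYSTEM_DIRS` and `CORE_PROCESSES` lists are my own assumptions for Windows XP, and the sample log is copied from the post above with one constructed process line (`C:\WINDOWS\svchost.exe`) so the process check also has something to flag.

```python
"""Flag suspicious process and service entries in a HijackThis log.

Added example for this thread, not part of HijackThis, SDFix or any post
above. Checks: a core Windows process name whose image sits outside the
system directory, a service with no vendor information, and a service
whose image file no longer exists.
"""
import ntpath
import re
from typing import Dict, List

# Directories in which the core XP processes legitimately reside (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")

# Core process names that malware borrows (lsass.exe in this thread); assumption.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}

# A bare image path, as printed under "Running processes:".
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

# O23 service line: display name - owner - image path [ (file missing)].
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")

# Lines taken from the log posted above, plus one constructed process line
# (C:\WINDOWS\svchost.exe) so the process check also fires.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
"""


def in_system_dir(path: str) -> bool:
    """True when the image's directory is one of the Windows system directories."""
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious process or service entry."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            name = ntpath.basename(line).lower()
            if name in CORE_PROCESSES and not in_system_dir(line):
                findings.append({"kind": "process", "item": line,
                                 "reason": f"{name} is running outside the system directory"})
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        path, display = m.group("path"), m.group("display")
        name = ntpath.basename(path).lower()
        if name in CORE_PROCESSES and not in_system_dir(path):
            findings.append({"kind": "service", "item": display,
                             "reason": f"image {path} borrows a core process name outside the system directory"})
        if m.group("owner") == "Unknown owner":
            findings.append({"kind": "service", "item": display,
                             "reason": "no vendor information for the service image"})
        if m.group("missing"):
            findings.append({"kind": "service", "item": display,
                             "reason": "service is registered but its image file is missing"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['item']}: {f['reason']}")
```

Run it against the sample and it reports the constructed svchost line once and the lsass service three times, which is exactly the entry SDFix removed in the next post; the legitimate kavsvc service and the processes inside `system32` produce nothing.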

LonnyRJones
2006-09-16, 04:30
Delete these folders
C:\Program Files\Common Files\kqio
C:\Program Files\EQTraffic
C:\Program Files\Yazzle Snowball Wars
C:\Program Files\etea

------------------------------------------
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

tito184
2006-09-17, 09:18
I deleted those files and ran the SDFix. I really do appreciate your help.

SDFix: Version 1.20
-------------------------

Scan Time/Date:

11:10 PM
Sat 09/16/2006

Microsoft Windows XP [Version 5.1.2600]

Running from:
C:\Documents and Settings\Stephanie\Desktop\SDFix


Stage One...


Checking Services...

Service Name:
------------------

lsass
haxdrv

File Path:
------------

C:\WINDOWS\lsass.exe
\??\C:\WINDOWS\system32\haxdrv.sys

Removing Services:
------------------------

SUCCESS
SUCCESS


Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Logfile of HijackThis v1.99.1
Scan saved at 11:17:11 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hyjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156627444490
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157232828125
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe

LonnyRJones
2006-09-17, 12:26
Looks good

How's that PC acting?

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
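A blocking hosts file of the kind recommended above works by mapping unwanted names to a sink address (0.0.0.0 or 127.0.0.1), and the opposite, a real name mapped to some other address, is the hijack that the "Restoring Default Hosts File" step in the SDFix report undoes. The script below is an added example for this thread, not the MVPS hosts file nor code from any post here; it parses a hosts file, counts the block entries, lists redirects and malformed lines, and shows which address a name would actually resolve to. The sample hosts content is constructed, and the `SINK_ADDRESSES` and `LOOPBACK_NAMES` sets are my own assumptions.

```python
"""Audit a Windows HOSTS file for block entries and hijacked names.

Added example for this thread; not the MVPS hosts file and not code from
any post above. Block entries point at a sink address; any other address
next to a real hostname is a redirect the user did not ask for.
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses a blocking hosts file is expected to use (assumption).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback and are not "blocked" (assumption).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: stock header, two MVPS-style block lines, one redirect
# that no legitimate hosts file carries, and one broken line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# MVPS-style block entries (constructed names)
0.0.0.0 ads.example-adserver.test
0.0.0.0 tracker.example.test   # trailing comment is ignored
# a redirect no legitimate hosts file carries (constructed)
10.0.0.99       update.microsoft.com
not-an-address  broken.line
"""

Entry = Tuple[int, str, List[str]]  # (line number, address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Split a hosts file into (line number, address, names), dropping comments."""
    entries: List[Entry] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        entries.append((number, fields[0], fields[1:]))
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Count sink (block) mappings; list redirects and malformed lines."""
    blocked = 0
    hijacks: List[Tuple[int, str, str]] = []
    malformed: List[int] = []
    for number, address, names in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
        except ValueError:
            malformed.append(number)
            continue
        if not names:
            malformed.append(number)
            continue
        if address in SINK_ADDRESSES:
            blocked += sum(1 for n in names if n.lower() not in LOOPBACK_NAMES)
        else:
            # Any non-sink mapping is a redirect the auditor must look at.
            hijacks.extend((number, n.lower(), address) for n in names)
    return {"blocked": blocked, "hijacks": hijacks, "malformed": malformed}


def lookup(text: str, hostname: str) -> str:
    """Address the resolver would use for hostname: first matching line wins."""
    wanted = hostname.lower()
    for _, address, names in parse_hosts(text):
        if wanted in (n.lower() for n in names):
            return address
    return ""


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"blocked names: {report['blocked']}")
    for line, name, address in report["hijacks"]:
        print(f"line {line}: {name} redirected to {address}")
    print(f"malformed lines: {report['malformed']}")
```

The `lookup` function matters because the resolver consults the hosts file before DNS and takes the first line that names the host, so a single redirect line silently overrides what the network would have returned; checking a freshly downloaded hosts file with `audit_hosts` before installing it is the same check in the other direction.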

tito184
2006-09-18, 01:20
PC seems fine now.

Thanks a bunch!

LonnyRJones
2006-09-21, 15:28
Great

I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).