Thread: Also having trouble getting rid of trojan.win32.obfuscated.kp

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    Also having trouble getting rid of trojan.win32.obfuscated.kp

    I read the previous thread started by user "Infested". I am also struggling with pop-ups caused by trojan.win32.obfuscated.kp.

    I followed the final steps listed and am still having problems. Any and all help is greatly appreciated; here are the three logs:


    VundoFix V6.5.11

    Checking Java version...

    Java version is 1.5.0.2
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.7
    Old versions of java are exploitable and should be removed.

    Scan started at 11:17:35 PM 11/12/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ooeacc.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:51:52 PM, on 11/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    O2 - BHO: (no name) - {183807B8-BC07-48A2-8DAD-ABC96FA6C7A8} - C:\WINDOWS\SYSTEM32\hgghgdc.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: {0510f85d-05fb-8a98-e154-9ba0faa79d57} - {75d97aaf-0ab9-451e-89a8-bf50d58f0150} - C:\WINDOWS\system32\dmrmnpem.dll
    O2 - BHO: (no name) - {86D2214A-42AE-4582-9C8B-E339A9BFEAD0} - (no file)
    O2 - BHO: (no name) - {9B8CDB51-E8C6-40D7-9EC5-AFFC2EA6FCF4} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {AFD6662B-5ACD-454F-B6C1-F8162E183A17} - (no file)
    O2 - BHO: (no name) - {D4C11D05-A04F-4E70-B256-D40C33DB610B} - (no file)
    O2 - BHO: (no name) - {E3CC887F-30D1-43A1-9E7F-9D512D193149} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKLM\..\Run: [444ede73] rundll32.exe "C:\WINDOWS\system32\bhevgdpr.dll",b
    O4 - HKCU\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /M "Stylus CX4600" /EF "HKCU"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdcc...d/tgctlins.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
    O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/Sa.../WalletCab.CAB
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - http://epson.synovate.com/epson/setup.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096528277717
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175279986828
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...dwnldr_ext.cab
    O20 - Winlogon Notify: hgghgdc - C:\WINDOWS\
    O20 - Winlogon Notify: laaeydno - C:\WINDOWS\SYSTEM32\laaeydno.dll
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 7743 bytes

  2. #2
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    And the combofix log:

    ComboFix 07-11-08.1 - John 2007-11-12 23:34:32.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
    Running from: C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\9D2KF308\ComboFix[1].exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\John\Application Data\Sskdmns.dll
    C:\Documents and Settings\John\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\John\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\John\Favorites\Online Security Guide.lnk
    C:\Program Files\pslister
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\bang-006.ico
    C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\system32\laaeydno.dllbox
    C:\WINDOWS\system32\qtutv.bak1
    C:\WINDOWS\system32\qtutv.bak2
    C:\WINDOWS\system32\qtutv.ini
    C:\WINDOWS\system32\qtutv.ini2
    C:\WINDOWS\system32\qtutv.tmp
    C:\WINDOWS\system32\vtutq.dll
    C:\WINDOWS\system32\zxdnt3d.cfg

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
    .

    2007-11-12 23:33 145,984 --a------ C:\WINDOWS\system32\laaeydno.dll
    2007-11-12 23:33 145,984 --a------ C:\WINDOWS\system32\hxrsbxmd.dll
    2007-11-12 23:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-12 23:27 81,472 --a------ C:\WINDOWS\system32\dmrmnpem.dll
    2007-11-12 23:25 89,664 --a------ C:\WINDOWS\system32\bhevgdpr.dll
    2007-11-12 23:25 71,232 --a------ C:\WINDOWS\system32\hhexymqd.exe
    2007-11-12 23:17 <DIR> d-------- C:\VundoFix Backups
    2007-11-12 23:07 115,712 --a------ C:\Program Files\VundoFix.exe
    2007-11-12 22:31 <DIR> d-------- C:\PERepairData
    2007-11-12 22:31 <DIR> d-------- C:\Documents and Settings\John\Application Data\Spybot - Search & Destroy
    2007-11-12 22:02 81,472 --a------ C:\WINDOWS\system32\cciirvwm.dll
    2007-11-12 21:56 89,664 --a------ C:\WINDOWS\system32\ujosamca.dll
    2007-11-12 21:46 81,472 --a------ C:\WINDOWS\system32\gmugewdn.dll
    2007-11-12 21:32 81,472 --a------ C:\WINDOWS\system32\fpxkkfxt.dll
    2007-11-12 20:52 89,664 --a------ C:\WINDOWS\system32\ramdqvvh.dll
    2007-11-12 20:46 81,472 --a------ C:\WINDOWS\system32\hufyoaxo.dll
    2007-11-12 19:09 401,720 --a------ C:\Program Files\HiJackThis.exe
    2007-11-12 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-12 19:03 7,467,056 --a------ C:\Program Files\spybotsd15.exe
    2007-11-12 18:15 81,472 --a------ C:\WINDOWS\system32\ofkfsixs.dll
    2007-11-12 14:25 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-11-12 14:25 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-11-12 14:22 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-11-12 14:22 2,112,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-12 14:22 26,656 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-11-12 14:21 <DIR> d-------- C:\KAV
    2007-11-12 14:21 24,760,584 --a------ C:\kav7.0.0.125en.exe
    2007-11-12 02:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-12 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-12 01:40 6,021,960 --a------ C:\Program Files\Firefox Setup 2.0.0.9.exe
    2007-11-11 18:14 79,936 --a------ C:\WINDOWS\system32\fbftqulp.dll
    2007-11-02 00:46 <DIR> d-------- C:\WINFTP
    2007-10-27 17:49 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2007-10-27 17:49 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
    2007-10-16 01:27 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
    2007-10-16 01:27 <DIR> d-------- C:\Program Files\Replay Media Catcher

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-13 04:42 3,548 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-11-13 04:42 29,348 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-13 02:08 --------- d-----w C:\Documents and Settings\John\Application Data\BSplayer
    2007-11-13 00:10 7,826 ----a-w C:\Program Files\hijackthis.log
    2007-11-12 23:53 --------- d-----w C:\Program Files\America Online 9.0
    2007-11-12 23:53 --------- d-----w C:\Program Files\AIM
    2007-11-12 07:21 --------- d-----w C:\Documents and Settings\John\Application Data\OpenOffice.org2
    2007-11-11 08:01 --------- d-----w C:\Program Files\Poker Tracker V2
    2007-11-10 14:55 --------- d-----w C:\Program Files\PokerStars
    2007-11-08 08:56 --------- d-----w C:\Program Files\Full Tilt Poker
    2007-11-05 19:27 --------- d-----w C:\Program Files\Poker Tracker Omaha
    2007-10-22 05:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-16 07:08 --------- d-----w C:\Program Files\WMR11
    2007-10-16 06:38 --------- d-----w C:\Program Files\Windows Media Connect 2
    2007-09-25 10:53 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
    2007-09-25 10:53 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
    2007-09-25 10:51 4,301,387 ----a-w C:\Program Files\Shareaza_2.2.5.0.exe
    2007-09-25 10:51 --------- d-----w C:\Program Files\Shareaza
    2007-09-25 10:51 --------- d-----w C:\Documents and Settings\John\Application Data\Shareaza
    2007-09-23 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\sentinel
    2007-01-31 09:51 36,808,256 ----a-w C:\Program Files\iTunesSetup.exe
    2006-05-17 06:20 17 ----a-w C:\Program Files\d.bat
    2006-03-20 20:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}]
    C:\WINDOWS\SYSTEM32\hgghgdc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75d97aaf-0ab9-451e-89a8-bf50d58f0150}]
    2007-11-12 23:27 81472 --a------ C:\WINDOWS\system32\dmrmnpem.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86D2214A-42AE-4582-9C8B-E339A9BFEAD0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B8CDB51-E8C6-40D7-9EC5-AFFC2EA6FCF4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFD6662B-5ACD-454F-B6C1-F8162E183A17}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4C11D05-A04F-4E70-B256-D40C33DB610B}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3CC887F-30D1-43A1-9E7F-9D512D193149}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-10-25 18:58]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
    "444ede73"="C:\WINDOWS\system32\bhevgdpr.dll" [2007-11-12 23:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-11 00:10]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}"= C:\WINDOWS\SYSTEM32\hgghgdc.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghgdc]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\laaeydno]
    laaeydno.dll 2007-11-12 23:33 145984 C:\WINDOWS\system32\laaeydno.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtutq.dll
    "Notification Packages"= scecli scecli

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hhlugh.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hhlugh.exe
    backup=C:\WINDOWS\pss\hhlugh.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    backup=C:\WINDOWS\pss\svchost.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^taskmgr.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
    backup=C:\WINDOWS\pss\taskmgr.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ulxpk.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ulxpk.exe
    backup=C:\WINDOWS\pss\ulxpk.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^xxih.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xxih.exe
    backup=C:\WINDOWS\pss\xxih.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^AdDestroyer.lnk]
    path=C:\Documents and Settings\John\Start Menu\Programs\Startup\AdDestroyer.lnk
    backup=C:\WINDOWS\pss\AdDestroyer.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=C:\Documents and Settings\John\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=C:\Documents and Settings\John\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\444ede73]
    rundll32.exe "C:\WINDOWS\system32\jbqdwuhd.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
    C:\WINDOWS\v1201.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
    "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
    "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMFibula]
    "C:\Program Files\CMFibula\CMFibula.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cuqgdv]
    C:\WINDOWS\system32\cdmodx.exe reg_run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
    C:\\dfndrff_16.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
    C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
    C:\Program Files\DIGStream\digstream.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epcrmon]
    C:\Program Files\EPSON\epcrmon\epcrmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    C:\WINDOWS\system32\lwinlpex.exe GEN001

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
    C:\PROGRA~1\Web Offer\wo.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
    "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    C:\Program Files\Google\Google Talk\googletalk.exe /autostart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ikqz]
    C:\PROGRA~1\COMMON~1\ikqz\ikqzm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    C:\Program Files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
    C:\\kybrdff_16.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5200 series]
    "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    ???

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    Logi_MwX.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms051954811460]
    C:\WINDOWS\ms051954811460.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
    "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Narrator]
    C:\WINDOWS\system32\wwkiaw.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    C:\WINDOWS\System32\\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
    C:\\nwnmff_16.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2p networking]
    p2pnetworking.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
    "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSLister]
    "C:\Program Files\PSLister\PSLister.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    ???

  3. #3
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SESync]
    "C:\Program Files\SED\SED.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
    C:\Program Files\SurfSideKick 3\Ssk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
    C:\WINDOWS\Duce6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
    C:\PROGRA~1\VBouncer\VirtualBouncer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    "C:\Program Files\Save\Save.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsync]
    C:\WINDOWS\system32\wwkiaw.exe reg_run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlo]
    D:\Install\WorkFlow.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wqc17088]
    RUNDLL32.EXE wef50a50.dll,n 0041708400000003ef50a50

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wwffhzvA]
    C:\WINDOWS\wwffhzvA.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrwhf]
    C:\WINDOWS\system32\cdmodx.exe reg_run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "TrkWks"=2 (0x2)
    "iPod Service"=3 (0x3)
    "AOL ACS"=2 (0x2)

    R2 SetupNT;SetupNT;C:\WINDOWS\system32\SetupNT.sys
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\7b37f4c3-da65-492b-ae81-2981aed630f3]
    C:\WINDOWS\system32\hhqzih.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-12 23:43:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-12 23:45:47 - machine was rebooted
    .
    --- E O F ---

  4. #4
    Junior Member
    Join Date
    Nov 2007
    Posts
    4

    Someone please help! The pop-ups and other problems are getting worse.
