Google links redirecting to other sites

cornflake · Apr 24, 2008

Primary issue:
When I click on Google links, they usually automatically redirect to other sites. Also, I can't just use the Back button on the browser to go back unless I hit it twice in fast succession. I can usually make it to the intended site when I try again, though.

Secondary non-essential issue: (I assume this is easy to fix, sorry for such a dumb problem)
Also, I have many more files in my Internet history than I want. I tried to clear much of my history in different places, but a large number of files remain. I think these files greatly increase the time it takes to scan my system. How do I remove them?

Anyway, here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:44 PM, on 4/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f} - C:\WINDOWS\dqrgvmla.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [xohozyzw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xohozyzw.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sysinv] C:\WINDOWS\System32\sysinv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [WpOT0VnZ8y] C:\WINDOWS\ojevqxit.exe
O4 - HKLM\..\Policies\Explorer\Run: [ePJGyVnZ8y] C:\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://my.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7443 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 9:54:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 722707
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 853612
Number of viruses found: 15
Number of infected objects: 43
Number of suspicious objects: 4
Duration of the scan process: 17:53:15

Infected Object Name / Virus Name / Last Action
C:\184.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\184.tmp NSIS: infected - 1 skipped
C:\185.tmp/stream/data0002 Infected: not-a-virus

ownloader.Win32.Agent.q skipped
C:\185.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\185.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\185.tmp NSIS: infected - 3 skipped
C:\18A.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\18A.tmp NSIS: infected - 1 skipped
C:\18B.tmp/stream/data0002 Infected: not-a-virus

ownloader.Win32.Agent.q skipped
C:\18B.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\18B.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\18B.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe Infected: Trojan.Win32.Obfuscated.we skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1275OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\BatSetup.exe Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ismtpa15.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ismtpa15.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ismtpa15.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\msiexec.exe Infected: Trojan-Clicker.Win32.Agent.tg skipped
C:\Documents and Settings\Owner\Local Settings\Temp\syswcc32.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\syswcc32.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\syswcc32.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\syswcc32.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\syswcc32.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ZLT054da.TMP Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2VI9U9SL\qwoizlkhgf[1].html Infected: Trojan-Downloader.JS.Psyme.gy skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9RY7QLEN\1[1].exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9RY7QLEN\1[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C54TUBKX\qwoizlkhgf[1].html Infected: Trojan-Downloader.JS.Psyme.gy skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UHCT4PYV\marchjewelers[1].html Infected: Trojan-Clicker.HTML.IFrame.fh skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Bat\Bat.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP870\A0070458.exe Object is locked skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070483.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070503.exe Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070505.exe Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070507.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070509.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe/file36 Infected: not-a-virus

SWTool.Win32.PWDump.2 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe/file64 Infected: not-a-virus

SWTool.Win32.PWDump.d skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe/file65 Infected: not-a-virus

SWTool.Win32.PWDump.d skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe Inno: infected - 3 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070781.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP873\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\STUDY.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\000090.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\WINDOWS\system32\000090.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\WINDOWS\system32\000090.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\L4E02.tmp Infected: Trojan-Downloader.Win32.Small.uny skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba · Apr 24, 2008

Hi cornflake

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

cornflake · Apr 25, 2008

First of all, thank you so much for the help.

The ComboFix took a long time to run on my computer. I'd estimate a few hours. I presume this is due to the large number of files on my machine. As I mentioned, I think a large number of them are Internet files that I'd like to get rid of. The ComboFix finally ended OK.

Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:25 PM, on 4/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f} - C:\WINDOWS\dqrgvmla.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sysinv] C:\WINDOWS\System32\sysinv.exe
O4 - HKLM\..\Policies\Explorer\Run: [WpOT0VnZ8y] C:\WINDOWS\ojevqxit.exe
O4 - HKLM\..\Policies\Explorer\Run: [ePJGyVnZ8y] C:\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://my.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7225 bytes

ComboFix 08-04-22.5 - Owner 2008-04-24 11:58:26.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\PerfInfo
C:\WINDOWS\system32\000090.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 03:29 . 2003-02-20 14:01 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-24 03:29 . 2003-02-20 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-04-24 03:29 . 2003-02-21 11:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-24 03:29 . 2003-02-20 13:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-04-24 03:29 . 2003-02-20 14:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-24 03:29 . 2003-02-20 13:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-24 03:29 . 2008-04-24 03:29 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-24 03:29 . 2008-04-24 12:54 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 22:43 . 2008-04-23 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 22:09 . 2008-04-23 22:09 94,208 --a------ C:\WINDOWS\system32\kdetgdst.exe
2008-04-23 01:56 . 2008-04-23 01:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-23 01:56 . 2008-04-23 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 00:32 . 2008-04-23 00:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 00:32 . 2008-04-23 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 23:47 . 2008-04-20 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-20 23:46 . 2008-04-20 23:46 <DIR> d-------- C:\WINDOWS\mgwwgmke
2008-04-20 23:46 . 2008-04-20 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ohmjelyv
2008-04-20 23:45 . 2008-04-20 23:45 192,512 --a------ C:\WINDOWS\narytwji.dll
2008-04-20 23:45 . 2008-04-20 23:45 65,024 --a------ C:\WINDOWS\dqrgvmla.dll
2008-04-20 23:45 . 2008-04-20 23:45 65,024 --a------ C:\Documents and Settings\All Users\Application Data\xohozyzw.dll
2008-04-20 15:11 . 2008-04-23 00:16 <DIR> d-------- C:\Program Files\Bat
2008-04-20 15:10 . 2008-04-20 15:10 8,268 --a------ C:\WINDOWS\system32\L4E02.tmp
2008-04-20 15:10 . 2008-04-20 15:10 398 --a------ C:\WINDOWS\system32\L5499.tmp
2008-04-20 15:10 . 2008-04-20 15:10 398 --a------ C:\WINDOWS\system32\L53DE.tmp
2008-04-20 15:10 . 2008-04-20 15:10 398 --a------ C:\WINDOWS\system32\L52A5.tmp
2008-04-20 15:10 . 2008-04-20 15:10 398 --a------ C:\WINDOWS\system32\L5025.tmp
2008-04-08 23:50 . 2008-04-08 23:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 23:50 . 2008-04-08 23:50 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 13:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-18 17:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-09 16:04 --------- d-----w C:\Program Files\MySpace
2008-04-09 05:26 2,622,976 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2008-04-09 05:26 2,621,440 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2008-01-29 17:51 2,700,288 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2008-01-29 17:51 2,600,448 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2007-05-21 03:52 6,181,783 ----a-w C:\Documents and Settings\Application Data\win2k_xp14103.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}]
2008-04-20 23:45 65024 --a------ C:\WINDOWS\dqrgvmla.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 17:18 1670144]
"sysinv"="C:\WINDOWS\System32\sysinv.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 10:01 155648]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"nwiz"="nwiz.exe" [2002-09-10 01:35 372736 C:\WINDOWS\system32\nwiz.exe]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 20:40 1197648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 11:22 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42 267064]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-03 10:21 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe [2003-07-30 22:55:02 623720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"WpOT0VnZ8y"= C:\WINDOWS\ojevqxit.exe
"ePJGyVnZ8y"= C:\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidBlaster]
C:\Program Files\RapidBlaster\rb32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2002-11-26 20:14 131072 C:\Program Files\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\System32\Drivers\ubVeo532.sys [2002-07-01 19:30]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 14:32:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-24 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 14:00:04 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 16:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 17:00:03 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 18:00:03 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 19:00:03 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 21:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-23 22:00:04 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-23 23:00:05 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 00:00:04 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 01:00:05 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 03:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 05:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 06:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 07:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 08:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 09:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 10:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 11:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 12:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 13:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 14:00:05 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 15:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 16:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 17:00:04 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 18:00:04 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 19:00:04 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 20:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 21:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-23 22:00:04 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-23 23:00:06 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 00:00:05 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 01:00:06 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 02:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 03:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 04:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 15:52:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-24 16:00:25
ComboFix-quarantined-files.txt 2008-04-24 21:00:21

Pre-Run: 23,759,147,008 bytes free
Post-Run: 45,825,675,264 bytes free

212 --- E O F --- 2007-11-26 03:56:04

Shaba · Apr 25, 2008

Hi

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
C:\WINDOWS\system32\kdetgdst.exe
C:\WINDOWS\narytwji.dll
C:\WINDOWS\dqrgvmla.dll
C:\Documents and Settings\All Users\Application Data\xohozyzw.dll
C:\WINDOWS\system32\L4E02.tmp
C:\WINDOWS\system32\L5499.tmp
C:\WINDOWS\system32\L53DE.tmp
C:\WINDOWS\system32\L52A5.tmp
C:\WINDOWS\system32\L5025.tmp

Folder::
C:\Program Files\Bat
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\mgwwgmke
C:\Documents and Settings\All Users\Application Data\ohmjelyv

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysinv"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"WpOT0VnZ8y"=-
"ePJGyVnZ8y"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidBlaster]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

cornflake · Apr 25, 2008

Thank you so much for spending the time to help me.
Here are the logs.

ComboFix 08-04-22.5 - Owner 2008-04-25 11:18:36.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\xohozyzw.dll
C:\WINDOWS\dqrgvmla.dll
C:\WINDOWS\narytwji.dll
C:\WINDOWS\system32\kdetgdst.exe
C:\WINDOWS\system32\L4E02.tmp
C:\WINDOWS\system32\L5025.tmp
C:\WINDOWS\system32\L52A5.tmp
C:\WINDOWS\system32\L53DE.tmp
C:\WINDOWS\system32\L5499.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ohmjelyv
C:\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\All Users\Application Data\xohozyzw.dll
C:\Program Files\Bat
C:\Program Files\Bat\Bat.dll
C:\WINDOWS\dqrgvmla.dll
C:\WINDOWS\mgwwgmke
C:\WINDOWS\mgwwgmke\1.png
C:\WINDOWS\mgwwgmke\2.png
C:\WINDOWS\mgwwgmke\3.png
C:\WINDOWS\mgwwgmke\4.png
C:\WINDOWS\mgwwgmke\5.png
C:\WINDOWS\mgwwgmke\6.png
C:\WINDOWS\mgwwgmke\7.png
C:\WINDOWS\mgwwgmke\8.png
C:\WINDOWS\mgwwgmke\9.png
C:\WINDOWS\mgwwgmke\bottom-rc.gif
C:\WINDOWS\mgwwgmke\config.png
C:\WINDOWS\mgwwgmke\content.png
C:\WINDOWS\mgwwgmke\download.gif
C:\WINDOWS\mgwwgmke\frame-bg.gif
C:\WINDOWS\mgwwgmke\frame-bottom-left.gif
C:\WINDOWS\mgwwgmke\frame-h1bg.gif
C:\WINDOWS\mgwwgmke\head.png
C:\WINDOWS\mgwwgmke\icon.png
C:\WINDOWS\mgwwgmke\indexwp.html
C:\WINDOWS\mgwwgmke\main.css
C:\WINDOWS\mgwwgmke\memory-prots.png
C:\WINDOWS\mgwwgmke\net.png
C:\WINDOWS\mgwwgmke\pc-mag.gif
C:\WINDOWS\mgwwgmke\pc.gif
C:\WINDOWS\mgwwgmke\poloska1.png
C:\WINDOWS\mgwwgmke\poloska2.png
C:\WINDOWS\mgwwgmke\poloska3.png
C:\WINDOWS\mgwwgmke\promowp1.html
C:\WINDOWS\mgwwgmke\promowp2.html
C:\WINDOWS\mgwwgmke\promowp3.html
C:\WINDOWS\mgwwgmke\promowp4.html
C:\WINDOWS\mgwwgmke\promowp5.html
C:\WINDOWS\mgwwgmke\reg.png
C:\WINDOWS\mgwwgmke\repair.png
C:\WINDOWS\mgwwgmke\scr-1.png
C:\WINDOWS\mgwwgmke\scr-2.png
C:\WINDOWS\mgwwgmke\start.png
C:\WINDOWS\mgwwgmke\styles.css
C:\WINDOWS\mgwwgmke\Thumbs.db
C:\WINDOWS\mgwwgmke\top-rc.gif
C:\WINDOWS\mgwwgmke\vline.gif
C:\WINDOWS\mgwwgmke\wp.png
C:\WINDOWS\narytwji.dll
C:\WINDOWS\system32\L5025.tmp
C:\WINDOWS\system32\L52A5.tmp
C:\WINDOWS\system32\L53DE.tmp
C:\WINDOWS\system32\L5499.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 03:29 . 2003-02-20 14:01 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-24 03:29 . 2003-02-20 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2008-04-24 03:29 . 2003-02-21 11:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-24 03:29 . 2003-02-20 13:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-04-24 03:29 . 2003-02-20 14:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-24 03:29 . 2003-02-20 13:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-24 03:29 . 2008-04-24 03:29 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-24 03:29 . 2008-04-24 12:54 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 22:43 . 2008-04-23 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 01:56 . 2008-04-23 01:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-23 01:56 . 2008-04-23 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 00:32 . 2008-04-23 00:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 00:32 . 2008-04-23 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 23:50 . 2008-04-08 23:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 23:50 . 2008-04-08 23:50 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 13:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-18 17:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-09 16:04 --------- d-----w C:\Program Files\MySpace
2008-04-09 05:26 2,622,976 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2008-04-09 05:26 2,621,440 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2008-01-29 17:51 2,700,288 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2008-01-29 17:51 2,600,448 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2007-05-21 03:52 6,181,783 ----a-w C:\Documents and Settings\Application Data\win2k_xp14103.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_15.59.55.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 16:50:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 21:19:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-09 16:01:16 46,284 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-24 21:22:32 46,284 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-09 16:01:16 365,406 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-24 21:22:32 365,406 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 17:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 10:01 155648]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"nwiz"="nwiz.exe" [2002-09-10 01:35 372736 C:\WINDOWS\system32\nwiz.exe]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 20:40 1197648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 11:22 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42 267064]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-03 10:21 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe [2003-07-30 22:55:02 623720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2002-11-26 20:14 131072 C:\Program Files\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\System32\Drivers\ubVeo532.sys [2002-07-01 19:30]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 14:32:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 14:00:04 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 16:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 17:00:03 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 18:00:03 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 19:00:03 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 21:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 22:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 23:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 00:00:04 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 01:00:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 03:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 05:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 06:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 07:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 08:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 09:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 10:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 11:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 12:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 13:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 14:00:04 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 15:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 16:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 17:00:04 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 18:00:04 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 19:00:04 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-24 20:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 21:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 22:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 23:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 00:00:05 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 01:00:01 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 02:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 03:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-25 04:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\System32\eCYwfJU5.exe
"2008-04-24 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
"2008-04-25 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\6Rq4TVqN.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 11:32:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-25 11:39:34
ComboFix-quarantined-files.txt 2008-04-25 16:39:17
ComboFix2.txt 2008-04-24 21:00:26

Pre-Run: 45,763,796,992 bytes free
Post-Run: 45,794,000,896 bytes free

266 --- E O F --- 2007-11-26 03:56:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:53 AM, on 4/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://my.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6898 bytes

Shaba · Apr 25, 2008

Hi

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\System32\6Rq4TVqN.exe

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

cornflake · Apr 25, 2008

Done.

C:\WINDOWS\Tasks\At1.job moved successfully.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At12.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At2.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.
C:\WINDOWS\Tasks\At25.job moved successfully.
C:\WINDOWS\Tasks\At26.job moved successfully.
C:\WINDOWS\Tasks\At27.job moved successfully.
C:\WINDOWS\Tasks\At28.job moved successfully.
C:\WINDOWS\Tasks\At29.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At30.job moved successfully.
C:\WINDOWS\Tasks\At31.job moved successfully.
C:\WINDOWS\Tasks\At32.job moved successfully.
C:\WINDOWS\Tasks\At33.job moved successfully.
C:\WINDOWS\Tasks\At34.job moved successfully.
C:\WINDOWS\Tasks\At35.job moved successfully.
C:\WINDOWS\Tasks\At36.job moved successfully.
C:\WINDOWS\Tasks\At37.job moved successfully.
C:\WINDOWS\Tasks\At38.job moved successfully.
C:\WINDOWS\Tasks\At39.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At40.job moved successfully.
C:\WINDOWS\Tasks\At41.job moved successfully.
C:\WINDOWS\Tasks\At42.job moved successfully.
C:\WINDOWS\Tasks\At43.job moved successfully.
C:\WINDOWS\Tasks\At44.job moved successfully.
C:\WINDOWS\Tasks\At45.job moved successfully.
C:\WINDOWS\Tasks\At46.job moved successfully.
C:\WINDOWS\Tasks\At47.job moved successfully.
C:\WINDOWS\Tasks\At48.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.
File/Folder C:\WINDOWS\System32\6Rq4TVqN.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04252008_124804

Shaba · Apr 25, 2008

Hi

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\

Delete these:

C:\184.tmp
C:\185.tmp
C:\18A.tmp
C:\18B.tmp

Empty Recycle Bin.

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

cornflake · Apr 26, 2008

Thanks again! Here they are:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:37 PM, on 4/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://my.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6852 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 7:57:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/04/2008
Kaspersky Anti-Virus database records: 725500
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 80032
Number of viruses found: 8
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 02:31:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008042520080426\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\ohmjelyv\ixmfmzgx.exe.vir Infected: Trojan.Win32.Obfuscated.we skipped
C:\QooBox\Quarantine\C\Program Files\Bat\Bat.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP870\A0070458.exe Object is locked skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070483.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070503.exe Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070505.exe Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070507.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070508.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP871\A0070509.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe/file36 Infected: not-a-virus

SWTool.Win32.PWDump.2 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe/file64 Infected: not-a-virus

SWTool.Win32.PWDump.d skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe/file65 Infected: not-a-virus

SWTool.Win32.PWDump.d skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070764.exe Inno: infected - 3 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP872\A0070781.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP875\A0070914.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP875\A0070914.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP875\A0070914.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP875\A0070961.exe Object is locked skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP876\A0070970.exe Infected: Trojan.Win32.Obfuscated.we skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP876\A0070971.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP876\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\STUDY.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9A79662F-FAA3-4C1F-B03A-F3159142A4E9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT01be2.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP876\change.log Object is locked skipped

Scan process completed.

Shaba · Apr 26, 2008

Hi

Empty this folder:

C:\QooBox\Quarantine

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?

cornflake · Apr 26, 2008

No other problems that I know of. In this infection I had, did I have anything that could have been stealing passwords? Just wondering.

Shaba,
Thank you so much for all of the help you've given me. Plus, being an American that doesn't get out much (at all), I've been bragging to my family that someone all the way from Finland has been helping me fix my computer. That may seem trivial, but it's pretty cool to me. Anyway, the main thing is a big thank you, though. This has really been appreciated!

Marvin

Shaba · Apr 26, 2008

Hi

No there was no such malware present.

Any other concerns left?

Shaba · May 1, 2008

Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

Google links redirecting to other sites

cornflake

New member

Shaba

Security Expert: Emeritus

cornflake

New member

Shaba

Security Expert: Emeritus

cornflake

New member

Shaba

Security Expert: Emeritus

cornflake

New member

Shaba

Security Expert: Emeritus

cornflake

New member

Shaba

Security Expert: Emeritus

cornflake

New member

Shaba

Security Expert: Emeritus

Shaba

Security Expert: Emeritus