Smitfraud Strikes Again!

C

craigbert

New member
I see from the forum threads that smitfraud has caused a great deal of trouble. I'm quite a novice at much of this, but I've managed to acquire hjt which seems to be a tool used by those more skilled in the way of malware removal. I'm pretty sure that I followed the "Before You Post" steps, but please accept my humble apologies if I missed a step (or two).

Logfile of HijackThis v1.99.1
Scan saved at 6:27:06 PM, on

6/5/2007
Platform: Windows XP SP1 (WinNT

5.01.2600)
MSIE: Internet Explorer v6.00 SP1

(6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust

Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust

Antivirus\InoRT.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust

Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program

Files\Canon\CAL\CALMAIN.exe
C:\Program

Files\Java\j2re1.4.2_03\bin\jusche

d.exe
C:\WINDOWS\System32\spool\DRIVERS\

W32X86\3\E_FATI9AA.EXE
C:\Program

Files\NETGEAR\WG511SCU\Utility\Gea

r511.exe
C:\Program

Files\QuickTime\qttask.exe
C:\Program

Files\iTunes\iTunesHelper.exe
C:\Program

Files\WinTouch\WinTouch.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\Documents and Settings\All

Users\Application

Data\claruxeb.exe
C:\Program

Files\iPod\bin\iPodService.exe
C:\Program Files\Common

Files\{D06C0CCE-069E-1033-0515-030

210020001}\Update.exe
C:\DOCUME~1\cabarber\MYDOCU~1\MANT

EC~1\arpa.exe
C:\Program

Files\?dobe\??erinit.exe
C:\Program

Files\Google\GoogleToolbarNotifier

\GoogleToolbarNotifier.exe
C:\Program Files\Internet

Explorer\iexplore.exe
C:\Program Files\Microsoft

Money\System\urlmap.exe
C:\Program

Files\HijackThis\HijackThis.exe

R1 -

HKCU\Software\Microsoft\Windows\Cu

rrentVersion\Internet

Settings,ProxyServer =

http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143

SafeWeb.com
O1 - Hosts: 204.244.184.143

WWW.SafeWeb.com
O3 - Toolbar: EPSON Web-To-Page -

{EE5D279F-081B-4404-994D-C6B60AAEB

A6D} - C:\Program

Files\EPSON\EPSON

Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio -

{8E718888-423F-11D2-876E-00A0C9082

467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google -

{2318C2B1-4965-11d4-9B18-009027A5C

D4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange]

Ati2mdxx.exe
O4 - HKLM\..\Run: [DM_Server]

C:\PROGRA~1\COMETS~1\DM\bin\dmserv

er.exe /onreboot
O4 - HKLM\..\Run:

[SunJavaUpdateSched] C:\Program

Files\Java\j2re1.4.2_03\bin\jusche

d.exe
O4 - HKLM\..\Run: [EPSON Stylus

CX4600 Series]

C:\WINDOWS\System32\spool\DRIVERS\

W32X86\3\E_FATI9AA.EXE /P26 "EPSON

Stylus CX4600 Series" /O6 "USB001"

/M "Stylus CX4600"
O4 - HKLM\..\Run:

[MoneyStartUp10.0] "C:\Program

Files\Microsoft

Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime

Monitor]

C:\PROGRA~1\CA\ETRUST~1\realmon.ex

e -s
O4 - HKLM\..\Run: [AS00_Gear511]

C:\Program

Files\NETGEAR\WG511SCU\Utility\Gea

r511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Program

Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [iTunesHelper]

"C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinTouch]

C:\Program

Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w]

C:\WINDOWS\nqxux.exe
O4 - HKLM\..\Run: [MsgCenterExe]

"C:\Program Files\Common

Files\Real\Update_OB\RealOneMessag

eCenter.exe" -osboot
O4 - HKLM\..\Run: [Configuration

Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms065202-79822]

C:\WINDOWS\ms065202-79822.exe
O4 - HKLM\..\Run: [avp]

C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager]

smanager.7.exe
O4 - HKLM\..\Run: [claruxeb.exe]

C:\Documents and Settings\All

Users\Application

Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc]

rundll32.exe

"C:\WINDOWS\System32\vvfmfbdu.dll"

,realset
O4 - HKCU\..\Run: [rfiq]

C:\Program Files\Common

Files\rfiq\rfiqm.exe
O4 - HKCU\..\Run: [Bsnp]

"C:\DOCUME~1\cabarber\MYDOCU~1\MAN

TEC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Rlbwn]

"C:\Program

Files\?dobe\??erinit.exe"
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier

\GoogleToolbarNotifier.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: Microsoft

Office.lnk = C:\Program

Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL

Toolbar search - res://C:\Program

Files\AOL

Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item:

E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office1

0\EXCEL.EXE/3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608

501} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi1

42_03.dll
O9 - Extra 'Tools' menuitem: Sun

Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608

501} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi1

42_03.dll
O9 - Extra button: Related -

{c95fe080-8f5d-11d2-a20b-00aa003c1

57a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show

&Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c1

57a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide -

{E023F504-0C5A-4750-A1E7-A9046DEA8

A21} - C:\Program Files\Microsoft

Money\System\mnyviewer.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795

683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem:

Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795

683} - C:\Program

Files\Messenger\MSMSGS.EXE
O16 - DPF:

{17492023-C23A-453E-A040-C7C580BBF

700} (Windows Genuine Advantage

Validation Tool) -

http://go.microsoft.com/fwlink/?li

nkid=39204
O16 - DPF:

{197AB1D7-A7DD-4C86-A938-1FCC0DB21

B85} (DMProxyCtl Class) -

http://dm.cometsystems.com/dm/dm_2

99.cab
O16 - DPF:

{406B5949-7190-4245-91A9-30A17DE16

AD0} (Snapfish Activia) -

http://photo.walgreens.com/Walgree

nsActivia.cab
O16 - DPF:

{56336BCB-3D8A-11D6-A00B-0050DA18D

E71} -

http://software-dl.real.com/0550bf

c4151e9abf8005/netzip/RdxIE601.cab
O16 - DPF:

{5F8469B4-B055-49DD-83F7-62B522420

ECC} (Facebook Photo Uploader

Control) -

http://upload.facebook.com/control

s/FacebookPhotoUploader.cab
O16 - DPF:

{6414512B-B978-451D-A0D8-FCFDF33E8

33C} (WUWebControl Class) -

http://update.microsoft.com/micros

oftupdate/v6/V5Controls/en/x86/cli

ent/wuweb_site.cab?1170342936513
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA91D2

FC3} (MUWebControl Class) -

http://update.microsoft.com/micros

oftupdate/v6/V5Controls/en/x86/cli

ent/muweb_site.cab?1170342889225
O16 - DPF:

{A18962F6-E6ED-40B1-97C9-1FB36F38B

FA8} (Aurigma Image Uploader 3.5

Control) -

http://www.mpix.com/Customer/Uploa

ding/activex/ImageUploader3.cab
O17 -

HKLM\System\CCS\Services\Tcpip\Par

ameters: Domain =

student.secollege
O17 - HKLM\Software\..\Telephony:

DomainName = student.secollege
O17 -

HKLM\System\CS1\Services\Tcpip\Par

ameters: Domain =

student.secollege
O17 -

HKLM\System\CS2\Services\Tcpip\Par

ameters: Domain =

student.secollege
O17 -

HKLM\System\CS3\Services\Tcpip\Par

ameters: Domain =

student.secollege
O23 - Service: Ati HotKey Poller -

Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe

(file missing)
O23 - Service: Canon Camera Access

Library 8 (CCALib8) - Canon Inc. -

C:\Program

Files\Canon\CAL\CALMAIN.exe
O23 - Service: Client IP-IPX -

Unknown owner - ".exe (file

missing)
O23 - Service: Google Updater

Service (gusvc) - Google -

C:\Program

Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table

Manager (IDriverT) - Macrovision

Corporation - C:\Program

Files\Common

Files\InstallShield\Driver\11\Inte

l 32\IDriverT.exe
O23 - Service: eTrust Antivirus

RPC Server (InoRPC) - Computer

Associates International, Inc. -

C:\Program Files\CA\eTrust

Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus

Realtime Server (InoRT) - Computer

Associates International, Inc. -

C:\Program Files\CA\eTrust

Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus

Job Server (InoTask) - Computer

Associates International, Inc. -

C:\Program Files\CA\eTrust

Antivirus\InoTask.exe
O23 - Service: iPod Service -

Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown

owner - C:\WINDOWS\dls0523pmw.exe

(file missing)
 
Hi,

Above log is impossible to read... so, in notepad:
On top, click Format >uncheck Word Wrap

Then, Can you rename Hijackthis.exe to Analyse.exe
Then scan with Analyse.exe and post the log in your next reply (which will be a hijackthislog ofcourse)
 
reformatted hjt log

:oops: I followed your instructions. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 11:30:15 PM, on 6/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\claruxeb.exe
C:\Program Files\Common Files\{D06C0CCE-069E-1033-0515-030210020001}\Update.exe
C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe
C:\Program Files\?dobe\??erinit.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\DOCUME~1\cabarber\LOCALS~1\Temp\powermon.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Analyse.exe
C:\Program Files\Microsoft Money\System\urlmap.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F69073C-B3B4-49C9-8982-8CD2459EBE37} - C:\WINDOWS\System32\qoppn.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\System32\wvusstr.dll
O2 - BHO: (no name) - {64E8A742-438D-1871-A340-68E33A9FAA9B} - C:\WINDOWS\System32\hftvumc.dll (file missing)
O2 - BHO: (no name) - {75579BE8-67D0-4BF3-A053-234FDCC4A1B5} - C:\WINDOWS\System32\ptkytpiy.dll
O2 - BHO: (no name) - {87E6D82C-77B8-47AF-800C-6985C50A9034} - \
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBDD0576-41DD-44FA-AC8F-474A3928FEDB} - C:\WINDOWS\System32\efeec.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\dnsersnd.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\System32\pouknoth.dll
O2 - BHO: (no name) - {E0011D1B-A2F5-DF5F-D909-FEADD9932092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: (no name) - {E1011D6E-A2F5-AF5C-D907-8CADDE972092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: 0 - {E383D2E5-017F-4E15-52A7-694FDB691A15} - C:\Program Files\Internet Explorer\laduxa.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\nqxux.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms065202-79822] C:\WINDOWS\ms065202-79822.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [claruxeb.exe] C:\Documents and Settings\All Users\Application Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\vvfmfbdu.dll",realset
O4 - HKLM\..\Run: [j5201931] rundll32 C:\WINDOWS\System32\j5201931.dll sook
O4 - HKCU\..\Run: [rfiq] C:\Program Files\Common Files\rfiq\rfiqm.exe
O4 - HKCU\..\Run: [Bsnp] "C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Rlbwn] "C:\Program Files\?dobe\??erinit.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_299.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0550bfc4151e9abf8005/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170342936513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170342889225
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\Software\..\Telephony: DomainName = student.secollege
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.secollege
O20 - Winlogon Notify: efeec - C:\WINDOWS\System32\efeec.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\SYSTEM32\winfvj32.dll
O20 - Winlogon Notify: wvusstr - C:\WINDOWS\SYSTEM32\wvusstr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
 
Hi,

Perform next steps in the right order please..

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

WinTouch
Owlforce
TSA
Think Adz
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.

Reboot when done! Really important!

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: (no name) - {0F69073C-B3B4-49C9-8982-8CD2459EBE37} - C:\WINDOWS\System32\qoppn.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\System32\wvusstr.dll
O2 - BHO: (no name) - {64E8A742-438D-1871-A340-68E33A9FAA9B} - C:\WINDOWS\System32\hftvumc.dll (file missing)
O2 - BHO: (no name) - {75579BE8-67D0-4BF3-A053-234FDCC4A1B5} - C:\WINDOWS\System32\ptkytpiy.dll
O2 - BHO: (no name) - {87E6D82C-77B8-47AF-800C-6985C50A9034} - \
O2 - BHO: (no name) - {BBDD0576-41DD-44FA-AC8F-474A3928FEDB} - C:\WINDOWS\System32\efeec.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\dnsersnd.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\System32\pouknoth.dll
O2 - BHO: (no name) - {E0011D1B-A2F5-DF5F-D909-FEADD9932092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: (no name) - {E1011D6E-A2F5-AF5C-D907-8CADDE972092} - C:\WINDOWS\System32\huphs.dll
O2 - BHO: 0 - {E383D2E5-017F-4E15-52A7-694FDB691A15} - C:\Program Files\Internet Explorer\laduxa.dll
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\nqxux.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms065202-79822] C:\WINDOWS\ms065202-79822.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [claruxeb.exe] C:\Documents and Settings\All Users\Application Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\vvfmfbdu.dll",realset
O4 - HKLM\..\Run: [j5201931] rundll32 C:\WINDOWS\System32\j5201931.dll sook
O4 - HKCU\..\Run: [rfiq] C:\Program Files\Common Files\rfiq\rfiqm.exe
O4 - HKCU\..\Run: [Bsnp] "C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Rlbwn] "C:\Program Files\?dobe\??erinit.exe"
O4 - Startup: TA_Start.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_299.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0550bfc4...p/RdxIE601.cab
O20 - Winlogon Notify: winfvj32 - C:\WINDOWS\SYSTEM32\winfvj32.dll
O20 - Winlogon Notify: wvusstr - C:\WINDOWS\SYSTEM32\wvusstr.dll
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
 
Followed steps with some questions

When I tried to uninstall WinTouch (that was the only one I noticed in the add/remove programs list) I received the following error:

C:\PROGRA~1\WinTouch\WTUNIN~1.EXE
The NTVDM CPU has encountered an illegal instruction.
CS: 0dd3 IP:0135 OP:63 65 69 76 65 Choose ‘close’ to terminate the application

with the options “Close” or Ignore”

I tried clicking "close" and "ignore" with the intent of using add/remove programs to uninstall but it didn't seem to work... Should I try it again?

Combofix log:
"cabarber" - 2007-06-07 12:49:31 Service Pack 1 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\cabarber\Desktop\"


Unable to gain System Privileges

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cexgafyt.dll
C:\WINDOWS\system32\hpfmusqv.dll
C:\WINDOWS\system32\pouknoth.dll
C:\WINDOWS\system32\ptkytpiy.dll
C:\WINDOWS\system32\winfvj32.dll
C:\WINDOWS\system32\ceefe.bak1
C:\WINDOWS\system32\ceefe.bak2
C:\WINDOWS\system32\ceefe.ini
C:\WINDOWS\system32\ceefe.bak1
C:\WINDOWS\system32\ceefe.bak2
C:\WINDOWS\system32\ceefe.ini
C:\WINDOWS\system32\efeec.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\12482976.exe
C:\75336680.exe
C:\DOCUME~1\cabarber\APPLIC~1.\.rdr.ini
C:\DOCUME~1\cabarber\MYDOCU~1\MANTEC~1
C:\DOCUME~1\cabarber\MYDOCU~1\YMBOLS~1
C:\Program Files\Common Files\{306C0~1
C:\Program Files\Common Files\{306C0~1\Bar888.dll
C:\Program Files\Common Files\{306C0~1\UnInstall.exe
C:\Program Files\Common Files\{D06C0~1
C:\Program Files\Common Files\{D06C0~1\Update.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\Internet Explorer\promymy.html
C:\Program Files\YSTEM3~1
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\avp.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\Duce6.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu11.exe
C:\WINDOWS\sammy3.exe
C:\WINDOWS\Setup89.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\SSEMBL~1
C:\WINDOWS\stub_mma1.exe
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\dlltk67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\d5ll.exe
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\uninst108.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\Client IP-IPX
-------\core
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-07 12:56 58,420 --a------ C:\WINDOWS\system32\nrwgwerm.dll
2007-06-07 12:53 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\evgnctuj.exe
2007-06-07 12:52 93,696 --a------ C:\WINDOWS\system32\drvwiv.dll
2007-06-07 12:52 33,302 --a------ C:\WINDOWS\system32\qomjhhg.dll
2007-06-07 12:44 131,124 --a------ C:\WINDOWS\system32\lgppkbmk.dll
2007-06-05 21:51 14,868 --a------ C:\WINDOWS\system32\ceachgac.exe
2007-06-05 21:51 10,752 --a------ C:\WINDOWS\system32\j5201931.dll
2007-06-05 20:20 33,302 --a------ C:\WINDOWS\system32\yaywxxw.dll
2007-06-05 15:52 <DIR> d-------- C:\DOCUME~1\cabarber\APPLIC~1\Lavasoft
2007-06-05 15:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 15:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-05 15:44 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-05 15:44 <DIR> d-------- C:\Program Files\Safer Networking
2007-06-05 13:13 <DIR> d-------- C:\SafetyTools
2007-06-04 22:25 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-06-04 21:36 2,580 --a------ C:\WINDOWS\system32\ujptxyhf.exe
2007-06-04 21:34 131,124 --a------ C:\WINDOWS\system32\vvfmfbdu.dll
2007-06-04 21:28 93,696 --a------ C:\WINDOWS\system32\drvmun.dll
2007-06-04 21:28 33,302 --a------ C:\WINDOWS\system32\rqroonl.dll
2007-06-03 16:01 93,696 --a------ C:\WINDOWS\system32\drvwag.dll
2007-06-03 16:01 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
2007-06-03 16:00 33,302 --a------ C:\WINDOWS\system32\wvusstr.dll
2007-06-03 14:53 <DIR> d-------- C:\VundoFix Backups
2007-06-03 14:39 2,580 --a------ C:\WINDOWS\system32\hhuxdkmn.exe
2007-06-03 12:30 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-05-30 10:44 93,696 --a------ C:\WINDOWS\system32\drvdam.dll
2007-05-30 10:44 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-05-30 10:43 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-30 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-30 10:42 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-30 10:41 <DIR> d-------- C:\Program Files\Ofb11
2007-05-30 10:40 46,592 --a------ C:\WINDOWS\bxhxxae.exe
2007-05-30 10:40 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-05-30 10:40 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-30 10:40 <DIR> d-------- C:\WINDOWS\system32\T5QaSQ
2007-05-30 10:40 <DIR> d-------- C:\Temp
2007-05-28 18:01 60,928 --a------ C:\WINDOWS\system32\huphs.dll
2007-05-19 12:35 <DIR> d-------- C:\DOCUME~1\cabarber\G2IP
2007-05-18 18:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-05-18 15:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-15 22:50 <DIR> d-------- C:\Program Files\WinTouch


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 19:39:49 -------- d-----w C:\Program Files\Yahoo!
2007-06-05 03:24:06 -------- d-----w C:\Program Files\Messenger
2007-06-01 13:56:48 -------- d-----w C:\Program Files\Audacity
2007-05-28 22:01:26 -------- d-----w C:\Program Files\?dobe
2007-05-18 22:42:29 -------- d-----w C:\Program Files\Common Files\Real
2007-05-01 23:59:07 -------- d-----w C:\DOCUME~1\cabarber\APPLIC~1\Google
2007-05-01 20:05:41 -------- d-----w C:\Program Files\Google
2007-05-01 01:14:19 -------- d-----w C:\Program Files\Kodak
2007-04-08 16:17:32 -------- d-----w C:\Program Files\Common Files\rfiq
2007-04-06 19:27:01 139,264 ----a-w C:\TTC.dll
2007-03-29 15:04:04 5,171,867 ----a-w C:\WINDOWS\system32\WBLog.dat
2007-03-23 16:29:06 1,426 ----a-w C:\WINDOWS\system32\Wbconf.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{54CBB12C-3481-4C5D-942D-4976C0F0A406}=C:\WINDOWS\system32\wvusstr.dll [2007-06-03 16:00]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-01 16:05]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-28 11:45]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\System32\nrwgwerm.dll [2007-06-07 12:56]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}=C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2004-02-10 15:08]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 11:00]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"@"="" []
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 15:14]
"SYSWB6"="SYSWB6" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2007-05-18 18:41]
"evgnctuj.exe"="C:\Documents and Settings\All Users\Application Data\evgnctuj.exe" [2007-06-07 12:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 11:45]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\promymy.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54CBB12C-3481-4C5D-942D-4976C0F0A406}"="C:\WINDOWS\system32\wvusstr.dll" [2007-06-03 16:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusstr]
wvusstr.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-17 22:27:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-03-06 08:27:55 C:\WINDOWS\tasks\Disk Cleanup.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 13:13:46
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 13:17:38
C:\ComboFix-quarantined-files.txt ... 2007-06-07 13:17

--- E O F ---

New HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 13:23, on 2007-06-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\evgnctuj.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\Analyse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\wvusstr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\nrwgwerm.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [evgnctuj.exe] C:\Documents and Settings\All Users\Application Data\evgnctuj.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170342936513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170342889225
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\Software\..\Telephony: DomainName = student.secollege
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.secollege
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvusstr - C:\WINDOWS\SYSTEM32\wvusstr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


I couldn't find this entry in HJT: O2 - BHO: (no name) - {BBDD0576-41DD-44FA-AC8F-474A3928FEDB} - C:\WINDOWS\System32\efeec.dll

Thank you for your help.
 
Hi,

Don't worry if you received the error from WinTouch when trying to uninstall it. We'll deal with it manually..
Looks like this system is already infected for a while.. Why did you wait so long?

But first... * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\Internet Explorer\promymy.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

Then,

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\nrwgwerm.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\evgnctuj.exe
C:\WINDOWS\system32\drvwiv.dll
C:\WINDOWS\system32\qomjhhg.dll
C:\WINDOWS\system32\lgppkbmk.dll
C:\WINDOWS\system32\ceachgac.exe
C:\WINDOWS\system32\j5201931.dll
C:\WINDOWS\system32\yaywxxw.dll
C:\WINDOWS\system32\ujptxyhf.exe
C:\WINDOWS\system32\vvfmfbdu.dll
C:\WINDOWS\system32\drvmun.dll
C:\WINDOWS\system32\rqroonl.dll
C:\WINDOWS\system32\drvwag.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
C:\WINDOWS\system32\wvusstr.dll
C:\WINDOWS\system32\hhuxdkmn.exe
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\bxhxxae.exe
C:\WINDOWS\system32\huphs.dll
C:\TTC.dll
C:\WINDOWS\system32\drvdam.dll
C:\WINDOWS\system32\winsys64.exe

Folder::
C:\VundoFix Backups
C:\Program Files\myCleanerPC
C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
C:\Program Files\Ofb11
C:\Program Files\WinTouch
C:\Program Files\Common Files\rfiq
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T5QaSQ
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E12BFF69-38A7-406e-A8EF-2738107A7831}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54CBB12C-3481-4C5D-942D-4976C0F0A406}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"evgnctuj.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54CBB12C-3481-4C5D-942D-4976C0F0A406}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusstr]
Click to expand...

Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Combo-Do.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
 
Obedient and grateful

My wife just graduated from college... and we've moved... busy busy busy...

"cabarber" - 2007-06-07 14:30:48 Service Pack 1 NTFS
Command switches used :: ""C:\Documents and Settings\cabarber\Desktop\ComboFix-Do.txt""


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\rqqss.bak1
C:\WINDOWS\system32\rqqss.ini
C:\WINDOWS\system32\rqqss.bak1
C:\WINDOWS\system32\rqqss.ini
C:\WINDOWS\system32\ssqqr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\evgnctuj.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC\Signatures.dat
C:\Program Files\Common Files\rfiq
C:\Program Files\Common Files\rfiq\rfiqa.exe
C:\Program Files\Common Files\rfiq\rfiqd\class-barrel
C:\Program Files\Common Files\rfiq\rfiqd\rfiqc.dll
C:\Program Files\Common Files\rfiq\rfiqd\vocabulary
C:\Program Files\Common Files\rfiq\rfiqp.exe
C:\Program Files\myCleanerPC
C:\Program Files\myCleanerPC\clean.swf
C:\Program Files\myCleanerPC\clean1.swf
C:\Program Files\myCleanerPC\MyCleanerPCInner.EXE
C:\Program Files\myCleanerPC\Setup.INI
C:\Program Files\Ofb11
C:\Program Files\Ofb11\Ofb11.dll
C:\Program Files\Ofb11\sites.ini
C:\Program Files\WinTouch
C:\Program Files\WinTouch\fusion.cfg.8f41d6581ffd5eefdffdad55f36acc2f.23f8467dc9506233dd552d1c9411d981
C:\Program Files\WinTouch\wintouch.cfg
C:\Program Files\WinTouch\WinTouch.exe
C:\Program Files\WinTouch\WTUninstaller.exe
C:\Temp
C:\TTC.dll
C:\VundoFix Backups
C:\VundoFix Backups\feapmnno.dll.bad
C:\VundoFix Backups\ghhjl.ini.bad
C:\VundoFix Backups\gtuwhbwj.dll.bad
C:\VundoFix Backups\jwbhwutg.ini.bad
C:\VundoFix Backups\ljhhg.dll.bad
C:\VundoFix Backups\nppoq.bak1.bad
C:\VundoFix Backups\nppoq.bak2.bad
C:\VundoFix Backups\nppoq.ini.bad
C:\VundoFix Backups\nppoq.ini2.bad
C:\VundoFix Backups\nppoq.tmp.bad
C:\VundoFix Backups\onnmpaef.ini.bad
C:\VundoFix Backups\qoppn.dll.bad
C:\VundoFix Backups\tuvtuss.dll.bad
C:\VundoFix Backups\xixmyavi.dll.bad
C:\VundoFix Backups\yeicbxco.dll.bad
C:\WINDOWS\bxhxxae.exe
C:\WINDOWS\system32\ceachgac.exe
C:\WINDOWS\system32\drvdam.dll
C:\WINDOWS\system32\drvmun.dll
C:\WINDOWS\system32\drvwag.dll
C:\WINDOWS\system32\drvwiv.dll
C:\WINDOWS\system32\hhuxdkmn.exe
C:\WINDOWS\system32\huphs.dll
C:\WINDOWS\system32\j5201931.dll
C:\WINDOWS\system32\lgppkbmk.dll
C:\WINDOWS\system32\nrwgwerm.dll
C:\WINDOWS\system32\qomjhhg.dll
C:\WINDOWS\system32\rqroonl.dll
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\T5QaSQ
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\dlwr.exe
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\TQ0\dl52.exe
C:\WINDOWS\system32\ujptxyhf.exe
C:\WINDOWS\system32\vvfmfbdu.dll
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\wvusstr.dll
C:\WINDOWS\system32\yaywxxw.dll


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-07 14:41 0 --ah----- C:\StashIMAPI.bin
2007-06-07 14:40 <DIR> d-------- C:\WINDOWS\TEM
2007-06-07 13:29 131,124 --a------ C:\WINDOWS\system32\kwtrhbqe.dll
2007-06-07 13:17 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 15:52 <DIR> d-------- C:\DOCUME~1\cabarber\APPLIC~1\Lavasoft
2007-06-05 15:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 15:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-05 15:44 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-05 15:44 <DIR> d-------- C:\Program Files\Safer Networking
2007-06-05 13:13 <DIR> d-------- C:\SafetyTools
2007-06-04 22:25 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-05-30 10:42 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-19 12:35 <DIR> d-------- C:\DOCUME~1\cabarber\G2IP
2007-05-18 18:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-05-18 15:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 19:39:49 -------- d-----w C:\Program Files\Yahoo!
2007-06-05 03:24:06 -------- d-----w C:\Program Files\Messenger
2007-06-01 13:56:48 -------- d-----w C:\Program Files\Audacity
2007-05-28 22:01:26 -------- d-----w C:\Program Files\?dobe
2007-05-18 22:42:29 -------- d-----w C:\Program Files\Common Files\Real
2007-05-01 23:59:07 -------- d-----w C:\DOCUME~1\cabarber\APPLIC~1\Google
2007-05-01 20:05:41 -------- d-----w C:\Program Files\Google
2007-05-01 01:14:19 -------- d-----w C:\Program Files\Kodak
2007-03-29 15:04:04 5,171,867 ----a-w C:\WINDOWS\system32\WBLog.dat
2007-03-23 16:29:06 1,426 ----a-w C:\WINDOWS\system32\Wbconf.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-01 16:05]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-28 11:45]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}=C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2004-02-10 15:08]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 11:00]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"@"="" []
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 15:14]
"SYSWB6"="SYSWB6" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2007-05-18 18:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 11:45]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-17 22:27:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-03-06 08:27:55 C:\WINDOWS\tasks\Disk Cleanup.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 14:41:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 14:43:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 14:43
C:\ComboFix2.txt ... 2007-06-07 13:17

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 14:45, on 2007-06-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\Analyse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170342936513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170342889225
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\Software\..\Telephony: DomainName = student.secollege
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.secollege
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.secollege
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe



Thank you for your assistance.
 
Hi,

Your HijackThislog looks clean again, but we're not finished yet.

Navigate to and Delete next file:

C:\WINDOWS\system32\kwtrhbqe.dll

Also delete next folder:

C:\Program Files\?dobe <== BE Careful here!!! This folder may look like Adobe, so it could be possible that you have two Adobe folders present in your Program Files folder. The good Adobe folder and a bad one.
The good one contains the subfolders: Adobe Help Viewer and Reader. Don't delete that folder!
The bad adobe folder is created/modified 2007-05-28 22:01:26 and is most probably an empty folder.
If in doubt, just leave it and tell me.

Delete the C:\Qoobox - folder as well. This since it contains backups of the files Combofix deleted previously and we don't want them anymore.

Also, Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now.

As a sidenote, you may want to reconsider an other Antivirus - because I am disappointed that it didn't delete so many infected files on your system.
Also, recent Antivirus comparison tests showed that CA eTrust Antivirus was one of the Antivirus worst in detection.
Also read here: http://www.pcmag.com/article2/0,1895,2135092,00.asp and full results here: http://www.sunbelt-software.com/ihs/alex/marx/detections_2007q2.htm

There are some great freeware Antivirus out there as well. Take a look here: http://users.telenet.be/bluepatchy/miekiemoes/Links.html#AntiVirus Scanners
One of my personal favorites is Avira which is free and great in detection and removal. Ofcourse the choice is yours if you choose to keep your current Antivirus or install a new one.
Keep in mind, when you decide to install another Antivirus, uninstall your current one first. This because more than one Antivirus installed are not compatible with eachother, cause a serious slowdown and may cause crashes as well.
 
Wonderful!

Things seem to be working great now... no more smitfraud, my pc is working much FASTER and I'm leaving the computer desk with a smile instead of greater destructive tendencies.

2 questions:
  1. When I tried to install the new Java, it said that I should have Windows XP sp 2 or higher. Should I go ahead and install sp 2? I assume that the system is clean now (I read in some of the other forums that sp 2 doesn't work well on infected systems)
  2. Would you mind posting a direct link to your personal favorite antivirus program. I'm afraid of false sites that would lure me into clicking on them only to bombard me with more garbage.

Thank you for your help. I'm most grateful!
 
Hi,

Yes, go ahead and install Service Pack 2.

Would you mind posting a direct link to your personal favorite antivirus program. I'm afraid of false sites that would lure me into clicking on them only to bombard me with more garbage.
Click to expand...
The previous link I gave you is from a page I made where I made a collection of Antivirus/Firewalls/Antispyware I recommend. When you click the icons, it will go to the correct site, so really don't worry :)

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
 
You must log in or register to reply here.
Back
Top