
10 Posts


November 6th, 2006 01:00

help with viruses please

I'd like to think I'm more computer savvy than the average person, but I really messed up my computer. I have pop-ups coming left and right from OuterInfo. The computer is running so slow also. I've been reading about how to fix the problem and so far have downloaded AVG Anti-Spyware, HijackThis, and ZoneAlarm for future problems. Advice would be very much appreciated. Also, here is my HijackThis log:
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\IA\command.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\dfndrff_e49.exe
C:\kybrdff_e49.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\System32\rnnypbw.exe
C:\Program Files\Common Files\{20427CDB-086E-1033-0204-040804030001}\Update.exe
C:\WINDOWS\System32\g4slcld.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\MANTEC~1\ati2evxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John.JERRYOHEARN.000\My Documents\?ssembly\n?tdde.exe
C:\Documents and Settings\John.JERRYOHEARN.000\Desktop\HijackThis.exe
C:\PROGRA~1\COMMON~1\zrkw\zrkwm.exe
C:\PROGRA~1\COMMON~1\zrkw\zrkwa.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rumrl.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cpsvvak.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\System32\s9ndzm6.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D033156A-AE8E-FD28-8DA9-D928E47533CB} - C:\WINDOWS\System32\pvgyp.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e49.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e49.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e49.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\System32\rnnypbw.exe"
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\MANTEC~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Axvlww] C:\Documents and Settings\John.JERRYOHEARN.000\My Documents\?ssembly\n?tdde.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe"  -startminimize
O4 - HKCU\..\Run: [zrkw] C:\PROGRA~1\COMMON~1\zrkw\zrkwm.exe
O4 - Global Startup: msconfig.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\System32\s9ndzm6.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
 
Thanks for your time; eagerly waiting to hear from someone.
 

273 Posts

November 6th, 2006 16:00

Hi shodunkflu

1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Send:

- a fresh HijackThis log
- combofix report

10 Posts

November 6th, 2006 20:00

New HijackThis log
 
Logfile of HijackThis v1.99.1
Scan saved at 5:48:00 PM, on 11/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Documents and Settings\John.JERRYOHEARN.000\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\System32\s9ndzm6.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D033156A-AE8E-FD28-8DA9-D928E47533CB} - C:\WINDOWS\System32\pvgyp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\System32\rnnypbw.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\MANTEC~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Axvlww] C:\Documents and Settings\John.JERRYOHEARN.000\My Documents\?ssembly\n?tdde.exe
O4 - HKCU\..\Run: [zrkw] C:\PROGRA~1\COMMON~1\zrkw\zrkwm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\System32\s9ndzm6.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
 
Sorry there is so much stuff to look at; I really, really appreciate this.

10 Posts

November 6th, 2006 20:00

Part 2
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))) 

2006-11-06 16:23 -------- d-------- C:\Program Files\Common Files
2006-11-05 23:06 -------- d-------- C:\Program Files\Common Files\zrkw
2006-11-05 22:37 -------- d-------- C:\Program Files\Zone Labs
2006-11-05 19:23 -------- d-------- C:\Program Files\Grisoft
2006-11-05 18:49 -------- d-------- C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Registry Cleaner
2006-11-05 18:37 -------- d-------- C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Adobe
2006-11-05 15:26 -------- d-------- C:\Program Files\Windows Media Player
2006-11-05 15:26 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-05 15:26 -------- d-------- C:\Program Files\IntelliMover Data Transfer Demo
2006-11-05 15:26 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-05 13:43 -------- d-------- C:\Program Files\Windows NT
2006-11-05 13:43 -------- d-------- C:\Program Files\Outlook Express
2006-11-05 13:43 -------- d-------- C:\Program Files\NetMeeting
2006-11-05 13:43 -------- d-------- C:\Program Files\Movie Maker
2006-11-05 13:43 -------- d-------- C:\Program Files\Messenger
2006-11-05 13:43 -------- d-------- C:\Program Files\Internet Explorer
2006-11-05 13:43 -------- d-------- C:\Program Files\Common Files\System
2006-11-05 13:43 -------- d-------- C:\Program Files\Common Files\Services
2006-11-05 12:23 -------- d-------- C:\Program Files\Hewlett-Packard
2006-11-05 12:20 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-04 20:04 -------- d-a-s---- C:\Program Files\NewDotNet
2006-11-04 19:41 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-04 18:19 -------- d-------- C:\Program Files\PSCastor
2006-11-04 18:19 -------- d-------- C:\Program Files\Common Files\àppPatch
2006-11-04 18:18 -------- d-------- C:\Program Files\em
2006-11-04 18:18 -------- d-------- C:\Program Files\Citrix
2006-11-04 18:18 -------- d-------- C:\Program Files\AIM
2006-11-04 17:58 32208 ---hs---- C:\Program Files\Common Files\Y1324OU.exe
2006-11-04 16:15 -------- d-------- C:\Program Files\webHancer
2006-10-26 15:33 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-10-26 15:32 -------- d-------- C:\Program Files\Macromedia
2006-10-23 14:13 -------- d-------- C:\Program Files\Common Files\Ahead
2006-10-20 07:35 -------- d-------- C:\Program Files\ISO Recorder
2006-10-17 16:22 -------- d-------- C:\Program Files\Cash Out
2006-10-06 13:04 -------- d-------- C:\Program Files\PartyGaming
2006-09-22 06:38 53248 --a------ C:\WINDOWS\109uninst.exe
2006-09-22 06:36 53248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-15 13:21 53248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 13:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-01 15:14 6042280 --a------ C:\Program Files\FirefoxGoogleToolbarSetup.exe
2006-08-22 11:35 649004 --a------ C:\WINDOWS\Pianos on Parade.scr
2006-08-22 11:35 4240768 --a------ C:\WINDOWS\Pianos on Parade.exe
2006-08-22 11:35 29696 --a------ C:\WINDOWS\mickey32.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Notn"="\"C:\\WINDOWS\\MANTEC~1\\ati2evxx.exe\" -vt yazb"
"Axvlww"="C:\\Documents and Settings\\John.JERRYOHEARN.000\\My Documents\\?ssembly\\n?tdde.exe"
"zrkw"="C:\\PROGRA~1\\COMMON~1\\zrkw\\zrkwm.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NAV CfgWiz"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"AlcxMonitor"="ALCXMNTR.EXE"
"LTMSG"="LTMSG.exe 7"
"_SetRes"="c:\\hp\\bin\\cloaker c:\\hp\\bin\\res.bat"
"IcoSet"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\IcoSet\\adjust.bat seticon"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"regcmdcons"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\cmdcons.cmd"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"Kgjg"="\"C:\\WINDOWS\\System32\\rnnypbw.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\tenyditi.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\rylo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
  00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] 
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - John.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\WebReg 20061105122411.job
Completion time: 06-11-06 17:33:52.14
C:\ComboFix.txt ... 06-11-06 17:33

10 Posts

November 6th, 2006 20:00

I'm putting it in two parts because it's saying I'm exceeding the max characters.
 
ComboFix report, part one
 
John - 06-11-06 16:18:11.50    Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\John.JERRYOHEARN.000\Desktop"
(((((((((((((((((((((((((((((((((((((((((((((   Qoologic's Log   )))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
* * *  POST-RUN - Files in the Quarantine folder  * * * * * * * * * * * * * * * * * * * * * * * * *

06-11-05  12:21            127488 gikqw.dat.qoo
06-11-06  11:37               374 ygcuc.dll.qoo
06-11-05  15:26                53 lpvbbw.dat.qoo
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
 
 
(((((((((((((((((((((((((((((((((((((((((((   E-Give / Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\John.JERRYOHEARN\Application Data\Dxcknwrd.dll
C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Dxccwrd.dll
C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Dxcknwrd.dll
C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Owner\Application Data\Dxccwrd.dll
C:\Documents and Settings\Owner\Application Data\Dxcknwrd.dll
C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcCore.dll

* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\Duce6.exe
C:\WINDOWS\teller2.chk
C:\dfndrff_e49.exe
C:\dfndrff_e50.exe
C:\drsmartload.exe
C:\deskbar.exe
C:\deskbar_e49.exe
C:\kybrdff_e49.exe
C:\kybrdff_e50.exe
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\nwnmff_e49.exe
C:\RDFX4.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wtssvcc.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\batty2
C:\Program Files\Deskbar
C:\Program Files\Inetget2
C:\Program Files\outlook
C:\Program Files\winupdates
C:\Program Files\Common Files\{20427CDB-086E-1033-0204-040804030001}
C:\Program Files\Ipwins
C:\Program Files\network monitor
C:\WINDOWS\IA
 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\John.JERRYOHEARN.000\My Documents\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\John.JERRYOHEARN.000\My Documents\SSEMBL~1\n?tdde.exe
C:\QooBox\Purity\WINDOWS\MANTEC~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\MANTEC~1\??mantec
C:\QooBox\Purity\WINDOWS\SMANTE~1\n?tepad.exe

(((((((((((((((((((((((((((((((   Files Created from 2006-10-06 to 2006-11-06  ))))))))))))))))))))))))))))))))))
 
 
2006-11-05 19:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-05 18:37 126,976 --a------ C:\WINDOWS\system32\pvgyp.dll
2006-11-05 18:35 32,768 --a------ C:\Documents and Settings\John.JERRYOHEARN.000\setup9X.exe
2006-11-05 18:35 204 --a------ C:\Documents and Settings\John.JERRYOHEARN.000\jdkfjdskfjkdsjf.bat
2006-11-05 15:26 19,456 --a------ C:\DXC9.exe
2006-11-05 15:26 143,360 --a------ C:\yz02.exe
2006-11-05 15:25 434,176 --a------ C:\mpnaaq7.exe
2006-11-05 15:25 28,672 --a------ C:\WINDOWS\system32\histuay.exe
2006-11-05 15:25 204,800 --a------ C:\WINDOWS\system32\s9ndzm6.dll
2006-11-05 15:25 1,126,400 --a------ C:\WINDOWS\system32\rnnypbw.exe
2006-11-05 15:24 434,176 --a------ C:\windows.exe
2006-11-05 15:23 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-05 14:02 77,440 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-11-05 14:02 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2006-11-05 14:02 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-05 14:02 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-11-05 14:02 55,680 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2006-11-05 14:02 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-11-05 14:02 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-11-05 14:02 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-11-05 14:02 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-11-05 14:02 21,760 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-11-05 14:02 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-11-05 14:02 159,360 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-11-05 14:02 142,208 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-11-05 14:02 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-11-05 12:21 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2006-11-05 12:21 0 --a------ C:\WINDOWS\system32\taskkill.exe
2006-11-05 12:09 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-11-05 12:08 81,920 --a------ C:\WINDOWS\system32\mplaw7.dll
2006-11-05 12:08 81,920 --a------ C:\WINDOWS\system32\mplaa6.dll
2006-11-05 12:08 69,632 --a------ C:\WINDOWS\system32\mplapx.dll
2006-11-05 12:08 69,632 --a------ C:\WINDOWS\system32\mplam6.dll
2006-11-05 12:08 49,152 --a------ C:\WINDOWS\system32\cpuinf32.dll
2006-11-05 12:08 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2006-11-05 12:08 1,675,264 --a------ C:\WINDOWS\system32\mplva6.dll
2006-11-05 12:08 1,630,208 --a------ C:\WINDOWS\system32\mplvw7.dll
2006-11-05 12:08 1,581,056 --a------ C:\WINDOWS\system32\mplvm6.dll
2006-11-05 12:08 1,150,976 --a------ C:\WINDOWS\system32\mplvpx.dll
2006-11-05 12:05 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2006-11-05 12:05 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2006-11-05 11:15 163,840 --a------ C:\WINDOWS\ms04282515412.exe
2006-11-04 19:41 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-11-04 17:58 32,768 --a------ C:\WINDOWS\brzwtrjh.exe
2006-11-04 17:57 102,400 --a------ C:\WINDOWS\cfg32r.dll
2006-11-04 17:57 1,067,824 -r-hs---- C:\WINDOWS\pfubzasA.exe
2006-11-04 17:56 45,056 --a------ C:\WINDOWS\pfubzas.exe
2006-11-04 17:56 45,056 --a------ C:\WINDOWS\cfg32s.dll
2006-11-04 17:56 397,312 --a------ C:\WINDOWS\cfg32p.dll
2006-11-04 17:56 2,560 --a------ C:\WINDOWS\ac3_0008.exe
2006-11-04 17:56 110,592 --a------ C:\WINDOWS\cfg32o.dll
2006-11-04 17:55 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-11-04 17:54 217,276 --a------ C:\WINDOWS\srvineta.exe
2006-11-04 17:54 20,480 --a------ C:\WINDOWS\stub_mm3.exe
2006-11-04 17:51 163,840 --a------ C:\WINDOWS\win3207515412282.exe
2006-11-04 16:16 36,864 --a------ C:\WINDOWS\unstall.exe
2006-11-04 16:16 25,105 --a------ C:\WINDOWS\idlemg.exe
2006-11-04 16:15 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-11-04 16:15 45,056 --a------ C:\WINDOWS\octeltpop.exe
2006-11-04 16:15 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-11-04 16:15 217,346 --a------ C:\WINDOWS\Setup90.exe
2006-11-04 16:15 2,560 --a------ C:\WINDOWS\ac3_0002.exe
2006-11-04 16:15 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe

273 Posts

November 7th, 2006 05:00

Hi
 
Good, combofix removed most of the active infections
 
Open HijackThis, click do a system scan only and checkmark these:
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\System32\s9ndzm6.dll
O2 - BHO: (no name) - {D033156A-AE8E-FD28-8DA9-D928E47533CB} - C:\WINDOWS\System32\pvgyp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\System32\rnnypbw.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\MANTEC~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Axvlww] C:\Documents and Settings\John.JERRYOHEARN.000\My Documents\?ssembly\n?tdde.exe
O4 - HKCU\..\Run: [zrkw] C:\PROGRA~1\COMMON~1\zrkw\zrkwm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\System32\s9ndzm6.dll
 
Close all windows including browser and press fix checked
 
Boot in safe mode
 
Delete these if found:
 
C:\WINDOWS\system32\pvgyp.dll
C:\Documents and Settings\John.JERRYOHEARN.000\setup9X.exe
C:\Documents and Settings\John.JERRYOHEARN.000\jdkfjdskfjkdsjf.bat
C:\DXC9.exe
C:\yz02.exe
C:\mpnaaq7.exe
C:\WINDOWS\system32\histuay.exe
C:\WINDOWS\system32\s9ndzm6.dll
C:\WINDOWS\system32\rnnypbw.exe
C:\windows.exe
C:\WINDOWS\ms04282515412.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\brzwtrjh.exe
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\pfubzasA.exe
C:\WINDOWS\pfubzas.exe
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cfg32p.dll
C:\WINDOWS\ac3_0008.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\srvineta.exe
C:\WINDOWS\stub_mm3.exe
C:\WINDOWS\win3207515412282.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\idlemg.exe
C:\WINDOWS\TIELT001.exe
C:\WINDOWS\octeltpop.exe
C:\WINDOWS\hancerdoem.exe
C:\WINDOWS\Setup90.exe
C:\WINDOWS\MirarSetup_876057.exe
C:\Program Files\Common Files\zrkw
C:\Program Files\NewDotNet
C:\Program Files\PSCastor
C:\Program Files\Common Files\àppPatch
C:\Program Files\em
C:\Program Files\Common Files\Y1324OU.exe
C:\Program Files\webHancer
C:\WINDOWS\109uninst.exe
C:\WINDOWS\uni_7eh.exe
C:\WINDOWS\uninst108.exe
C:\WINDOWS\uni_e6h.exe
 
Reboot
 
Re-run combofix
 
Send:
 
- a fresh HijackThis log
- combofix report
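A defender-side triage of the HijackThis entries the helper picked out above, as an added example (it is not HijackThis, ComboFix or the helper's own tooling). It parses R0/R1, O2, O4 and O18 lines and flags the patterns visible in this thread: orphaned "(no file)" objects, autoruns outside Windows and Program Files, lookalike folder names that surface as 8.3 short names (MANTEC~1) or as substituted non-ASCII characters (?ssembly, n?tdde.exe), an O18 text/html filter, and vowel-free random-looking file names. The sample lines are copied from the logs in this thread; the trusted-host list, trusted roots and severity labels are my own assumptions.

```python
"""Heuristic triage of HijackThis log entries (added example, not a
HijackThis/ComboFix feature).  Severity labels and TRUSTED_ROOTS are
assumptions chosen for this thread's Windows XP layout."""
import re
from urllib.parse import urlparse

# "O4 - HKLM\..\Run: [...]", "R1 - HKLM\...,Search Page = http://..."
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in an executable-ish extension; spaces are
# allowed because HijackThis does not always quote paths.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|com|bat|scr|ocx)\b", re.I)
URL_RE = re.compile(r"https?://\S+")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")   # assumption
VOWELS = set("aeiou")


def parse_line(line):
    """Return a dict for an R/O entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    path, url = PATH_RE.search(body), URL_RE.search(body)
    return {"kind": m.group("kind"), "body": body, "line": line.strip(),
            "path": path.group(0) if path else None,
            "url": url.group(0) if url else None}


def looks_random(stem):
    """True for 6+ char names whose letters contain no vowel ('rnnypbw',
    's9ndzm6').  Noisy on some OEM tools, so callers report it as 'info'."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(stem) >= 6 and bool(letters) and not (set(letters) & VOWELS)


def triage_entry(entry, trusted_hosts=()):
    """Yield (severity, reason) for one parsed entry."""
    kind, body, path = entry["kind"], entry["body"], entry["path"]
    if "(no file)" in body:
        yield "low", "orphaned entry: registered object has no file on disk"
    if kind == "O18":
        # A text/html filter sees every page IE renders; rarely legitimate.
        yield "high", "IE MIME/protocol filter hooks every page of that type"
    if kind in ("R0", "R1") and entry["url"]:
        host = urlparse(entry["url"]).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
            yield "medium", "browser start/search page points at " + host
    if path:
        parts = path.split("\\")
        # '?' is not legal in a Windows path: in a plain-text log it stands
        # for a non-ASCII character that did not survive encoding, which is
        # how lookalike names such as '?ssembly' and 'n?tdde.exe' appear.
        if any(ord(c) > 127 or c == "?" for c in path):
            yield "high", "non-ASCII/substituted char in path (lookalike name)"
        if not path.lower().startswith(TRUSTED_ROOTS):
            yield "medium", "autorun outside Windows / Program Files"
        if any("~" in p for p in parts[1:-1]):
            # MANTEC~1 is the 8.3 alias of a folder whose long name (here a
            # lookalike of 'Symantec') the log never shows.
            yield "low", "8.3 short name hides the real folder name"
        if looks_random(parts[-1].rsplit(".", 1)[0]):
            yield "info", "random-looking file name " + parts[-1]


def triage_log(text, trusted_hosts=()):
    """Return [(severity, reason, original line)] for every flagged entry."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            findings += [(s, r, entry["line"])
                         for s, r in triage_entry(entry, trusted_hosts)]
    return findings


def severity_counts(findings):
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LINES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com",
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r'O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\System32\rnnypbw.exe"',
    r'O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\MANTEC~1\ati2evxx.exe" -vt yazb',
    r"O4 - HKCU\..\Run: [Axvlww] C:\Documents and Settings\John.JERRYOHEARN.000\My Documents\?ssembly\n?tdde.exe",
    r'O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\System32\s9ndzm6.dll",
]

if __name__ == "__main__":
    for sev, why, line in triage_log("\n".join(SAMPLE_LINES), ("hpwis.com",)):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run against the clean log the poster sent later in the thread, only the HP start pages (trusted here) and the OEM short-name entries should come back, which is the point: the heuristics narrow what a human has to read, they do not replace the read.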



10 Posts

November 7th, 2006 14:00

New Combo Fix Log
 
John - 06-11-07 11:31:43.48    Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\John.JERRYOHEARN.000\Desktop"
((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
C:\Documents and Settings\LocalService\Application Data\NetMon
 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\John.JERRYOHEARN.000\My Documents\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\John.JERRYOHEARN.000\My Documents\SSEMBL~1\n?tdde.exe
C:\QooBox\Purity\WINDOWS\MANTEC~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\MANTEC~1\??mantec
C:\QooBox\Purity\WINDOWS\SMANTE~1\n?tepad.exe
 
(((((((((((((((((((((((((((((((   Files Created from 2006-10-07 to 2006-11-07  ))))))))))))))))))))))))))))))))))
 
 
2006-11-05 19:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-05 15:23 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-05 14:02 77,440 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-11-05 14:02 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2006-11-05 14:02 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-05 14:02 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-11-05 14:02 55,680 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2006-11-05 14:02 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-11-05 14:02 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-11-05 14:02 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-11-05 14:02 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-11-05 14:02 21,760 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-11-05 14:02 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-11-05 14:02 159,360 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-11-05 14:02 142,208 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-11-05 14:02 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-11-05 12:21 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2006-11-05 12:21 0 --a------ C:\WINDOWS\system32\taskkill.exe
2006-11-05 12:09 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-11-05 12:08 81,920 --a------ C:\WINDOWS\system32\mplaw7.dll
2006-11-05 12:08 81,920 --a------ C:\WINDOWS\system32\mplaa6.dll
2006-11-05 12:08 69,632 --a------ C:\WINDOWS\system32\mplapx.dll
2006-11-05 12:08 69,632 --a------ C:\WINDOWS\system32\mplam6.dll
2006-11-05 12:08 49,152 --a------ C:\WINDOWS\system32\cpuinf32.dll
2006-11-05 12:08 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2006-11-05 12:08 1,675,264 --a------ C:\WINDOWS\system32\mplva6.dll
2006-11-05 12:08 1,630,208 --a------ C:\WINDOWS\system32\mplvw7.dll
2006-11-05 12:08 1,581,056 --a------ C:\WINDOWS\system32\mplvm6.dll
2006-11-05 12:08 1,150,976 --a------ C:\WINDOWS\system32\mplvpx.dll
2006-11-05 12:05 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2006-11-05 12:05 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2006-11-04 17:57 1,067,824 -r-hs---- C:\WINDOWS\pfubzasA.exe
2006-11-04 16:15 2,560 --a------ C:\WINDOWS\ac3_0002.exe

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))) 

2006-11-07 11:08 -------- d-------- C:\Program Files\Common Files
2006-11-06 17:44 -------- d-------- C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Template
2006-11-05 22:37 -------- d-------- C:\Program Files\Zone Labs
2006-11-05 19:23 -------- d-------- C:\Program Files\Grisoft
2006-11-05 18:49 -------- d-------- C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Registry Cleaner
2006-11-05 18:37 -------- d-------- C:\Documents and Settings\John.JERRYOHEARN.000\Application Data\Adobe
2006-11-05 15:26 -------- d-------- C:\Program Files\Windows Media Player
2006-11-05 15:26 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-05 15:26 -------- d-------- C:\Program Files\IntelliMover Data Transfer Demo
2006-11-05 15:26 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-05 13:43 -------- d-------- C:\Program Files\Windows NT
2006-11-05 13:43 -------- d-------- C:\Program Files\Outlook Express
2006-11-05 13:43 -------- d-------- C:\Program Files\NetMeeting
2006-11-05 13:43 -------- d-------- C:\Program Files\Movie Maker
2006-11-05 13:43 -------- d-------- C:\Program Files\Messenger
2006-11-05 13:43 -------- d-------- C:\Program Files\Internet Explorer
2006-11-05 13:43 -------- d-------- C:\Program Files\Common Files\System
2006-11-05 13:43 -------- d-------- C:\Program Files\Common Files\Services
2006-11-05 12:23 -------- d-------- C:\Program Files\Hewlett-Packard
2006-11-05 12:20 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-04 19:41 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-04 18:18 -------- d-------- C:\Program Files\Citrix
2006-11-04 18:18 -------- d-------- C:\Program Files\AIM
2006-11-04 17:58 32208 ---hs---- C:\Program Files\Common Files\Y1324OU.exe
2006-10-26 15:33 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-10-26 15:32 -------- d-------- C:\Program Files\Macromedia
2006-10-23 14:13 -------- d-------- C:\Program Files\Common Files\Ahead
2006-10-20 07:35 -------- d-------- C:\Program Files\ISO Recorder
2006-10-17 16:22 -------- d-------- C:\Program Files\Cash Out
2006-10-06 13:04 -------- d-------- C:\Program Files\PartyGaming
2006-09-01 15:14 6042280 --a------ C:\Program Files\FirefoxGoogleToolbarSetup.exe
2006-08-22 11:35 649004 --a------ C:\WINDOWS\Pianos on Parade.scr
2006-08-22 11:35 4240768 --a------ C:\WINDOWS\Pianos on Parade.exe
2006-08-22 11:35 29696 --a------ C:\WINDOWS\mickey32.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"LTMSG"="LTMSG.exe 7"
"_SetRes"="c:\\hp\\bin\\cloaker c:\\hp\\bin\\res.bat"
"IcoSet"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\IcoSet\\adjust.bat seticon"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"regcmdcons"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\cmdcons.cmd"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\tenyditi.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\rylo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
  00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] 
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - John.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\WebReg 20061105122411.job
Completion time: 06-11-07 11:46:41.67
C:\ComboFix.txt ... 06-11-07 11:46

10 Posts

November 7th, 2006 14:00

New HijackThis Log
 
Logfile of HijackThis v1.99.1
Scan saved at 11:50:57 AM, on 11/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\John.JERRYOHEARN.000\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

273 Posts

November 7th, 2006 15:00

Hi

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as All Files (*.*) on the Desktop):

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

Double-click fix.reg, press Yes and OK.

Please download the Killbox.
Unzip it to the desktop

Please run Killbox.

Select " Delete on Reboot" and " All Files".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Program Files\Windows Media Player\rylo.html
C:\Program Files\ComPlus Applications\tenyditi.html
C:\Program Files\Common Files\Y1324OU.exe
C:\WINDOWS\pfubzasA.exe
C:\WINDOWS\ac3_0002.exe

Return to Killbox, go to the File menu, and choose " Paste from Clipboard".

Click the red-and-white " Delete File" button. Click " Yes" at the Delete on Reboot prompt. Click " No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Please run this online scan:

Panda ActiveScan

  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
- panda report

10 Posts

November 10th, 2006 01:00

I'm having a problem with the Panda ActiveScan. The scan looks like it's going to take about a day, which would be fine, except that when I leave my computer to let it scan, it eventually goes out of the window and back to the login window, and this stops the scan process. I have my screen saver properties set to none and have played with some other properties, but it always eventually goes back to the login window, which keeps stopping the scan. So, I don't and can't sit by my computer for about 10 hours for it to scan fully. Please help,
 
John O

273 Posts

November 10th, 2006 15:00

Hi

Let's try this instead of Panda:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav:


  • Unzip it to its predetermined directory (C:\Kaspersky)
  • Locate kavupd.exe in the new folder and double-click to Update.
  • If your firewall gives any messages about this program accessing the internet, allow it.
  • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
  • When you see Updates Downloaded Successfully, hit Enter to continue.
  • Restart onto Safe Mode and locate the Kaspersky folder.
  • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
Now let's do the settings:

  • Leave the Default Settings checked.
  • Add a check to Drives
  • This will light up All Drives
  • Add a check to Scan all Files
  • Click Scan Clean to begin.

This scan might take around 3+ hours to finish when set to scan everything.

  • Please be sure it has finished before proceeding.
  • Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
  • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
  • Open an empty Notepad file and paste the results (Ctrl+V) into it. Save the Notepad file to your desktop, naming it as you want (e.g. MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis log.

10 Posts

November 13th, 2006 03:00

When I double-click on kavupd.exe, a new window flashes really fast and then does nothing; the same thing happens no matter how many times I click on it.

273 Posts

November 13th, 2006 14:00

Hi

Try then without updating; just run a scan with mwav.

10 Posts

November 15th, 2006 01:00

HijackThis log
 
Logfile of HijackThis v1.99.1
Scan saved at 9:54:56 PM, on 11/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\John.JERRYOHEARN.000\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

10 Posts

November 15th, 2006 01:00

escan virus log
 

Object "target saver Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "virtumonde Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "spywarequake Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.

Object "spywarequake Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "desktop scam Trojan-Downloader" found in File System! Action Taken: No Action Taken.

Object "desktop scam Trojan-Downloader" found in File System! Action Taken: No Action Taken.

Object "elite toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.

Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.

Entry "HKCR\Adobe.Illustrator.dwg" refers to invalid object "{C0ED15F0-61BB-11d3-B6CA-00C04F6A0D06}". Action Taken: No Action Taken.

Entry "HKCR\Adobe.Illustrator.dxf" refers to invalid object "{C0ED15F0-61BB-11d3-B6CA-00C04F6A0D06}". Action Taken: No Action Taken.

Entry "HKCR\Adobe.Illustrator.pict" refers to invalid object "{C0ED15F0-61BB-11d3-B6CA-00C04F6A0D06}". Action Taken: No Action Taken.

Entry "HKCR\CalcData.Picture" refers to invalid object "{73387FE0-1178-5686-155A-F4DB34EDA166}". Action Taken: No Action Taken.

Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.

Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.

Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.

Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Entry "HKCR\Qtrqbffy.Jkzlbfarb" refers to invalid object "{754515CD-5059-4133-B6D5-3757DD84D6C0}". Action Taken: No Action Taken.

Entry "HKCR\Qtrqbffy.Jkzlbfarb.1" refers to invalid object "{754515CD-5059-4133-B6D5-3757DD84D6C0}". Action Taken: No Action Taken.

Entry "HKCR\Shoebox.Binder.2" refers to invalid object "{78603FEC-D224-19FA-76B1-05406AD94B3B}". Action Taken: No Action Taken.

Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.

Entry "HKCR\WECAPI5.MSPID.3" refers to invalid object "{CE5C9D20-E50E-00C3-058A-A9814F7DDBE9}". Action Taken: No Action Taken.

Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\temp\Install.wse.exe". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\temp\config.ini". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\temp\templates.zip". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\msxml3a.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "c:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary File Cache\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\temp\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\Start Menu\Programs\Zone.com Deluxe Games\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Start Menu\Programs\PrintMe Internet Printing\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "c:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Adobe\Adobe Version Cue CS2\plugin\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Adobe\Adobe Version Cue CS2\__installer__\". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "DBTB00001.DBTB00001Deskbar". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828035". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Display". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Gamma2". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Info2". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Overlay". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "TSA". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "webnexus". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1A655D51-1423-48A3-B748-8F5A0BE294C8}". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{3877C2CD-F137-4144-BDB2-0A811492F920}". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{A394E835-C8D6-4B4B-884B-D2709059F3BE}". Action Taken: No Action Taken.

File C:\WINDOWS\Setup.exe infected by "Backdoor.Win32.IRCBot.qc" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\mshtml2.exe infected by "Trojan-Downloader.Win32.PurityScan.ds" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\mst21.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\mst24.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\mst72.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\mstE.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\upd25.exe tagged as "not-a-virus:RiskTool.Win32.PsKill.q". Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\win12.tmp.exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\win15.tmp.exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\win1A.tmp.exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp\winC.tmp.exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5\45IFKDYB\deliver46860[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5\45IFKDYB\wlzip32[1].exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5\GPUBO12R\mulbin32[1].exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5\I938PSV6\popup[2].php infected by "Trojan-Clicker.HTML.Agent.a" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5\J603RHG9\wlzip32[1].exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5\WLMZKXI3\upd[1].exe tagged as "not-a-virus:RiskTool.Win32.PsKill.q". Action Taken: No Action Taken.

File C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5\ZZX3NDWW\mulbin32[1].exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\!KillBox\ac3_0002.exe infected by "Trojan-Downloader.Win32.Small.cyh" Virus! Action Taken: No Action Taken.

File C:\!KillBox\tenyditi.html infected by "Trojan-Clicker.Win32.Small.jf" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\john\Local Settings\Temp\ICD1.tmp\UWA6P_0001_N73M1004NetInstaller.exe tagged as not-a-virus:Downloader.Win32.WinFixer.f. No Action Taken.

File C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\4XCQTV0M\dl[1] infected by "Trojan-Dropper.DOS.Agent.b" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\mshtml2.exe infected by "Trojan-Downloader.Win32.PurityScan.ds" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\mst21.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\mst24.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\mst72.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\mstE.tmp infected by "PECompact" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\upd25.exe tagged as "not-a-virus:RiskTool.Win32.PsKill.q". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\win12.tmp.exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\win15.tmp.exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\win1A.tmp.exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp\winC.tmp.exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temporary Internet Files\Content.IE5\45IFKDYB\deliver46860[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temporary Internet Files\Content.IE5\45IFKDYB\wlzip32[1].exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temporary Internet Files\Content.IE5\GPUBO12R\mulbin32[1].exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temporary Internet Files\Content.IE5\I938PSV6\popup[2].php infected by "Trojan-Clicker.HTML.Agent.a" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temporary Internet Files\Content.IE5\J603RHG9\wlzip32[1].exe tagged as "not-a-virus:AdWare.Win32.Softomate.u". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temporary Internet Files\Content.IE5\WLMZKXI3\upd[1].exe tagged as "not-a-virus:RiskTool.Win32.PsKill.q". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temporary Internet Files\Content.IE5\ZZX3NDWW\mulbin32[1].exe infected by "Trojan-Downloader.Win32.PurityScan.dc" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARNOLD\install.exe tagged as "not-a-virus:RiskTool.Win32.PsKill.q". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARNOLD\Local Settings\Temp\b111.exe infected by "Trojan-Downloader.Win32.VB.afa" Virus! Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARNOLD\Local Settings\Temp\cmdinst.exe tagged as "not-a-virus:AdWare.Win32.CommAd.a". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARNOLD\Local Settings\Temp\mit3E36.tmp tagged as "not-a-virus:AdWare.Win32.Mirar.a". Action Taken: No Action Taken.

File C:\Documents and Settings\John.JERRYOHEARNOLD\Local Settings\Temp\mit3E36.tmp.cab tagged as "not-a-virus:AdWare.Win32.Mirar.a". Action Taken: No Action Taken.

273 Posts

November 15th, 2006 05:00

Hi
 
Empty these folders:
 
C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\Temp
C:\DOCUME~1\JOHNJE~1.000\LOCALS~1\TEMPOR~1\Content.IE5
C:\!KillBox
C:\Documents and Settings\John.JERRYOHEARN.000\Local Settings\Temp
 
Delete this:
 
C:\WINDOWS\Setup.exe
 
Empty Recycle Bin
 
Re-scan with escan
 
Send:
 
- a fresh hijackthis log
- escan results