273 Posts

September 23rd, 2006 08:00

Hi thejuego714

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


Send:

- a fresh HijackThis log
- combofix report

26 Posts

September 24th, 2006 00:00

I ran the combo.exe and I will post the results along with a fresh HijackThis log. Thanks a lot for taking your time to help me.
 
combo.exe report:
oscar - 06-09-23 16:20:17.01    Service Pack 1
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\oscar\Desktop"
(((((((((((((((((((((((((((((((((((((((((((((   Look2Me's Log   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
REGISTRY ENTRIES REMOVED:
[HKEY_CLASSES_ROOT\CLSID\{4CE3DD32-A757-45E1-AE73-B53C20F2C875}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4CE3DD32-A757-45E1-AE73-B53C20F2C875}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4CE3DD32-A757-45E1-AE73-B53C20F2C875}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4CE3DD32-A757-45E1-AE73-B53C20F2C875}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxdic.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{F000A3FF-A520-449C-989B-03663EBED2C6}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{F000A3FF-A520-449C-989B-03663EBED2C6}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{F000A3FF-A520-449C-989B-03663EBED2C6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{F000A3FF-A520-449C-989B-03663EBED2C6}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:
C:\WINDOWS\system32\demasf.dll
C:\WINDOWS\system32\f20o0cd3ef0.dll
C:\WINDOWS\system32\jtjo0713e.dll
C:\WINDOWS\system32\m2280cfuef280.dll
C:\WINDOWS\system32\guard.tmp

 Granting sedebugprivilege to Administrators   ... successful
 
 
(((((((((((((((((((((((((((((((((((((((((((((   Qoologic's Log   )))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
* * *  PRE-RUN - Filepaths extracted from the Registry  * * * * * * * * * * * * * * * * * * * * * *

O4 - HKCU\...\Run C:\WINDOWS\system32\gvjedv.exe
O4 - HKLM\...\Run C:\WINDOWS\System32\gvjedv.exe
F2 -REG:system.ini: Shell C:\WINDOWS\System32\wgaid.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\hbhmnbk.exe

* * *  PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *

C:\WINDOWS\system32\gvjedv.exe
C:\WINDOWS\system32\mdjeteu.dll
C:\WINDOWS\system32\hbhmnbk.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xevfj.exe
C:\WINDOWS\frqkt.dll
C:\WINDOWS\system32\ltxho.dat
C:\WINDOWS\system32\wgaid.exe

* * *  POST-RUN - Files in the Quarantine folder  * * * * * * * * * * * * * * * * * * * * * * * * *

06-09-22  21:48            127488 ltxho.dat.qoo
06-09-22  21:48            127488 xevfj.exe.qoo
06-09-22  21:48             51712 mdjeteu.dll.qoo
06-09-22  21:48             28672 wgaid.exe.qoo
06-09-22  21:48             23552 hbhmnbk.exe.qoo
06-09-23  16:52             21504 gvjedv.exe.qoo
06-09-23  07:46                53 bcweve.dat.qoo
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
 
(((((((((((((((((((((((((((((((((((((((((((   E-Give / Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\oscar\Application Data\Dxcknwrd.dll
C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\bak
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll

* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

C:\Program Files\DeluxeCommunications\bak
((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
C:\WINDOWS\Duce6.exe
C:\dfndrff_e11.exe
C:\dfndrff_e12.exe
C:\drsmartload.exe
C:\drsmartload45a45a45e.exe
C:\deskbar.exe
C:\kybrdff_e11.exe
C:\kybrdff_e12.exe
C:\nwnmff_e11.exe
C:\nwnmff_e12.exe
C:\Documents and Settings\oscar\Local Settings\Temporary Internet Files\Content.IE5\6JSBUFAL\dfndrff_e_uit[1].exe
C:\Documents and Settings\oscar\Local Settings\Temporary Internet Files\Content.IE5\5E31XEKQ\nwnmff_e[1].exe
C:\Documents and Settings\oscar\Local Settings\Temporary Internet Files\Content.IE5\6JSBUFAL\nwnmff_e[1].exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wapisu.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\Eim03.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Common Files\misc002
C:\Program Files\Deskbar
C:\Program Files\Inetget2
C:\Program Files\Common Files\{7C8695F7-081E-1033-0723-041118030001}
C:\Program Files\network monitor
C:\WINDOWS\system32\crunner
C:\WINDOWS\b3NjYXI
 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\oscar\My Documents\YSTEM~1
C:\QooBox\Purity\Documents and Settings\oscar\My Documents\YSTEM~1\u?erinit.exe
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\MCROSO~1.NET\bak
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET
C:\QooBox\Purity\Program Files\MCROSO~1.NET\taskmgr.exe
C:\QooBox\Purity\Program Files\MCROSO~1.NET\bak\taskmgr.exe
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0000
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0001
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0002
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0003
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0004
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0005
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0006

(((((((((((((((((((((((((((((((   Files Created from 2006-08-23 to 2006-09-23  ))))))))))))))))))))))))))))))))))
 
2006-09-23 17:24 106,496 --a------ C:\WINDOWS\Duce6.exe
2006-09-23 16:34 50,912 --a------ C:\WINDOWS\iconu.exe
2006-09-23 02:04 24,296 --a------ C:\WINDOWS\icont.exe
2006-09-23 01:22 21,504 --a------ C:\topaff.exe
2006-09-23 01:21 667,889 --a------ C:\deskbar_e12.exe
2006-09-23 01:21 217,276 --a------ C:\WINDOWS\srvtbfoymi.exe
2006-09-23 01:20 53,120 --a------ C:\WINDOWS\srvtyfvhsx.exe
2006-09-23 01:20 367,616 --a------ C:\919_133.exe
2006-09-22 22:24 21,504 --a------ C:\WINDOWS\win32089920891949.exe
2006-09-22 21:53 126,976 --a------ C:\WINDOWS\system32\ypk.dll
2006-09-22 21:50 758,784 -r-hs---- C:\WINDOWS\bwgnoyo.exe
2006-09-22 21:50 21,504 --a------ C:\WINDOWS\bwgnoyoA.exe
2006-09-22 21:48 554 --a------ C:\WINDOWS\frqkt.dll
2006-09-22 21:47 53,120 --a------ C:\WINDOWS\srvihemskz.exe
2006-09-22 21:47 53,120 --a------ C:\WINDOWS\optimize.exe
2006-09-22 21:47 32,768 --a------ C:\WINDOWS\unstall.exe
2006-09-22 21:47 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-09-22 21:47 32,256 --a------ C:\WINDOWS\system32\dmonwv.dll
2006-09-22 21:47 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-22 21:47 217,276 --a------ C:\WINDOWS\srvrfuknmc.exe
2006-09-22 21:47 21,504 --a------ C:\WINDOWS\ms039194999208.exe
2006-09-15 13:56 21,504 --a------ C:\WINDOWS\sys010891949992.exe
 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-23 17:43 -------- d-------- C:\Program Files\DeluxeCommunications
2006-09-23 17:39 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-09-23 17:34 38 --a------ C:\Documents and Settings\oscar\Application Data\Dxcuknwrd.dll
2006-09-23 17:05 -------- d-------- C:\Program Files\Common Files
2006-09-23 16:53 -------- d-------- C:\Program Files\QuickTime
2006-09-23 16:53 -------- d-------- C:\Program Files\popupwithcast
2006-09-23 16:53 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-23 16:53 -------- d-------- C:\Program Files\Common Files\qiii
2006-09-23 12:18 -------- d-------- C:\Documents and Settings\oscar\Application Data\Google
2006-09-23 12:16 -------- d-------- C:\Program Files\Google
2006-09-23 12:05 -------- d-------- C:\Program Files\HijackThis
2006-09-23 11:52 -------- d-------- C:\Program Files\Windows Media Player
2006-09-23 01:23 -------- d-------- C:\Program Files\Windows NT
2006-09-23 00:23 -------- d---s---- C:\Documents and Settings\oscar\Application Data\Microsoft
2006-09-22 22:07 -------- d--h----- C:\Program Files\Common Files\cloader
2006-09-22 21:50 -------- d--h----- C:\Program Files\BHO Plugin
2006-09-22 21:47 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-21 18:25 -------- d-------- C:\Documents and Settings\oscar\Application Data\uTorrent
2006-09-21 17:35 -------- d-------- C:\Documents and Settings\oscar\Application Data\Skype
2006-09-03 16:05 -------- d-------- C:\Documents and Settings\oscar\Application Data\U3
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-28 18:16 -------- d-------- C:\Program Files\Yahoo!
2006-08-17 23:46 -------- d-------- C:\Documents and Settings\oscar\Application Data\Yahoo! Messenger
2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsi50.dll
2006-08-11 09:05 155648 --a------ C:\WINDOWS\vSg21-d.exe
2006-08-09 20:27 65536 --a------ C:\WINDOWS\IFinst27.exe
2006-08-09 20:27 -------- d-------- C:\Program Files\Gravity
2006-08-08 21:53 -------- d-------- C:\Program Files\HTTP-Tunnel
2006-07-25 13:12 -------- d-------- C:\Documents and Settings\oscar\Application Data\ProxyCap
2006-06-07 10:55 3626 --a------ C:\Program Files\Common Files\nico.html
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ProxyCap"="C:\\PROGRA~1\\PROXYL~1\\ProxyCap\\ProxyCap.exe"
"Ltho"="\"C:\\PROGRA~1\\MCROSO~1.NET\\taskmgr.exe\" -vt yazb"
"Cnwo"="C:\\Documents and Settings\\oscar\\My Documents\\?ystem\\u?erinit.exe"
"cprocsvc"="C:\\WINDOWS\\System32\\crunner\\cproc.exe"
"qiii"="C:\\PROGRA~1\\COMMON~1\\qiii\\qiiim.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Logitech Utility"="Logi_MwX.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"septpop06apsept"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"ms039194999208"="C:\\WINDOWS\\ms039194999208.exe"
"loaddr"="C:\\topaff.exe"
"bwgnoyoA"="C:\\WINDOWS\\bwgnoyoA.exe"
"sys039194999208"="C:\\WINDOWS\\sys039194999208.exe"
"win32089920891949"="C:\\WINDOWS\\win32089920891949.exe"
"sys010891949992"="C:\\WINDOWS\\sys010891949992.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"AAW"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows NT\\qufydudy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Common Files\\nico.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"=" http://www.zeldaeternal.net/zeldagcn/wallpaper/zgcwp02.jpg"
"SubscribedURL"=" http://www.zeldaeternal.net/zeldagcn/wallpaper/zgcwp02.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,de,01,00,00,15,01,00,00,32,05,00,00,00,03,00,00,ec,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,00,04,00,00,00,03,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,ec,03,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
  e7,77,00,0e,1b,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Completion time: Sat 09/23/2006 17:44:06.40
ComboFix.txt
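
The log above is read the way a helper on this board reads it: by looking at the Run values, the system.ini Shell/UserInit values and the browser proxy for entries that do not look like anything a legitimate installer writes. The script below is an added example by the editor, not code from the thread, from ComboFix or from HijackThis. It parses the HijackThis O4/F2/R1 line shapes and the .reg-style "name"="value" lines of the ComboFix Reg Loading Points section, then applies the heuristics that the entries above trip: a '?' in a path (a character the log could not render, as in ?ystem\u?erinit.exe and MCROSO~1.NET), a bare file name with no directory (pctspk.exe), an executable sitting directly in C:\ or C:\WINDOWS (topaff.exe, ms039194999208.exe), a name made of ms/sys/win32 plus a long run of digits, a Windows system binary name such as taskmgr.exe living outside the Windows directory, a Shell or UserInit value that is not explorer.exe/userinit.exe, and a proxy that is not a loopback or private address. The sample lines are constructed in the shape of the entries above, and the tag names and thresholds are the editor's own choices, not anything the tools define. Needs Python 3.8 or later.

```python
"""Heuristic triage of autorun entries from HijackThis / ComboFix log lines.
Added example, not part of the thread: the tags, heuristics and sample are mine."""
import ipaddress
import ntpath
import re
from collections import namedtuple
# Constructed sample in the shape of the O4/F2/R1 lines and "Reg Loading Points" above.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ms039194999208] C:\WINDOWS\ms039194999208.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
F2 -REG:system.ini: Shell C:\WINDOWS\System32\wgaid.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\hbhmnbk.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.184.45.123:3128
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ltho"="\"C:\\PROGRA~1\\MCROSO~1.NET\\taskmgr.exe\" -vt yazb"
"Cnwo"="C:\\Documents and Settings\\oscar\\My Documents\\?ystem\\u?erinit.exe"
"""
HJT_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
HJT_F2 = re.compile(r'^F2 -\s?REG:system\.ini: (Shell|UserInit)[ =](.*)$', re.I)
HJT_PROXY = re.compile(r'ProxyServer = (\S+)')
KEY_LINE = re.compile(r'^\[(.+)\]$')             # .reg-style [key] header
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')     # .reg-style "name"="value"
FIRST_EXE = re.compile(r'(.+?\.(?:exe|dll|com|scr|bat|cmd|vbs|pif))(?:[\s,]|$)', re.I)
DIGIT_NAME = re.compile(r'(ms|sys|win32)\d{8,}', re.I)   # ms039194999208 style
SYSTEM_DIR = re.compile(r'[a-z]:\\windows(\\system32)?')
SYSTEM_NAMES = {'taskmgr.exe', 'userinit.exe', 'svchost.exe', 'lsass.exe', 'winlogon.exe', 'explorer.exe', 'ctfmon.exe'}
WINLOGON_DEFAULT = {'shell': 'explorer.exe', 'userinit': 'userinit.exe'}
Finding = namedtuple('Finding', 'name path reasons')  # value name, launched file or proxy spec, tags

def target_path(cmd):
    """Launched file from a Run command line; for rundll32 take its DLL argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)] if cmd.find('"', 1) > 0 else cmd[1:]
    else:
        m = FIRST_EXE.match(cmd)
        path = m.group(1) if m else (cmd.split() or [cmd])[0]
    if ntpath.basename(path).lower() == 'rundll32.exe':
        path = cmd[cmd.lower().find('rundll32.exe') + 12:].split(',', 1)[0].strip().strip('"')
    return path

def assess(name, path, role=None):
    """Apply the heuristics to one entry; role is 'shell' or 'userinit' for F2 lines."""
    base = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip('\\')
    reasons = []
    if '?' in path:                                  # character the log could not render
        reasons.append('UNRENDERABLE_CHAR')
    if directory == '':                              # bare name, resolved via the search path
        reasons.append('UNQUALIFIED')
    elif re.fullmatch(r'[a-z]:(\\windows)?', directory):
        reasons.append('ROOT_OR_WINDOWS_DIR')
    if DIGIT_NAME.fullmatch(base.rsplit('.', 1)[0]) or DIGIT_NAME.fullmatch(name):
        reasons.append('DIGIT_SUFFIX_NAME')
    if base in SYSTEM_NAMES and not SYSTEM_DIR.fullmatch(directory):
        reasons.append('SYSTEM_NAME_OUTSIDE_WINDOWS')
    if role and base != WINLOGON_DEFAULT[role]:
        reasons.append('WINLOGON_HIJACK')
    return Finding(name, path, reasons)

def assess_proxy(spec):
    """Flag a browser proxy that is neither loopback nor a private address."""
    host = spec.rsplit(':', 1)[0]
    try:
        addr = ipaddress.ip_address(host)
        external = not (addr.is_private or addr.is_loopback)
    except ValueError:                               # host name, not an IP literal
        external = host.lower() != 'localhost'
    return Finding('ProxyServer', spec, ['EXTERNAL_PROXY'] if external else [])

def triage_text(text):
    """Findings with at least one reason, in log order; .reg values count only under a Run key."""
    findings, in_run_key = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_LINE.match(line):
            in_run_key = m.group(1).lower().endswith('\\run')
            continue
        if m := HJT_O4.match(line):
            f = assess(m.group(2), target_path(m.group(3)))
        elif m := HJT_F2.match(line):
            f = assess(m.group(1), target_path(m.group(2)), role=m.group(1).lower())
        elif in_run_key and (m := REG_VALUE.match(line)):
            f = assess(m.group(1), target_path(re.sub(r'\\(["\\])', r'\1', m.group(2))))
        elif m := HJT_PROXY.search(line):
            f = assess_proxy(m.group(1))
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings

if __name__ == '__main__':
    print(*(f'{f.name:16} {", ".join(f.reasons):32} {f.path}' for f in triage_text(SAMPLE_LINES)), sep='\n')
```

Run it and it prints the flagged entries with their tags; ccApp, the NVIDIA rundll32 entry and ctfmon.exe in System32 pass. The heuristics are deliberately narrow, and that is the caveat: the popupwithcast entry in the log above (septpop06apsept.exe under Program Files) trips none of them, which is why a helper still reads the whole Run list rather than only the flagged rows. A '?' only tells you the log could not print a character, so the real folder name has to be inspected on the machine, and a clean-looking proxy value is still worth a question to the user, since ProxyCap is also installed on this box.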

26 Posts

September 24th, 2006 00:00

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:16:47 PM, on 9/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\bwgnoyo.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.184.45.123:3128
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [ms039194999208] C:\WINDOWS\ms039194999208.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [bwgnoyoA] C:\WINDOWS\bwgnoyoA.exe
O4 - HKLM\..\Run: [sys039194999208] C:\WINDOWS\sys039194999208.exe
O4 - HKLM\..\Run: [win32089920891949] C:\WINDOWS\win32089920891949.exe
O4 - HKLM\..\Run: [sys010891949992] C:\WINDOWS\sys010891949992.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\ProxyCap.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\MCROSO~1.NET\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Cnwo] C:\Documents and Settings\oscar\My Documents\?ystem\u?erinit.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [qiii] C:\PROGRA~1\COMMON~1\qiii\qiiim.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\oscar\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwgnoyo.exe
 

273 Posts

September 24th, 2006 07:00

Hi

Looking already better :)

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as all files (*.*) on the Desktop):

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

Double-click fix.reg, press Yes and OK.

Open HijackThis, click "Do a system scan only" and checkmark these:

R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [ms039194999208] C:\WINDOWS\ms039194999208.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [bwgnoyoA] C:\WINDOWS\bwgnoyoA.exe
O4 - HKLM\..\Run: [sys039194999208] C:\WINDOWS\sys039194999208.exe
O4 - HKLM\..\Run: [win32089920891949] C:\WINDOWS\win32089920891949.exe
O4 - HKLM\..\Run: [sys010891949992] C:\WINDOWS\sys010891949992.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\MCROSO~1.NET\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Cnwo] C:\Documents and Settings\oscar\My Documents\?ystem\u?erinit.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [qiii] C:\PROGRA~1\COMMON~1\qiii\qiiim.exe
O15 - Trusted Zone: *.mmohsix.com
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwgnoyo.exe


Close all windows, including the browser, and press "Fix checked".

Please click Start > Run and type in: services.msc
Click OK
In the Services window find: Windows Overlay Components
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Now, go to Start > Run, and copy/paste the following into the Open box:
sc delete "Windows Overlay Components"
Click: OK

Please download the Killbox.
Unzip it to the desktop

Please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Duce6.exe
C:\WINDOWS\iconu.exe
C:\WINDOWS\icont.exe
C:\topaff.exe
C:\deskbar_e12.exe
C:\WINDOWS\srvtbfoymi.exe
C:\WINDOWS\srvtyfvhsx.exe
C:\919_133.exe
C:\WINDOWS\win32089920891949.exe
C:\WINDOWS\system32\ypk.dll
C:\WINDOWS\bwgnoyo.exe
C:\WINDOWS\bwgnoyoA.exe
C:\WINDOWS\frqkt.dll
C:\WINDOWS\srvihemskz.exe
C:\WINDOWS\optimize.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\DXCecho.exe
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\srvrfuknmc.exe
C:\WINDOWS\ms039194999208.exe
C:\WINDOWS\sys010891949992.exe
C:\Documents and Settings\oscar\Application Data\Dxcuknwrd.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\system32\nsi50.dll
C:\WINDOWS\vSg21-d.exe
C:\WINDOWS\IFinst27.exe
C:\Program Files\Common Files\nico.html

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Delete these folders:

C:\Program Files\popupwithcast
C:\Program Files\Common Files\qiii

Empty Recycle Bin

Re-run combofix

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:



5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.


Send:

- a fresh HijackThis log
- combofix report
- uninstall list
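The checklist above comes from reading the O4, O23, R3 and O15 lines for the traits a cleanup helper looks for: binaries dropped in C:\ or C:\WINDOWS, random-digit names, "?" placeholders for non-ASCII lookalike folder names, a system binary name running from the wrong directory, a hook whose DLL is gone, an added Trusted Zone and a service with no publisher. The Python script below is an added example, not part of this thread, HijackThis or ComboFix; it parses those line types and applies those heuristics to lines copied from the log posted earlier in the thread. The heuristics, the Finding type and the function names are assumptions of this example.

```python
"""Triage HijackThis 1.99.1 log lines for the patterns a cleanup helper
looks for. Added example for this thread; the heuristics below are
assumptions of this example, not part of HijackThis or ComboFix."""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ms039194999208] C:\WINDOWS\ms039194999208.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\MCROSO~1.NET\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Cnwo] C:\Documents and Settings\oscar\My Documents\?ystem\u?erinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.mmohsix.com
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwgnoyo.exe
"""

# Names that belong in the Windows or System32 directory; a copy elsewhere is a
# classic masquerade (this thread's "taskmgr.exe" under MCROSO~1.NET).
SYSTEM_BINARY_NAMES = {"taskmgr.exe", "userinit.exe", "svchost.exe",
                       "explorer.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}
ROOT_DIRS = {"c:", "c:\\windows"}   # legitimate autostarts rarely live here

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (.*?) - (\S+) - (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section code: O4, O23, R3, O15
    label: str   # Run value name, service name, zone pattern or hook CLSID
    reason: str


def executable_path(command: str) -> str:
    """Pull the executable out of an O4 command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def suspicious_reasons(path: str) -> List[str]:
    """Heuristics for an autostart executable path; empty list means clean."""
    directory, _, base = path.rpartition("\\")
    directory, base = directory.lower(), base.lower()
    reasons = []
    if "?" in path:   # HijackThis prints non-ASCII lookalike characters as '?'
        reasons.append("unprintable character in path (lookalike folder or file name)")
    if directory in ROOT_DIRS and base not in SYSTEM_BINARY_NAMES:
        reasons.append("executable dropped in the drive or Windows root")
    if re.search(r"\d{6,}", base):
        reasons.append("long run of digits in file name")
    if base in SYSTEM_BINARY_NAMES and not directory.endswith(("\\windows", "\\system32")):
        reasons.append("system binary name running from a non-system directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious trait found in the log lines."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            for reason in suspicious_reasons(executable_path(m.group(3))):
                findings.append(Finding("O4", m.group(2), reason))
        elif (m := R3_RE.match(line)) and m.group(3) == "(no file)":
            findings.append(Finding("R3", m.group(2), "URLSearchHook whose DLL is gone"))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", m.group(1), "site added to the Trusted Zone"))
        elif (m := O23_RE.match(line)) and m.group(2).lower() == "unknown owner":
            findings.append(Finding("O23", m.group(1), "service with no publisher: " + m.group(3)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{f.label:<45}{f.reason}")
```

On the sample lines the script flags exactly the entries the helper asked to have fixed and leaves ccApp, ctfmon.exe and the Symantec service alone; entries in ordinary Program Files subfolders (such as the popupwithcast and qiii ones) still need a human eye.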

26 Posts

September 24th, 2006 19:00

Hi, how are you?  Here's the list of logs requested.  Thanks a lot.
Combofix log:
oscar - 06-09-24 13:40:36.04    Service Pack 1
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\oscar\My Documents\download"
(((((((((((((((((((((((((((((((((((((((((((((   Qoologic's Log   )))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
* * *  POST-RUN - Files in the Quarantine folder  * * * * * * * * * * * * * * * * * * * * * * * * *

06-09-22  21:48            127488 ltxho.dat.qoo
06-09-22  21:48            127488 xevfj.exe.qoo
06-09-22  21:48             51712 mdjeteu.dll.qoo
06-09-22  21:48             28672 wgaid.exe.qoo
06-09-22  21:48             23552 hbhmnbk.exe.qoo
06-09-23  16:52             21504 gvjedv.exe.qoo
06-09-23  07:46                53 bcweve.dat.qoo
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
 
(((((((((((((((((((((((((((((((((((((((((((   E-Give / Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\oscar\Application Data\Dxcuknwrd.dll
C:\Program Files\DeluxeCommunications\bak

* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

C:\Program Files\DeluxeCommunications\bak
((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
C:\Documents and Settings\LocalService\Application Data\NetMon
 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\oscar\My Documents\YSTEM~1
C:\QooBox\Purity\Documents and Settings\oscar\My Documents\YSTEM~1\u?erinit.exe
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\MCROSO~1.NET\bak
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET
C:\QooBox\Purity\Program Files\MCROSO~1.NET\taskmgr.exe
C:\QooBox\Purity\Program Files\MCROSO~1.NET\bak\taskmgr.exe
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0000
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0001
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0002
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0003
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0004
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0005
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0006
 
(((((((((((((((((((((((((((((((   Files Created from 2006-08-24 to 2006-09-24  ))))))))))))))))))))))))))))))))))
 
2006-09-23 16:34 50,912 --a------ C:\WINDOWS\iconu.exe
2006-09-23 02:04 24,296 --a------ C:\WINDOWS\icont.exe
2006-09-23 01:22 21,504 --a------ C:\topaff.exe
2006-09-23 01:21 667,889 --a------ C:\deskbar_e12.exe
2006-09-23 01:21 217,276 --a------ C:\WINDOWS\srvtbfoymi.exe
2006-09-23 01:20 53,120 --a------ C:\WINDOWS\srvtyfvhsx.exe
2006-09-23 01:20 367,616 --a------ C:\919_133.exe
2006-09-22 22:24 21,504 --a------ C:\WINDOWS\win32089920891949.exe
2006-09-22 21:53 126,976 --a------ C:\WINDOWS\system32\ypk.dll
2006-09-22 21:50 758,784 -r-hs---- C:\WINDOWS\bwgnoyo.exe
2006-09-22 21:50 21,504 --a------ C:\WINDOWS\bwgnoyoA.exe
2006-09-22 21:48 554 --a------ C:\WINDOWS\frqkt.dll
2006-09-22 21:47 53,120 --a------ C:\WINDOWS\srvihemskz.exe
2006-09-22 21:47 53,120 --a------ C:\WINDOWS\optimize.exe
2006-09-22 21:47 32,768 --a------ C:\WINDOWS\unstall.exe
2006-09-22 21:47 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-09-22 21:47 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-22 21:47 217,276 --a------ C:\WINDOWS\srvrfuknmc.exe
2006-09-22 21:47 21,504 --a------ C:\WINDOWS\ms039194999208.exe
2006-09-15 13:56 21,504 --a------ C:\WINDOWS\sys010891949992.exe
 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-24 13:46 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-09-24 13:37 -------- d-------- C:\Program Files\Common Files
2006-09-24 13:22 -------- d-------- C:\Program Files\HijackThis
2006-09-23 17:43 -------- d-------- C:\Program Files\DeluxeCommunications
2006-09-23 16:53 -------- d-------- C:\Program Files\QuickTime
2006-09-23 16:53 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-23 12:18 -------- d-------- C:\Documents and Settings\oscar\Application Data\Google
2006-09-23 12:16 -------- d-------- C:\Program Files\Google
2006-09-23 11:52 -------- d-------- C:\Program Files\Windows Media Player
2006-09-23 01:23 -------- d-------- C:\Program Files\Windows NT
2006-09-23 00:23 -------- d---s---- C:\Documents and Settings\oscar\Application Data\Microsoft
2006-09-22 22:07 -------- d--h----- C:\Program Files\Common Files\cloader
2006-09-22 21:50 -------- d--h----- C:\Program Files\BHO Plugin
2006-09-22 21:47 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-21 18:25 -------- d-------- C:\Documents and Settings\oscar\Application Data\uTorrent
2006-09-21 17:35 -------- d-------- C:\Documents and Settings\oscar\Application Data\Skype
2006-09-03 16:05 -------- d-------- C:\Documents and Settings\oscar\Application Data\U3
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-28 18:16 -------- d-------- C:\Program Files\Yahoo!
2006-08-17 23:46 -------- d-------- C:\Documents and Settings\oscar\Application Data\Yahoo! Messenger
2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsi50.dll
2006-08-11 09:05 155648 --a------ C:\WINDOWS\vSg21-d.exe
2006-08-09 20:27 65536 --a------ C:\WINDOWS\IFinst27.exe
2006-08-09 20:27 -------- d-------- C:\Program Files\Gravity
2006-08-08 21:53 -------- d-------- C:\Program Files\HTTP-Tunnel
2006-07-25 13:12 -------- d-------- C:\Documents and Settings\oscar\Application Data\ProxyCap
2006-06-07 10:55 3626 --a------ C:\Program Files\Common Files\nico.html
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ProxyCap"="C:\\PROGRA~1\\PROXYL~1\\ProxyCap\\ProxyCap.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Logitech Utility"="Logi_MwX.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=" http://www.zeldaeternal.net/zeldagcn/wallpaper/zgcwp02.jpg"
"SubscribedURL"=" http://www.zeldaeternal.net/zeldagcn/wallpaper/zgcwp02.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,de,01,00,00,15,01,00,00,32,05,00,00,00,03,00,00,e8,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,00,04,00,00,00,03,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,ec,03,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
  e7,77,00,0e,1b,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
 
Completion time: Sun 09/24/2006 13:47:54.70
ComboFix.txt
ComboFix2.txt

26 Posts

September 24th, 2006 19:00

Hijack This list:
Logfile of HijackThis v1.99.1
Scan saved at 1:55:32 PM, on 9/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.184.45.123:3128
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\ProxyCap.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\oscar\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 

26 Posts

September 24th, 2006 19:00

Uninstall list:
µTorrent
Ad-Aware SE Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9
Adobe Photoshop 7.0
Adobe Reader 7.0
Adobe Shockwave Player
Advanced Networking Pack for Windows XP
AOL Instant Messenger
Crazy Arcade
DarkRO
Google Toolbar for Internet Explorer
Google Updater
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HSP56 MR Drivers
IC Card Reader Driver v1.9e2
Internet Explorer Q831167
J2SE Runtime Environment 5.0 Update 6
LimeWire 4.10.9
LiveUpdate 2.0 (Symantec Corporation)
Logitech MouseWare 9.79.1
MAIET Gunz
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
MSN Messenger 7.5
Nero Media Player
Nero OEM
NeroVision Express 2
Nintendo Wi-Fi USB Connector Registration Tool
NVIDIA Drivers
Opera
Outlook Express Q823353
QuickTime
Ragnarok Online
Ragnarok Online
Ragnarok Sakray
RealPlayer
Realtek AC'97 Audio
SiS VGA Utilities
Skype 2.0
Symantec AntiVirus
Ventrilo Client
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VisualKore 1.6.8
WinAce Archiver
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Overlay Components
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833998
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q819696
WinZip
Yahoo! Messenger
 

273 Posts

September 25th, 2006 13:00

Hi

Uninstall via add/remove programs (control panel):

Windows Overlay Components


Please run Killbox.

Select "Delete on Reboot" and "All Files".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\Duce6.exe
C:\WINDOWS\iconu.exe
C:\WINDOWS\icont.exe
C:\topaff.exe
C:\deskbar_e12.exe
C:\WINDOWS\srvtbfoymi.exe
C:\WINDOWS\srvtyfvhsx.exe
C:\919_133.exe
C:\WINDOWS\win32089920891949.exe
C:\WINDOWS\system32\ypk.dll
C:\WINDOWS\bwgnoyo.exe
C:\WINDOWS\bwgnoyoA.exe
C:\WINDOWS\frqkt.dll
C:\WINDOWS\srvihemskz.exe
C:\WINDOWS\optimize.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\DXCecho.exe
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\srvrfuknmc.exe
C:\WINDOWS\ms039194999208.exe
C:\WINDOWS\sys010891949992.exe
C:\Documents and Settings\oscar\Application Data\Dxcuknwrd.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\system32\nsi50.dll
C:\WINDOWS\vSg21-d.exe
C:\WINDOWS\IFinst27.exe
C:\Program Files\Common Files\nico.html

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder -> c:\!KillBox

Empty Recycle Bin

Please run this online scan:

Panda ActiveScan

  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the Panda scan report, along with a new HijackThis Log

Re-run combofix

Send:

- a fresh HijackThis log
- panda report
- combofix report
- uninstall list

26 Posts

September 25th, 2006 19:00

Uninstall list:
µTorrent
Ad-Aware SE Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9
Adobe Photoshop 7.0
Adobe Reader 7.0
Adobe Shockwave Player
Advanced Networking Pack for Windows XP
AOL Instant Messenger
Crazy Arcade
DarkRO
Google Toolbar for Internet Explorer
Google Updater
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HSP56 MR Drivers
IC Card Reader Driver v1.9e2
Internet Explorer Q831167
J2SE Runtime Environment 5.0 Update 6
LimeWire 4.10.9
LiveUpdate 2.0 (Symantec Corporation)
Logitech MouseWare 9.79.1
MAIET Gunz
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
MSN Messenger 7.5
Nero Media Player
Nero OEM
NeroVision Express 2
Nintendo Wi-Fi USB Connector Registration Tool
NVIDIA Drivers
Opera
Outlook Express Q823353
Panda ActiveScan
QuickTime
Ragnarok Online
Ragnarok Online
Ragnarok Sakray
RealPlayer
Realtek AC'97 Audio
SiS VGA Utilities
Skype 2.0
Symantec AntiVirus
Ventrilo Client
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VisualKore 1.6.8
WinAce Archiver
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833998
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q819696
WinZip
Yahoo! Messenger
 

26 Posts

September 25th, 2006 19:00

Panda 2:
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver                                                       Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@adrevolver[1].txt
Spyware:Cookie/Adrevolver                                                       Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@adrevolver[3].txt
Spyware:Cookie/AdDynamix                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@ads.addynamix[2].txt
Spyware:Cookie/PointRoll                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@ads.pointroll[2].txt
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@advertising[2].txt
Spyware:Cookie/Apmebf                                                           Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@apmebf[1].txt
Spyware:Cookie/Falkag                                                           Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@as-eu.falkag[1].txt
Spyware:Cookie/Falkag                                                           Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@atdmt[2].txt
Spyware:Cookie/Atwola                                                           Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@atwola[1].txt
Spyware:Cookie/nCase                                                            Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@banners.searchingbooth[1].txt

26 Posts

September 25th, 2006 19:00

combofix report:

oscar - 06-09-25 13:25:20.93    Service Pack 1
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\oscar\Desktop"

(((((((((((((((((((((((((((((((((((((((((((   E-Give / Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\DeluxeCommunications\bak


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\Program Files\DeluxeCommunications\bak
((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 


 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\oscar\My Documents\YSTEM~1
C:\QooBox\Purity\Documents and Settings\oscar\My Documents\YSTEM~1\u?erinit_exe.vir
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\MCROSO~1.NET\bak
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET
C:\QooBox\Purity\Program Files\MCROSO~1.NET\bak\taskmgr.exe
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0000
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0001
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0002
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0003
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0004
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0005
C:\QooBox\Purity\Program Files\MCROSO~1.NET\M?crosoft.NET\ctxad-476.0006

 
(((((((((((((((((((((((((((((((   Files Created from 2006-08-25 to 2006-09-25  ))))))))))))))))))))))))))))))))))
 

2006-09-24 17:18 17,787 --a------ C:\WINDOWS\system32\kbdrvc.dll
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-25 13:09 -------- d-------- C:\Program Files\WinZip
2006-09-25 13:09 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-09-25 13:04 -------- d-------- C:\Program Files\Internet Explorer
2006-09-25 13:01 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-25 12:44 -------- d-------- C:\Program Files\Common Files
2006-09-25 12:22 -------- d-------- C:\Program Files\QuickTime
2006-09-24 13:55 -------- d-------- C:\Program Files\HijackThis
2006-09-23 17:43 -------- d-------- C:\Program Files\DeluxeCommunications
2006-09-23 12:18 -------- d-------- C:\Documents and Settings\oscar\Application Data\Google
2006-09-23 12:16 -------- d-------- C:\Program Files\Google
2006-09-23 11:52 -------- d-------- C:\Program Files\Windows Media Player
2006-09-23 01:23 -------- d-------- C:\Program Files\Windows NT
2006-09-23 00:23 -------- d---s---- C:\Documents and Settings\oscar\Application Data\Microsoft
2006-09-22 22:07 -------- d--h----- C:\Program Files\Common Files\cloader
2006-09-22 21:50 -------- d--h----- C:\Program Files\BHO Plugin
2006-09-21 18:25 -------- d-------- C:\Documents and Settings\oscar\Application Data\uTorrent
2006-09-21 17:35 -------- d-------- C:\Documents and Settings\oscar\Application Data\Skype
2006-09-03 16:05 -------- d-------- C:\Documents and Settings\oscar\Application Data\U3
2006-08-28 18:16 -------- d-------- C:\Program Files\Yahoo!
2006-08-17 23:46 -------- d-------- C:\Documents and Settings\oscar\Application Data\Yahoo! Messenger
2006-08-09 20:27 -------- d-------- C:\Program Files\Gravity
2006-08-08 21:53 -------- d-------- C:\Program Files\HTTP-Tunnel
2006-07-25 13:12 -------- d-------- C:\Documents and Settings\oscar\Application Data\ProxyCap
 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ProxyCap"="C:\\PROGRA~1\\PROXYL~1\\ProxyCap\\ProxyCap.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Logitech Utility"="Logi_MwX.Exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.zeldaeternal.net/zeldagcn/wallpaper/zgcwp02.jpg"
"SubscribedURL"="http://www.zeldaeternal.net/zeldagcn/wallpaper/zgcwp02.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,de,01,00,00,15,01,00,00,32,05,00,00,00,03,00,00,e8,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,00,04,00,00,00,03,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,ec,03,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
  e7,77,00,0e,1b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,ea,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdrvc

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 
Completion time: Mon 09/25/2006 13:29:15.26
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

26 Posts

September 25th, 2006 19:00

Panda 6
Adware:Adware/Qoologic                                                          Not disinfected               C:\QooBox\hbhmnbk.exe.qoo
Adware:Adware/Qoologic                                                          Not disinfected               C:\QooBox\ltxho.dat.qoo
Adware:Adware/Qoologic                                                          Not disinfected               C:\QooBox\mdjeteu.dll.qoo
Possible Virus.                                                                 Renamed                       C:\QooBox\Purity\Documents and Settings\oscar\My Documents\YSTEM~1\u?erinit_exe.vir
Adware:Adware/PurityScan                                                        Not disinfected               C:\QooBox\Purity\Program Files\MCROSO~1.NET\bak\taskmgr.exe
Adware:Adware/Qoologic                                                          Not disinfected               C:\QooBox\xevfj.exe.qoo
Spyware:Spyware/Media-motor                                                     Not disinfected               C:\WINDOWS\amm06.ocx
Adware:Adware/DigInk                                                            Not disinfected               C:\WINDOWS\bak\Duce6.exe
Adware:Adware/DigInk                                                            Not disinfected               C:\WINDOWS\bak\sys010891949992.exe

26 Posts

September 25th, 2006 19:00

Panda 3
Spyware:Cookie/Bfast                                                            Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@bfast[2].txt
Spyware:Cookie/Bluestreak                                                       Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@bluestreak[1].txt
Spyware:Cookie/bravenetA                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@bravenet[1].txt
Spyware:Cookie/Enhance                                                          Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@c.enhance[1].txt
Spyware:Cookie/Casalemedia                                                      Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@casalemedia[2].txt
Spyware:Cookie/Cassava                                                          Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@cassava[1].txt
Spyware:Cookie/Clickbank                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@clickbank[2].txt
Spyware:Cookie/Com.com                                                          Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@com[1].txt
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@doubleclick[1].txt
Spyware:Cookie/DriveCleaner                                                     Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@drivecleaner[1].txt
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@ehg-dig.hitbox[1].txt
Spyware:Cookie/Entrepreneur                                                     Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@entrepreneur[1].txt

26 Posts

September 25th, 2006 19:00

Panda 4
Spyware:Cookie/FastClick                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@fastclick[1].txt
Spyware:Cookie/Findwhat                                                         Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@findwhat[1].txt
Spyware:Cookie/FortuneCity                                                      Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@fortunecity[2].txt
Spyware:Cookie/Go                                                               Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@go[1].txt
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@hitbox[2].txt
Spyware:Cookie/FastClick                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@media.fastclick[2].txt
Spyware:Cookie/Mediaplex                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@mediaplex[1].txt
Spyware:Cookie/Overture                                                         Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@overture[2].txt
Spyware:Cookie/AspinallsOnlineCasino                                            Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@pacificpoker[2].txt
Spyware:Cookie/Overture                                                         Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@perf.overture[1].txt
Spyware:Cookie/QkSrv                                                            Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@qksrv[2].txt
Spyware:Cookie/QuestionMarket                                                   Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@questionmarket[2].txt
Spyware:Cookie/RealMedia                                                        Not disinfected               C:\Documents and Settings\oscar\Cookies\oscar@realmedia[2].txt
No Events found!