MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Security & Viruses forum
Topic: help please :)  (Read 2899 times)
cether01 (Full Member, Posts: 90)
« on: September 02, 2006, 04:10:10 AM »

Here is the HJT log you wanted to see:
Something keeps telling Internet Explorer to start by itself and generate all these pop-ups and ads.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:59 PM, on 9/1/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\NSS\NSS.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozilla.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth
« Last Edit: September 02, 2006, 04:34:04 AM by cether01 »

 
Pancake (Global Moderator, Hero Member, Posts: 3915)
« Reply #1 on: September 03, 2006, 12:46:58 AM »

Hi,
You have a few infections here.


Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Do not proceed with the rest of the fix if you fail to run combofix
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Reboot.

Step 1: Download and install Ewido Anti-Spyware v4.0
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\ewido anti-spyware 4.0, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on ewido in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here. Exit Ewido when done - DO NOT perform a scan yet.

Step 2: Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Step 3: Scan with Ewido as follows:
1. Launch Ewido, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\ewido anti-spyware 4.0\Reports\
6. Exit Ewido when done and submit the log report in your next response as well as the ComboFix.txt.

Note: Close all open windows, programs, and DO NOT USE the computer while Ewido is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper Ewido's ability to clean properly and may result in reinfection.

Note: If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

« Last Edit: September 03, 2006, 12:49:24 AM by Pancake »
cether01
« Reply #2 on: September 03, 2006, 04:50:29 AM »

Here are the new HijackThis log, ComboFix log, and Ewido log. I had to split them up into 3 different posts. I sure hope you know what it means; it's just confusing to me. THANKS SO MUCH FOR YOUR RESPONSE, by the way!

Logfile of HijackThis v1.99.1
Scan saved at 11:44:12 PM, on 9/2/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\thfilk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\kqvml.exe
C:\WINDOWS\System32\kqvml.exe
C:\WINDOWS\System32\kqvml.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth

cether01
« Reply #3 on: September 03, 2006, 04:52:27 AM »

COMBOFIX  Part 1 of 2
*******************************

Paula K - 06-09-02 22:54:53.38
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Desktop

(((((((((((((((((((((((((((((((((((((((((((((   Look2Me's Log   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{CDE55425-D21B-4903-BD3C-E7C09E89BA3D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDE55425-D21B-4903-BD3C-E7C09E89BA3D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDE55425-D21B-4903-BD3C-E7C09E89BA3D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDE55425-D21B-4903-BD3C-E7C09E89BA3D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CC14AA47-2314-4863-9A2F-FC465E3B0977}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CC14AA47-2314-4863-9A2F-FC465E3B0977}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CC14AA47-2314-4863-9A2F-FC465E3B0977}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CC14AA47-2314-4863-9A2F-FC465E3B0977}\InprocServer32]
@="C:\\WINDOWS\\system32\\kfdpo.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3E61779A-AA30-48D1-BCFF-DDEE129A58ED}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E61779A-AA30-48D1-BCFF-DDEE129A58ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E61779A-AA30-48D1-BCFF-DDEE129A58ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E61779A-AA30-48D1-BCFF-DDEE129A58ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\aqfsipc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{71FCF1FA-376B-4BE3-9B43-6DC38C71EFA6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71FCF1FA-376B-4BE3-9B43-6DC38C71EFA6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71FCF1FA-376B-4BE3-9B43-6DC38C71EFA6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71FCF1FA-376B-4BE3-9B43-6DC38C71EFA6}\InprocServer32]
@="C:\\WINDOWS\\system32\\KldakOneTouch.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{10EC5D0D-43A9-4BCE-8FFE-2A17B9E568D7}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{10EC5D0D-43A9-4BCE-8FFE-2A17B9E568D7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{10EC5D0D-43A9-4BCE-8FFE-2A17B9E568D7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{10EC5D0D-43A9-4BCE-8FFE-2A17B9E568D7}\InprocServer32]
@="C:\\WINDOWS\\system32\\ltrhelp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B4ACCF35-BC65-48D5-8410-72A53D3E6A23}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4ACCF35-BC65-48D5-8410-72A53D3E6A23}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4ACCF35-BC65-48D5-8410-72A53D3E6A23}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4ACCF35-BC65-48D5-8410-72A53D3E6A23}\InprocServer32]
@="C:\\WINDOWS\\system32\\tYpiperf.dll"
"ThreadingModel"="Apartment"
 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 
 
FILES REMOVED:

C:\WINDOWS\system32\aqfsipc.dll
C:\WINDOWS\system32\bwackbox.dll
C:\WINDOWS\system32\cqcfg32.dll
C:\WINDOWS\system32\cxmmdlg.dll
C:\WINDOWS\system32\dbser.dll
C:\WINDOWS\system32\dn0001dme.dll
C:\WINDOWS\system32\dnlo0133e.dll
C:\WINDOWS\system32\e8jmli1118.dll
C:\WINDOWS\system32\en68l1ju1.dll
C:\WINDOWS\system32\enjql1151.dll
C:\WINDOWS\system32\enl6l13s1.dll
C:\WINDOWS\system32\etb500.dll
C:\WINDOWS\system32\f2l02c3mgf.dll
C:\WINDOWS\system32\fnl0213mg.dll
C:\WINDOWS\system32\fpjo0313e.dll
C:\WINDOWS\system32\fpl2033oe.dll
C:\WINDOWS\system32\fpl4033qe.dll
C:\WINDOWS\system32\g4400ehmeh4a0.dll
C:\WINDOWS\system32\gp48l3hu1.dll
C:\WINDOWS\system32\gpjol3131.dll
C:\WINDOWS\system32\h44m0eh1eh4.dll
C:\WINDOWS\system32\i006lads1d06.dll
C:\WINDOWS\system32\i4240efqeh2e0.dll
C:\WINDOWS\system32\icrtprio.dll
C:\WINDOWS\system32\ihwdial.dll
C:\WINDOWS\system32\irj2l51o1.dll
C:\WINDOWS\system32\irl4l53q1.dll
C:\WINDOWS\system32\irn8l55u1.dll
C:\WINDOWS\system32\ivfgnt5.dll
C:\WINDOWS\system32\jtnu0759e.dll
C:\WINDOWS\system32\k408ledu1h08.dll
C:\WINDOWS\system32\k480lelm1hqa.dll
C:\WINDOWS\system32\kfdpo.dll
C:\WINDOWS\system32\KldakOneTouch.dll
C:\WINDOWS\system32\kmdro.dll
C:\WINDOWS\system32\kodur.dll
C:\WINDOWS\system32\l00u0ad9ed0.dll
C:\WINDOWS\system32\l4r00e9meh.dll
C:\WINDOWS\system32\l6l60g3se6.dll
C:\WINDOWS\system32\l82slif7182.dll
C:\WINDOWS\system32\lv4409hqe.dll
C:\WINDOWS\system32\lvj0091me.dll
C:\WINDOWS\system32\m0280afued280.dll
C:\WINDOWS\system32\m0ls0a37ed.dll
C:\WINDOWS\system32\m4po0e73eh.dll
C:\WINDOWS\system32\mexml3.dll
C:\WINDOWS\system32\mjrclr40.dll
C:\WINDOWS\system32\mrltus40.dll
C:\WINDOWS\system32\mvnql9551.dll
C:\WINDOWS\system32\mywmdmsp.dll
C:\WINDOWS\system32\n0n60a5sed.dll
C:\WINDOWS\system32\n8r2li9o18.dll
C:\WINDOWS\system32\nfmsmgr.dll
C:\WINDOWS\system32\nhth.dll
C:\WINDOWS\system32\oDkley.dll
C:\WINDOWS\system32\oqecli32.dll
C:\WINDOWS\system32\p66slgj716o.dll
C:\WINDOWS\system32\qzartz.dll
C:\WINDOWS\system32\r0r6la9s1d.dll
C:\WINDOWS\system32\rvcrt4.dll
C:\WINDOWS\system32\s0880aluedq80.dll
C:\WINDOWS\system32\sxi_ci.dll
C:\WINDOWS\system32\tiaffic.dll
C:\WINDOWS\system32\tYpiperf.dll
C:\WINDOWS\system32\uabui.dll
C:\WINDOWS\system32\wknrnr.dll
C:\WINDOWS\system32\wybcheck.dll

 
 Granting sedebugprivilege to Administrators   ... successful
 
 
(((((((((((((((((((((((((((((((((((((((((((((   Qoologic's Log   )))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
* * *  PRE-RUN - Filepaths extracted from the Registry  * * * * * * * * * * * * * * * * * * * * * *
 
 
O4 - HKEY_CURRENT_USER\...\Run   C:\WINDOWS\system32\thfilk.exe
O4 - HKEY_LOCAL_MACHINE\...\Run   C:\WINDOWS\System32\thfilk.exe
F2 -REG:system.ini: Shell   C:\WINDOWS\System32\kqvml.exe
F2 -REG:system.ini: UserInit   C:\WINDOWS\system32\vldqvqf.exe
 
   
* * *  PRE-RUN - Filepaths from Locate  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 
 
2006-09-02 19:56   286   --a------   C:\WINDOWS\scloc.dll
2006-09-02 19:45   233846   -r--s----   C:\WINDOWS\system32\kmdro.dll
2006-09-02 10:03   48640   --a------   C:\WINDOWS\system32\browser.dll
2006-09-02 10:03   251392   --a------   C:\WINDOWS\system32\mstask.dll
2006-09-02 09:45   237094   -r--s----   C:\WINDOWS\system32\etb500.dll
2006-09-02 00:06   51712   --a------   C:\WINDOWS\system32\aoeicsq.dll
2006-09-02 00:06   127488   --a------   C:\WINDOWS\system32\aetlw.dat
2006-09-01 23:14   236121   -r--s----   C:\WINDOWS\system32\oDkley.dll
2006-09-01 22:41   234141   -r--s----   C:\WINDOWS\system32\azctres.dll
2006-09-01 08:56   237003   -r--s----   C:\WINDOWS\system32\nfmsmgr.dll
2006-08-20 11:38   235017   -r--s----   C:\WINDOWS\system32\sxi_ci.dll
2006-08-19 19:00   235017   -r--s----   C:\WINDOWS\system32\rvcrt4.dll
2006-08-19 11:02   235017   -r--s----   C:\WINDOWS\system32\tiaffic.dll
2006-08-19 10:00   235017   -r--s----   C:\WINDOWS\system32\ihwdial.dll
2006-08-19 09:13   235902   -ra-s----   C:\WINDOWS\system32\aqfsipc.dll
2006-08-17 05:57   53   --a------   C:\WINDOWS\vpvoqq.dat
2006-07-27 00:21   159744   --a------   C:\WINDOWS\system32\redist.dll
2006-07-27 00:01   236827   -ra-s----   C:\WINDOWS\system32\ivfgnt5.dll
2006-07-26 05:30   236827   -ra-s----   C:\WINDOWS\system32\mexml3.dll
2006-07-19 23:31   235050   -ra-s----   C:\WINDOWS\system32\dbser.dll
2006-07-16 21:45   235906   -ra-s----   C:\WINDOWS\system32\cqcfg32.dll
2006-07-13 23:09   235906   -ra-s----   C:\WINDOWS\system32\kfdpo.dll
2006-07-04 06:32   235036   -ra-s----   C:\WINDOWS\system32\qzartz.dll
2006-07-04 06:17   235036   -ra-s----   C:\WINDOWS\system32\wknrnr.dll
 

* * *  PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *
 
 
2006-04-22 12:15   127488   C:\WINDOWS\system32\thfilk.exe
2006-09-02 00:06   51712   C:\WINDOWS\system32\aoeicsq.dll
2006-09-02 00:06   23552   C:\WINDOWS\system32\vldqvqf.exe
2006-04-22 12:15   127488   C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\moqjr.exe
2006-09-02 19:56   286   C:\WINDOWS\scloc.dll
2006-09-02 00:06   127488   C:\WINDOWS\system32\aetlw.dat
2006-04-22 12:15   28672   C:\WINDOWS\system32\kqvml.exe
 
   
* * *  POST-RUN - Files in the Quarantine folder  * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-02  00:06            127488 aetlw.dat.qoo
06-09-02  00:06             51712 aoeicsq.dll.qoo
06-09-02  19:56               286 scloc.dll.qoo
06-08-17  05:57                53 vpvoqq.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
 

(((((((((((((((((((((((((((((((((((((((((((   E-Give / Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))
 
 
C:\Documents and Settings\Scott.PAULA-3IZC3234W\Application Data\Sskknwrd.dll
 

* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
 
C:\WINDOWS\Duce6.exe
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\keyboard111.dat
C:\WINDOWS\keyboard131.dat
C:\WINDOWS\keyboard81.dat
C:\WINDOWS\newname.dat
C:\dfndrff_11.exe
C:\dfndrff_11a.exe
C:\dfndrff_15.exe
C:\drsmartload.exe
C:\drsmartload45a2002.exe
C:\drsmartload45a45k.exe
C:\drsmartload45a999.exe
C:\drsmartload45a9999.exe
C:\drsmartload45a9999a.exe
C:\drsmartload46a2002.exe
C:\drsmartload46a46k.exe
C:\drsmartload46a999.exe
C:\drsmartload46a9999.exe
C:\drsmartload46a9999a.exe
C:\drsmartload849a2002.exe
C:\drsmartload849a849k.exe
C:\drsmartload849a999.exe
C:\drsmartload849a9999.exe
C:\drsmartload849a9999a.exe
C:\kybrdff_11.exe
C:\kybrdff_11a.exe
C:\kybrdff_15.exe
C:\nwnmff_11.exe
C:\nwnmff_15.exe
C:\Program Files\Common Files\inetget
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\gbe90qs.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\deskbar.exe
C:\WINDOWS\uninst104.exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
C:\Program Files\Common Files\inetget
C:\Program Files\Deskbar
C:\Program Files\Inetget2

 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\system32\SSTEM~1
 
 
(((((((((((((((((((((((((((((((   Files Created from 2006-08-02 to 2006-09-02  ))))))))))))))))))))))))))))))))))
 

2006-09-02   22:58   51,712   --a------   C:\WINDOWS\system32\aoeicsq.dll
2006-09-02   22:58   24   --a------   C:\WINDOWS\scloc.dll
2006-09-02   10:24   50,176   --a------   C:\WINDOWS\system32\dpwsockx.dll
2006-09-02   10:24   214,528   --a------   C:\WINDOWS\system32\dplayx.dll
2006-09-02   10:23   32,256   --a------   C:\WINDOWS\system32\msgsvc.dll
2006-09-02   10:19   831,519   --a------   C:\WINDOWS\system32\mswdat10.dll
2006-09-02   10:19   646,656   --a------   C:\WINDOWS\system32\sxs.dll
2006-09-02   10:19   614,431   --a------   C:\WINDOWS\system32\mswstr10.dll
2006-09-02   10:19   552,989   --a------   C:\WINDOWS\system32\msrepl40.dll
2006-09-02   10:19   53,279   --a------   C:\WINDOWS\system32\msjter40.dll
2006-09-02   10:19   512,029   --a------   C:\WINDOWS\system32\msexch40.dll
2006-09-02   10:19   421,919   --a------   C:\WINDOWS\system32\msrd2x40.dll
2006-09-02   10:19   358,976   --a------   C:\WINDOWS\system32\msjetoledb40.dll
2006-09-02   10:19   348,189   --a------   C:\WINDOWS\system32\msxbde40.dll
2006-09-02   10:19   348,189   --a------   C:\WINDOWS\system32\mspbde40.dll
2006-09-02   10:19   319,517   --a------   C:\WINDOWS\system32\msexcl40.dll
2006-09-02   10:19   315,423   --a------   C:\WINDOWS\system32\msrd3x40.dll
2006-09-02   10:19   30,749   --a------   C:\WINDOWS\system32\vbajet32.dll
2006-09-02   10:19   258,077   --a------   C:\WINDOWS\system32\mstext40.dll
2006-09-02   10:19   241,693   --a------   C:\WINDOWS\system32\msjtes40.dll
2006-09-02   10:19   213,023   --a------   C:\WINDOWS\system32\msltus40.dll
2006-09-02   10:19   151,583   --a------   C:\WINDOWS\system32\msjint40.dll
2006-09-02   10:19   1,507,356   --a------   C:\WINDOWS\system32\msjet40.dll
2006-09-02   10:15   498,960   --a------   C:\WINDOWS\system32\dxmasf.dll
2006-09-02   10:07   123,392   --a------   C:\WINDOWS\system32\itss.dll
2006-09-02   10:03   9,728   --a------   C:\WINDOWS\system32\mstinit.exe
2006-09-02   10:03   48,640   --a------   C:\WINDOWS\system32\browser.dll
2006-09-02   10:03   251,392   --a------   C:\WINDOWS\system32\mstask.dll
2006-09-02   10:03   159,232   --a------   C:\WINDOWS\system32\schedsvc.dll
2006-09-02   00:06   23,552   --a------   C:\WINDOWS\system32\vldqvqf.exe
2006-09-01   22:41   234,141   -r--s----   C:\WINDOWS\system32\azctres.dll
2006-09-01   22:26   977,920   --a------   C:\WINDOWS\system32\msdtctm.dll
2006-09-01   22:26   97,280   --a------   C:\WINDOWS\system32\txflog.dll
2006-09-01   22:26   82,432   --a------   C:\WINDOWS\system32\mtxoci.dll
2006-09-01   22:26   64,512   --a------   C:\WINDOWS\system32\mtxclu.dll
2006-09-01   22:26   64,512   --a------   C:\WINDOWS\system32\colbact.dll
2006-09-01   22:26   499,200   --a------   C:\WINDOWS\system32\comuid.dll
2006-09-01   22:26   442,880   --a------   C:\WINDOWS\system32\rpcrt4.dll
2006-09-01   22:26   365,568   --a------   C:\WINDOWS\system32\msdtcprx.dll
2006-09-01   22:26   226,816   --a------   C:\WINDOWS\system32\es.dll
2006-09-01   22:26   225,280   --a------   C:\WINDOWS\system32\catsrv.dll
2006-09-01   22:26   214,528   --a------   C:\WINDOWS\system32\rpcss.dll
2006-09-01   22:26   150,528   --a------   C:\WINDOWS\system32\msdtcuiu.dll
2006-09-01   22:26   110,080   --a------   C:\WINDOWS\system32\clbcatex.dll
2006-09-01   22:26   1,177,088   --a------   C:\WINDOWS\system32\comsvcs.dll
2006-09-01   22:26   1,105,408   --a------   C:\WINDOWS\system32\ole32.dll
2006-09-01   22:25   596,480   --a------   C:\WINDOWS\system32\catsrvut.dll
2006-09-01   22:20   593,408   --a------   C:\WINDOWS\system32\h323msp.dll
2006-09-01   22:20   550,400   --a------   C:\WINDOWS\system32\rtcdll.dll
2006-09-01   22:20   454,656   --a------   C:\WINDOWS\system32\ipnathlp.dll
2006-09-01   22:20   36,864   --a------   C:\WINDOWS\system32\mf3216.dll
2006-09-01   22:06   218,624   --a------   C:\WINDOWS\system32\srrstr.dll
2006-09-01   08:53   99,352   --a------   C:\WINDOWS\system32\ccPasswd.dll
2006-09-01   08:53   95,480   --a------   C:\WINDOWS\system32\ccTrust.dll
2006-09-01   08:52   53,248   --a------   C:\WINDOWS\UpdtNv28.exe
2006-09-01   08:49   7,680   ---------   C:\WINDOWS\system32\bitsprx2.dll
2006-09-01   08:49   7,168   ---------   C:\WINDOWS\system32\bitsprx3.dll
2006-09-01   08:49   331,776   --a------   C:\WINDOWS\system32\winhttp.dll
2006-09-01   08:49   17,408   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2006-09-01   08:49   158,720   ---------   C:\WINDOWS\system32\xpob2res.dll
2006-09-01   08:42   465,176   --a------   C:\WINDOWS\system32\wuapi.dll
2006-09-01   08:42   41,240   --a------   C:\WINDOWS\system32\wups.dll
2006-09-01   08:42   194,328   --a------   C:\WINDOWS\system32\wuaueng1.dll
2006-09-01   08:42   173,536   --a------   C:\WINDOWS\system32\wuweb.dll
2006-09-01   08:42   172,312   --a------   C:\WINDOWS\system32\wuauclt1.exe
2006-09-01   08:42   127,256   --a------   C:\WINDOWS\system32\wucltui.dll
2006-08-20   13:37   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2006-08-20   13:37   146,944   --a------   C:\WINDOWS\system32\ptpusd.dll
2006-08-19   18:56   251,904   --a------   C:\WINDOWS\system32\strmdll.dll
2006-08-19   09:37   24,661   --a------   C:\WINDOWS\system32\spxcoins.dll
2006-08-19   09:37   13,312   --a------   C:\WINDOWS\system32\irclass.dll
2006-08-17   17:39   214,752   --a------   C:\Setup100.exe
2006-08-17   05:29   20,480   --a------   C:\WINDOWS\drs.exe
2006-08-17   05:28   4,940   --a------   C:\dwin.exe
2006-08-17   05:25   2,749   --a------   C:\test.exe
2006-08-17   05:24   20,480   --a------   C:\winde.exe
2006-08-16   18:31   123   --a------   C:\.pif
2006-08-08   16:43   929   --a------   C:\WINDOWS\system32\winpfg32.sys
2006-08-08   16:42   168,072   --a------   C:\WINDOWS\system32\twintqex.exe
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-02 22:55   --------   d-a------   C:\Program Files\Common Files
2006-09-02 22:47   --------   d--------   C:\Program Files\Common Files\Symantec Shared
2006-09-02 10:24   --------   d--h-----   C:\Program Files\Uninstall Information
2006-09-02 10:24   --------   d--------   C:\Program Files\Outlook Express
2006-09-02 10:24   --------   d--------   C:\Program Files\Internet Explorer
2006-09-02 10:24   --------   d--------   C:\Program Files\Common Files\System
2006-09-02 10:15   --------   d--------   C:\Program Files\Windows Media Player
2006-09-01 22:49   --------   d--------   C:\Program Files\Yahoo!
2006-09-01 22:23   --------   d--------   C:\Program Files\NetMeeting
2006-09-01 22:11   --------   d--------   C:\Program Files\Lavasoft
2006-09-01 22:11   --------   d--------   C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Application Data\Lavasoft
2006-09-01 22:03   --------   d---s----   C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Application Data\Microsoft
2006-09-01 22:03   --------   d--------   C:\Program Files\MSXML 4.0
2006-09-01 22:03   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-09-01 09:07   --------   d--------   C:\Program Files\Symantec
2006-09-01 08:55   --------   d--------   C:\Program Files\Norton AntiVirus
2006-09-01 08:53   123   --a------   C:\.pif
2006-09-01 08:51   --------   d--------   C:\Program Files\SymNetDrv
2006-09-01 08:46   --------   d--------   C:\Program Files\Norton Internet Security
2006-09-01 08:42   --------   d--h-----   C:\Program Files\WindowsUpdate
2006-08-20 12:33   --------   d--------   C:\Program Files\Kodak
2006-08-19 20:38   --------   d--------   C:\Program Files\Mozilla Firefox
2006-08-19 20:37   --------   d--------   C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Application Data\Mozilla
2006-08-19 18:56   --------   d--------   C:\Program Files\Common Files\Services
2006-08-19 18:53   --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-08-19 18:52   --------   d--h-----   C:\Program Files\Zero G Registry
2006-08-19 18:51   --------   d--------   C:\Program Files\BellSouth
2006-08-19 09:45   --------   d--------   C:\Program Files\Movie Maker
2006-08-19 09:43   --------   d--------   C:\Program Files\Messenger
2006-08-12 08:03   --------   d--------   C:\Program Files\

cether01
« Reply #4 on: September 03, 2006, 04:53:11 AM »

COMBOFIX Part 2 of 2
**********************************

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"txjali"="C:\\WINDOWS\\System32\\thfilk.exe reg_run"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"puqbm"="C:\\WINDOWS\\System32\\thfilk.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""
"Title"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoFileMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"EnforceShellExtensionSecurity"=dword:00000000
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoDrives"=dword:00000000
"NoNetConnectDisconnect"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\pojox.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\megevur.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\WINDOWS\\System32\\ad.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chat"="scvost.exe"
"Windows Update Manager"="C:\\WINDOWS\\lansas.exe"
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chat"="scvost.exe"
"Windows Update Manager"="C:\\WINDOWS\\lansas.exe"
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^moqjr.exe]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\moqjr.exe"
"backup"="C:\\WINDOWS\\pss\\moqjr.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\moqjr.exe"
"item"="moqjr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Paula K.PAULA-3IZC3234W^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Paula K.PAULA-3IZC3234W\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\twintqex.exe GID003"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\bppoxa]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxlwxc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\bxlwxc.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\chat]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="scvost"
"hkey"="HKLM"
"command"="scvost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_15"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_15.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DllCacher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dllc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dllc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="twintqex"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\twintqex.exe GID003"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Hhl7RfpJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssn6tuu"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\ssn6tuu.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IPInSightLAN 01]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPClient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BellSouth\\Connection Tool\\IPClient.exe\" -l"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IPInSightMonitor 01]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPMon32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BellSouth\\Connection Tool\\IPMon32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_15"
"hkey"="HKLM"
"command"="C:\\\\kybrdff_15.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MS DLL Library Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dllsys64"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dllsys64.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms057007714167]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms057007714167"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms057007714167.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms060077141677]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms060077141677"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms060077141677.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msconfig38]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mssvcc"
"hkey"="HKLM"
"command"="mssvcc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_15"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_15.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\puqbm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thfilk"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\thfilk.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\System Mechanic Popup Stopper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PopupStopper"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\iolo\\SYSTEM~1\\PopupStopper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\txjali]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thfilk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\thfilk.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\w0330439.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w0330439.dll,I2 0006e85200330439"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Core Kernel Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32bootcfg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\win32bootcfg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Update Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lansas"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\lansas.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Winjava xml]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dirx9"
"hkey"="HKLM"
"command"="dirx9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\wmwpy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxlwxc"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\bxlwxc.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Windows PE Debugger"=dword:00000002
"Windows System Tray"=dword:00000002
"Win32Kernel"=dword:00000002
"TskHlp"=dword:00000002
"Pml Driver HPZ12"=dword:00000002
"Network Monitor"=dword:00000002
"mspathfinder"=dword:00000002
"dllmgr64"=dword:00000002
"cmdService"=dword:00000002
 
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job
 
Completion time: Sat 09/02/2006 22:59:37.89
ComboFix.txt

 
cether01
« Reply #5 on: September 03, 2006, 04:53:32 AM »

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   11:43:05 PM 9/2/2006

 + Scan result:   



C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\7X989XLR\dfndrff_15[1].exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Start Menu\Play Poker Online!.lnk -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\azctres.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\psdsregl.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\twintqex.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\twintqez.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winhlpp32.exe -> Backdoor.Agobot : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\OGJFO85L\a14[1].exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lviss.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINDOWS\tok\smart.exe -> Downloader.Adload.ai : Cleaned with backup (quarantined).
C:\WINDOWS\mdrive\drsmartload195a.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\7X989XLR\drsmartload195a[1].exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\7X989XLR\drsmartload45a[1].exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\7X989XLR\drsmartload849a[1].exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\PTQLPO9H\drsmartload46a[1].exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\WINDOWS\drs.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\winde.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\windowl.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\OGJFO85L\loader[1].exe -> Downloader.Adload.ef : Cleaned with backup (quarantined).
C:\QooBox\aetlw.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\aoeicsq.dll.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\pss\moqjr.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aetlw.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1468] C:\WINDOWS\System32\aoeicsq.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[224] C:\WINDOWS\System32\aoeicsq.dll -> Downloader.Qoologic.bj : Error during cleaning.
[320] C:\WINDOWS\System32\aoeicsq.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\Program Files\Messenger\mebolic.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\OGJFO85L\kybrdff_15[1].exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\Program Files\ComPlus Applications\megevur.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Common Files\pojox.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\ORZIV2AO\dfndrff_11a[1].exe -> Hijacker.VB.ov : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup (quarantined).
C:\Documents and Settings\Scott.PAULA-3IZC3234W\Cookies\scott@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Scott.PAULA-3IZC3234W\Cookies\scott@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Scott\Cookies\scott@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\Scott.PAULA-3IZC3234W\Cookies\scott@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Cookies\paula k@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\redist.dll -> Trojan.Agent.sx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\redistributor.exe -> Trojan.Agent.sx : Cleaned with backup (quarantined).
C:\WINDOWS\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end


 
Pancake
« Reply #6 on: September 03, 2006, 06:44:18 AM »

Hi
There are just a few more things to fix. You should be finding your computer running better now.... Don't worry if these files I have listed don't show up, as they may already be deleted.

Please download The Avenger to your Desktop and unzip it.

Copy all the text contained in the code box below (including the words "Files to delete") by highlighting it, right-clicking and selecting "Copy".


Files to delete:
C:\WINDOWS\System32\kqvml.exe
C:\WINDOWS\System32\vldqvqf.exe
C:\Windows\All Users\Start Menu\Programs\StartUp\moqjr.exe

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next, click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (If the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt and a new Hijack This log.




Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.


F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kqvml.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,vldqvqf.exe
O4 - HKLM\..\Run: [txjali] C:\WINDOWS\System32\thfilk.exe reg_run
O4 - HKCU\..\Run: [puqbm] C:\WINDOWS\System32\thfilk.exe reg_run
O4 - Global Startup: moqjr.exe

Reboot and please post back the contents of C:\avenger.txt and a new Hijack This log.
An Australian Member of

EDDY
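The two F2 lines and the O4 items listed above are exactly the patterns a helper scans a HijackThis log for by hand: a program appended to Winlogon's Shell= or UserInit= value, a startup item with no directory path, and one executable registered under several Run value names. As an added example that is not part of this thread or of HijackThis, the following Python script applies those three checks to HJT F2/O4 lines; the sample log reuses lines quoted in this thread plus two constructed clean lines.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Lines copied from the HijackThis output quoted in this thread, plus two
# constructed clean lines (jusched from the MSCONFIG dump above, and a healthy
# UserInit= value) so the checks have something to pass.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kqvml.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,vldqvqf.exe
O4 - HKLM\..\Run: [txjali] C:\WINDOWS\System32\thfilk.exe reg_run
O4 - HKCU\..\Run: [puqbm] C:\WINDOWS\System32\thfilk.exe reg_run
O4 - Global Startup: moqjr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.*)$")


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id
    detail: str  # human-readable explanation
    line: str    # the HJT line that triggered it


def executable_of(command: str) -> str:
    """Program part of a Run command: the quoted path if it is quoted,
    otherwise everything up to and including the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.*?\.exe)", command)
    return m.group(1) if m else command.split()[0]


def check_winlogon(key: str, value: str) -> list[tuple[str, str]]:
    """Winlogon should start exactly Explorer.exe (Shell=) and exactly
    system32\\userinit.exe (UserInit=). The trailing comma HJT shows after
    userinit.exe is normal, so empty entries are ignored."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if key == "Shell":
        extra = [e for e in entries if e.lower() != "explorer.exe"]
        rule, what = "winlogon-shell", "Shell= also launches"
    else:
        extra = [e for e in entries
                 if not e.lower().endswith("\\system32\\userinit.exe")]
        rule, what = "winlogon-userinit", "UserInit= also launches"
    return [(rule, f"{what} {', '.join(extra)}")] if extra else []


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    registered: dict[str, list[str]] = defaultdict(list)  # exe -> HJT lines
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            findings += [Finding(r, d, line)
                         for r, d in check_winlogon(m.group(1), m.group(2))]
            continue
        if m := O4_RUN_RE.match(line):
            command = m.group(3)
        elif m := O4_STARTUP_RE.match(line):
            command = m.group(2)
        else:
            continue
        exe = executable_of(command)
        if "\\" not in exe:
            # A bare file name is resolved through the search path at logon,
            # so the log does not even tell you which file actually runs.
            findings.append(Finding("no-path", f"{exe} has no directory", line))
        registered[exe.lower()].append(line)
    # One program under several Run value names (thfilk.exe above, under both
    # HKLM and HKCU) is how this adware survives removal of a single entry.
    for exe, lines in registered.items():
        if len(lines) > 1:
            for hit in lines:
                findings.append(Finding("duplicate-exe",
                                        f"{exe} registered {len(lines)} times", hit))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```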
cether01
« Reply #7 on: September 03, 2006, 03:41:04 PM »

Here is the Avenger log file; I will post the HijackThis log in a separate reply/post:
********************************************

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bbneefhb

*******************

Script file located at: \??\C:\Documents and Settings\omydshkt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\kqvml.exe deleted successfully.
File C:\WINDOWS\System32\vldqvqf.exe deleted successfully.


Could not open file C:\Windows\All Users\Start Menu\Programs\StartUp\moqjr.exe for deletion
Deletion of file C:\Windows\All Users\Start Menu\Programs\StartUp\moqjr.exe failed!

Could not process line:
C:\Windows\All Users\Start Menu\Programs\StartUp\moqjr.exe
Status: 0xc000003a


Completed script processing.

*******************

Finished!  Terminate.

 
cether01
« Reply #8 on: September 03, 2006, 03:41:30 PM »

Logfile of HijackThis v1.99.1
Scan saved at 10:38:55 AM, on 9/3/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth

 
Pancake
« Reply #9 on: September 03, 2006, 11:50:38 PM »

Will you run HJT, remove these two items and post a new log, please?

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kqvml.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,vldqvqf.exe
cether01
« Reply #10 on: September 04, 2006, 02:02:50 AM »

I fixed them with HijackThis, but they keep coming back. Here is the logfile:
***************************

Logfile of HijackThis v1.99.1
Scan saved at 9:01:15 PM, on 9/3/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth

 
Pancake
« Reply #11 on: September 04, 2006, 02:29:46 AM »

Ok, this should fix it....

Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if using IE, Save Target As.)
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk" C:/ or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (right-click on this link and choose Save As; if using IE, Save Target As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat, then close all browsers and Explorer folders.
  • Choose option 1 (Qoofix autofix) and follow the prompts.
  • Please be patient; it will take about five minutes.
  • After the PC has restarted, please post another HijackThis log.
cether01
« Reply #12 on: September 04, 2006, 03:34:22 PM »

When I try to download qoofix.bat, it says the server cannot be found.

 
cether01
« Reply #13 on: September 04, 2006, 04:49:41 PM »

I did a little searching and found this program:

Qoofix 1.03 from http://www.malwarebytes.org/qoofix.php, and I ran it and it cleaned 2 infections.

Here is my new HijackThis logfile:
*************************************



Logfile of HijackThis v1.99.1
Scan saved at 11:44:05 AM, on 9/4/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\Userinit.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Documents and Settings\Paula K.PAULA-3IZC3234W\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth

 
Pancake
« Reply #14 on: September 04, 2006, 11:46:02 PM »

Yes, that's all fine now. You should be good to go.