05-11-2007, 12:03 AM   #4
Kicks
Join Date: Mar 2007
Posts: 17
OS: XP

Re: Crazy Popups and Spyware now no Desktop

Thanks for the help! I really appreciate this!! I couldn't delete
O4 - Startup: .protected
or
O4 - Global Startup: .protected
for both, HJT asked me to shut them down via task manager, then redo HJT, but I couldn't really get that to work. There was also a bunch of stuff that didn't show up when I ran HJT, but here're my logs...


COMBOFIX

"Ocha" - 2007-05-10 23:03:04 Service Pack 2
ComboFix 07-05.11.3V - Running from: "C:\Documents and Settings\Ocha\Desktop\"
Command switches used :: "/v winrvc32"


((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9DE91082-BBA1-440F-BDD5-EA00E9714865}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}]
@=""

[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{057047F1-5FE2-457F-8E88-67FFC1E2058C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting SeDebugPrivilege to Administrators ... successful



(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winrvc32.dll
C:\WINDOWS\system32\wvuroml.dll
C:\WINDOWS\system32\winrvc32.dll
C:\WINDOWS\system32\pmnoomm.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\{44409~1\system.dll
C:\DOCUME~1\Ocha\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{44409~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\FNTS~1
C:\qoobox\purity\C\WINDOWS\SYSTEM32\FNTS~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\cmdService
-------\kprof
-------\poof


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-10 ))))))))))))))))))))))))))))))))))


2007-05-09 22:56 <DIR> d-------- C:\DOCUME~1\Ocha\APPLIC~1\Symantec
2007-05-09 21:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-05-09 18:49 <DIR> d-------- C:\Program Files\Norton 360
2007-05-09 18:44 <DIR> d-------- C:\Program Files\Symantec
2007-05-09 18:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-09 18:41 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-09 03:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-08 21:33 1,493,869 ---hs---- C:\WINDOWS\SYSTEM32\ihkmp.bak2
2007-05-08 21:32 1,493,984 ---hs---- C:\WINDOWS\SYSTEM32\ihkmp.ini2
2007-05-08 20:52 <DIR> d-------- C:\Deckard
2007-05-04 02:07 1,397,965 --ahs---- C:\WINDOWS\SYSTEM32\ihkmp.bak1
2007-05-04 00:19 1,404,852 --ahs---- C:\WINDOWS\SYSTEM32\accdd.ini2
2007-05-01 15:13 86,528 --a------ C:\WINDOWS\SYSTEM32\rifakdn.dll
2007-05-01 15:13 64,000 --a------ C:\WINDOWS\SYSTEM32\tz***ke.dll
2007-04-25 13:18 53,248 --a------ C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll
2007-04-25 13:17 86,528 --a------ C:\WINDOWS\SYSTEM32\zpcxcyc.dll
2007-04-25 13:17 63,488 --a------ C:\WINDOWS\SYSTEM32\cpiicbc.dll
2007-04-14 03:58 <DIR> d-------- C:\Program Files\GUILTY GEAR XX #RELOAD


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-10 02:07:13 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8781.sys
2007-05-10 02:05:00 -------- d-----w C:\DOCUME~1\Ocha\APPLIC~1\WeatherBug
2007-05-04 05:59:38 1,407,118 --sha-w C:\WINDOWS\system32\accdd.bak2
2007-05-04 05:24:29 1,406,912 --sha-w C:\WINDOWS\system32\accdd.bak1
2007-05-03 17:41:30 13,358 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-03 17:37:35 -------- d-----w C:\Program Files\WAV to MP3 Encoder
2007-04-27 01:44:01 -------- d-----w C:\Program Files\mIRC
2007-04-25 19:12:37 -------- d-----w C:\DOCUME~1\Ocha\APPLIC~1\uTorrent
2007-03-29 03:53:36 86,016 ----a-w C:\WINDOWS\system32\ywdlat.dll
2007-03-29 03:53:36 63,488 ----a-w C:\WINDOWS\system32\xgokgxl.dll
2007-03-23 17:48:49 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-21 07:41:55 81,408 ----a-w C:\WINDOWS\system32\qvcjvfj.dll
2007-03-19 15:43:19 81,920 ----a-w C:\WINDOWS\system32\clhrzsb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 20:38:19 81,408 ----a-w C:\WINDOWS\system32\dntopsd.dll
2007-03-14 02:11:43 80,896 ----a-w C:\WINDOWS\system32\phyeppn.dll
2007-03-12 20:39:02 81,408 ----a-w C:\WINDOWS\system32\nwqajmf.dll
2007-03-12 09:11:47 81,408 ----a-w C:\WINDOWS\system32\qeeddch.dll
2007-03-12 07:20:30 -------- d-----w C:\Program Files\Enigma Software Group
2007-03-12 04:54:29 -------- d-----w C:\Program Files\Ultimate Cleaner
2007-03-12 04:24:46 57,344 ----a-w C:\WINDOWS\system32\jgnxjbj.dll
2007-03-12 04:24:44 81,408 ----a-w C:\WINDOWS\system32\trdqsad.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 22:30:36 -------- d-----w C:\Program Files\SpywareBlaster
2007-03-05 04:22:57 707 ----a-w C:\WINDOWS\_DEFAULT.PIF
2007-03-05 04:22:53 0 ----a-w C:\WINDOWS\winuk.dll
2007-03-05 04:22:48 256,192 ----a-w C:\WINDOWS\WINHELP.EXE
2007-03-05 04:22:44 18,944 ----a-w C:\WINDOWS\VMMREG32.DLL
2007-03-05 04:22:37 149,504 ----a-w C:\WINDOWS\UNWISE.EXE
2007-03-05 04:22:33 90,112 ----a-w C:\WINDOWS\unvise32.exe
2007-03-05 04:22:27 25,600 ----a-w C:\WINDOWS\TWUNK_32.EXE
2007-03-05 04:22:25 25,600 ----a-w C:\WINDOWS\TWUNK_32(2).EXE
2007-03-05 04:22:24 49,680 ----a-w C:\WINDOWS\TWUNK_16.EXE
2007-03-05 04:22:24 49,680 ----a-w C:\WINDOWS\TWUNK_16(9).EXE
2007-03-05 04:22:23 49,680 ----a-w C:\WINDOWS\TWUNK_16(8).EXE
2007-03-05 04:22:21 49,680 ----a-w C:\WINDOWS\TWUNK_16(8)(2).EXE
2007-03-05 04:22:19 49,680 ----a-w C:\WINDOWS\TWUNK_16(7).EXE
2007-03-05 04:22:19 49,680 ----a-w C:\WINDOWS\TWUNK_16(6).EXE
2007-03-05 04:22:18 49,680 ----a-w C:\WINDOWS\TWUNK_16(5).EXE
2007-03-05 04:22:17 49,680 ----a-w C:\WINDOWS\TWUNK_16(4).EXE
2007-03-05 04:22:15 49,680 ----a-w C:\WINDOWS\TWUNK_16(4)(2).EXE
2007-03-05 04:22:14 49,680 ----a-w C:\WINDOWS\TWUNK_16(3).EXE
2007-03-05 04:22:13 49,680 ----a-w C:\WINDOWS\TWUNK_16(3)(2).EXE
2007-03-05 04:22:12 49,680 ----a-w C:\WINDOWS\TWUNK_16(2).EXE
2007-03-05 04:22:11 49,680 ----a-w C:\WINDOWS\TWUNK_16(12).EXE
2007-03-05 04:22:10 49,680 ----a-w C:\WINDOWS\TWUNK_16(11).EXE
2007-03-05 04:22:08 49,680 ----a-w C:\WINDOWS\TWUNK_16(10).EXE
2007-03-05 04:22:04 0 ----a-w C:\WINDOWS\sysxr32.dll
2007-03-05 04:21:48 33,792 ----a-w C:\WINDOWS\Q330994.exe
2007-03-05 04:21:41 7,473 ----a-w C:\WINDOWS\plqca.dat
2007-03-05 04:21:38 3,547 ----a-w C:\WINDOWS\oncsc.dat
2007-03-05 04:21:38 0 -c--a-w C:\WINDOWS\ofqd.exe
2007-03-05 04:21:37 33,792 ----a-w C:\WINDOWS\oeuninst.exe
2007-03-05 04:21:34 29,256 ----a-w C:\WINDOWS\n_aqcvyu.dat
2007-03-05 04:21:34 29,256 ----a-w C:\WINDOWS\n_aakuom.dat
2007-03-05 04:21:34 0 -c--a-w C:\WINDOWS\n_xdrfqf.dat
2007-03-05 04:21:33 0 -c--a-w C:\WINDOWS\ntiy.dll
2007-03-05 04:21:32 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2007-03-05 04:21:32 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-05 04:21:31 33,280 ----a-w C:\WINDOWS\muninst.exe
2007-03-05 04:21:31 0 -c--a-w C:\WINDOWS\mstasks4.exe
2007-03-05 04:21:25 0 -c--a-w C:\WINDOWS\mfqwx.dll
2007-03-05 04:21:24 0 -c--a-w C:\WINDOWS\mfcca.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\javamf.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\javago32.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\ieli.dll
2007-03-05 04:21:06 0 -c--a-w C:\WINDOWS\hsyua.dll
2007-03-05 04:21:01 98,352 ----a-w C:\WINDOWS\dla.exe
2007-03-05 04:20:55 8,192 ----a-w C:\WINDOWS\d3dx.dat
2007-03-05 04:20:55 0 -c--a-w C:\WINDOWS\crsk32.dll
2007-03-05 04:20:54 0 -c--a-w C:\WINDOWS\crge32.dll
2007-03-05 04:18:59 0 -c--a-w C:\WINDOWS\apidx.dll
2007-03-05 00:15:18 -------- d-----w C:\Program Files\Common Files\qrwf
2007-03-03 23:13:25 81,408 ----a-w C:\WINDOWS\system32\ungpwhe.dll
2007-03-03 23:13:25 57,344 ----a-w C:\WINDOWS\system32\rqaatzc.dll
2007-02-19 21:45:33 155,648 ----a-w C:\WINDOWS\system32\PoporuAgent.exe
2007-02-19 21:45:33 106,496 ----a-w C:\WINDOWS\system32\PoporuAgent.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}=C:\WINDOWS\system32\hggghhi.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-30 08:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-03-17 15:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-04 16:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-09-09 17:35]
"AIM"="C:\Program Files\AIM95\aim.exe" [2002-05-22 11:57]
"Sonic RecordNow!"="" [])

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"="C:\WINDOWS\system32\hggghhi.dll" [x]
"{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}"="C:\WINDOWS\system32\pmnoomm.dll" [x]


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqrsp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvde.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages \0scecli\0scecli\0scecli\0scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rundll
rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
Usnsvc usnsvc\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (D6FYH341-Ocha).job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-10 23:18:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-10 23:22:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-10 23:22



SMITFRAUDFIX REPORT

SmitFraudFix v2.179

Scan done at 23:38:12.09, Thu 05/10/2007
Run from C:\Documents and Settings\Ocha\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !
C:\WINDOWS\d3??.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ocha


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ocha\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Ocha\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ocha\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csvde.exe"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.10.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:59:58 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Ocha\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: .protected
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163648224296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
O20 - Winlogon Notify: rqrqrsp - rqrqrsp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
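Added example, not part of Kicks' post and not code from ComboFix, SmitFraudFix or HijackThis: a small Python triage script run over excerpts copied verbatim from the three logs above. It pulls out the three findings in these logs that still need acting on after the ComboFix run: the static NameServer pointing at public addresses (85.255.113.90, 85.255.112.5) in ControlSet002 and ControlSet003 while DHCP hands out 192.168.10.1 (CurrentControlSet and ControlSet001 are already clean, but the stale copies in the other control sets could come back with a Last Known Good boot); the non-empty Winlogon "System" value (csvde.exe); and the O2/O20 entries whose DLL is already gone but whose registry registration is still present. The rule "static public resolver while DHCP supplies a private one" and the treatment of "(file missing)" / "(no file)" as orphaned registrations are this example's own heuristics, not definitions from any of the tools.

```python
"""Triage helpers for the SmitFraudFix DNS / Winlogon.System sections and the
HijackThis O2/O20 lines posted above.

Added example; not part of the original post or of the tools' own code.
The excerpts are copied from the logs as posted; the "public static resolver"
rule and the orphan rule below are assumptions made for this example.
"""
import ipaddress
import re

# --- excerpts from the SmitFraudFix report posted above ------------------
SMITFRAUD_DNS = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
"""

SMITFRAUD_WINLOGON = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csvde.exe"
"""

# --- excerpt from the HijackThis log posted above ------------------------
HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# One SmitFraudFix DNS line: control set, interface GUID, value name, addresses.
DNS_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\(?P<guid>\{[0-9A-F-]+\}): "
    r"(?P<key>DhcpNameServer|NameServer)=(?P<val>[\d.,]+)$", re.M)

WINLOGON_SYSTEM_RE = re.compile(r'^"System"="(?P<val>.*)"$', re.M)

# HijackThis O2 (BHO) and O20 (Winlogon Notify) lines: kind, display name, rest.
HJT_RE = re.compile(
    r"^(?P<kind>O2|O20) - (?:BHO|Winlogon Notify): (?P<name>[^-\n]+?) - (?P<rest>.*)$", re.M)


def dns_overrides(text):
    """Return {control_set: [rogue_server, ...]} for each interface/control set
    where a static NameServer names a public address while DHCP handed out only
    private ones. Heuristic (assumption): that mismatch is the fingerprint a
    DNS-changing infection leaves, and it must be checked in every control
    set, not just CurrentControlSet."""
    per_iface = {}
    for m in DNS_RE.finditer(text):
        per_iface.setdefault((m["cs"], m["guid"]), {})[m["key"]] = m["val"].split(",")
    hits = {}
    for (cs, _guid), keys in per_iface.items():
        dhcp = keys.get("DhcpNameServer", [])
        static = keys.get("NameServer", [])
        dhcp_private = all(ipaddress.ip_address(a).is_private for a in dhcp)
        rogue = [a for a in static if ipaddress.ip_address(a).is_global]
        if dhcp_private and rogue:
            hits[cs] = rogue
    return hits


def winlogon_system_value(text):
    """Return the Winlogon 'System' value, or '' when absent or empty. On a
    clean XP install the value is empty; whatever is named there is started
    by winlogon at boot, which is why SmitFraudFix prints it."""
    m = WINLOGON_SYSTEM_RE.search(text)
    return m["val"] if m else ""


def hjt_orphans(text):
    """O2/O20 entries whose DLL HijackThis reports as gone. The registry key
    (the CLSID for O2, the Notify subkey for O20) is still present and is what
    needs deleting; the identifier returned is the one to fix."""
    out = []
    for m in HJT_RE.finditer(text):
        rest = m["rest"]
        if "(file missing)" not in rest and "(no file)" not in rest:
            continue
        clsid = re.search(r"\{[0-9A-F-]+\}", rest)
        out.append((m["kind"], clsid.group(0) if clsid else m["name"].strip()))
    return out


if __name__ == "__main__":
    print("Static public resolvers by control set:", dns_overrides(SMITFRAUD_DNS))
    print("Winlogon System value:", winlogon_system_value(SMITFRAUD_WINLOGON) or "(empty)")
    print("Orphaned O2/O20 registrations:", hjt_orphans(HJT))
```

On these excerpts the script reports the two rogue resolvers under CS2 and CS3 only, csvde.exe as the Winlogon System value, and four orphaned registrations (two BHO CLSIDs and the hggghhi / pmkhi Notify subkeys). The O20 entries for ddcca, rqrqnkh and rqrqrsp that ComboFix lists would be caught the same way if their HJT lines were included.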