Having a TON of problems with popup ads here the last week or so.
Seems to be OuterInfo and SetTheTrend or something majorly.
Sometimes I'll get a Visual C++ buffer overrun error which shuts down my desktop (goes blank) and forces a reboot.
Getting this error on startup also, if it matters:
c:\windows\system32\ddayv.exe (errors with path/registry/etc)
Running WindowsXP (w/ all updates) and AVG (paid edition).
Here are the logs:
[Panda Active SCAN]:
Incident Status Location
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advancedcleaner[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Adware:Adware/Adband Not disinfected C:\Documents and Settings\Owner\Desktop\vvqq.exe[ism.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
Adware:Adware/Adband Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HSFQAHH\vvqq[1].exe[ism.exe]
Hacktool:Hacktool/AngryScan Not disinfected C:\Documents and Settings\Owner\My Documents\Control4\Misc\C4 Toolbox.zip[C4 Toolbox/ipscan.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\My Documents\My Received Files\ComboFix.exe[ComboFixT\nircmd.exe]
Adware:Adware/Startpage.ACY Not disinfected C:\Program Files\Support.com\adelphia\scripts\IEconfig.vbs
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\L9A21.tmp
[DSS SCAN]:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-29 01:43:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2008-01-29 06:43:30 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:58 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe
C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.195.246.83:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayv.exe
O2 - BHO: 0 - {0487D578-CA72-48B0-BBAD-60019A899D82} - C:\Program Files\MSN\laduxaruj.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E4F930-6ED4-1B03-F248-19E34F96F29B} - C:\WINDOWS\system32\idluvd.dll (file missing)
O2 - BHO: (no name) - {4360C8B7-5905-71AA-5710-5300CCCD88ED} - C:\WINDOWS\system32\tekwovsz.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqrolkl.dll
O2 - BHO: (no name) - {A6D7CA41-BB21-4DF8-9357-527CA9553F89} - C:\WINDOWS\system32\ddayv.dll
O2 - BHO: (no name) - {B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C} - C:\Program Files\Messenger\horefoq.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qjpluhws] C:\WINDOWS\?ecurity\?poolsv.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Aqg] "C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://camserver.cookcams.net/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://74.94.178.163/activex/AMC.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://control4.webex.com/client/T25L/training/ieatgpc.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: rqrolkl - C:\WINDOWS\SYSTEM32\rqrolkl.dll
O20 - Winlogon Notify: urqqnmn - urqqnmn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 6710 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 VVBackd5 - c:\windows\system32\drivers\vvbackd5.sys
R1 papycpu2 - c:\windows\system32\drivers\papycpu2.sys
R1 papyjoy - c:\windows\system32\drivers\papyjoy.sys
R2 SIODRV - c:\windows\system32\drivers\siodrv.sys <Not Verified; Intel Corporation; Intel(R) Active Monitor>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>
R3 smbusp (Intel(R) SMBus 2.0 Driver) - c:\windows\system32\drivers\smb.sys <Not Verified; Intel Corporation; Intel(R) SMBus Controller>
R3 tap0801 (TAP-Win32 Adapter V8) - c:\windows\system32\drivers\tap0801.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>
S3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Diskeeper - c:\program files\executive software\diskeeperlite\dkservice.exe <Not Verified; Executive Software International, Inc.; Diskeeper (TM) Disk Defragmenter>
R2 imonNT (Intel(R) Active Monitor) - c:\program files\intel\intel(r) active monitor\imonnt.exe <Not Verified; Intel Corp.; Intel(R) Active Monitor>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\868686012B300
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\868686012B300
Service: NIC1394
-- Files created between 2007-12-29 and 2008-01-29 -----------------------------
2008-01-29 01:44:48 0 d-------- C:\Program Files\Trend Micro
2008-01-29 00:14:03 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-29 00:10:02 0 d-------- C:\Program Files\SpywareBlaster
2008-01-29 00:03:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 00:03:09 0 d-------- C:\WINDOWS\LastGood
2008-01-28 17:25:10 3584 --a------ C:\WINDOWS\system32\ddayv.exe
2008-01-28 16:41:05 60928 --a------ C:\WINDOWS\system32\tekwovsz.dll
2008-01-27 17:24:15 472774 --ahs---- C:\WINDOWS\system32\vyadd.ini2
2008-01-27 17:24:11 327168 --a------ C:\WINDOWS\system32\ddayv.dll
2008-01-27 16:18:04 41984 --a------ C:\WINDOWS\system32\rqrolkl.dll
2008-01-27 16:17:27 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-01-23 15:46:32 0 d-------- C:\Program Files\ZOC5
2008-01-20 16:53:06 0 d-------- C:\Program Files\MioNet
2008-01-20 16:49:36 21504 --a------ C:\WINDOWS\jestertb.dll
2008-01-17 03:51:59 0 d-------- C:\Program Files\MediaMonkey
2008-01-17 03:44:36 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 00:59:07 0 d-------- C:\Program Files\Smartwizard Discovery
2008-01-17 00:51:20 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
-- Find3M Report ---------------------------------------------------------------
2008-01-28 23:05:48 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-01-28 14:20:52 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-28 08:51:50 0 d-------- C:\Program Files\Steam
2008-01-28 08:51:50 0 d-------- C:\Program Files\PowerStrip
2008-01-27 17:24:16 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-01-27 16:50:50 0 d-------- C:\Program Files\Common Files
2008-01-17 00:51:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-16 23:46:24 0 d-------- C:\Program Files\mIRC
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
C:\Program Files\MSN\laduxaruj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
C:\WINDOWS\system32\idluvd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4360C8B7-5905-71AA-5710-5300CCCD88ED}]
01/28/2008 11:29 AM 60928 --a------ C:\WINDOWS\system32\tekwovsz.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
01/27/2008 04:18 PM 41984 --a------ C:\WINDOWS\system32\rqrolkl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6D7CA41-BB21-4DF8-9357-527CA9553F89}]
01/27/2008 05:24 PM 327168 --a------ C:\WINDOWS\system32\ddayv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
C:\Program Files\Messenger\horefoq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Aim6"="" []
"Qjpluhws"="C:\WINDOWS\?ecurity\?poolsv.exe" []
"Steam"="c:\program files\steam\steam.exe" []
"Aqg"="C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe" [01/28/2008 11:29 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\rqrolkl.dll [01/27/2008 04:18 PM 41984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/18/2007 10:56 PM 9216 C:\WINDOWS\system32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrolkl]
rqrolkl.dll 01/27/2008 04:18 PM 41984 C:\WINDOWS\system32\rqrolkl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]
urqqnmn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3405494-412d-11dc-931f-0011111faa1e}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - WVAWIUHCVHHW
-- End of Deckard's System Scanner: finished at 2008-01-29 01:45:50 ------------
Seems to be OuterInfo and SetTheTrend or something majorly.
Sometimes I'll get a Visual C++ buffer overrun error which shuts down my desktop (goes blank) and forces a reboot.
Getting this error on startup also, if it matters:
c:\windows\system32\ddayv.exe (errors with path/registry/etc)
Running WindowsXP (w/ all updates) and AVG (paid edition).
Here are the logs:
[Panda Active SCAN]:
Incident Status Location
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advancedcleaner[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Adware:Adware/Adband Not disinfected C:\Documents and Settings\Owner\Desktop\vvqq.exe[ism.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
Adware:Adware/Adband Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HSFQAHH\vvqq[1].exe[ism.exe]
Hacktool:Hacktool/AngryScan Not disinfected C:\Documents and Settings\Owner\My Documents\Control4\Misc\C4 Toolbox.zip[C4 Toolbox/ipscan.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\My Documents\My Received Files\ComboFix.exe[ComboFixT\nircmd.exe]
Adware:Adware/Startpage.ACY Not disinfected C:\Program Files\Support.com\adelphia\scripts\IEconfig.vbs
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\L9A21.tmp
[DSS SCAN]:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-29 01:43:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2008-01-29 06:43:30 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:58 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe
C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.195.246.83:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayv.exe
O2 - BHO: 0 - {0487D578-CA72-48B0-BBAD-60019A899D82} - C:\Program Files\MSN\laduxaruj.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E4F930-6ED4-1B03-F248-19E34F96F29B} - C:\WINDOWS\system32\idluvd.dll (file missing)
O2 - BHO: (no name) - {4360C8B7-5905-71AA-5710-5300CCCD88ED} - C:\WINDOWS\system32\tekwovsz.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqrolkl.dll
O2 - BHO: (no name) - {A6D7CA41-BB21-4DF8-9357-527CA9553F89} - C:\WINDOWS\system32\ddayv.dll
O2 - BHO: (no name) - {B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C} - C:\Program Files\Messenger\horefoq.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qjpluhws] C:\WINDOWS\?ecurity\?poolsv.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Aqg] "C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://camserver.cookcams.net/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://74.94.178.163/activex/AMC.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://control4.webex.com/client/T25L/training/ieatgpc.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: rqrolkl - C:\WINDOWS\SYSTEM32\rqrolkl.dll
O20 - Winlogon Notify: urqqnmn - urqqnmn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 6710 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 VVBackd5 - c:\windows\system32\drivers\vvbackd5.sys
R1 papycpu2 - c:\windows\system32\drivers\papycpu2.sys
R1 papyjoy - c:\windows\system32\drivers\papyjoy.sys
R2 SIODRV - c:\windows\system32\drivers\siodrv.sys <Not Verified; Intel Corporation; Intel(R) Active Monitor>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>
R3 smbusp (Intel(R) SMBus 2.0 Driver) - c:\windows\system32\drivers\smb.sys <Not Verified; Intel Corporation; Intel(R) SMBus Controller>
R3 tap0801 (TAP-Win32 Adapter V8) - c:\windows\system32\drivers\tap0801.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>
S3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Diskeeper - c:\program files\executive software\diskeeperlite\dkservice.exe <Not Verified; Executive Software International, Inc.; Diskeeper (TM) Disk Defragmenter>
R2 imonNT (Intel(R) Active Monitor) - c:\program files\intel\intel(r) active monitor\imonnt.exe <Not Verified; Intel Corp.; Intel(R) Active Monitor>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\868686012B300
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\868686012B300
Service: NIC1394
-- Files created between 2007-12-29 and 2008-01-29 -----------------------------
2008-01-29 01:44:48 0 d-------- C:\Program Files\Trend Micro
2008-01-29 00:14:03 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-29 00:10:02 0 d-------- C:\Program Files\SpywareBlaster
2008-01-29 00:03:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 00:03:09 0 d-------- C:\WINDOWS\LastGood
2008-01-28 17:25:10 3584 --a------ C:\WINDOWS\system32\ddayv.exe
2008-01-28 16:41:05 60928 --a------ C:\WINDOWS\system32\tekwovsz.dll
2008-01-27 17:24:15 472774 --ahs---- C:\WINDOWS\system32\vyadd.ini2
2008-01-27 17:24:11 327168 --a------ C:\WINDOWS\system32\ddayv.dll
2008-01-27 16:18:04 41984 --a------ C:\WINDOWS\system32\rqrolkl.dll
2008-01-27 16:17:27 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-01-23 15:46:32 0 d-------- C:\Program Files\ZOC5
2008-01-20 16:53:06 0 d-------- C:\Program Files\MioNet
2008-01-20 16:49:36 21504 --a------ C:\WINDOWS\jestertb.dll
2008-01-17 03:51:59 0 d-------- C:\Program Files\MediaMonkey
2008-01-17 03:44:36 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 00:59:07 0 d-------- C:\Program Files\Smartwizard Discovery
2008-01-17 00:51:20 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
-- Find3M Report ---------------------------------------------------------------
2008-01-28 23:05:48 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-01-28 14:20:52 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-28 08:51:50 0 d-------- C:\Program Files\Steam
2008-01-28 08:51:50 0 d-------- C:\Program Files\PowerStrip
2008-01-27 17:24:16 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-01-27 16:50:50 0 d-------- C:\Program Files\Common Files
2008-01-17 00:51:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-16 23:46:24 0 d-------- C:\Program Files\mIRC
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
C:\Program Files\MSN\laduxaruj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
C:\WINDOWS\system32\idluvd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4360C8B7-5905-71AA-5710-5300CCCD88ED}]
01/28/2008 11:29 AM 60928 --a------ C:\WINDOWS\system32\tekwovsz.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
01/27/2008 04:18 PM 41984 --a------ C:\WINDOWS\system32\rqrolkl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6D7CA41-BB21-4DF8-9357-527CA9553F89}]
01/27/2008 05:24 PM 327168 --a------ C:\WINDOWS\system32\ddayv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
C:\Program Files\Messenger\horefoq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Aim6"="" []
"Qjpluhws"="C:\WINDOWS\?ecurity\?poolsv.exe" []
"Steam"="c:\program files\steam\steam.exe" []
"Aqg"="C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe" [01/28/2008 11:29 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\rqrolkl.dll [01/27/2008 04:18 PM 41984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/18/2007 10:56 PM 9216 C:\WINDOWS\system32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrolkl]
rqrolkl.dll 01/27/2008 04:18 PM 41984 C:\WINDOWS\system32\rqrolkl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]
urqqnmn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3405494-412d-11dc-931f-0011111faa1e}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - WVAWIUHCVHHW
-- End of Deckard's System Scanner: finished at 2008-01-29 01:45:50 ------------