09-11-2007, 07:11 AM   #1
Registered User
Join Date: Jul 2007
Posts: 10
OS: Windows XP

Popups getting very annoying, HJT log inside

Hello,

I am having a terrible time with some pop-ups. It started with an auto download of something called Win-AntiVirus. I stopped it halfway through download but I still got all the crap. I had a lot of 'brought to you by WebBuying' pop up ads, and I deleted/uninstalled WebBuying, so they have stopped. However, other ads are still coming. And sometimes I get .dll errors that make Internet Explorer crash. Also the 'SYSTEM' process in my task manager goes to about 70 whenever a web page loads. Not the System Idle Process, the actual System process.

I deleted a few files from the HJT log that I knew were bad, but as soon as I rescanned they were back.

It's a pesky little fella, any help would be appreciated. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:08:54 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\RmF5ZQ\command.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\2020V64\Mswin\60\SCBar.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Faye\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet...layer?stream=&
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9CDBC9B8-BD7B-4CD3-B9AA-490033DFF7F8} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqnoom.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [RemoveInstallPath] cmd.exe C:\WINDOWS\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\Words" > nul
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2213] command /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC709] cmd /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2816] command /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8461] cmd /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3448] command /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8798] cmd /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6082] command /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3897] cmd /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA268] command /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6716] cmd /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7706] command /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4768] cmd /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6814] command /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7675] cmd /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3367] command /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5394] cmd /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5193] command /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9936] cmd /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6901] command /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7519] cmd /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5284] command /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4370] cmd /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9116] command /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7541] cmd /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk = C:\2020V64\Mswin\60\SCBar.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/ra...gameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/s...ivex118_24.cab
O20 - Winlogon Notify: ssqnoom - C:\WINDOWS\SYSTEM32\ssqnoom.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmF5ZQ\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 10739 bytes
JeremyPGH is offline  
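The log above is the raw material an analyst works from, so it helps to see what a first automated pass over it looks like. The following Python script is an added example written for this thread; it is not code from the forum, from Trend Micro's HijackThis or from Deckard's System Scanner. It parses the `Rn - ...` / `On - ...` lines into records, pulls out the file path each one references, and attaches review flags for the cues an analyst checks first: a BHO with no name, a service with no vendor or "Unknown owner", a Winlogon Notify hook, an Active Desktop component, an ActiveX download served from a bare IP address, and an executable living in an unusual folder under the Windows directory. The section codes are HijackThis's own; the flag rules and the allow-list of Windows subfolders are this example's assumptions and produce items to review, not verdicts. The sample lines are copied from the log in the post above.

```python
"""Added example: parse HijackThis-style log lines and attach simple triage flags.

Not code from the forum, HijackThis or Deckard's System Scanner. The section
prefixes (R1, O2, O4, O16, O20, O23, O24) are real HijackThis section codes;
the triage rules below are this example's own assumptions about what an
analyst looks at first, and they mark entries for review, not as malware.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Sample lines copied from the log posted above (same format HijackThis emits).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqnoom.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/s...ivex118_24.cab
O20 - Winlogon Notify: ssqnoom - C:\WINDOWS\SYSTEM32\ssqnoom.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmF5ZQ\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qrrnibyq.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in a module-like extension; double quotes are
# excluded so quoted "C:\Program Files\..." paths with spaces come out whole.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cab|html?)(?![A-Za-z0-9])', re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)

# Assumed allow-list of folders under the Windows directory where executables
# normally live; anything else gets a closer look (heuristic, not a verdict).
STANDARD_WINDIR_SUBDIRS = {"system32", "system", "syswow64", "wbem", "ime", "fonts",
                           "microsoft.net", "inf", "pchealth", "installer"}


@dataclass
class Entry:
    section: str
    body: str
    path: str = ""
    flags: List[str] = field(default_factory=list)


def in_nonstandard_windir_subdir(path: str) -> bool:
    """True when the file sits in an unlisted folder below the Windows directory.

    Files directly in the Windows directory (notepad.exe) and files under the
    allow-listed folders (system32 and friends) return False.
    """
    low = path.lower()
    for prefix in ("c:\\windows\\", "c:\\winnt\\"):
        if low.startswith(prefix):
            parts = low[len(prefix):].split("\\")
            return len(parts) > 1 and parts[0] not in STANDARD_WINDIR_SUBDIRS
    return False


def triage(entry: Entry) -> List[str]:
    """Return the review flags for one parsed entry (empty list = nothing stood out)."""
    flags: List[str] = []
    sec, body = entry.section, entry.body
    if sec == "O2" and body.startswith("BHO: (no name)"):
        flags.append("unnamed BHO")
    elif sec == "O16":
        url = URL_RE.search(body)
        if url and BARE_IP_URL_RE.match(url.group(0)):
            flags.append("ActiveX download from a bare IP address")
    elif sec == "O20":
        flags.append("Winlogon Notify hook (loads into winlogon.exe; always review)")
    elif sec == "O23":
        # Layout is "Service: <display name> - <vendor> - <path>"; the vendor
        # field may read "Unknown owner" or be empty, as in the log above.
        head, _, _ = body[len("Service: "):].rpartition(" - ")
        _, _, vendor = head.partition(" - ")
        if vendor.strip() in ("", "Unknown owner"):
            flags.append("service without a named vendor")
    elif sec == "O24":
        flags.append("Active Desktop component")
    if entry.path and in_nonstandard_windir_subdir(entry.path):
        flags.append("executable in a non-standard Windows subdirectory")
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse every 'Xn - ...' line into an Entry, extract its file path and triage it."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list, blank lines
        entry = Entry(section=m.group("section"), body=m.group("body"))
        path = PATH_RE.search(entry.body)
        entry.path = path.group(0) if path else ""
        entry.flags = triage(entry)
        entries.append(entry)
    return entries


def flagged_entries(text: str) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<60} {e.path or e.body}")
```

Run against the sample, five of the nine lines come back flagged: the unnamed BHO, the bare-IP ActiveX download, the Winlogon Notify entry, and both services without a vendor (the `cmdService` one also trips the Windows-subfolder rule because of `C:\WINDOWS\RmF5ZQ\`). Legitimate entries such as the Google toolbar BHO, the QuickTime Run key and the NVIDIA service produce no flags. A flag is a prompt to look the file up and check its signature, publisher and creation date against the DSS file listing, which is what the analyst does next in this thread.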
09-11-2007, 09:31 AM   #2
TSF Enthusiast eXPeri3nc3
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta
Blog Entries: 5
Re: Popups getting very annoying, HJT log inside

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

HJT v2 is out of Beta now. Please uninstall it from Add/Remove programs, delete the executable, and get the latest version here.

Please read this sticky topic, and then do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
---------------------------------------------------------------------------------------------

Thank you.
09-12-2007, 07:25 AM   #3
Registered User
Join Date: Jul 2007
Posts: 10
OS: Windows XP

Re: Popups getting very annoying, HJT log inside

Thanks for the reply.

A few things to note that I noticed when I booted up my PC today.

First I get an error message, saying 'Digital Line Detected (PBX): Please verify your phone line from computer is connected to analog modem or fax line'.

Also sometimes in Task Manager I have two of the same program running, when in reality I only have one. I'm worried someone else connected to my PC and is keylogging me or whatever.

Anywho, here is the information you requested. Please note the file path for the extra.txt was a little different than what you had said, it was at C:\Deckard\System Scanner\20070912091115\extra.txt, if that makes any difference. Thank you again. :)




Deckard's System Scanner v20070905.67
Run by Faye on 2007-09-12 09:11:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Faye.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:24 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\RmF5ZQ\command.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qrrnibyq.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Faye\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Faye.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet...layer?stream=&
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4555397F-94AD-4DE9-BCA2-2E89B5C30752} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\utsffgfq.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqnoom.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\qvvtxfdb.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk = C:\2020V64\Mswin\60\SCBar.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/ra...gameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/s...ivex118_24.cab
O20 - Winlogon Notify: ssqnoom - C:\WINDOWS\SYSTEM32\ssqnoom.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmF5ZQ\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qrrnibyq.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 7910 bytes

-- Files created between 2007-08-12 and 2007-09-12 -----------------------------

2007-09-12 09:10:32 0 d-------- C:\Program Files\Trend Micro
2007-09-12 08:15:42 69184 --a------ C:\WINDOWS\system32\utsffgfq.dll
2007-09-12 08:01:02 125504 --a------ C:\WINDOWS\system32\qvvtxfdb.dll
2007-09-12 08:00:46 75328 --a------ C:\WINDOWS\system32\qrrnibyq.exe <Not Verified; ; DDC>
2007-09-12 07:58:05 4672 --a------ C:\WINDOWS\system32\wctjgxgc.exe
2007-09-11 07:52:57 125504 --a------ C:\WINDOWS\system32\hgugoouh.dll
2007-09-11 07:50:01 75328 --a------ C:\WINDOWS\system32\ctkyshqj.exe <Not Verified; ; DDC>
2007-09-10 08:11:00 0 d-------- C:\Program Files\Insider
2007-09-10 08:05:55 0 d-------- C:\Documents and Settings\Faye\Application Data\WinTouch
2007-09-10 07:56:17 0 d-------- C:\WINDOWS\okkq
2007-09-10 07:56:17 0 d-------- C:\Program Files\Common Files\okkq
2007-09-10 07:48:29 75328 --a------ C:\WINDOWS\system32\etrnfowj.exe <Not Verified; ; DDC>
2007-09-10 07:47:18 2025421 ---hs---- C:\WINDOWS\system32\xyadd.bak2
2007-09-07 13:39:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-09-07 13:39:34 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-09-07 12:42:01 0 d-------- C:\Documents and Settings\Faye\Application Data\WinAntiSpyware 2007
2007-09-07 12:40:58 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-09-07 12:40:46 79872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys <Not Verified; Windows (R) Codename Longhorn DDK provider; Windows (R) Codename Longhorn DDK driver>
2007-09-07 12:40:19 0 d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-09-07 12:40:14 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
2007-09-07 12:40:03 6448 ---hs---- C:\WINDOWS\system32\xyadd.bak1
2007-09-07 12:38:43 244832 --a------ C:\WINDOWS\system32\ddayx.dll
2007-09-07 12:34:39 246 --a------ C:\Program Files\Common Files\qukaf
2007-09-07 12:34:23 135168 --a------ C:\WINDOWS\tk58.exe
2007-09-07 12:34:18 0 d--hs---- C:\WINDOWS\RmF5ZQ
2007-09-07 12:33:56 192584 --a------ C:\WINDOWS\system32\nwinsldt.exe
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\drvr2
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\D2
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\cfig322
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\capcam
2007-09-07 12:33:37 0 d-------- C:\WINDOWS\system32\f02WtR
2007-09-07 12:33:35 31254 -----n--- C:\WINDOWS\system32\ssqnoom.dll
2007-08-30 14:14:36 86016 --a------ C:\WINDOWS\b147.exe
2007-08-22 13:05:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-08-16 11:33:31 0 d-------- C:\Documents and Settings\Faye\Application Data\ntr


-- Find3M Report ---------------------------------------------------------------

2007-09-11 10:10:06 0 d-------- C:\Documents and Settings\Faye\Application Data\Adobe
2007-09-11 08:12:03 0 d-------- C:\Program Files\Common Files
2007-09-07 12:34:12 0 d-------- C:\Program Files\microsoft frontpage
2007-08-27 11:56:57 0 d-------- C:\Documents and Settings\Faye\Application Data\AdobeUM
2007-07-28 0522 135 --a------ C:\Program Files\Common Files\rteses.html
2007-07-19 07:10:58 69632 --a------ C:\WINDOWS\b143.exe
2007-07-12 11:09:41 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-12 07:45:48 0 d-------- C:\Program Files\AOD
2007-07-11 08:17:28 3766 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-11 03:29:38 22016 --a------ C:\WINDOWS\b138.exe
2007-07-11 03:29:38 28160 --a------ C:\WINDOWS\b103.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4555397F-94AD-4DE9-BCA2-2E89B5C30752}]
09/07/2007 12:38 PM 244832 --a------ C:\WINDOWS\system32\ddayx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
09/12/2007 08:15 AM 69184 --a------ C:\WINDOWS\system32\utsffgfq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
09/07/2007 12:33 PM 31254 --------- C:\WINDOWS\system32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [01/23/2004 05:33 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 03:01 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 09:47 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 09:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/28/2006 08:04 AM]
"SystemOptimizer"="C:\WINDOWS\system32\qvvtxfdb.dll" [09/12/2007 08:01 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/29/2007 08:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Faye\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 11:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
20-20 Shortcut Bar.lnk - C:\2020V64\Mswin\60\SCBar.Exe [6/20/2006 3:17:25 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/17/2006 9:28:53 AM]
DESKTOP.INI [9/3/2002 11:00:00 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/19/2004 8:31:36 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM]
Wireless-B USB Network Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe [6/24/2004 12:15:32 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rteses.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINDOWS\system32\ssqnoom.dll [09/07/2007 12:33 PM 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnoom]
ssqnoom.dll 09/07/2007 12:33 PM 31254 C:\WINDOWS\SYSTEM32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayx

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

-- End of Deckard's System Scanner: finished at 2007-09-12 09:15:56 ------------
Attached file: extra.txt (17.8 KB)
Old 09-12-2007, 10:18 PM   #4 (permalink)
eXPeri3nc3
TSF Enthusiast
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta

Re: Popups getting very annoying, HJT log inside

Hi JeremyPGH,

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Please print out or copy this page to Notepad to assist you when carrying out the following instructions, as this web page will not be available while you're carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result.


----------------------------------------

Download ComboFix from here

**Save it to your desktop** We'll use this shortly

----------------------------------------

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

----------------------------------------

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


----------------------------------------

Post the following logs in your next reply...

C:\Combofix.txt
Fresh HijackThis log
__________________
If You Feel That We've Helped You, Please Donate To The Forum

`世上无难事,只怕有心人` e X P e r i 3 n c 3 -- AleX `玉不琢不成器`
"It's not because things are difficult that we dare not, it's because we dare not that things are difficult" <- Makes a huge diff
Old 09-13-2007, 07:46 AM   #5 (permalink)
JeremyPGH
Registered User
Join Date: Jul 2007
Posts: 10
OS: Windows XP

Re: Popups getting very annoying, HJT log inside

eXPeri3nc3, here are the logs you asked for, starting with the ComboFix log first, then the HJT log:


"Faye" - 2007-09-13 8:35:43 - ComboFix 07-07-20.2 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\kdmoglbg.exe
C:\WINDOWS\system32\wctjgxgc.exe
C:\WINDOWS\SYSTEM32\xyadd.bak1
C:\WINDOWS\SYSTEM32\xyadd.bak2
C:\WINDOWS\SYSTEM32\xyadd.ini
C:\WINDOWS\system32\ddayx.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\Faye\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Faye\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\Faye\APPLIC~1\WinTouch
C:\DOCUME~1\Faye\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\Faye\APPLIC~1\WinTouch\WinTouch.exe
C:\DOCUME~1\Faye\APPLIC~1\WinTouch\WTUninstaller.exe
C:\Program Files\Common Files\rteses.html
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\WINDOWS\RmF5ZQ\asappsrv.dll
C:\WINDOWS\RmF5ZQ\command.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\tk58.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))


2007-09-12 09:39 125,504 --a------ C:\WINDOWS\SYSTEM32\kxphngrg.dll
2007-09-12 09:36 75,328 --a------ C:\WINDOWS\SYSTEM32\bsqvabtf.exe
2007-09-12 09:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 08:43 <DIR> d-------- C:\Deckard
2007-09-12 08:15 69,184 --a------ C:\WINDOWS\SYSTEM32\utsffgfq.dll
2007-09-12 08:00 75,328 --a------ C:\WINDOWS\SYSTEM32\qrrnibyq.exe
2007-09-11 07:52 125,504 --a------ C:\WINDOWS\SYSTEM32\hgugoouh.dll
2007-09-11 07:50 75,328 --a------ C:\WINDOWS\SYSTEM32\ctkyshqj.exe
2007-09-10 08:11 <DIR> d-------- C:\Program Files\Insider
2007-09-10 07:56 <DIR> d-------- C:\WINDOWS\okkq
2007-09-10 07:56 <DIR> d-------- C:\Program Files\Common Files\okkq
2007-09-10 07:48 75,328 --a------ C:\WINDOWS\SYSTEM32\etrnfowj.exe
2007-09-07 13:39 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-09-07 12:34 <DIR> d--hs---- C:\WINDOWS\RmF5ZQ
2007-09-07 12:33 31,254 --a------ C:\WINDOWS\SYSTEM32\ssqnoom.dll
2007-09-07 12:33 192,584 --a------ C:\WINDOWS\SYSTEM32\nwinsldt.exe
2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\f02WtR
2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\drvr2
2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\D2
2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\cfig322
2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\capcam
2007-09-07 12:33 <DIR> d-------- C:\Temp\fse
2007-09-07 12:33 <DIR> d-------- C:\Temp\1cb
2007-08-30 14:14 86,016 --a------ C:\WINDOWS\b147.exe
2007-08-22 13:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-08-16 11:33 <DIR> d-------- C:\DOCUME~1\Faye\APPLIC~1\ntr


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-13 13:34:04 6,448 --sh--w C:\WINDOWS\system32\wybeg.bak1
2007-09-13 13:33:46 244,832 ----a-w C:\WINDOWS\system32\gebyw.dll
2007-09-11 11:54:33 246 ----a-w C:\Program Files\Common Files\qukaf
2007-09-07 16:34:12 -------- d-----w C:\Program Files\microsoft frontpage
2007-08-27 15:56:57 -------- d-----w C:\DOCUME~1\Faye\APPLIC~1\AdobeUM
2007-07-30 23:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-19 11:10:58 69,632 ----a-w C:\WINDOWS\b143.exe
2007-07-12 15:09:41 552 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-07-11 12:17:28 3,766 ----a-w C:\WINDOWS\system32\tmp.reg
2007-07-11 07:29:38 28,160 ----a-w C:\WINDOWS\b103.exe
2007-07-11 07:29:38 22,016 ----a-w C:\WINDOWS\b138.exe
2007-07-09 14:28:12 5,037,072 ----a-w C:\spybotsd14.exe
2007-06-26 06:08:16 1,104,896 ----a-w C:\WINDOWS\system32\msxml3.dll
2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\explorer.exe
2006-09-07 13:56:34 6,144 --sha-w C:\Program Files\Thumbs.db
2005-12-27 13:44:54 2,770,856 ----a-w C:\Program Files\setupex.exe
2005-12-27 13:42:38 131,683 ----a-w C:\Program Files\wwe_sd_vs_raw_06_d.max
2005-12-16 16:37:17 39,936 ----a-w C:\Program Files\Dec[1]._05.xls
2005-12-14 19:28:57 8,965,894 ----a-w C:\Program Files\Roddy TD_0001.wmv
2005-12-06 13:18:32 22,796,394 ----a-w C:\Program Files\x-men_3-pre_teaser_h-1[1].640.wmv
2005-12-02 18:58:44 419,829 ----a-w C:\Program Files\ciri_miri_cica.pdf
2005-11-28 15:42:54 429,166 ----a-w C:\Program Files\Cetir'_Konja_Debela.pdf
2005-11-18 18:08:29 1,323,791 ----a-w C:\Program Files\awesomo.zip
2005-01-13 15:34:56 2,855,552 ----a-w C:\Program Files\PPView97.exe
2004-12-22 15:21:52 1,799,680 ----a-w C:\Program Files\Builder Distributor 1-3-2005.xls
2004-09-08 15:51:49 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-09-08 15:21:57 4,342,088 ----a-w C:\Program Files\Acro-Reader_6.0.2_Update.exe
2004-05-13 21:38:44 19,584 ----a-w C:\Program Files\location.ini
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\RmF5ZQ\lAIctk.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77B73C2D-6D4C-4612-97A8-C3A17C8DB966}]
2007-09-13 09:33 244832 --a------ C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
2007-09-12 08:15 69184 --a------ C:\WINDOWS\system32\utsffgfq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
2007-09-07 12:33 31254 --a------ C:\WINDOWS\system32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-01-23 17:33 C:\WINDOWS\SYSTEM32\nwiz.exe]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-28 08:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 08:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Faye\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
20-20 Shortcut Bar.lnk - C:\2020V64\Mswin\60\SCBar.Exe [2006-06-20 15:17:25]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-17 09:28:53]
DESKTOP.INI [2002-09-03 11:00:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-03-19 08:31:36]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54]
Wireless-B USB Network Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe [2004-06-24 12:15:32]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rteses.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"="C:\WINDOWS\system32\ssqnoom.dll" [2007-09-07 12:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnoom]
ssqnoom.dll 2007-09-07 12:33 31254 C:\WINDOWS\SYSTEM32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\\WINDOWS\\system32\\ddayx

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe


Contents of the 'Scheduled Tasks' folder
2007-06-30 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-09-13 13:35:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 09:29:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-13 9:40:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-13 09:40
C:\ComboFix2.txt ... 2007-07-20 08:49
C:\ComboFix3.txt ... 2007-07-19 17:51

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:59 AM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\2020V64\Mswin\60\SCBar.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet...layer?stream=&
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk = C:\2020V64\Mswin\60\SCBar.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/ra...gameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/s...ivex118_24.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 6416 bytes
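The "Reg Loading Points" section of the ComboFix log above is where an analyst looks first: the same DLL (ssqnoom.dll) is registered as a Browser Helper Object, as a ShellExecuteHook and as a Winlogon notify package, a second unsigned module (ddayx) has been appended to the LSA "Authentication Packages" list so lsass.exe loads it at boot, and the BHO names are random letter strings. The script below is an added example, written for this thread; it is not ComboFix code and not something either poster ran. It parses that section in the layout shown above (a bracketed key line, its value lines, then a blank line) and rates each entry. The sensitive-key list, the msv1_0 allowlist and the random-name heuristic are my own assumptions, and the sample input is constructed from lines of the log.

```python
"""Triage a ComboFix 'Reg Loading Points' section for suspicious persistence.

Added example for this thread (not ComboFix code). Assumptions: the log layout
used below, the SENSITIVE_KEYS list, the msv1_0 allowlist and looks_random().
"""
import re
from collections import defaultdict

# Auto-start locations that load a module into a trusted process at logon. A
# module registered here runs before any Run key and survives a reboot.
SENSITIVE_KEYS = {
    "winlogon\\notify": "Winlogon notify package (loaded into winlogon.exe)",
    "control\\lsa": "LSA authentication package (loaded into lsass.exe)",
    "shellexecutehooks": "ShellExecuteHook (loaded into explorer.exe)",
    "browser helper objects": "Browser Helper Object (loaded into iexplore.exe)",
    "desktop\\components": "Active Desktop component (HTML rendered on the desktop)",
}

# The only authentication package a stock Windows XP lsass.exe loads (assumption).
KNOWN_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77B73C2D-6D4C-4612-97A8-C3A17C8DB966}]
2007-09-13 09:33 244832 --a------ C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
2007-09-07 12:33 31254 --a------ C:\WINDOWS\system32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-01-23 17:33 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rteses.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"="C:\WINDOWS\system32\ssqnoom.dll" [2007-09-07 12:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnoom]
ssqnoom.dll 2007-09-07 12:33 31254 C:\WINDOWS\SYSTEM32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\\WINDOWS\\system32\\ddayx
"""


def parse_loading_points(text):
    """Yield (registry key, value line) pairs; '[...]' opens a key, a blank line closes it."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            yield key, line


def extract_path(value):
    """Return the drive-letter path in a value line, without quotes or trailing ' [date size]'."""
    m = re.search(r"[A-Za-z]:\\", value)
    if not m:
        return None
    path = value[m.start():]
    path = re.sub(r'"?\s*\[[^\]]*\]\s*$', "", path)  # drop trailing " [2007-09-07 12:33]"
    return path.strip().strip('"').rstrip("]").replace("\\\\", "\\")


def looks_random(stem):
    """Heuristic (assumption): 5-8 lowercase letters with almost no vowels or a long consonant run."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio <= 0.25 or longest_run >= 4


def triage(text):
    """Return (severity, module, role, reason) findings for entries under sensitive keys."""
    findings = []
    locations = defaultdict(set)  # module name -> roles it is registered under
    for key, value in parse_loading_points(text):
        k = key.lower()
        role = next((desc for pat, desc in SENSITIVE_KEYS.items() if pat in k), None)
        if role is None:
            continue  # ordinary Run key: left to the analyst's eye
        if "control\\lsa" in k:
            # value is 'Authentication Packages <pkg> <pkg> ...'; anything but msv1_0 is foreign
            for pkg in value.split()[2:]:
                name = pkg.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                if name not in KNOWN_AUTH_PACKAGES:
                    findings.append(("high", name, role, "non-default authentication package"))
            continue
        path = extract_path(value)
        if path is None:
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        locations[name].add(role)
        random_name = looks_random(name.split(".")[0])
        findings.append(("high" if random_name else "review", name, role,
                         "random-looking module name" if random_name else "loads from a sensitive key"))
    # One module wired into several loading points at once re-creates whatever is removed.
    for name, roles in locations.items():
        if len(roles) > 1:
            findings.append(("high", name, "multiple", f"registered in {len(roles)} loading points"))
    return findings


def high_risk_modules(text):
    """Names of modules that at least one rule rated 'high'."""
    return {name for sev, name, _, _ in triage(text) if sev == "high"}


if __name__ == "__main__":
    for sev, name, role, why in triage(SAMPLE):
        print(f"{sev:6} {name:22} {why:40} {role}")
```

On the sample, ssqnoom.dll, gebyw.dll and ddayx come out "high"; the AVG shellexecutehook.dll and the rteses.html desktop component come out "review", which is the point of the two-tier output: a name heuristic alone is not a verdict, and the analyst still checks the vendor path and signature before deciding. The LSA finding deserves the most attention of the three, because a package in that list is loaded by lsass.exe at boot rather than by the user's shell.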
Old 09-13-2007, 08:44 AM   #6 (permalink)
eXPeri3nc3
TSF Enthusiast
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta

Re: Popups getting very annoying, HJT log inside

Hi JeremyPGH,

You're using an outdated copy of ComboFix. Please delete any existing ComboFix on your machine and download this one.

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


----------------------------------------

Post the following logs in your next reply...

C:\Combofix.txt
A Fresh HijackThis log
All times are GMT -7.
Copyright 2001 - 2008, Tech Support Forum