HijackThis Log Help - Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.
#1
Registered User
Join Date: Jul 2007
Posts: 10
OS: Windows XP
Popups getting very annoying, HJT log inside
Hello,
I am having a terrible time with some pop-ups. It started with an auto download of something called Win-AntiVirus. I stopped it halfway through the download but I still got all the crap. I had a lot of 'brought to you by WebBuying' pop-up ads, and I deleted/uninstalled WebBuying, so they have stopped. However, other ads are still coming. And sometimes I get .dll errors that make Internet Explorer crash. Also the 'SYSTEM' process in my task manager goes to about 70 whenever a web page loads. Not the System Idle Process, the actual System process. I deleted a few files from the HJT log that I knew were bad, but as soon as I rescanned they were back. It's a pesky little fella, any help would be appreciated. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:08:54 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\RmF5ZQ\command.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\2020V64\Mswin\60\SCBar.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Faye\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet...layer?stream=&
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9CDBC9B8-BD7B-4CD3-B9AA-490033DFF7F8} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqnoom.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [RemoveInstallPath] cmd.exe C:\WINDOWS\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\Words" > nul
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2213] command /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC709] cmd /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2816] command /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8461] cmd /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3448] command /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8798] cmd /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6082] command /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3897] cmd /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA268] command /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6716] cmd /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7706] command /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4768] cmd /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6814] command /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7675] cmd /c del "C:\WINDOWS\SYSTEM32\uadtlxns.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3367] command /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5394] cmd /c del "C:\WINDOWS\SYSTEM32\omnyaknv.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5193] command /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9936] cmd /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6901] command /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7519] cmd /c del "C:\WINDOWS\SYSTEM32\ssqnoom.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5284] command /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4370] cmd /c del "C:\WINDOWS\SYSTEM32\krdsrngr.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9116] command /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7541] cmd /c del "C:\WINDOWS\SYSTEM32\dwdsrngt.exe_tobedeleted"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk = C:\2020V64\Mswin\60\SCBar.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/ra...gameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/s...ivex118_24.cab
O20 - Winlogon Notify: ssqnoom - C:\WINDOWS\SYSTEM32\ssqnoom.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmF5ZQ\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 10739 bytes
#2
TSF Enthusiast
Re: Popups getting very annoying, HJT log inside
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

HJT v2 is out of Beta now. Please uninstall it from Add/Remove programs, delete the executable, and get the latest version here.

Please read this sticky topic, and then do this:

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
Thank you.
__________________
"Nothing in the world is difficult for one who sets his mind to it." eXPeri3nc3 -- AleX. "Jade that is not carved does not become a vessel." "It's not because things are difficult that we dare not, it's because we dare not that things are difficult." <- Makes a huge diff
#3
Registered User
Join Date: Jul 2007
Posts: 10
OS: Windows XP
Re: Popups getting very annoying, HJT log inside
Thanks for the reply.
A few things to note that I noticed when I booted up my PC today. First I get an error message, saying 'Digital Line Detected (PBX): Please verify your phone line from computer is connected to analog modem or fax line'. Also sometimes in Task Manager I have two of the same program running, when in reality I only have one. I'm worried someone else connected to my PC and is keylogging me or whatever. Anywho, here is the information you requested. Please note the file path for the extra.txt was a little different than what you had said, it was at C:\Deckard\System Scanner\20070912091115\extra.txt, if that makes any difference. Thank you again. :)

Deckard's System Scanner v20070905.67
Run by Faye on 2007-09-12 09:11:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Faye.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:24 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\RmF5ZQ\command.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qrrnibyq.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Faye\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Faye.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet...layer?stream=&
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4555397F-94AD-4DE9-BCA2-2E89B5C30752} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\utsffgfq.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqnoom.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\qvvtxfdb.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk = C:\2020V64\Mswin\60\SCBar.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/ra...gameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/s...ivex118_24.cab
O20 - Winlogon Notify: ssqnoom - C:\WINDOWS\SYSTEM32\ssqnoom.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmF5ZQ\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qrrnibyq.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 7910 bytes

-- Files created between 2007-08-12 and 2007-09-12 -----------------------------

2007-09-12 09:10:32 0 d-------- C:\Program Files\Trend Micro
2007-09-12 08:15:42 69184 --a------ C:\WINDOWS\system32\utsffgfq.dll
2007-09-12 08:01:02 125504 --a------ C:\WINDOWS\system32\qvvtxfdb.dll
2007-09-12 08:00:46 75328 --a------ C:\WINDOWS\system32\qrrnibyq.exe <Not Verified; ; DDC>
2007-09-12 07:58:05 4672 --a------ C:\WINDOWS\system32\wctjgxgc.exe
2007-09-11 07:52:57 125504 --a------ C:\WINDOWS\system32\hgugoouh.dll
2007-09-11 07:50:01 75328 --a------ C:\WINDOWS\system32\ctkyshqj.exe <Not Verified; ; DDC>
2007-09-10 08:11:00 0 d-------- C:\Program Files\Insider
2007-09-10 08:05:55 0 d-------- C:\Documents and Settings\Faye\Application Data\WinTouch
2007-09-10 07:56:17 0 d-------- C:\WINDOWS\okkq
2007-09-10 07:56:17 0 d-------- C:\Program Files\Common Files\okkq
2007-09-10 07:48:29 75328 --a------ C:\WINDOWS\system32\etrnfowj.exe <Not Verified; ; DDC>
2007-09-10 07:47:18 2025421 ---hs---- C:\WINDOWS\system32\xyadd.bak2
2007-09-07 13:39:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-09-07 13:39:34 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-09-07 12:42:01 0 d-------- C:\Documents and Settings\Faye\Application Data\WinAntiSpyware 2007
2007-09-07 12:40:58 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-09-07 12:40:46 79872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys <Not Verified; Windows (R) Codename Longhorn DDK provider; Windows (R) Codename Longhorn DDK driver>
2007-09-07 12:40:19 0 d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-09-07 12:40:14 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
2007-09-07 12:40:03 6448 ---hs---- C:\WINDOWS\system32\xyadd.bak1
2007-09-07 12:38:43 244832 --a------ C:\WINDOWS\system32\ddayx.dll
2007-09-07 12:34:39 246 --a------ C:\Program Files\Common Files\qukaf
2007-09-07 12:34:23 135168 --a------ C:\WINDOWS\tk58.exe
2007-09-07 12:34:18 0 d--hs---- C:\WINDOWS\RmF5ZQ
2007-09-07 12:33:56 192584 --a------ C:\WINDOWS\system32\nwinsldt.exe
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\drvr2
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\D2
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\cfig322
2007-09-07 12:33:52 0 d-------- C:\WINDOWS\system32\capcam
2007-09-07 12:33:37 0 d-------- C:\WINDOWS\system32\f02WtR
2007-09-07 12:33:35 31254 -----n--- C:\WINDOWS\system32\ssqnoom.dll
2007-08-30 14:14:36 86016 --a------ C:\WINDOWS\b147.exe
2007-08-22 13:05:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-08-16 11:33:31 0 d-------- C:\Documents and Settings\Faye\Application Data\ntr

-- Find3M Report ---------------------------------------------------------------

2007-09-11 10:10:06 0 d-------- C:\Documents and Settings\Faye\Application Data\Adobe
2007-09-11 08:12:03 0 d-------- C:\Program Files\Common Files
2007-09-07 12:34:12 0 d-------- C:\Program Files\microsoft frontpage
2007-08-27 11:56:57 0 d-------- C:\Documents and Settings\Faye\Application Data\AdobeUM
2007-07-28 05 22 135 --a------ C:\Program Files\Common Files\rteses.html
2007-07-19 07:10:58 69632 --a------ C:\WINDOWS\b143.exe
2007-07-12 11:09:41 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-12 07:45:48 0 d-------- C:\Program Files\AOD
2007-07-11 08:17:28 3766 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-11 03:29:38 22016 --a------ C:\WINDOWS\b138.exe
2007-07-11 03:29:38 28160 --a------ C:\WINDOWS\b103.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4555397F-94AD-4DE9-BCA2-2E89B5C30752}]
09/07/2007 12:38 PM 244832 --a------ C:\WINDOWS\system32\ddayx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
09/12/2007 08:15 AM 69184 --a------ C:\WINDOWS\system32\utsffgfq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
09/07/2007 12:33 PM 31254 --------- C:\WINDOWS\system32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [01/23/2004 05:33 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 03:01 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 09:47 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 09:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/28/2006 08:04 AM]
"SystemOptimizer"="C:\WINDOWS\system32\qvvtxfdb.dll" [09/12/2007 08:01 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/29/2007 08:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Faye\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 11:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
20-20 Shortcut Bar.lnk - C:\2020V64\Mswin\60\SCBar.Exe [6/20/2006 3:17:25 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/17/2006 9:28:53 AM]
DESKTOP.INI [9/3/2002 11:00:00 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/19/2004 8:31:36 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM]
Wireless-B USB Network Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe [6/24/2004 12:15:32 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rteses.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINDOWS\system32\ssqnoom.dll [09/07/2007 12:33 PM 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnoom]
ssqnoom.dll 09/07/2007 12:33 PM 31254 C:\WINDOWS\SYSTEM32\ssqnoom.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayx

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

-- End of Deckard's System Scanner: finished at 2007-09-12 09:15:56 ------------
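As an added example (not the forum's or the analyst's tooling, and not something the poster ran), the Python below encodes the checks an analyst applies to a log like the one in this post: unnamed BHOs loaded from system32, Run entries that load a system32 DLL through rundll32, Winlogon Notify DLLs (loaded into winlogon.exe as SYSTEM), services with no or unknown owner, an Active Desktop component backed by a local HTML file, and any LSA "Authentication Packages" entry beyond msv1_0 (loaded into lsass.exe). A module that recurs at more than one persistence point, as ssqnoom.dll does in O2/O20 and ddayx does in O2/LSA, is escalated. The sample lines are copied from the HijackThis and DSS output above plus a few benign entries for comparison; the rule thresholds and the severity labels are assumptions of this example.

```python
"""Triage persistence entries in a HijackThis / DSS log (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries from the HijackThis/DSS output posted above plus
# benign Adobe, Spybot, QuickTime and NVIDIA lines that the rules must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4555397F-94AD-4DE9-BCA2-2E89B5C30752} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqnoom.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\qvvtxfdb.dll",forkonce
O20 - Winlogon Notify: ssqnoom - C:\WINDOWS\SYSTEM32\ssqnoom.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmF5ZQ\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qrrnibyq.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayx
"""

SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"\\progra(?:m files|~1)\\", re.IGNORECASE)
# First drive-letter path ending in a module or page extension (may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe|html?)', re.IGNORECASE)
# A stock Windows XP install lists only msv1_0; anything else is loaded into lsass.exe.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass
class Finding:
    section: str
    severity: str      # "high" or "review" (labels assumed for this example)
    reason: str
    line: str
    module: str = ""   # file stem of the loaded module, used for cross-referencing


def module_stem(text: str) -> str:
    """Lower-cased basename without extension of the first path in text ('' if none)."""
    m = PATH_RE.search(text.replace("\\\\", "\\"))
    if not m:
        return ""
    return m.group(0).rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Apply one rule set to a single HijackThis 'O' line or the DSS LSA line."""
    line = line.strip()
    if line.startswith('"Authentication Packages"'):
        packages = line.split("=", 1)[1].split()
        extra = [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]
        if extra:
            stem = extra[0].replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
            return Finding("LSA", "high", "non-default LSA authentication package: " + " ".join(extra), line, stem)
        return None
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    stem = module_stem(body)
    if section == "O2" and body.startswith("BHO: (no name)") and SYSTEM32.search(body):
        return Finding(section, "review", "unnamed BHO loaded from system32", line, stem)
    if section == "O4" and "rundll32" in body.lower() and SYSTEM32.search(body):
        return Finding(section, "review", "Run key loads a system32 DLL through rundll32", line, stem)
    if section == "O20":
        return Finding(section, "review", "Winlogon Notify DLL runs inside winlogon.exe as SYSTEM", line, stem)
    if section == "O23":
        # Layout is "Service: <name> - <owner> - <path>"; an empty owner shows up as " - - ".
        head, _, path = body.rpartition(" - ")
        owner = head.partition(" - ")[2].strip(" -")
        if owner in ("", "Unknown owner"):
            severity = "review" if PROGRAM_FILES.search(path) else "high"
            return Finding(section, severity, "service with no or unknown owner", line, stem)
    if section == "O24" and PATH_RE.search(body):
        return Finding(section, "review", "Active Desktop component backed by a local HTML file", line, stem)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the per-line rules, then escalate any module seen at more than one persistence point."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    hits = Counter(f.module for f in findings if f.module)
    for f in findings:
        if hits[f.module] > 1:
            f.severity = "high"
            f.reason += f"; module '{f.module}' recurs at {hits[f.module]} persistence points"
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

On the sample the script reports eight findings, six of them high: the two BHOs and the Winlogon Notify entry are escalated by the cross-reference, the two unowned services by their location outside Program Files, and the LSA package unconditionally; the rundll32 Run entry and the Active Desktop component stay at "review" for a human to confirm, which is the right default for heuristics that can also match legitimate software.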
#4
TSF Enthusiast
Re: Popups getting very annoying, HJT log inside
Hi JeremyPGH,
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as this webpage will not be available when you're carrying out the fix. Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine. Please only use this topic to reply to. Do not start another thread. If any other issues arise, let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware, and the longer an infection remains on a system, the more likely additional infections will result.

----------------------------------------

Download ComboFix from here. **Save it to your desktop.** We'll use this shortly.

----------------------------------------

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

----------------------------------------

Double click on ComboFix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

----------------------------------------

Post the following logs in your next reply:
C:\Combofix.txt
Fresh HijackThis log
__________________
If You Feel That We've Helped You, Please Donate To The Forum
`Nothing in the world is difficult for one who sets his mind to it`
e X P e r i 3 n c 3 -- AleX
`Uncut jade does not become a vessel`
"It's not because things are difficult that we dare not, it's because we dare not that things are difficult" <- Makes a huge diff
#5
Registered User
Join Date: Jul 2007
Posts: 10
OS: Windows XP
Re: Popups getting very annoying, HJT log inside
eXPeri3nc3, here are the logs you asked for, starting with Combo Fix log first, then the HJT log:
"Faye" - 2007-09-13 8:35:43 - ComboFix 07-07-20.2 - Service Pack 2 NTFS (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\kdmoglbg.exe C:\WINDOWS\system32\wctjgxgc.exe C:\WINDOWS\SYSTEM32\xyadd.bak1 C:\WINDOWS\SYSTEM32\xyadd.bak2 C:\WINDOWS\SYSTEM32\xyadd.ini C:\WINDOWS\system32\ddayx.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007 C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode C:\DOCUME~1\Faye\APPLIC~1.\winantispyware 2007 C:\DOCUME~1\Faye\APPLIC~1.\winantispyware 2007\Logs\update.log C:\DOCUME~1\Faye\APPLIC~1\WinTouch C:\DOCUME~1\Faye\APPLIC~1\WinTouch\wintouch.cfg C:\DOCUME~1\Faye\APPLIC~1\WinTouch\WinTouch.exe C:\DOCUME~1\Faye\APPLIC~1\WinTouch\WTUninstaller.exe C:\Program Files\Common Files\rteses.html C:\Program Files\Common Files\winantispyware 2007 C:\Program Files\Common Files\winantispyware 2007\err.log C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe C:\WINDOWS\RmF5ZQ\asappsrv.dll C:\WINDOWS\RmF5ZQ\command.exe C:\WINDOWS\system32\atmtd.dll.tmp C:\WINDOWS\system32\drivers\fopn.sys C:\WINDOWS\system32\zxdnt3d.cfg C:\WINDOWS\tk58.exe ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_CMDSERVICE -------\LEGACY_DOMAINSERVICE -------\LEGACY_FOPN -------\LEGACY_NETWORK_MONITOR -------\cmdService -------\DomainService ((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 ))))))))))))))))))))))))))))))) 2007-09-12 09:39 125,504 --a------ C:\WINDOWS\SYSTEM32\kxphngrg.dll 2007-09-12 09:36 75,328 
--a------ C:\WINDOWS\SYSTEM32\bsqvabtf.exe 2007-09-12 09:10 <DIR> d-------- C:\Program Files\Trend Micro 2007-09-12 08:43 <DIR> d-------- C:\Deckard 2007-09-12 08:15 69,184 --a------ C:\WINDOWS\SYSTEM32\utsffgfq.dll 2007-09-12 08:00 75,328 --a------ C:\WINDOWS\SYSTEM32\qrrnibyq.exe 2007-09-11 07:52 125,504 --a------ C:\WINDOWS\SYSTEM32\hgugoouh.dll 2007-09-11 07:50 75,328 --a------ C:\WINDOWS\SYSTEM32\ctkyshqj.exe 2007-09-10 08:11 <DIR> d-------- C:\Program Files\Insider 2007-09-10 07:56 <DIR> d-------- C:\WINDOWS\okkq 2007-09-10 07:56 <DIR> d-------- C:\Program Files\Common Files\okkq 2007-09-10 07:48 75,328 --a------ C:\WINDOWS\SYSTEM32\etrnfowj.exe 2007-09-07 13:39 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google 2007-09-07 12:34 <DIR> d--hs---- C:\WINDOWS\RmF5ZQ 2007-09-07 12:33 31,254 --a------ C:\WINDOWS\SYSTEM32\ssqnoom.dll 2007-09-07 12:33 192,584 --a------ C:\WINDOWS\SYSTEM32\nwinsldt.exe 2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\f02WtR 2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\drvr2 2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\D2 2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\cfig322 2007-09-07 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\capcam 2007-09-07 12:33 <DIR> d-------- C:\Temp\fse 2007-09-07 12:33 <DIR> d-------- C:\Temp\1cb 2007-08-30 14:14 86,016 --a------ C:\WINDOWS\b147.exe 2007-08-22 13:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan 2007-08-16 11:33 <DIR> d-------- C:\DOCUME~1\Faye\APPLIC~1\ntr (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-09-13 13:34:04 6,448 --sh--w C:\WINDOWS\system32\wybeg.bak1 2007-09-13 13:33:46 244,832 ----a-w C:\WINDOWS\system32\gebyw.dll 2007-09-11 11:54:33 246 ----a-w C:\Program Files\Common Files\qukaf 2007-09-07 16:34:12 -------- d-----w C:\Program Files\microsoft frontpage 2007-08-27 15:56:57 -------- d-----w C:\DOCUME~1\Faye\APPLIC~1\AdobeUM 2007-07-30 23:19:42 1,712,984 ----a-w 
C:\WINDOWS\system32\wuaueng.dll 2007-07-30 23:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-07-30 23:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-07-30 23:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-07-30 23:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-07-19 11:10:58 69,632 ----a-w C:\WINDOWS\b143.exe 2007-07-12 15:09:41 552 ----a-w C:\WINDOWS\system32\d3d8caps.dat 2007-07-11 12:17:28 3,766 ----a-w C:\WINDOWS\system32\tmp.reg 2007-07-11 07:29:38 28,160 ----a-w C:\WINDOWS\b103.exe 2007-07-11 07:29:38 22,016 ----a-w C:\WINDOWS\b138.exe 2007-07-09 14:28:12 5,037,072 ----a-w C:\spybotsd14.exe 2007-06-26 06:08:16 1,104,896 ----a-w C:\WINDOWS\system32\msxml3.dll 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe 2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\explorer.exe 2006-09-07 13:56:34 6,144 --sha-w C:\Program Files\Thumbs.db 2005-12-27 13:44:54 2,770,856 ----a-w C:\Program Files\setupex.exe 2005-12-27 13:42:38 131,683 ----a-w C:\Program Files\wwe_sd_vs_raw_06_d.max 2005-12-16 16:37:17 39,936 ----a-w C:\Program Files\Dec[1]._05.xls 2005-12-14 19:28:57 8,965,894 ----a-w C:\Program Files\Roddy TD_0001.wmv 2005-12-06 13:18:32 22,796,394 ----a-w C:\Program Files\x-men_3-pre_teaser_h-1[1].640.wmv 2005-12-02 18:58:44 419,829 ----a-w C:\Program Files\ciri_miri_cica.pdf 2005-11-28 15:42:54 429,166 ----a-w C:\Program Files\Cetir'_Konja_Debela.pdf 2005-11-18 18:08:29 1,323,791 ----a-w C:\Program Files\awesomo.zip 2005-01-13 15:34:56 2,855,552 ----a-w C:\Program Files\PPView97.exe 2004-12-22 15:21:52 1,799,680 ----a-w C:\Program Files\Builder Distributor 1-3-2005.xls 2004-09-08 15:51:49 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe 2004-09-08 15:21:57 
4,342,088 ----a-w C:\Program Files\Acro-Reader_6.0.2_Update.exe 2004-05-13 21:38:44 19,584 ----a-w C:\Program Files\location.ini 2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\RmF5ZQ\lAIctk.vbs ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77B73C2D-6D4C-4612-97A8-C3A17C8DB966}] 2007-09-13 09:33 244832 --a------ C:\WINDOWS\system32\gebyw.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}] 2007-09-12 08:15 69184 --a------ C:\WINDOWS\system32\utsffgfq.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}] 2007-09-07 12:33 31254 --a------ C:\WINDOWS\system32\ssqnoom.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nwiz"="nwiz.exe" [2004-01-23 17:33 C:\WINDOWS\SYSTEM32\nwiz.exe] "StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47] "DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-28 08:04] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 08:43] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Documents and Settings\Faye\Start Menu\Programs\Startup\ DESKTOP.INI [2002-09-03 11:00:00] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ 20-20 Shortcut Bar.lnk - C:\2020V64\Mswin\60\SCBar.Exe [2006-06-20 15:17:25] Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe 
[2006-01-17 09:28:53] DESKTOP.INI [2002-09-03 11:00:00] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-03-19 08:31:36] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54] Wireless-B USB Network Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe [2004-06-24 12:15:32] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= C:\Program Files\Common Files\rteses.html FriendlyName= [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29] "{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"="C:\WINDOWS\system32\ssqnoom.dll" [2007-09-07 12:33] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnoom] ssqnoom.dll 2007-09-07 12:33 31254 C:\WINDOWS\SYSTEM32\ssqnoom.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages msv1_0 C:\\WINDOWS\\system32\\ddayx [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe Contents of the 'Scheduled Tasks' folder 2007-06-30 00:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job 2007-09-13 13:35:00 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-13 09:29:25 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-09-13 9:40:37 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-13 09:40 C:\ComboFix2.txt ... 2007-07-20 08:49 C:\ComboFix3.txt ... 
2007-07-19 17:51 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:43:59 AM, on 9/13/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\2020V64\Mswin\60\SCBar.Exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet...layer?stream=& R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O3 - Toolbar: Web assistant - 
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user') O4 - Global Startup: 20-20 Shortcut Bar.lnk = C:\2020V64\Mswin\60\SCBar.Exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Digital Line Detect.lnk = ? 
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/ra...gameloader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/s...ivex118_24.cab O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html -- End of file - 6416 bytes |
#6
TSF Enthusiast
Re: Popups getting very annoying, HJT log inside
Hi JeremyPGH,
You're using an outdated copy of ComboFix. Please delete any existing ComboFix on your machine and download this one. **Save it to your desktop**

Double click on ComboFix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

----------------------------------------

Post the following logs in your next reply...
C:\Combofix.txt
A Fresh HijackThis log