Resolved HJT Threads Resolved spyware and popup issues.
Old 08-06-2007, 10:04 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


HJT help!

Hi everyone, it's been a while, hope everyone is doing well. Anyway, I am having a problem opening HJT. "HijackThis.exe has generated errors and will be closed by Windows. You need to restart the program.............. An error log is being created." is the error I am getting.

I have tried uninstalling HJT and reinstalling, but it doesn't seem to help.

Also I am having a lot of pop-ups and trojans. I can't seem to clean it with my virus scanner, Ad-Aware, Spybot Search and Destroy.

If anyone is available, I would like some help, please. Thank you.
HoAfCr is offline  

Old 08-06-2007, 10:13 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Please follow MicroBell's 5 Step process - http://www.techsupportforum.com/secu...sting-log.html.

You shall have a proper set of logs for us after that
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-06-2007, 10:26 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

I am having trouble with step #2. It was scanning until IE froze on me. Had to restart. Now I'm getting:

Error on downloading ActiveScan
An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again.
Possible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... Try again
HoAfCr is offline  
Old 08-06-2007, 10:29 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Skip everything & proceed to the final step, STEP #5
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-06-2007, 10:37 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

Deckard's System Scanner v20070804.61
Run by Kevin on 2007-08-06 at 21:29:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Kevin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:54 PM, on 8/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINNT\system32\taskmgr.exe
D:\Program Files\$$$$$$$$$$$$$$$$\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kevin.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {857A461D-8D96-4996-A4A0-AEA0A2535B86} - C:\WINNT\system32\efcccdd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B233F9B9-8058-49FC-9386-E12FB2E207BC} - C:\WINNT\system32\gebcd.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\system32\qkydqqjm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: efcccdd - C:\WINNT\SYSTEM32\efcccdd.dll
O20 - Winlogon Notify: gebcd - C:\WINNT\system32\gebcd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8837 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\winnt\system32\drivers\staropen.sys
R3 NaiAvFilter1 - c:\winnt\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S3 XDva004 - c:\winnt\system32\xdva004.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_10DE&DEV_00E8&SUBSYS_34011019&REV_A2\3&13C0B0C5&0&12
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_10DE&DEV_00E8&SUBSYS_34011019&REV_A2\3&13C0B0C5&0&12
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05741317&REV_11\4&3191A3E6&0&4870
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05741317&REV_11\4&3191A3E6&0&4870
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_33830EE4&REV_04\4&3191A3E6&0&5270
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_33830EE4&REV_04\4&3191A3E6&0&5270
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-08-01 16:18:01 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-06 and 2007-08-06 -----------------------------

2007-08-06 21:11:43 0 d-------- C:\WINNT\system32\ActiveScan
2007-08-06 16:03:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_454.dat
2007-08-06 15:25:31 0 d-------- C:\Program Files\Trend Micro
2007-08-06 03:48:47 125504 --a------ C:\WINNT\system32\opqfyrff.dll
2007-08-06 03:45:47 4672 --a------ C:\WINNT\system32\xjhuautm.exe
2007-08-06 03:42:47 4672 --a------ C:\WINNT\system32\ckcrhbuc.exe
2007-08-06 02:48:48 4672 --a------ C:\WINNT\system32\bvenrovp.exe
2007-08-06 02:40:18 4672 --a------ C:\WINNT\system32\sluclkqk.exe
2007-08-05 16:08:54 0 d-------- C:\Documents and Settings\Kevin\Application Data\SopCast
2007-08-05 16:08:53 0 d-------- C:\Program Files\SopCast
2007-08-05 12:38:06 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_434.dat
2007-08-05 12:33:02 0 d-------- C:\Documents and Settings\Kevin\.housecall6.6
2007-08-05 11:56:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-05 02:46:08 4672 --a------ C:\WINNT\system32\ksvcgjwn.exe
2007-08-05 02:43:11 125504 --a------ C:\WINNT\system32\qrucqflq.dll
2007-08-05 02:37:08 4672 --a------ C:\WINNT\system32\sjngxyve.exe
2007-08-04 13:02:49 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_400.dat
2007-08-04 02:38:05 125504 --a------ C:\WINNT\system32\sbpetcme.dll
2007-08-04 02:38:01 4672 --a------ C:\WINNT\system32\ckeuccal.exe
2007-08-04 02:35:09 4672 --a------ C:\WINNT\system32\atfvoghd.exe
2007-08-03 13:29:28 125504 --a------ C:\WINNT\system32\rqyxceym.dll
2007-08-03 02:43:57 69184 --a------ C:\WINNT\system32\qkydqqjm.dll
2007-08-03 02:40:55 4672 --a------ C:\WINNT\system32\eyaldsjf.exe
2007-08-03 02:36:50 66112 --a------ C:\WINNT\system32\ciqpkbux.exe
2007-08-03 02:35:13 4672 --a------ C:\WINNT\system32\nwnhuqgr.exe
2007-08-03 02:33:32 1767512 ---hs---- C:\WINNT\system32\dcbeg.bak2
2007-07-29 12:08:32 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_428.dat
2007-07-26 13:38:55 0 d-------- C:\Documents and Settings\Kevin\Application Data\Stamps.com Internet Postage
2007-07-26 13:36:36 0 d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-24 1406 4096 --a------ C:\WINNT\system32\crash
2007-07-23 14:11:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_42c.dat
2007-07-21 15:23:15 266336 --a------ C:\WINNT\system32\gebcd.dll
2007-07-21 15:18:09 31254 -----n--- C:\WINNT\system32\efcccdd.dll
2007-07-19 03:38:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-07-16 18:35:46 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_480.dat
2007-07-15 09:55:49 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_478.dat
2007-07-10 15:00:24 0 d-------- C:\Program Files\iPod
2007-07-10 13:09:13 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_470.dat


-- Find3M Report ---------------------------------------------------------------

2007-08-06 21:04:58 0 d-------- C:\Program Files\Viewpoint
2007-07-29 20:31:06 0 d-------- C:\Documents and Settings\Kevin\Application Data\LimeWire
2007-07-26 13:41:31 0 d-------- C:\Program Files\MySpace
2007-07-26 00:38:46 0 d-------- C:\Documents and Settings\Kevin\Application Data\Yahoo!
2007-07-15 03:35:55 1018392 ---h----- C:\WINNT\ShellIconCache
2007-07-10 14:57:31 0 d-------- C:\Program Files\Apple Software Update
2007-07-05 05:05:35 0 d-------- C:\Documents and Settings\Kevin\Application Data\ZoomBrowser EX
2007-07-04 21:20:35 0 d-------- C:\Documents and Settings\Kevin\Application Data\MySpace
2007-07-04 16:44:59 0 d-------- C:\Program Files\Canon
2007-07-04 16:44:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-04 16:35:16 0 d-------- C:\Program Files\Common Files\Canon
2007-07-04 16:35:06 0 d-a------ C:\Program Files\Common Files
2007-06-22 19:02:06 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_234.dat
2007-06-22 18:53:02 109753 --a------ C:\WINNT\hpoins11.dat
2007-06-22 18:52:47 0 d-------- C:\Program Files\Hewlett-Packard
2007-06-22 18:52:38 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-06-22 18:52:08 0 d-------- C:\Program Files\HP
2007-06-17 10:46:06 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_408.dat
2007-06-14 21:17:30 0 d-------- C:\Documents and Settings\Kevin\Application Data\Viewpoint
2007-06-11 23:32:11 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-10 17:57:15 0 d-------- C:\Program Files\AIM6
2007-06-07 22:32:24 0 d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2007-06-07 22:31:30 0 d-------- C:\Program Files\QuickTime
2007-06-07 04:16:22 0 d-------- C:\Documents and Settings\Kevin\Application Data\Adobe
2007-06-07 04:09:54 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-07 04:08:24 2914 --a------ C:\WINNT\mozver.dat
2007-06-03 1753 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4c0.dat
2007-05-31 23:13:47 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3d0.dat
2007-05-29 18:19:08 50176 --a------ C:\WINNT\system32\reg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-05-28 23:34:10 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_444.dat
2007-05-26 18:31:08 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_430.dat
2007-05-26 17:55:51 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4a8.dat
2007-05-26 17:45:46 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_bf4.dat
2007-05-23 09:00:01 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3cc.dat
2007-05-20 14:15:51 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_398.dat
2007-05-09 02:31:25 2528 --a------ C:\Documents and Settings\Kevin\Application Data\$_hpcst$.hpc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}]
07/21/07 03:18p 31254 --------- C:\WINNT\system32\efcccdd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B233F9B9-8058-49FC-9386-E12FB2E207BC}]
07/21/07 03:23p 266336 --a------ C:\WINNT\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
08/03/07 02:44a 69184 --a------ C:\WINNT\system32\qkydqqjm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [11/17/06 05:42a C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/03 07:10a]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [09/10/03 03:11a]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/07 01:02a]
"CTHelper"="CTHELPER.EXE" [08/11/06 02:56p C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/06 02:56p C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/07 03:43a]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/09/07 06:53p]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [04/25/07 08:44a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
"mdioccrqwd"="c:\winnt\system32\mdioccrqwd.exe" [08/01/07 12:39p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/06 12:35p]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [03/12/07 01:49p]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/07 03:22p]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/05 12:12p]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{857A461D-8D96-4996-A4A0-AEA0A2535B86}"= C:\WINNT\system32\efcccdd.dll [07/21/07 03:18p 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcccdd]
efcccdd.dll 07/21/07 03:18p 31254 C:\WINNT\system32\efcccdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
C:\WINNT\system32\gebcd.dll 07/21/07 03:23p 266336 C:\WINNT\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-08-06 at 21:31:42 ---------
Attached file: extra.txt (15.1 KB)
HoAfCr is offline  
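As an added example (not code from the thread, and not HijackThis's own logic), a small Python triage script that parses HJT "O" entries like the ones in the log above and flags the pattern the log shows: unnamed DLLs in system32 that are registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20). The sample lines are copied from the posted log; the heuristics and thresholds are assumptions of this example, not HijackThis rules.

```python
"""Triage HijackThis v2.0.x log entries for suspicious loaded modules.

Added example for the thread above; heuristics are this example's own
assumptions and will need manual review on a real log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: O-lines copied from the HJT log posted in the thread,
# mixed with benign entries, so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {857A461D-8D96-4996-A4A0-AEA0A2535B86} - C:\WINNT\system32\efcccdd.dll
O2 - BHO: (no name) - {B233F9B9-8058-49FC-9386-E12FB2E207BC} - C:\WINNT\system32\gebcd.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\system32\qkydqqjm.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: efcccdd - C:\WINNT\SYSTEM32\efcccdd.dll
O20 - Winlogon Notify: gebcd - C:\WINNT\system32\gebcd.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# "O2 - BHO: <rest>", "O20 - Winlogon Notify: <rest>", "O4 - HKLM\..\Run: <rest>"
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# First drive-letter path ending in a loadable module extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]+?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str          # e.g. "O2", "O20"
    kind: str             # e.g. "BHO", "Winlogon Notify", "HKLM\..\Run"
    name: str             # display name, Run-key value name, or "(no name)"
    path: Optional[str]   # module path, lower-cased so O2/O20 spellings match
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HJT O-line into an Entry; returns None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if m.group("section") == "O4" and rest.startswith("["):
        name = rest[1:].split("]", 1)[0]          # O4 lines: [RunName] command
    else:
        name = rest.split(" - ", 1)[0]            # "<name> - {CLSID} - <path>"
    pm = PATH_RE.search(rest)
    path = pm.group(0).lower() if pm else None
    return Entry(m.group("section"), m.group("kind"), name, path, line.strip())


def in_system32(path: str) -> bool:
    """True when the file sits directly in ...\\system32 (no sub-folder)."""
    parts = path.split("\\")
    return len(parts) >= 3 and parts[-2] == "system32"


def looks_random(path: str) -> bool:
    """Weak indicator: 5-8 letters, at most one vowel (e.g. efcccdd, qkydqqjm)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not (5 <= len(stem) <= 8 and stem.isalpha()):
        return False
    return sum(c in "aeiou" for c in stem) <= 1


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group entries by module path and return {path: [reasons]} for suspects."""
    by_path: Dict[str, List[Entry]] = {}
    for entry in filter(None, map(parse_entry, log_text.splitlines())):
        if entry.path:
            by_path.setdefault(entry.path, []).append(entry)

    findings: Dict[str, List[str]] = {}
    for path, group in by_path.items():
        reasons: List[str] = []
        kinds = {e.kind for e in group}
        # Strong: one DLL hooked into both the browser and the logon process.
        if "BHO" in kinds and "Winlogon Notify" in kinds:
            reasons.append("same DLL registered as BHO (O2) and Winlogon Notify (O20)")
        # Medium: a BHO with no display name living directly in system32.
        if in_system32(path) and any(e.kind == "BHO" and e.name == "(no name)" for e in group):
            reasons.append("unnamed BHO loaded from system32")
        # Weak: random-looking file name directly in system32; review by hand.
        if in_system32(path) and looks_random(path):
            reasons.append("weak: random-looking file name directly in system32")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for suspect, why in triage(SAMPLE_LOG).items():
        print(suspect)
        for reason in why:
            print("   -", reason)
```

On the sample above the three system32 DLLs are reported and the Adobe BHO and the ZoneAlarm service are not; on a full log, treat the "weak" reason alone as a prompt to check the file, not as a verdict.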
Old 08-06-2007, 10:39 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-06-2007, 10:49 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

log.txt

ComboFix 07-08-07.5 - "Kevin" 08/06/2007 21:39:30.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.461 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Kevin\APPLIC~1.\macromedia\Flash Player\#SharedObjects\VU6TDGYT\www.broadcaster.com
C:\DOCUME~1\Kevin\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\WINNT\system32\atfvoghd.exe
C:\WINNT\system32\bvenrovp.exe
C:\WINNT\system32\ciqpkbux.exe
C:\WINNT\system32\ckcrhbuc.exe
C:\WINNT\system32\ckeuccal.exe
C:\WINNT\system32\dcbeg.bak2
C:\WINNT\system32\dcbeg.ini
C:\WINNT\system32\efcccdd.dll
C:\WINNT\system32\emctepbs.ini
C:\WINNT\system32\eyaldsjf.exe
C:\WINNT\system32\ffryfqpo.ini
C:\WINNT\system32\gebcd.dll
C:\WINNT\system32\ksvcgjwn.exe
C:\WINNT\system32\mdioccrqwd.dat
C:\WINNT\system32\mdioccrqwd.exe
C:\WINNT\system32\mdioccrqwd_nav.dat
C:\WINNT\system32\mdioccrqwd_navps.dat
C:\WINNT\system32\myecxyqr.ini
C:\WINNT\system32\nvs2.inf
C:\WINNT\system32\nwnhuqgr.exe
C:\WINNT\system32\opqfyrff.dll
C:\WINNT\system32\qkydqqjm.dll
C:\WINNT\system32\qlfqcurq.ini
C:\WINNT\system32\qrucqflq.dll
C:\WINNT\system32\rqyxceym.dll
C:\WINNT\system32\sbpetcme.dll
C:\WINNT\system32\sjngxyve.exe
C:\WINNT\system32\sluclkqk.exe
C:\WINNT\system32\xjhuautm.exe


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 21:43 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_52c.dat
2007-08-06 21:40 69,184 --a------ C:\WINNT\system32\morjysmf.dll
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:29 <DIR> d-------- C:\Deckard
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-08-06 21:04 --------- d-------- C:\Program Files\Viewpoint
07-07-29 20:31 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07-07-26 13:41 --------- d-------- C:\Program Files\MySpace
07-07-26 00:38 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07-07-10 14:57 --------- d-------- C:\Program Files\Apple Software Update
07-07-05 05:05 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07-07-04 21:20 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07-07-04 16:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-07-04 16:44 --------- d-------- C:\Program Files\Canon
07-07-04 16:35 --------- d-------- C:\Program Files\Common Files\Canon
07-06-22 18:53 109753 --a------ C:\WINNT\hpoins11.dat
07-06-22 18:52 --------- d-------- C:\Program Files\HP
07-06-22 18:52 --------- d-------- C:\Program Files\Hewlett-Packard
07-06-22 18:52 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
07-06-14 21:17 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint
07-06-11 23:32 --------- d-------- C:\Program Files\Common Files\InstallShield
07-06-10 17:57 --------- d-------- C:\Program Files\AIM6
07-06-07 22:32 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
07-06-07 22:31 --------- d-------- C:\Program Files\QuickTime
07-06-07 04:08 2914 --a------ C:\WINNT\mozver.dat
07-05-29 18:19 50176 --a------ C:\WINNT\system32\reg.exe
07-04-07 10:47 271 ---h----- C:\Program Files\desktop.ini
07-04-07 10:47 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [06-11-17 05:42 C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03-09-29 07:10 ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03-09-10 03:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"CTHelper"="CTHELPER.EXE" [06-08-11 14:56 C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [06-08-11 14:56 C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [07-03-09 18:53 ]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [07-04-25 08:44 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [06-11-10 12:35 ]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [07-03-12 13:49 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-03-27 15:22 ]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05-05-25 12:12 ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 21:43:07
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_408.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-06 21:45:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-06 21:44

--- E O F ---




hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:35 PM, on 8/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8271 bytes
Old 08-06-2007, 10:55 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Please disable AdWatch, as it may hinder the removal of some entries.
You can re-enable it after you're clean. To disable AdWatch:
  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options Active and Automatic.
  • Active: This will turn Ad-Watch On/Off without closing it
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options. You can enable these after resolving your problem.
  • Unless they are turned off they could interfere with the fix.


---------------


Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
  • ViewPoint
Please note any other programs that you don't recognize in that list in your next response.


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Winnt\system32\morjysmf.dll
Folder::
C:\Program Files\Viewpoint
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint
Registry::
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Click here to perform an online scan >> Online Scanner


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

Question - what have you done for the community today?
Old 08-06-2007, 11:47 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

1.) hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:44 PM, on 8/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8592 bytes


2.) Kaspersky Online scan... found no malware, etc.


3.) log.txt

ComboFix 07-08-07.5 - "Kevin" 08/06/2007 22:01:43.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.541 [GMT -7:00]
Command switches used :: D:\Program Files\$$$$$$$$$$$$$$$$\DSS LOG\CFScript.txt

FILE::
C:\Winnt\system32\morjysmf.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1704320493.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\250892612.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-140210881.mtz
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-299397824.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-882039367.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1054459834.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1624992797.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1991437604.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\373851225.mts
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1859761695.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-107933152.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1850579979.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\670487064.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1148673767.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-299397824.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1054459834.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1282749521.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1624992797.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1991437604.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1290601034.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1695846852.mtz
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1859761695.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\407034558.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-1850579979.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-21412136.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-744169420.mts
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1070867519.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMgr.dll
C:\WINNT\system32\morjysmf.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 22:04 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6ec.dat
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:29 <DIR> d-------- C:\Deckard
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-07-29 20:31 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07-07-26 13:41 --------- d-------- C:\Program Files\MySpace
07-07-26 00:38 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07-07-10 14:57 --------- d-------- C:\Program Files\Apple Software Update
07-07-05 05:05 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07-07-04 21:20 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07-07-04 16:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-07-04 16:44 --------- d-------- C:\Program Files\Canon
07-07-04 16:35 --------- d-------- C:\Program Files\Common Files\Canon
07-06-22 18:53 109753 --a------ C:\WINNT\hpoins11.dat
07-06-22 18:52 --------- d-------- C:\Program Files\HP
07-06-22 18:52 --------- d-------- C:\Program Files\Hewlett-Packard
07-06-22 18:52 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
07-06-11 23:32 --------- d-------- C:\Program Files\Common Files\InstallShield
07-06-10 17:57 --------- d-------- C:\Program Files\AIM6
07-06-07 22:32 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
07-06-07 22:31 --------- d-------- C:\Program Files\QuickTime
07-06-07 04:08 2914 --a------ C:\WINNT\mozver.dat
07-05-29 18:19 50176 --a------ C:\WINNT\system32\reg.exe
07-04-07 10:47 271 ---h----- C:\Program Files\desktop.ini
07-04-07 10:47 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [06-11-17 05:42 C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03-09-29 07:10 ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03-09-10 03:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"CTHelper"="CTHELPER.EXE" [06-08-11 14:56 C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [06-08-11 14:56 C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [07-03-09 18:53 ]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [07-04-25 08:44 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [06-11-10 12:35 ]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [07-03-12 13:49 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-03-27 15:22 ]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05-05-25 12:12 ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys


Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 22:04:31
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_420.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-06 2254 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-06 22:05
C:\ComboFix2.txt ... 07-08-06 21:45

--- E O F ---
Old 08-06-2007, 11:51 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

The computer performs a lot faster than before. I notice popups haven't been appearing as often.

A few fixes ago you asked for any questions about Add/Remove Programs. I have a few:

- getPlus(R)_dll
- Hotfix for MDAC 2.53(kb927779)
- Remote Desktop Connection
- Viewpoint (not sure if it has been removed)

sUBs, you have been awfully busy these past hours. Thanks for taking the time to help. And the sad thing is Barry Bonds, after the 11th inning, still has not hit his 756th HR!
Old 08-07-2007, 12:05 AM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Quote:
Kaspersky Online scan...found no malware,etc...
You must have done it wrongly & performed a standard scan.

There's no way Kaspersky would come up clean. Some of the stuff Combofix quarantined in C:\QooBox will surely be detected.

Please review the instructions for the Kaspersky scan again. The setting must be "extended" scan.
__________________

Question - what have you done for the community today?
Old 08-07-2007, 02:10 AM   #12 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

1. hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:33 AM, on 8/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8581 bytes


2. Online

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 07, 2007 12:57:38 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 376348
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 114618
Number of viruses found: 16
Number of infected objects: 54
Number of suspicious objects: 16
Duration of the scan process: 01:46:47

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\laf1.exe Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\lyqudotp.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\NeroDemo12550\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\vwcfxaum.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\yidovrlb.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_ROLLEAZY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_ROLLEAZY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\cert8.db Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\history.dat Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\key3.db Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Kevin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL OCP\AIM\Storage\data\iicanibusxthcii\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Identities\{D60BFC08-63F6-4915-94EC-FB44C27FA1DC}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Identities\{D60BFC08-63F6-4915-94EC-FB44C27FA1DC}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Identities\{D60BFC08-63F6-4915-94EC-FB44C27FA1DC}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\MSHist012007080620070807\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\~DFA48A.tmp Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kevin\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINNT\system32\atfvoghd.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\bvenrovp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\ciqpkbux.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINNT\system32\ckcrhbuc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\ckeuccal.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\eyaldsjf.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\ksvcgjwn.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\nwnhuqgr.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\qkydqqjm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.la skipped
C:\QooBox\Quarantine\C\WINNT\system32\sjngxyve.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\sluclkqk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\xjhuautm.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\catchme2007-08-06_214305.43.zip/efcccdd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-06_214305.43.zip/gebcd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\catchme2007-08-06_214305.43.zip ZIP: infected - 2 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\ROLLEAZY.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\edb.log Object is locked skipped
C:\WINNT\security\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\ACEEvent.evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_420.dat Object is locked skipped
C:\WINNT\system32\wbem\Repository\CIM.REP Object is locked skipped
C:\WINNT\Temp\ZLT00313.TMP Object is locked skipped
C:\WINNT\Temp\ZLT0366f.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\{00000002-00000000-00000007-00001102-00000004-10021102}.CDF Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\73899a3abc976d1d25befdc7e2840681_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\19b92f83a328096f8ea3ee9a33062681_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e68df68444fac068cc6511a63797e07_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\74dc1d68a57cd554b1477e01a5cd765e_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf14ae3203f2262309f5cf8a8f7ea256_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy24.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy24.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy28.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy28.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy32.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy32.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy36.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy36.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy40.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy40.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWStealerModule.zip/module32.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWStealerModule.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\xxx\Local Settings\Temp\hsperfdata_xxx\2176 Object is locked skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/alien.cab/amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/alien.cab Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/joysavsht.cab/amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/joysavsht.cab Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm CHM: infected - 5 skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe NSIS: infected - 3 skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm/SystemDoctor2006FreeInstall.cab/USDR6_0001_D08M0404NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm/SystemDoctor2006FreeInstall.cab Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm CHM: infected - 3 skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396711.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396726.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396754.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396758.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396766.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\$NtServicePackUninstall$\wmipdskq.dll Infected: not-a-virus:AdWare.Win32.Hmt skipped
D:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
D:\WINDOWS\srvnzeikrw.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srvnzeikrw.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srvnzeikrw.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srvnzeikrw.exe NSIS: infected - 3 skipped
D:\WINDOWS\system32\crunner\cupdater.exe Infected: Trojan-Downloader.MSIL.Agent.c skipped
D:\WINDOWS\system32\h82o0if3e82.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\ir0ml5d11.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\jtjs0717e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\jtl4073qe.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\ktr2l79o1.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\mv64l9jq1.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\uplmon.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\YazzleBundle-1264.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
D:\WINDOWS\YazzleBundle-1264.exe NSIS: infected - 1 skipped

Scan process completed.


3. combo

ComboFix 07-08-07.5 - "Kevin" 08/07/2007 1:03:53.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.415 [GMT -7:00]
Command switches used :: D:\Program Files\$$$$$$$$$$$$$$$$\DSS LOG\CFScript.txt

FILE::
C:\Winnt\system32\morjysmf.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 22:10 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-08-06 22:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-06 22:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_420.dat
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:29 <DIR> d-------- C:\Deckard
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

12/07/99 05:00a 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07/29/07 08:31p --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07/26/07 12:38a --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07/26/07 01:41p --------- d-------- C:\Program Files\MySpace
07/10/07 02:57p --------- d-------- C:\Program Files\Apple Software Update
07/05/07 05:05a --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07/04/07 09:20p --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07/04/07 04:44p --------- d--h----- C:\Program Files\InstallShield Installation Information
07/04/07 04:44p --------- d-------- C:\Program Files\Canon
07/04/07 04:35p --------- d-------- C:\Program Files\Common Files\Canon
06/22/07 06:53p 109753 --a------ C:\WINNT\hpoins11.dat
06/22/07 06:52p --------- d-------- C:\Program Files\HP
06/22/07 06:52p --------- d-------- C:\Program Files\Hewlett-Packard
06/22/07 06:52p --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
06/11/07 11:32p --------- d-------- C:\Program Files\Common Files\InstallShield
06/10/07 05:57p --------- d-------- C:\Program Files\AIM6
06/07/07 10:32p --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
06/07/07 10:31p --------- d-------- C:\Program Files\QuickTime
06/07/07 04:08a 2914 --a------ C:\WINNT\mozver.dat
05/29/07 06:19p 50176 --a------ C:\WINNT\system32\reg.exe
04/07/07 10:47a 271 ---h----- C:\Program Files\desktop.ini
04/07/07 10:47a 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [11/17/06 05:42a C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/03 07:10a]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [09/10/03 03:11a]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/07 01:02a]
"CTHelper"="CTHELPER.EXE" [08/11/06 02:56p C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/06 02:56p C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/07 03:43a]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/09/07 06:53p]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [04/25/07 08:44a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/13/07 04:38p]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/06 12:35p]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [03/12/07 01:49p]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/07 03:22p]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/05 12:12p]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys


Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 01:04:56
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 08/07/2007 114
C:\ComboFix-quarantined-files.txt ... 08/07/07 01:05a
C:\ComboFix2.txt ... 08/06/07 10:06p
C:\ComboFix3.txt ... 08/06/07 09:45p

--- E O F ---
HoAfCr is offline  
Old 08-07-2007, 08:08 AM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
D:\WINDOWS\srvnzeikrw.exe
D:\WINDOWS\system32\crunner
D:\WINDOWS\system32\h82o0if3e82.dll
D:\WINDOWS\system32\ir0ml5d11.dll
D:\WINDOWS\system32\jtjs0717e.dll
D:\WINDOWS\system32\jtl4073qe.dll
D:\WINDOWS\system32\ktr2l79o1.dll
D:\WINDOWS\system32\mv64l9jq1.dll
D:\WINDOWS\system32\uplmon.dll
D:\WINDOWS\YazzleBundle-1264.exe
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in ( 
C:\Deckard
"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery"
"D:\Documents and Settings\xxx\Local Settings\Temp"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run.

Post back to tell me what it says
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-07-2007, 03:04 PM   #14 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

C:\WINNT\system32\cmd.exe opened up, but just a blank screen.
HoAfCr is offline  
Old 08-07-2007, 03:13 PM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Right click on the file & select edit.

Replace this line - @echo off
With - @prompt $

Run it again. This time, you shall see a series of lines. Tell me where it stalls
sUBs is offline  
Old 08-07-2007, 03:41 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

this is the last bracket to bracket...


<
del /a/f D:\WINDOWS\system32\crunner 1>nul 2>$1
if exist D:\WINDOWS\syste32\crunner echo.D:\WINDOWS\system32\crunner1>>"C:\DOCUME~1\Kevin\LOCALS~\Temp\log.txt"
>
HoAfCr is offline  
Old 08-07-2007, 03:45 PM   #17 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Yes, I see the error now. Crunner is a folder. We'll need another script to do the job.

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
D:\WINDOWS\srvnzeikrw.exe
D:\WINDOWS\system32\h82o0if3e82.dll
D:\WINDOWS\system32\ir0ml5d11.dll
D:\WINDOWS\system32\jtjs0717e.dll
D:\WINDOWS\system32\jtl4073qe.dll
D:\WINDOWS\system32\ktr2l79o1.dll
D:\WINDOWS\system32\mv64l9jq1.dll
D:\WINDOWS\system32\uplmon.dll
D:\WINDOWS\YazzleBundle-1264.exe
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in ( 
D:\WINDOWS\system32\crunner
C:\Deckard
"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery"
"D:\Documents and Settings\xxx\Local Settings\Temp"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0
sUBs is offline  
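The only difference between the first and second scripts above is which primitive each path goes through: `del /a /f` removes files, `rd /s /q` removes folders, and each is followed by an `if exist` check that logs whatever survived. Below is that verify-after-delete pattern in Python as an added example (it is not sUBs's script and not part of this thread's fix): it picks the right primitive per path instead of relying on the list being sorted correctly, clears the read-only attribute the way `del /a /f` does, and returns the leftovers rather than opening them in Notepad. Every file name is a constructed stand-in created inside a temporary directory.

```python
import os
import shutil
import stat
import tempfile
from typing import Iterable, List


def _clear_readonly(path: str) -> None:
    """Set the owner-write bit so a read-only file can be unlinked (needed on Windows)."""
    try:
        os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)
    except OSError:
        pass


def remove_paths(paths: Iterable[str]) -> List[str]:
    """Try to remove every path and return those that still exist afterwards.

    A folder goes through rmtree (the batch 'del' cannot remove a folder, which is
    why the first script left 'crunner' behind); anything else is unlinked.
    A path that never existed counts as success, exactly like the .bat's 'if exist'.
    """
    leftovers: List[str] = []
    for p in paths:
        try:
            if os.path.isdir(p) and not os.path.islink(p):
                # make nested read-only files deletable before the recursive delete
                for root, dirs, files in os.walk(p):
                    for name in dirs + files:
                        _clear_readonly(os.path.join(root, name))
                shutil.rmtree(p)
            elif os.path.lexists(p):
                _clear_readonly(p)
                os.remove(p)
        except OSError:
            pass  # failure is reported through the existence check below
        if os.path.lexists(p):
            leftovers.append(p)
    return leftovers


def demo() -> dict:
    """Constructed scenario: a plain file, a read-only file, a folder with nested
    content and a path that does not exist. Names mirror the thread's list but
    the objects are created fresh in a temp directory."""
    base = tempfile.mkdtemp(prefix="cleanup-demo-")
    plain = os.path.join(base, "srvnzeikrw.exe")
    readonly = os.path.join(base, "uplmon.dll")
    folder = os.path.join(base, "crunner")
    missing = os.path.join(base, "never-existed.dll")

    open(plain, "w").close()
    with open(readonly, "w") as fh:
        fh.write("x")
    os.chmod(readonly, stat.S_IREAD)
    os.makedirs(os.path.join(folder, "sub"))
    open(os.path.join(folder, "sub", "payload.bin"), "w").close()

    leftovers = remove_paths([plain, readonly, folder, missing])
    still_there = [p for p in (plain, readonly, folder) if os.path.lexists(p)]
    shutil.rmtree(base, ignore_errors=True)
    return {"leftovers": leftovers, "still_there": still_there}


if __name__ == "__main__":
    result = demo()
    print("Deleted Successfully !!" if not result["leftovers"] else result["leftovers"])
```

The existence check after the attempt is the part worth keeping in any cleanup script: it turns a silent `del` failure into a list you can act on, which is exactly how the thread caught that `crunner` was a folder.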
Old 08-07-2007, 03:57 PM   #18 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

1. log.txt

D:\WINDOWS\system32\crunner
"D:\Documents and Settings\xxx\Local Settings\Temp"

2. Windows Script Host

Script: D\Program Files\$$$$$$$$$$$$$\DSS LOG\SR.vbs
Line: 1
Char: 1
Error: Not found

Code: 80041002
Source: SWbemServices
HoAfCr is offline  
Old 08-07-2007, 04:01 PM   #19 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A


Re: HJT help!

Since it doesn't want to go away peacefully, we'll have to use a bigger gun.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
D:\WINDOWS\system32\crunner
D:\Documents and Settings\xxx\Local Settings\Temp
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
sUBs is offline  
Old 08-07-2007, 04:10 PM   #20 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!

ComboFix 07-08-07.5 - "Kevin" 08/07/2007 15:02:10.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.519 [GMT -7:00]
Command switches used :: D:\Program Files\$$$$$$$$$$$$$$$$\DSS LOG\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Documents and Settings\xxx\Local Settings\Temp
D:\WINDOWS\system32\crunner


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 15:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_69c.dat
2007-08-06 22:10 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-08-06 22:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-07-29 20:31 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07-07-26 13:41 --------- d-------- C:\Program Files\MySpace
07-07-26 00:38 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07-07-10 14:57 --------- d-------- C:\Program Files\Apple Software Update
07-07-05 05:05 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07-07-04 21:20 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07-07-04 16:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-07-04 16:44 --------- d-------- C:\Program Files\Canon
07-07-04 16:35 --------- d-------- C:\Program Files\Common Files\Canon
07-06-22 18:53 109753 --a------ C:\WINNT\hpoins11.dat
07-06-22 18:52 --------- d-------- C:\Program Files\HP
07-06-22 18:52 --------- d-------- C:\Program Files\Hewlett-Packard
07-06-22 18:52 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
07-06-11 23:32 --------- d-------- C:\Program Files\Common Files\InstallShield
07-06-10 17:57 --------- d-------- C:\Program Files\AIM6
07-06-07 22:32 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
07-06-07 22:31 --------- d-------- C:\Program Files\QuickTime
07-06-07 04:08 2914 --a------ C:\WINNT\mozver.dat
07-05-29 18:19 50176 --a------ C:\WINNT\system32\reg.exe
07-04-07 10:47 271 ---h----- C:\Program Files\desktop.ini
07-04-07 10:47 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [06-11-17 05:42 C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03-09-29 07:10 ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03-09-10 03:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"CTHelper"="CTHELPER.EXE" [06-08-11 14:56 C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [06-08-11 14:56 C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [07-03-09 18:53 ]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [07-04-25 08:44 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [06-11-10 12:35 ]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [07-03-12 13:49 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-03-27 15:22 ]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05-05-25 12:12 ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys


Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 15:05:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_3dc.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-07 15:07:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-07 01:05
C:\ComboFix2.txt ... 07-08-07 01:06
C:\ComboFix3.txt ... 07-08-06 22:06

--- E O F ---
HoAfCr is offline  
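Two ComboFix logs from the same machine appear in this thread (the 01:03 run and the 15:02 run), and the useful comparison is the "Reg Loading Points" section: an autorun value whose command changed between runs, or one with an empty bracket (no file timestamp recorded, so the referenced binary could not be examined or the value is empty, as with `"swg"` and `"Aim6"` above), is what a helper looks at first. The parser below is an added example written for this page, not ComboFix's own tooling; its input is a pair of constructed excerpts trimmed from the two logs above, with `AWMON` dropped from the later excerpt so that a removal shows up in the diff. It only compares the command string, because ComboFix printed the bracketed timestamps in two different date formats across the two runs.

```python
import re
from typing import Dict, List, Tuple

# One autorun line:  "Name"=command [timestamp path]   (bracket part optional)
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*?)(?:\s*\[([^\]]*)\])?\s*$')
_KEY_RE = re.compile(r'^\[(HKEY[^\]]+)\]$')

Entry = Tuple[str, str]  # (command, text inside the brackets)

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUNONCE_KEY = r"hkey_users\.default\software\microsoft\windows\currentversion\runonce"

# Constructed excerpt based on the 01:03 log in this thread.
BEFORE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/13/07 04:38p]
"Aim6"="" []
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/05 12:12p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"""

# Constructed excerpt based on the 15:02 log; AWMON deliberately left out.
AFTER_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"Aim6"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"""


def parse_reg_loading_points(log_text: str) -> Dict[str, Dict[str, Entry]]:
    """Return {registry key (lower-case): {value name: (command, bracket text)}}
    taken from the 'Reg Loading Points' section of a ComboFix log."""
    entries: Dict[str, Dict[str, Entry]] = {}
    in_section, key = False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("((((") and "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("(((("):  # a later section header ends ours
            break
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            cmd = m.group(2).strip().strip('"')
            entries[key][m.group(1)] = (cmd, (m.group(3) or "").strip())
    return entries


def diff_autoruns(before, after) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) as 'key\\name' strings; only commands are compared."""
    added, removed, changed = [], [], []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            path = f"{key}\\{name}"
            if name not in b:
                added.append(path)
            elif name not in a:
                removed.append(path)
            elif b[name][0].lower() != a[name][0].lower():
                changed.append(path)
    return added, removed, changed


def unresolved(parsed) -> List[str]:
    """Values with an empty bracket: no file timestamp was recorded, so check them by hand."""
    return sorted(f"{k}\\{n}" for k, vals in parsed.items()
                  for n, (_cmd, info) in vals.items() if not info)


if __name__ == "__main__":
    before, after = parse_reg_loading_points(BEFORE_LOG), parse_reg_loading_points(AFTER_LOG)
    print("added/removed/changed:", diff_autoruns(before, after))
    print("unresolved:", unresolved(after))
```

On the two excerpts this reports `swg` as changed (its command now points into a versioned sub-folder), `H/PC Connection Agent` as added, `AWMON` as removed, and four values with no recorded file timestamp. Run against full logs it stops at the next section header, and anything that is not a `"name"=` line under a `[HKEY...]` key (service lines, the Startup folder entry, `@="Driver"`) is ignored.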
Copyright 2001 - 2009, Tech Support Forum