Resolved HJT Threads - Resolved spyware and popup issues.

#1
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Hi. Thanks for looking at my situation. I inadvertently opened an attachment and have since been inundated with pop-ups and adware. The other morning I opened my email inbox to see over 500 "mailer daemon" returned emails that I never sent. My computer has been taken over. I've cleared viruses myself in the past by reading through this forum. I need help this time.
[Windows XP SP2 Dell Inspiron 9300 1.25G RAM]

LOGS:

Panda:
Incident Status Location
Virus:Generic Malware Disinfected Operating system
Adware:Adware/TTC Not disinfected C:\Program Files\Movie Maker\hokevof4444.dll
Adware:Adware/TTC Not disinfected C:\Program Files\Movie Maker\hokevof83122.dll
Adware:adware/ipbill Not disinfected C:\WINDOWS\system32\dload.exe
Adware:adware/startpage.aao Not disinfected c:\windows\system32\dload.exe
Adware:adware/easysearch Not disinfected c:\windows\dialup.exe
Adware:adware/superspider Not disinfected c:\windows\runwin32.exe
Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
Adware:adware/conspy Not disinfected c:\windows\waol.exe
Adware:adware program Not disinfected c:\windows\x.exe
Adware:adware/spyblast Not disinfected Windows Registry
Adware:adware/winres Not disinfected Windows Registry
Dialer:dialer.avv Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E246FAE-8420-11D9-870D-000C2917DE7F}
Adware:adware/cws.nfo Not disinfected Windows Registry
Spyware:spyware/surfsidekick Not disinfected Windows Registry
Adware:adware/mssearch Not disinfected Windows Registry
Spyware:spyware/clientman Not disinfected Windows Registry
Adware:adware/noname Not disinfected Windows Registry
Spyware:spyware/cws.olehelp Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Spyware:spyware/adclicker Not disinfected Windows Registry
Adware:Adware/TTC Not disinfected C:\!KillBox\Dc127.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@ads.pointroll[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@advertising[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@bluestreak[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@com[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@counter10.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@counter4.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@counter9.sextracker[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@drivecleaner[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@fastclick[3].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@findwhat[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@go[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@media.adrevolver[3].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@server.iad.liveperson[3].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@serving-sys[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@statcounter[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@statse.webtrendslive[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@systemdoctor[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@tribalfusion[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@winantispyware[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@winantivirus[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@www.drivecleaner[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@www.systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@www.winantiviruspro[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Linus Lux\Cookies\linus_lux@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Linus Lux\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Linus Lux\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Linus Lux\Desktop\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Documents and Settings\Linus Lux\Local Settings\Temporary Internet Files\Content.IE5\6JN1S2PF\installdrivecleanerstart[1].cab
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Linus Lux\Local Settings\Temporary Internet Files\Content.IE5\7D8EZNA9\bobik[1]
Virus:Generic Malware Disinfected C:\Program Files\Windows NT\lavupagob.dll
Adware:Adware/TTC Not disinfected C:\RECYCLER\S-1-5-21-3424091001-152558605-1149079077-1005\Dc128.exe
Adware:Adware/CommAd Not disinfected C:\RECYCLER\S-1-5-21-3424091001-152558605-1149079077-1005\Dc134\n35Rxrg0nJpb.vbs
Adware:Adware/Adband Not disinfected C:\RECYCLER\S-1-5-21-3424091001-152558605-1149079077-1005\Dc62\BndDrive4.dll
Virus:Trj/Downloader.QLZ Disinfected C:\RECYCLER\S-1-5-21-3424091001-152558605-1149079077-1005\Dc64\winable.exe
Adware:Adware/Yazzle Not disinfected C:\RECYCLER\S-1-5-21-3424091001-152558605-1149079077-1005\Dc73.exe
Adware:Adware/Yazzle Not disinfected C:\RECYCLER\S-1-5-21-3424091001-152558605-1149079077-1005\Dc74.exe
Adware:Adware/TTC Not disinfected C:\RECYCLER\S-1-5-21-3424091001-152558605-1149079077-1005\Dc75.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\dbtghyoc.exe
Adware:Adware/TTC Not disinfected C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\SYSTEM32\GB9\wrdrvrdl23.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\hrgdccgk.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\intr32.dll
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\iomysvlo.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\msmapi32.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Virus:Generic Malware Disinfected C:\WINDOWS\SYSTEM32\qgtfogsq.exe
Adware:Adware/AntispywareSoldier Not disinfected C:\WINDOWS\SYSTEM32\sklmnf.exe
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\SYSTEM32\todksvbt.exe
Virus:Generic Trojan Disinfected C:\WINDOWS\SYSTEM32\upd_123.exe
Virus:Trj/Gagar.DY Disinfected C:\WINDOWS\SYSTEM32\wyitzoel.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\xeuwawtw.exe
Adware:Adware/Adband Not disinfected C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe[BndDrive4.dll]
Adware:Adware/TTC Not disinfected C:\WINDOWS\tk58.exe
Adware:Adware/TTC Not disinfected C:\WINDOWS\TTC-4444.exe

Deckard's System Scanner v20070905.67
Run by Linus Lux on 2007-10-03 01:24:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.

Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Linus Lux.exe) -------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-03 01:25:24
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\CTFMON.EXE
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SYSTEM32\M-AudioTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\WINDOWS\SYSTEM32\mrtmngr.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\TASKMGR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Linus Lux\Desktop\Deckard's System Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: (no name) - {668E3EDD-0BE4-46EB-98B7-2E50F11D8716} - C:\Program Files\Movie Maker\hokevof83122.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll (file missing)
O2 - BHO: (no name) - {9317a54d-01eb-44d4-9359-6864ce934c8a} - C:\WINDOWS\system32\hgbeifm.dll (file missing)
O2 - BHO: (no name) - {A34684F5-E6D3-4183-9B78-9A1D7EA24207} - C:\Program Files\Movie Maker\hokevof4444.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: (no name) - {AEA92DF4-09FD-4189-B30F-72982EA64C30} - C:\WINDOWS\SYSTEM32\ssqrq.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\SYSTEM32\yjijamwp.dll
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\SYSTEM32\owamctni.dll
O2 - BHO: 0 - {F7E22B43-DB34-4695-A1B2-CB22DE4FA9ED} - C:\Program Files\Windows NT\lavupagob.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKEY_LOCAL_MACHINE\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKEY_LOCAL_MACHINE\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKEY_LOCAL_MACHINE\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\cilirefq.dll",sitypnow
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: opnlkkk - C:\WINDOWS\system32\opnlkkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe service
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: M-Audio Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - "C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe"
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

-- HijackThis Fixed Entries (C:\PROGRA~1\backups\) -----------------------------

backup-20051212-115053-226 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20051212-115053-483 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
backup-20051212-115053-587 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
backup-20051212-115053-619 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
backup-20051212-115053-766 O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkhhh.dll
backup-20051212-115053-900 O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
backup-20051212-115053-951 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
backup-20051212-115054-486 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20051212-115054-505 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20051212-115054-666 O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll
backup-20051212-120448-432 O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll
backup-20051214-182110-237 O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll
backup-20051214-182110-258 O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkhhh.dll
backup-20051214-182136-813 O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll
backup-20051214-182136-824 O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkhhh.dll
backup-20051214-183246-193 O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkhhh.dll (file missing)
backup-20051214-183246-704 O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll (file missing)
backup-20051214-184405-501 O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkhhh.dll (file missing)
backup-20051214-184405-605 O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll (file missing)
backup-20051214-185101-243 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20060511-143431-161 O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
backup-20060511-143431-219 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
backup-20060511-143431-242 O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
backup-20060511-143431-372 O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
backup-20060511-143431-458 O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
backup-20060511-143431-490 O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
backup-20060511-143431-496 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
backup-20060511-143431-517 O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
backup-20060511-143431-571 O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
backup-20060511-143431-618 O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
backup-20060511-143431-625 O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
backup-20060511-143431-667 O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll
backup-20060511-143431-678 O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
backup-20060511-143431-757 O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
backup-20060511-143431-761 O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
backup-20060511-143431-853 O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
backup-20060511-143431-956 O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
backup-20060511-144111-209 O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
backup-20060511-144111-286 O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
backup-20060511-144111-326 O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
backup-20060511-144111-357 O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
backup-20060511-144111-454 O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
backup-20060511-144111-461 O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
backup-20060511-144111-504 O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
backup-20060511-144111-577 O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
backup-20060511-144111-593 O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
backup-20060511-144111-689 O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
backup-20060511-144111-792 O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
backup-20060810-120223-352 O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
backup-20060810-120223-375 O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
backup-20060810-120223-469 O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
backup-20060810-120223-595 O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
backup-20060810-120223-597 O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
backup-20060810-120223-604 O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
backup-20060810-120223-612 O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
backup-20060810-120223-647 O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
backup-20060810-120223-736 O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
backup-20060810-120223-832 O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
backup-20060810-120223-865 O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
backup-20060810-120223-935 O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
backup-20060810-120613-242 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
backup-20060810-120613-517 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
backup-20061009-170030-208 O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
backup-20061009-170030-240 O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
backup-20061009-170030-375 O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
backup-20061009-170030-418 O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
backup-20061009-170030-429 O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
backup-20061009-170030-507 O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
backup-20061009-170030-512 O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
backup-20061009-170030-604 O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
backup-20061009-170030-706 O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
backup-20061009-202423-184 O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
backup-20061009-202423-187 O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
backup-20061009-202423-195 O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
backup-20061009-202423-278 O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
backup-20061009-202423-325 O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
backup-20061009-202423-370 O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
backup-20061009-202423-443 O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
backup-20061009-202423-514 O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EA2855-9F13-4A7C-9A1B-E290BA3A5B9E}: NameServer = 66.102.163.231 66.209.10.201
backup-20061009-202423-571 O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
backup-20061009-202423-578 O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
backup-20061009-202423-710 O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
backup-20061009-202423-909 O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
backup-20061009-202423-975 O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
backup-20061011-114645-386 O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
backup-20061011-114645-388 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
backup-20061011-114645-535 O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
backup-20061011-114645-567 O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
backup-20061011-114645-633 O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
backup-20061011-114645-640 O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
backup-20061011-114645-745 O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
backup-20061011-114645-756 O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
backup-20061011-114645-834 O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
backup-20061011-114645-930 O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
backup-20061011-114645-971 O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
backup-20061018-112643-116 O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
backup-20061018-112643-135 O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
backup-20061018-112643-167 O2 - BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
backup-20061018-112643-181 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
backup-20061018-112643-205 O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
backup-20061018-112643-250 O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
backup-20061018-112643-273 O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
backup-20061018-112643-278 O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
backup-20061018-112643-280 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
backup-20061018-112643-295 O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
backup-20061018-112643-359 O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
backup-20061018-112643-376 O2 - BHO: (no name) - {2e246fae-8420-11d9-870d-000c2917de7f} - (no file)
backup-20061018-112643-417 O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
backup-20061018-112643-438 O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
backup-20061018-112643-444 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
backup-20061018-112643-460 O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
backup-20061018-112643-467 O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
backup-20061018-112643-492 O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
backup-20061018-112643-500 O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
backup-20061018-112643-540 O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
backup-20061018-112643-549 O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
backup-20061018-112643-553 O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
backup-20061018-112643-630 O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file)
backup-20061018-112643-650 O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
backup-20061018-112643-651 O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
backup-20061018-112643-658 O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
backup-20061018-112643-677 O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
backup-20061018-112643-688 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
backup-20061018-112643-690 O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
backup-20061018-112643-694 O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
backup-20061018-112643-697 O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file)
backup-20061018-112643-705 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
backup-20061018-112643-707 O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
backup-20061018-112643-771 O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
backup-20061018-112643-829 O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
backup-20061018-112643-836 O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
backup-20061018-112643-838 O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
backup-20061018-112643-863 O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
backup-20061018-112643-893 O2 - BHO: (no name) - {9c5875b8-93f3-429d-ff34-660b206d897a} - (no file)
backup-20061018-112643-936 O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
backup-20061024-012950-105 O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
backup-20061024-012950-161 O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
backup-20061024-012950-193 O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
backup-20061024-012950-233 O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
backup-20061024-012950-257 O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
backup-20061024-012950-291 O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
backup-20061024-012950-308 O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
backup-20061024-012950-321 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
backup-20061024-012950-328 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
backup-20061024-012950-329 O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
backup-20061024-012950-334 O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
backup-20061024-012950-336 O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
backup-20061024-012950-346 O2 -
BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file) backup-20061024-012950-357 O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file) backup-20061024-012950-370 O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file) backup-20061024-012950-375 O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file) backup-20061024-012950-389 O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file) backup-20061024-012950-421 O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file) backup-20061024-012950-460 O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file) backup-20061024-012950-539 O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file) backup-20061024-012950-556 O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file) backup-20061024-012950-571 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file) backup-20061024-012950-618 O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file) backup-20061024-012950-632 O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file) backup-20061024-012950-641 O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file) backup-20061024-012950-659 O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file) backup-20061024-012950-671 O2 - BHO: (no name) - {9c5875b8-93f3-429d-ff34-660b206d897a} - (no file) backup-20061024-012950-693 O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file) backup-20061024-012950-724 O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file) backup-20061024-012950-728 O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file) backup-20061024-012950-757 O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file) backup-20061024-012950-765 O2 - BHO: (no name) - {2e246fae-8420-11d9-870d-000c2917de7f} - (no file) backup-20061024-012950-774 O2 - 
BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file) backup-20061024-012950-812 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - (no file) backup-20061024-012950-835 O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file) backup-20061024-012950-836 O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file) backup-20061024-012950-917 O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file) backup-20061024-012950-938 O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file) backup-20061024-012950-956 O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file) backup-20061027-111611-130 O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file) backup-20061027-111611-143 O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file) backup-20061027-111611-150 O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file) backup-20061027-111611-153 O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file) backup-20061027-111611-188 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file) backup-20061027-111611-195 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file) backup-20061027-111611-203 O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file) backup-20061027-111611-211 O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file) backup-20061027-111611-271 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file) backup-20061027-111611-300 O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file) backup-20061027-111611-327 O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file) backup-20061027-111611-329 O2 - BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file) backup-20061027-111611-372 O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file) backup-20061027-111611-526 O2 - 
BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
backup-20061027-111611-548 O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
backup-20061027-111611-562 O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
backup-20061027-111611-563 O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
backup-20061027-111611-603 O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
backup-20061027-111611-633 O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
backup-20061027-111611-641 O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
backup-20061027-111611-680 O2 - BHO: (no name) - {2e246fae-8420-11d9-870d-000c2917de7f} - (no file)
backup-20061027-111611-709 O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
backup-20061027-111611-716 O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
backup-20061027-111611-793 O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
backup-20061027-111611-795 O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
backup-20061027-111611-866 O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
backup-20061027-111611-874 O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
backup-20061027-111611-927 O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
backup-20061027-111611-943 O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
backup-20061027-111611-957 O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
backup-20061027-111611-976 O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
backup-20070620-010353-424 O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
backup-20070620-010353-845 O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
backup-20070925-135140-730 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGludXMgTHV4\command.exe
backup-20070925-135349-778 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070925-135505-675 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGludXMgTHV4\command.exe
backup-20070925-172630-441 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGludXMgTHV4\command.exe
backup-20070925-172630-673 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070925-185806-550 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070925-185807-728 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGludXMgTHV4\command.exe (file missing)
backup-20070926-010954-919 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070926-010955-459 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGludXMgTHV4\command.exe (file missing)
backup-20070926-012636-575 O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
backup-20070926-012637-395 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
backup-20070927-014948-729 O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EA2855-9F13-4A7C-9A1B-E290BA3A5B9E}: NameServer = 66.209.10.201 66.102.163.231
backup-20070927-015806-294 O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\aeuhoicr.dll",sitypnow
backup-20070927-021629-650 O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
backup-20070927-021629-869 O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB003" /M "Stylus C42"
backup-20070927-145150-371 O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EA2855-9F13-4A7C-9A1B-E290BA3A5B9E}: NameServer = 66.102.163.231 66.102.163.232
backup-20070928-140117-782 O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\wnmwvghp.dll",sitypnow

-- File Associations -----------------------------------------------------------
.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
2 ezgfsfilt (EZ GIG II FS Filter) - c:\windows\system32\drivers\ezgfsfilt.sys <Not Verified; Apricorn; >
0 ezgmntr (EZ GIG II Backup Archive Explorer) - c:\windows\system32\drivers\ezgmntr.sys <Not Verified; Apricorn; >
3 ma763008 (M-Audio Ozone) - c:\windows\system32\drivers\ma763008.sys <Not Verified; M-Audio, Inc.; M-Audio Ozone>
3 MADFU008 - c:\windows\system32\drivers\madfu008.sys <Not Verified; M-Audio; Ozone Firmware Loader>
1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
3 RD1009 (EDIROL UM-1 USB Driver) - c:\windows\system32\drivers\rdwm1009.sys <Not Verified; Roland Corporation; >
2 RKCMGQRF - c:\windows\system32\rkcmgqrf.wfp (file missing)
2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
3 SEWModem (Sony Ericsson GPRS Modem) - c:\windows\system32\drivers\gc75.sys <Not Verified; Sony Ericsson; Sony Ericsson GPRS Modem Driver>
3 SEWWNIC (Sony Ericsson Wireless WAN Adapter) - c:\windows\system32\drivers\gc75net.sys <Not Verified; Sony Ericsson; Sony Ericsson Wireless WAN Adapter Driver>
0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
3 USBNZ1X1 (M-Audio Ozone Midi) - c:\windows\system32\drivers\usbnz1x1.sys <Not Verified; Doug Fetter Software Wizardry; Midiman Ozone Midi Interface>
3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe
3 MHN - c:\windows\system32\svchost.exe
4 Network Monitor - c:\program files\network monitor\netmon.exe service (file missing)
2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
2 OzoneInstallerService (M-Audio Ozone Installer) - c:\program files\m-audio\ozone\install\ozinst.exe <Not Verified; Nemesis; Ozone Installer Service>
3 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
3 ServiceLayer - c:\program files\common files\pcsuite\services\servicelayer.exe
3 usnsvc (Messenger Sharing USN Journal Reader service) - c:\windows\system32\svchost.exe
2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>
3 WmiApSrv (WMI Performance Adapter) - c:\windows\system32\wbem\wmiapsrv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------
Unable to create WMI object.

-- Files created between 2007-09-03 and 2007-10-03 -----------------------------
2007-10-03 01:25:21 218112 --a------ C:\Program Files\Linus Lux.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2007-10-02 23:28:11 182 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-10-02 23:28:11 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-10-02 23:10:25 0 d-------- C:\WINDOWS\LastGood
2007-10-02 18:14:27 11840 --a------ C:\WINDOWS\system32\yjijamwp.dll
2007-10-02 18:13:51 90176 --a------ C:\WINDOWS\system32\cilirefq.dll
2007-10-02 17:14:49 70208 --a------ C:\WINDOWS\system32\owamctni.dll
2007-10-02 17:13:10 11840 --a------ C:\WINDOWS\system32\bioepset.dll
2007-09-30 19:22:34 90176 -----n--- C:\WINDOWS\system32\dxfvuujx.dll
2007-09-30 19:19:44 11840 --a------ C:\WINDOWS\system32\akeeusxk.dll
2007-09-30 19:19:29 70208 --a------ C:\WINDOWS\system32\kmabipqe.dll
2007-09-30 19:19:18 2329080 ---hs---- C:\WINDOWS\system32\qrqss.bak1
2007-09-29 16:21:15 135168 --a------ C:\WINDOWS\tk58.exe
2007-09-29 16:20:56 169147 --a------ C:\WINDOWS\TTC-4444.exe
2007-09-28 18:25:14 1764266 ---hs---- C:\WINDOWS\system32\qrqss.bak2
2007-09-28 17:57:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 01:29:50 90176 -----n--- C:\WINDOWS\system32\wnmwvghp.dll
2007-09-28 01:29:39 11840 --a------ C:\WINDOWS\system32\qqlnqdsx.dll
2007-09-25 18:23:10 0 d-------- C:\!KillBox
2007-09-25 12:27:27 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-09-25 12:27:26 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-09-25 12:24:01 311872 -----n--- C:\WINDOWS\system32\ssqrq.dll
2007-09-25 12:20:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-09-25 12:19:57 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2007-09-25 12:19:39 0 d-------- C:\WINDOWS\system32\Z2
2007-09-25 12:19:39 0 d-------- C:\WINDOWS\system32\GB9
2007-09-25 12:19:38 0 d-------- C:\WINDOWS\system32\Z1
2007-09-25 12:19:38 0 d-------- C:\WINDOWS\system32\DL1
2007-09-25 12:19:38 0 d-------- C:\WINDOWS\system32\C2
2007-09-25 12:19:12 0 d-------- C:\WINDOWS\system32\vMW04a
2007-09-19 15:56:10 53248 --a------ C:\WINDOWS\b122.exe
2007-09-11 15:25:42 66048 --a------ C:\WINDOWS\system32\mrtrate.dll <Not Verified; Marimba, Inc.; Rate Sensing Manager>
2007-09-11 15:25:42 65024 --a------ C:\WINDOWS\system32\mrtmngr.exe <Not Verified; Marimba Inc.; Rate Sensing Manager>
2007-09-11 15:25:41 1694992 --a------ C:\WINDOWS\system32\vba6.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2007-09-11 15:25:40 6838 --a------ C:\WINDOWS\Icoadb32.dat
2007-09-11 15:25:40 57344 --a------ C:\WINDOWS\Icg32.dll <Not Verified; Intuit; Internet Client 2.2>
2007-09-11 15:25:25 0 d-------- C:\WINDOWS\Intuit
2007-09-11 15:25:22 0 d-------- C:\Program Files\Intuit
2007-09-11 15:24:31 0 d-------- C:\Documents and Settings\Linus Lux\WINDOWS
2007-09-07 14:39:15 0 d-------- C:\Program Files\EPSON
2007-09-07 14:39:06 0 d-------- C:\epson

-- Find3M Report ---------------------------------------------------------------
2007-10-03 00:56:47 0 d-------- C:\Program Files\Windows NT
2007-10-03 00:44:56 0 d-------- C:\Program Files\Movie Maker
2007-10-03 00:44:03 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-03 00:41:45 0 d-------- C:\Program Files\M-Audio Ozone
2007-10-03 00:41:07 0 d-------- C:\Program Files\iTunes
2007-10-03 00:39:47 0 d-------- C:\Program Files\Google
2007-09-28 14:01:17 0 d-------- C:\Program Files\backups
2007-09-25 12:27:45 0 d-------- C:\Documents and Settings\Linus Lux\Application Data\LimeWire
2007-09-24 03:40:13 2695699 --a------ C:\Documents and Settings\Linus Lux\Application Data\NMM-MetaData.db
2007-09-18 23:48:50 0 d-------- C:\Documents and Settings\Linus Lux\Application Data\AdobeUM
2007-09-17 10:15:22 0 d-------- C:\Program Files\Dl_cats
2007-08-14 20:41:22 0 d-------- C:\Documents and Settings\Linus Lux\Application Data\Datalayer
2007-08-03 12:24:31 0 d-------- C:\Documents and Settings\Linus Lux\Application Data\U3

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{668E3EDD-0BE4-46EB-98B7-2E50F11D8716}]
08/02/2007 09:43 AM 282624 --a------ C:\Program Files\Movie Maker\hokevof83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
C:\Program Files\ISM\BndDrive4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9317a54d-01eb-44d4-9359-6864ce934c8a}]
C:\WINDOWS\system32\hgbeifm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A34684F5-E6D3-4183-9B78-9A1D7EA24207}]
08/02/2007 09:43 AM 282624 --a------ C:\Program Files\Movie Maker\hokevof4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEA92DF4-09FD-4189-B30F-72982EA64C30}]
09/25/2007 12:24 PM 311872 --------- C:\WINDOWS\system32\ssqrq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}]
10/02/2007 06:14 PM 11840 --a------ C:\WINDOWS\system32\yjijamwp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E64F0381-0053-4842-B3E5-08F6C4A0AEB6}]
10/02/2007 05:14 PM 70208 --a------ C:\WINDOWS\system32\owamctni.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7E22B43-DB34-4695-A1B2-CB22DE4FA9ED}]
09/29/2007 04:21 PM 70144 --------- C:\Program Files\Windows NT\lavupagob.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/30/2004 03:59 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [05/06/2004 03:58 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 09:38 AM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [05/06/2004 03:58 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/30/2004 06:05 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/02/2006 12:59 AM]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [04/26/2006 08:29 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 06:00 AM C:\WINDOWS\SYSTEM32\BTHPROPS.CPL]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/18/2006 06:54 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 03:48 AM]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [10/18/2005 10:00 AM]
"FolderView"="C:\WINDOWS\system32\cilirefq.dll" [10/02/2007 06:13 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [06/16/2006 02:38 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/26/2006 04:13 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/26/2007 01:32 PM]
"@"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]

C:\Documents and Settings\Linus Lux\Start Menu\Programs\Startup\
DESKTOP.INI [8/19/2004 5:07:20 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/19/2004 5:07:20 PM]
M-Audio Ozone Control Panel Launcher.lnk - C:\Program Files\M-Audio Ozone\OZTask.exe [1/31/2003 1:34:50 PM]
PayPal Plug-In for Outlook Express.lnk - C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe [11/30/2005 12:56:56 AM]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [9/11/2007 3:25:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\profsydyzaz.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2DF26EA8-AAF5-45BD-A107-778EB1D5C0C9}"= C:\WINDOWS\system32\opnlkkk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 05:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkkk]
opnlkkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqrq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28597a92-3a9e-11dc-8710-0016419f5869}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ebfe8ec-3e09-11dc-8711-0016419f5869}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9543717-024b-11dc-86fa-001143762027}]
AutoRun\command- G:\wd_windows_tools\setup.exe

-- End of Deckard's System Scanner: finished at 2007-10-03 01:26:18 ------------
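A few lines in the log above carry the whole story of the persistence: the `cmdService` service lives under `C:\WINDOWS\TGludXMgTHV4\`, and that directory name is plain base64 for the account name `Linus Lux`; the two O17 entries show the NameServer value being rewritten between scans; and the `FolderView` Run entry loads an eight-letter DLL from system32 whose name changes from one scan to the next. The script below is an added example for this thread (not code from HijackThis, Deckard's System Scanner or the forum) that runs those three checks over a handful of lines copied from the log. The `EXPECTED_DNS` set, the `KNOWN_SYSTEM32` allow-list and the "5 to 8 lowercase letters" random-name rule are assumptions for illustration, not rules either tool applies.

```python
"""Triage helper for HijackThis / Deckard's System Scanner style lines.

Added example for this thread; it is not code from HijackThis, DSS or the
forum. The sample lines are copied from the log above; the allow-list, the
random-name rule and the finding names are assumptions for illustration.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: entries lifted from the HijackThis backups and the
# registry dump in the first post (two clean entries are included for contrast).
SAMPLE_LINES = [
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGludXMgTHV4\command.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EA2855-9F13-4A7C-9A1B-E290BA3A5B9E}: NameServer = 66.209.10.201 66.102.163.231",
    r'O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\aeuhoicr.dll",sitypnow',
    r'O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"',
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {AEA92DF4-09FD-4189-B30F-72982EA64C30} - C:\WINDOWS\system32\ssqrq.dll",
]

# Assumption: the resolvers the owner actually configured (router / ISP).
# The log shows the O17 NameServer value changing between scans, so any
# address outside this set is worth questioning.
EXPECTED_DNS = {"192.168.1.1"}

# Assumption: short all-lowercase system32 names that legitimately live there.
KNOWN_SYSTEM32 = {"ctfmon", "rundll32", "svchost", "spool"}

WIN_PATH = re.compile(r'[A-Za-z]:\\[^",]+')
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
NAMESERVER = re.compile(r"NameServer = (.+)$")


def decode_base64_component(name: str) -> Optional[str]:
    """Return the decoded text when a path component is base64 of printable ASCII.

    The malware in this log kept its service under the directory TGludXMgTHV4,
    which decodes to the logged-in user's name.
    """
    if not B64_TOKEN.match(name) or len(name) % 4:
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def looks_random(basename: str) -> bool:
    """Heuristic (assumed): 5-8 lowercase letters, no digits, not on the allow-list."""
    stem = basename.rsplit(".", 1)[0]
    return 5 <= len(stem) <= 8 and stem.isalpha() and stem.islower() and stem not in KNOWN_SYSTEM32


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Walk log lines and return findings with a short machine-readable kind."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = NAMESERVER.search(line)
        if m:
            bad = [ip for ip in m.group(1).split() if ip not in EXPECTED_DNS]
            if bad:
                findings.append({"kind": "dns-changed", "detail": " ".join(bad), "line": line})
        for path in WIN_PATH.findall(line):
            parts = path.split("\\")
            # Directory components only: a base64 folder name is the tell here.
            for comp in parts[1:-1]:
                decoded = decode_base64_component(comp)
                if decoded:
                    findings.append({"kind": "base64-path", "detail": f"{comp} -> {decoded!r}", "line": line})
            # Random-looking file names are only suspicious inside system32.
            if len(parts) > 2 and parts[-2].lower() == "system32" and looks_random(parts[-1]):
                findings.append({"kind": "random-dll", "detail": parts[-1], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['kind']:12} {f['detail']:32} {f['line'][:70]}")
```

Run on the sample, the script flags the base64 service directory (decoded to `Linus Lux`), both resolver addresses in the O17 line, and the two system32 DLLs, while the Dell and Adobe entries pass untouched. The random-name rule is deliberately narrow; widen the allow-list before pointing it at a real log.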
#2 (permalink) |
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Before anyone will even consider working this log, please tell us if you have a working antivirus program installed on this machine.
If the answer is yes, tell me its name & the last time you did a full system scan. If the answer is no, then tell me if you have considered wiping the machine.
__________________
Question - what have you done for the community today?
#3 (permalink) |
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Hi. Thanks for getting back to me. I've done scans over the past week with Ad-Aware SE, AVG 7.5.1.43, and Spybot 1.4. Numerous scans with each actually. Also I scanned once with SmitFraudFix.
I've also attempted a fix by using Killbox on the infected files that have shown up on the scan logs. The last full system scan I did was about 1 day ago. The last scan I did was the Panda scan as recommended by Tech Support Forums, and I've been on pause since then... The scans have shown up clean a few times after my various attempts, but the viruses keep regenerating. In particular I worked hard on the TTC- file I kept finding. I'm at a loss. I appreciate any coaching I can get on here. Best.
Last edited by LinusLuxEsq; 10-03-2007 at 02:38 PM.
#4 (permalink) |
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
You still haven't told me what type of antivirus program you have installed on the machine.
If there hasn't been a resident security program protecting you all this while, the damage done would be too extensive. It's not really worth my OR your time to clean this machine. You would be better off wiping the machine & starting afresh.
#5 (permalink) |
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Gotcha. No, I wasn't running anything in the background. I have ZoneAlarm on most of the time, but it wasn't activated at the time that I opened this thing. I guess I'll just reformat. Can you give me any advice to avoid backing up the virus to my external drive and reinstalling it into my clean system?
Thanks
#6 (permalink) |
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Go perform this online scan > Online Scanner
You needn't do the complete scan. Just scan the critical areas. When it's done, look over the infection names. If you don't see 'Virut', you can do a Repair Install. The repair install won't get rid of all the infections, but it will disable some of them.

When you have performed the repair install, download & install a free antivirus program. AntiVir & AVG are recommended. Get either one but never both. Have the antivirus scanner perform a full system scan; allow it to disinfect/delete any infected files found. Then perform a full Kaspersky scan using the link from above. Any files found then can be manually deleted. Using this strategy, you minimise your losses. If you have difficulty figuring out the Kaspersky log, please come back to this thread so that I may assist you.
Last edited by sUBs; 10-03-2007 at 02:56 PM.
#8 (permalink) |
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Hi,
I performed a Repair Install, scanned with AVG Anti-Virus, which is now running, and I finished a Kaspersky scan of critical areas, and I've posted the log here. I would indeed like some assistance in reading it. I'm not sure which files to delete or shred or leave alone. Thanks again! Best.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 10, 2007 5:09:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/10/2007
Kaspersky Anti-Virus database records: 430564
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\LINUSL~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 18541
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:32:19

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\WPD\WPDTRACE.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\DBJPC871.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A1843A58-DE88-4C41-8652-8F253AE4FFBD}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe NSIS: infected - 4 skipped
C:\WINDOWS\Temp\ZLT00dd9.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00de0.TMP Object is locked skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\LINUSL~1\LOCALS~1\Temp\WCESLog.log Object is locked skipped
C:\DOCUME~1\LINUSL~1\LOCALS~1\Temp\~DF2B84.tmp Object is locked skipped

Scan process completed.

Pop-ups are still on the rise. Thanks!
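Reading a Kaspersky Online Scanner report of this shape is mostly a matter of separating noise from signal. "Object is locked skipped" lines are registry hives, event logs and other files the scanner could not open, not infections; each "Infected:" line names one member inside an archive (the part after the slash); and each "NSIS: infected - N" line is the scanner's tally for the container that holds those members. The Python below is an added example, not part of the original post and not Kaspersky's tooling. It parses a subset of lines copied from the log above, groups detections by the file that actually sits on disk, and checks that the report's own statistics block (4 viruses found, 9 infected objects) reconciles as distinct detection names, and members plus containers, respectively.

```python
import re
from collections import defaultdict

# Lines taken from the Kaspersky report posted above (a constructed subset).
KAV_SAMPLE = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\WINDOWS\SYSTEM32\Z2\mon33dll.exe NSIS: infected - 4 skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\ZLT00dd9.TMP Object is locked skipped
Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<obj>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<obj>.+) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<obj>.+) (?P<fmt>\S+): infected - (?P<count>\d+) skipped$")


def host_file(obj):
    """Archive members are written host.exe/member; return the file on disk."""
    return obj.split("/", 1)[0]


def parse_report(text):
    """Return the locked-object count, detections grouped by host file, and
    the per-container tallies the scanner prints for each archive."""
    locked = 0
    detections = defaultdict(list)   # host file -> [(member path, detection name)]
    containers = {}                  # host file -> (archive format, declared count)
    for line in text.splitlines():
        line = line.strip()
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections[host_file(m.group("obj"))].append((m.group("obj"), m.group("name")))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            containers[m.group("obj")] = (m.group("fmt"), int(m.group("count")))
    return {"locked": locked, "detections": dict(detections), "containers": containers}


def summarize(report):
    """Reproduce the scanner's statistics block: 'viruses found' is the number
    of distinct detection names; 'infected objects' counts every archive
    member plus the archive itself once more."""
    names = {name for hits in report["detections"].values() for _, name in hits}
    members = sum(len(hits) for hits in report["detections"].values())
    return {
        "viruses_found": len(names),
        "infected_objects": members + len(report["containers"]),
        "host_files": sorted(set(report["detections"]) | set(report["containers"])),
        "names": sorted(names),
    }


def tally_mismatches(report):
    """Containers whose 'infected - N' disagrees with the member lines seen."""
    out = []
    for host, (_, declared) in report["containers"].items():
        seen = len(report["detections"].get(host, []))
        if seen != declared:
            out.append((host, declared, seen))
    return out


if __name__ == "__main__":
    rep = parse_report(KAV_SAMPLE)
    print(summarize(rep))
    for host in summarize(rep)["host_files"]:
        print(host, "->", [name for _, name in rep["detections"].get(host, [])])
```

On the sample, the three host files are the two NSIS installers under SYSTEM32 and TTC-4444.exe; those are the objects to act on, while the locked hives and logs need no attention at all.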
#9
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Did you download anything after the Repair Install? Why is there active malware in the machine?
Stop ALL the scans & do this now.
1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
__________________
Question - what have you done for the community today?
#10
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Doing the Combofix now.
I downloaded AVG Anti-Virus since I only had AVG Anti-Spyware, and I also attempted to download Windows Updates. On restart I received an error message about C:\WINDOWS\System32\prwxgqao.dll, and the Updates aren't installing for some reason. After all of those scans and the quarantine of tk58.exe, AVG picked up tk58.exe again during restart. TTC-4444.exe keeps showing up as well, in scans, and under ZoneAlarm blocked programs, even though it was quarantined. I'll post the log in a few.... Thanks continues....
#11
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Hi,
ComboFix Log:
ComboFix 07-10-11.3 - Linus Lux 2007-10-10 18:52:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.746 [GMT -4:00]
Running from: C:\Documents and Settings\Linus Lux\Desktop\Anti-Virus & Anti-Spyware\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Movie Maker\hokevof4444.dll
C:\Program Files\Movie Maker\hokevof83122.dll
C:\Program Files\TTC.dll
C:\Program Files\Windows NT\profsydyzaz.html
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_001944_.tmp.dll
C:\WINDOWS\system32\C2
C:\WINDOWS\system32\vMW04a
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z2
C:\WINDOWS\system32\Z2\mon33dll.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\x.exe
C:\WINDOWS\y.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\Network Monitor

((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.
2007-10-10 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 15:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-10 14:58 <DIR> d-------- C:\Documents and Settings\Linus Lux\Application Data\AVG7
2007-10-10 14:57 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-10-10 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-09 19:59 73,728 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresja.dll
2007-10-09 19:59 69,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresko.dll
2007-10-09 19:59 69,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresfr.dll
2007-10-09 19:59 69,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresde.dll
2007-10-09 19:48 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2007-10-09 19:35 152,576 --a------ C:\WINDOWS\SYSTEM32\irftp.exe
2007-10-09 19:35 27,136 --a------ C:\WINDOWS\SYSTEM32\irmon.dll
2007-10-09 19:35 8,192 --a------ C:\WINDOWS\SYSTEM32\wshirda.dll
2007-10-09 19:23 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-10-09 19:23 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-10-09 19:23 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-10-09 19:23 13,312 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-10-09 16:51 11,840 --a------ C:\WINDOWS\SYSTEM32\yosauvec.dll
2007-10-09 16:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-10-09 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-09 15:50 11,840 --a------ C:\WINDOWS\SYSTEM32\ldqmbpht.dll
2007-10-09 15:09 <DIR> d-------- C:\WINDOWS\dell
2007-10-08 15:48 11,840 --a------ C:\WINDOWS\SYSTEM32\mdljtdgr.dll
2007-10-04 13:58 11,840 --a------ C:\WINDOWS\SYSTEM32\mrupskje.dll
2007-10-03 01:25 218,112 --a------ C:\Program Files\Linus Lux.exe
2007-10-03 01:24 <DIR> d-------- C:\Deckard
2007-10-02 18:14 11,840 --a------ C:\WINDOWS\SYSTEM32\yjijamwp.dll
2007-10-02 17:13 11,840 --a------ C:\WINDOWS\SYSTEM32\bioepset.dll
2007-09-30 19:19 2,329,080 --ahs---- C:\WINDOWS\SYSTEM32\qrqss.bak1
2007-09-30 19:19 11,840 --a------ C:\WINDOWS\SYSTEM32\akeeusxk.dll
2007-09-28 18:25 965,816 --ahs---- C:\WINDOWS\SYSTEM32\qrqss.bak2
2007-09-28 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 01:29 11,840 --a------ C:\WINDOWS\SYSTEM32\qqlnqdsx.dll
2007-09-27 01:16 185,856 --a------ C:\WINDOWS\SYSTEM\FRAMEDYN.DLL
2007-09-25 12:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-09-25 12:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\GB9
2007-09-25 12:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\DL1
2007-09-11 15:25 <DIR> d-------- C:\WINDOWS\Intuit
2007-09-11 15:25 <DIR> d-------- C:\Program Files\Intuit
2007-09-11 15:25 1,694,992 --a------ C:\WINDOWS\SYSTEM32\vba6.dll
2007-09-11 15:25 66,048 --a------ C:\WINDOWS\SYSTEM32\mrtrate.dll
2007-09-11 15:25 65,024 --a------ C:\WINDOWS\SYSTEM32\mrtmngr.exe
2007-09-11 15:25 57,344 --a------ C:\WINDOWS\Icg32.dll
2007-09-11 15:25 6,838 --a------ C:\WINDOWS\Icoadb32.dat
2007-09-11 15:24 <DIR> d-------- C:\Documents and Settings\Linus Lux\WINDOWS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 04:44 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-03 04:41 --------- d-----w C:\Program Files\M-Audio Ozone
2007-10-03 04:41 --------- d-----w C:\Program Files\iTunes
2007-10-03 04:39 --------- d-----w C:\Program Files\Google
2007-10-03 03:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 18:01 --------- d-----w C:\Program Files\backups
2007-09-25 16:27 --------- d-----w C:\Documents and Settings\Linus Lux\Application Data\LimeWire
2007-09-19 03:48 --------- d-----w C:\Documents and Settings\Linus Lux\Application Data\AdobeUM
2007-09-17 14:15 --------- d-----w C:\Program Files\Dl_cats
2007-09-07 18:39 --------- d-----w C:\Program Files\EPSON
2007-08-15 00:41 --------- d-----w C:\Documents and Settings\Linus Lux\Application Data\Datalayer
2005-02-16 16:06 218,112 ----a-w C:\Program Files\HijackThis.exe
2004-08-10 10:00:00 73,728 --sha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2005-12-12 16:01:34 329,328 --sha-w C:\WINDOWS\SYSTEM32\hhhkj.bak1
2005-12-14 22:28:03 338,589 --sha-w C:\WINDOWS\SYSTEM32\hhhkj.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1368106D-2E42-4172-89A5-6CAEE6867FF6}]
C:\WINDOWS\system32\ssqrq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
C:\Program Files\ISM\BndDrive4.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9317a54d-01eb-44d4-9359-6864ce934c8a}]
C:\WINDOWS\system32\hgbeifm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7E22B43-DB34-4695-A1B2-CB22DE4FA9ED}]
C:\Program Files\Windows NT\lavupagob.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-05-06 15:58]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-05-06 15:58]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 18:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-02 00:59]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 08:00 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-06-18 18:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2005-10-18 10:00]
"FolderView"="C:\WINDOWS\system32\prwxgqao.dll" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 06:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 06:00]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
"nwiz"="nwiz.exe" [2004-11-30 18:05 C:\WINDOWS\SYSTEM32\nwiz.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-10 14:57]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 13:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
M-Audio Ozone Control Panel Launcher.lnk - C:\Program Files\M-Audio Ozone\OZTask.exe [2003-01-31 13:34:50]
PayPal Plug-In for Outlook Express.lnk - C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe [2005-11-30 00:56:56]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2007-09-11 15:25:40]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkkk]
opnlkkk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
R0 ezgmntr;EZ GIG II Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\ezgmntr.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R2 ezgfsfilt;EZ GIG II FS Filter;C:\WINDOWS\system32\DRIVERS\ezgfsfilt.sys
S2 RKCMGQRF;RKCMGQRF;\??\C:\WINDOWS\system32\rkcmgqrf.wfp
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;C:\WINDOWS\system32\DRIVERS\HCWUSB2.sys
S3 ma763008;M-Audio Ozone;C:\WINDOWS\system32\drivers\MA763008.sys
S3 MADFU008;MADFU008;C:\WINDOWS\system32\DRIVERS\MADFU008.sys
S3 RD1009;EDIROL UM-1 USB Driver;C:\WINDOWS\system32\Drivers\rdwm1009.sys
S3 SEWModem;Sony Ericsson GPRS Modem;C:\WINDOWS\system32\DRIVERS\GC75.sys
S3 SEWWNIC;Sony Ericsson Wireless WAN Adapter;C:\WINDOWS\system32\DRIVERS\GC75Net.sys
S3 USBNZ1X1;M-Audio Ozone Midi;C:\WINDOWS\system32\drivers\usbnz1x1.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28597a92-3a9e-11dc-8710-0016419f5869}]
AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ebfe8ec-3e09-11dc-8711-0016419f5869}]
AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9543717-024b-11dc-86fa-001143762027}]
AutoRun\command - G:\wd_windows_tools\setup.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 19:00:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-11 19:03:52 - machine was rebooted
.
--- E O F ---

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:40 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\dumprep.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {1368106D-2E42-4172-89A5-6CAEE6867FF6} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll (file missing)
O2 - BHO: (no name) - {9317a54d-01eb-44d4-9359-6864ce934c8a} - C:\WINDOWS\system32\hgbeifm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {F7E22B43-DB34-4695-A1B2-CB22DE4FA9ED} - C:\Program Files\Windows NT\lavupagob.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\prwxgqao.dll",sitypnow
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192048412960
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: opnlkkk - opnlkkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: M-Audio Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

THANKS!
#12
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Looking at it now. Don't go away
__________________
Question - what have you done for the community today?
#14
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
C:\Program Files\Linus Lux.exe
Is this a file you created? Perhaps a renamed copy of HijackThis?
__________________
Question - what have you done for the community today?
#16
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: sUBs' crap
Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
---------------
Do a HijackThis scan & place a check next to these items and select "Fix checked":
O2 - BHO: (no name) - {1368106D-2E42-4172-89A5-6CAEE6867FF6} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll (file missing)
O2 - BHO: (no name) - {9317a54d-01eb-44d4-9359-6864ce934c8a} - C:\WINDOWS\system32\hgbeifm.dll (file missing)
O2 - BHO: 0 - {F7E22B43-DB34-4695-A1B2-CB22DE4FA9ED} - C:\Program Files\Windows NT\lavupagob.dll (file missing)
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\prwxgqao.dll",sitypnow
O20 - Winlogon Notify: opnlkkk - opnlkkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
---------------
Open notepad and copy/paste the text in the quotebox below into it:
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/185522-several-viruses-including-trojan-downloader-trojan-galgar-dy.html
Collect::
C:\WINDOWS\SYSTEM32\yosauvec.dll
C:\WINDOWS\SYSTEM32\ldqmbpht.dll
C:\WINDOWS\SYSTEM32\mdljtdgr.dll
C:\WINDOWS\SYSTEM32\mrupskje.dll
C:\WINDOWS\SYSTEM32\yjijamwp.dll
C:\WINDOWS\SYSTEM32\bioepset.dll
File::
C:\WINDOWS\SYSTEM32\qrqss.bak1
C:\WINDOWS\SYSTEM32\akeeusxk.dll
C:\WINDOWS\SYSTEM32\qrqss.bak2
C:\WINDOWS\SYSTEM32\qqlnqdsx.dll
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
Folder::
C:\WINDOWS\SYSTEM32\GB9
C:\WINDOWS\SYSTEM32\DL1
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\LocalService\Application Data\NetMon
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1368106D-2E42-4172-89A5-6CAEE6867FF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9317a54d-01eb-44d4-9359-6864ce934c8a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7E22B43-DB34-4695-A1B2-CB22DE4FA9ED}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FolderView"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkkk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4
---------------
Click here to perform an online scan >> Online Scanner
Follow the guide to the letter. I need a complete scan
---------------
In your next post, please include fresh logs from:
__________________
Question - what have you done for the community today?
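The post above turns a long HijackThis log into a short "Fix checked" list. The Python below is an added example, not part of this thread, of HijackThis, or of any tool the expert used; it applies three of the checks a log reader makes by eye to a subset of entries copied from the log in post #11 (benign entries from the same log are included so there is something to leave alone). An O2 BHO or O20 Winlogon Notify entry marked "(file missing)" is an orphaned loader with nothing legitimate left to keep; an O4 Run entry that uses rundll32 to load a DLL with a random-looking all-lowercase name through an all-lowercase export is worth flagging; and a Winlogon Notify package whose path is a bare directory cannot be a real notification DLL. The random-name heuristic is an assumption of this example, not a rule HijackThis applies. On the sample it reproduces exactly the seven entries the expert chose.

```python
import re

# Entries taken from the HijackThis log posted in this thread; the benign
# ones are included so the heuristics have something to leave alone.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {1368106D-2E42-4172-89A5-6CAEE6867FF6} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll (file missing)
O2 - BHO: (no name) - {9317a54d-01eb-44d4-9359-6864ce934c8a} - C:\WINDOWS\system32\hgbeifm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: 0 - {F7E22B43-DB34-4695-A1B2-CB22DE4FA9ED} - C:\Program Files\Windows NT\lavupagob.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\prwxgqao.dll",sitypnow
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: opnlkkk - opnlkkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

FILE_MISSING = "(file missing)"
# rundll32[.exe] "<path>.dll",<export>   (the quotes are optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?,(?P<export>\w+)', re.IGNORECASE)
# Heuristic (an assumption of this example): a bare run of 6-9 lowercase
# letters with no digits or case mix is how generated file names tend to look.
RANDOM_STEM_RE = re.compile(r"[a-z]{6,9}")


def split_entry(line):
    """Return (section, body) for an 'Oxx - ...' line, else None."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def review(section, body):
    """Return the reason an entry deserves 'Fix checked', or None to leave it."""
    if section in ("O2", "O20") and body.endswith(FILE_MISSING):
        return "autostart points to a file that no longer exists (orphaned loader)"
    if section == "O4":
        m = RUNDLL_RE.search(body)
        if m:
            stem = m.group("path").rsplit("\\", 1)[-1][:-4]     # e.g. prwxgqao
            if RANDOM_STEM_RE.fullmatch(stem) and m.group("export").islower():
                return "rundll32 loads a random-looking DLL through a lowercase export"
    if section == "O20":
        target = body.split(" - ", 1)[-1].strip()
        if target.endswith("\\"):
            return "Winlogon Notify package path is a directory, not a DLL"
    return None


def triage(log_text):
    """[(entry line, reason)] for every entry review() flags, in log order."""
    hits = []
    for raw in log_text.splitlines():
        parsed = split_entry(raw)
        if parsed is None:
            continue
        reason = review(*parsed)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


def fix_list(log_text):
    """Just the lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(HJT_SAMPLE):
        print(f"{line}\n    -> {reason}")
```

The name heuristic is deliberately narrow: NvCpl.dll (mixed case) and bthprops.cpl (not a .dll) pass untouched, and a legitimate Winlogon package such as LgNotify.dll is kept because its path ends in a real file name.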
#17
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Performing ComboFix scan now. ViewPoint didn't show up in Add or Remove Programs. I remember it being there before, and I remember removing it or trying to. The only strange one to me was a program called Digital Line Detect, but it shows the last used date as 5-9-2005. So I might just be buggin about it.
#18
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Finished ComboFix scan and submitted to bleepingcomputer. Now I'm running into problems accepting the terms for the Kaspersky scan. There's an error ! in the bottom left of the window. Uninstalled Kaspersky from my programs list. Tried again to run from the webpage. Same problem. [pulling hair out]
#19
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Post the ComboFix log.
Then describe the Kaspersky error in detail.
__________________
Question - what have you done for the community today?
#20
Registered User
Join Date: Oct 2007
Posts: 20
OS: WinXP sp2
Re: Several Viruses Including Trojan/Downloader and Trojan/Galgar.DY
Here's ComboFix:
ComboFix 07-10-11.3 - Linus Lux 2007-10-11 19:53:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.625 [GMT -4:00]
Running from: C:\Documents and Settings\Linus Lux\Desktop\Anti-Virus & Anti-Spyware\ComboFix.exe
Command switches used :: C:\Documents and Settings\Linus Lux\Desktop\Anti-Virus & Anti-Spyware\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\akeeusxk.dll
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\qqlnqdsx.dll
C:\WINDOWS\SYSTEM32\qrqss.bak1
C:\WINDOWS\SYSTEM32\qrqss.bak2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\WINDOWS\SYSTEM32\akeeusxk.dll
C:\WINDOWS\SYSTEM32\bioepset.dll
C:\WINDOWS\SYSTEM32\DL1
C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.exe
C:\WINDOWS\SYSTEM32\GB9
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\ldqmbpht.dll
C:\WINDOWS\SYSTEM32\mdljtdgr.dll
C:\WINDOWS\SYSTEM32\mrupskje.dll
C:\WINDOWS\SYSTEM32\qqlnqdsx.dll
C:\WINDOWS\SYSTEM32\qrqss.bak1
C:\WINDOWS\SYSTEM32\qrqss.bak2
C:\WINDOWS\SYSTEM32\yjijamwp.dll
C:\WINDOWS\SYSTEM32\yosauvec.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.
2007-10-10 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 15:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-10 14:58 <DIR> d-------- C:\Documents and Settings\Linus Lux\Application Data\AVG7
2007-10-10 14:57 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-10-10 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-09 19:59 73,728 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresja.dll
2007-10-09 19:59 69,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresko.dll
2007-10-09 19:59 69,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresfr.dll
2007-10-09 19:59 69,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ehresde.dll
2007-10-09 19:48 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2007-10-09 19:35 152,576 --a------ C:\WINDOWS\SYSTEM32\irftp.exe
2007-10-09 19:35 27,136 --a------ C:\WINDOWS\SYSTEM32\irmon.dll
2007-10-09 19:35 8,192 --a------ C:\WINDOWS\SYSTEM32\wshirda.dll
2007-10-09 19:23 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-10-09 19:23 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-10-09 19:23 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-10-09 19:23 13,312 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-10-09 16:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-10-09 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-09 15:09 <DIR> d-------- C:\WINDOWS\dell
2007-10-03 01:25 218,112 --a------ C:\Program Files\Linus Lux.exe
2007-10-03 01:24 <DIR> d-------- C:\Deckard
2007-09-28 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-27 01:16 185,856 --a------ C:\WINDOWS\SYSTEM\FRAMEDYN.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 23:48 --------- d-----w C:\Program Files\backups
2007-10-11 23:06 9,134 ----a-w C:\Program Files\hijackthis.log
2007-10-03 04:44 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-03 04:41 --------- d-----w C:\Program Files\M-Audio Ozone
2007-10-03 04:41 --------- d-----w C:\Program Files\iTunes
2007-10-03 04:39 --------- d-----w C:\Program Files\Google
2007-09-25 16:27 --------- d-----w C:\Documents and Settings\Linus Lux\Application Data\LimeWire
2007-09-19 03:48 --------- d-----w C:\Documents and Settings\Linus Lux\Application Data\AdobeUM
2007-09-17 14:15 --------- d-----w C:\Program Files\Dl_cats
2007-09-11 19:25 --------- d-----w C:\Program Files\Intuit
2007-09-07 18:39 --------- d-----w C:\Program Files\EPSON
2007-08-15 00:41 --------- d-----w C:\Documents and Settings\Linus Lux\Application Data\Datalayer
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2005-02-16 16:06 218,112 ----a-w C:\Program Files\HijackThis.exe
2004-08-10 10:00:00 73,728 --sha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.
((((((((((((((((((((((((((((( snapshot@2007-10-11_19.02.52.65 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 60,568 2007-10-11 23:09:02 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 396,080 2007-10-11 23:09:02 C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
----a-w 60,568 2007-10-10 22:47:02 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 396,080 2007-10-10 22:47:02 C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-05-06 15:58]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-05-06 15:58]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 18:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-02 00:59]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 08:00 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-06-18 18:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2005-10-18 10:00]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 06:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 06:00]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
"nwiz"="nwiz.exe" [2004-11-30 18:05 C:\WINDOWS\SYSTEM32\nwiz.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-10 14:57]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-06-16 14:38]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
[2006-06-26 16:13] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 13:32] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ M-Audio Ozone Control Panel Launcher.lnk - C:\Program Files\M-Audio Ozone\OZTask.exe [2003-01-31 13:34:50] PayPal Plug-In for Outlook Express.lnk - C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe [2005-11-30 00:56:56] QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2007-09-11 15:25:40] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] C:\WINDOWS\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /installquiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r R0 ezgmntr;EZ GIG II Backup Archive 
Explorer;C:\WINDOWS\system32\DRIVERS\ezgmntr.sys R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys R2 ezgfsfilt;EZ GIG II FS Filter;C:\WINDOWS\system32\DRIVERS\ezgfsfilt.sys S2 RKCMGQRF;RKCMGQRF;\??\C:\WINDOWS\system32\rkcmgqrf.wfp S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;C:\WINDOWS\system32\DRIVERS\HCWUSB2.sys S3 ma763008;M-Audio Ozone;C:\WINDOWS\system32\drivers\MA763008.sys S3 MADFU008;MADFU008;C:\WINDOWS\system32\DRIVERS\MADFU008.sys S3 RD1009;EDIROL UM-1 USB Driver;C:\WINDOWS\system32\Drivers\rdwm1009.sys S3 SEWModem;Sony Ericsson GPRS Modem;C:\WINDOWS\system32\DRIVERS\GC75.sys S3 SEWWNIC;Sony Ericsson Wireless WAN Adapter;C:\WINDOWS\system32\DRIVERS\GC75Net.sys S3 USBNZ1X1;M-Audio Ozone Midi;C:\WINDOWS\system32\drivers\usbnz1x1.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28597a92-3a9e-11dc-8710-0016419f5869}] AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ebfe8ec-3e09-11dc-8711-0016419f5869}] AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9543717-024b-11dc-86fa-001143762027}] AutoRun\command - G:\wd_windows_tools\setup.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-11 20:00:24 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-11 20:03:28 - machine was rebooted C:\ComboFix2.txt ... 2007-10-11 19:03 . 
--- E O F ---

Kaspersky error (aside from spelling it wrong in my last reply): I clicked on the link from your reply, which opens to this: Online Scanner. I clicked on the link on that page, which opens to this: http://www.kaspersky.com/virusscanner. I clicked on "Kaspersky Online Scanner", which opened a window with Benefits, Requirements, Privacy and such. I clicked on "Accept", and the bottom left of the status bar turns to a yellow triangle with an exclamation point in it. It reads "Error on the page". "Done". Double clicking on that reveals an error message. The details read "line 311, char 1, error: permission denied, code 0, URL: http//www.kaspersky.com/kos/english/kavwebscan.html".

Hope that helps... Thanks
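Reading a ComboFix "Reg Loading Points" section by hand means scanning dozens of Run values, service lines and mountpoints2 AutoRun commands for the few that deserve a second look. The script below is an added example, not part of the post above and not code from ComboFix or the forum's helpers. It parses the three line shapes that section uses (`"name"="path" [date]`, `R0/S2 name;display;path`, `AutoRun\command - ...`) and applies my own review rules, which are assumptions rather than anything the tool defines: an image extension other than .exe/.dll/.sys/.cpl, an image given as an NT object path (`\??\`), a service whose name, display name and file stem are the same eight-letter token, a Run value that is a bare file name, and any removable-media AutoRun command. The sample lines are copied from the log posted above; the selection and the rules are mine, and a hit only means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines in the shape of the ComboFix "Reg Loading
# Points" section. The entries are copied from the log posted above; which
# ones to include is my choice.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59]
"nwiz"="nwiz.exe" [2004-11-30 18:05 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-06-18 18:54]

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
S2 RKCMGQRF;RKCMGQRF;\??\C:\WINDOWS\system32\rkcmgqrf.wfp
S3 MADFU008;MADFU008;C:\WINDOWS\system32\DRIVERS\MADFU008.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command - G:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
SVC_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>\S.*)$')
AUTORUN_RE = re.compile(r'^AutoRun\\command\s+-\s+(?P<cmd>.+)$')

EXPECTED_EXT = {".exe", ".dll", ".sys", ".cpl"}
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{8}$')  # eight letters, no digits or separators (assumed rule)


@dataclass
class Finding:
    kind: str                 # "run", "service" or "autorun"
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def file_stem_ext(path: str):
    """Split the last path component into (stem, lower-cased extension)."""
    fname = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem, dot, ext = fname.rpartition(".")
    return (stem, "." + ext.lower()) if dot else (fname, "")


def triage_run(cmd: str, meta):
    reasons = []
    _, ext = file_stem_ext(cmd)
    if "\\" not in cmd:
        reasons.append("bare file name, resolved via the search path; verify the bracketed location")
    if ext not in EXPECTED_EXT:
        reasons.append(f"unexpected image extension {ext or '(none)'}")
    if meta is None:
        reasons.append("no file date or location recorded beside the entry")
    return reasons


def triage_service(name: str, display: str, path: str):
    reasons = []
    stem, ext = file_stem_ext(path)
    if ext not in EXPECTED_EXT:
        reasons.append(f"unexpected image extension {ext or '(none)'}")
    if path.startswith("\\??\\"):
        reasons.append("image given as an NT object path (\\??\\) rather than a plain file path")
    if name == display and RANDOM_NAME_RE.match(name) and name.lower() == stem.lower():
        reasons.append("service name, display name and file stem are one eight-letter token")
    return reasons


def triage_autorun(key: str, cmd: str):
    # Every removable-media AutoRun command gets listed, legitimate launcher or not.
    leaf = key.rsplit("\\", 1)[-1]
    return [f"AutoRun command registered under mountpoints2\\{leaf}: {cmd}"]


def parse_combofix(text: str):
    """Walk the log once and classify every autostart line it recognises."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif m := RUN_RE.match(line):
            cmd = m.group("cmd")
            findings.append(Finding("run", m.group("name"), cmd, triage_run(cmd, m.group("meta"))))
        elif m := SVC_RE.match(line):
            name, display, path = m.group("name", "display", "path")
            findings.append(Finding("service", name, path, triage_service(name, display, path)))
        elif m := AUTORUN_RE.match(line):
            cmd = m.group("cmd")
            findings.append(Finding("autorun", key.rsplit("\\", 1)[-1], cmd, triage_autorun(key, cmd)))
    return findings


def flagged_entries(findings):
    return [f for f in findings if f.flagged]


if __name__ == "__main__":
    for f in flagged_entries(parse_combofix(SAMPLE_LOG)):
        print(f"[{f.kind}] {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, `IntelWireless`, `Zone Labs Client`, `snapman` and `MADFU008` pass (the digits in `MADFU008` keep it out of the eight-letter rule even though its name and display name match), `nwiz` is listed only because the value is a bare file name, and `RKCMGQRF` trips all three service rules at once. Run it against a full log by replacing `SAMPLE_LOG` with the file's contents; the rules are deliberately narrow, so widen them for your own environment rather than treating a clean result as a clean machine.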