05-12-2008, 12:38 AM   #1
TSF Supporter
 
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP


Pop-Ups and Homepage Hijack

Since this morning, I have been getting pop-ups like mad when connected to the internet. Even when I'm not connected (Ethernet cable not plugged into the computer), I am getting pop-ups. I attempted to run the online Panda scan, but it got stuck at 42% for like 3 hours. I have part of that log, but not the complete log.

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:23 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Downloads\Fraps\fraps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\Wheezy~1\APPLIC~1\PPATCH~1\dexplore.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\command.exe
C:\WINDOWS\system32\qcntqkdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\?ystem\m?config.exe
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\17PHolmes1000106.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{E4-4A-A1-1D-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [{57f1c114-4341-45ba-c995-36f07ff493fd}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll" DllInit
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qcntqkdm.exe DWram
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [BM272d792e] Rundll32.exe "C:\WINDOWS\system32\rjqquyop.dll",s
O4 - HKLM\..\Run: [241e4ab2] rundll32.exe "C:\WINDOWS\system32\prqpdufe.dll",b
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Wheezy~1\APPLIC~1\PPATCH~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [Vxp] "C:\Program Files\Common Files\?ystem\m?config.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

--
End of file - 4618 bytes



Part of Panda Active Scan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-12 00:47:45
PROTECTIONS: 1
MALWARE: 65
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Trend Micro Internet Security 16.00.1447 Yes No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.casalemedia.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Downloads\Virus Programs 10.18.2007\SmitfraudFix\Process.exe
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@mediaplex[2].txt
00147796 Cookie/Entrepreneur TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@entrepreneur[2].txt
00148914 Cookie/Tucows TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@tucows[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.yadro.ru/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@yadro[2].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.yadro.ru/]
00167670 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@seeq[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@xiti[1].txt
00167709 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@fe.lea.lycos[4].txt
00167738 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@fe.lea.lycos[5].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.statcounter.com/]
00167758 Cookie/Barelylegal TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@c.fsx[1].txt
00168055 Cookie/RealTracker TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@web2.realtracker[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[ad.yieldmanager.com/]
00168057 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@counter10.sextracker[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@bs.serving-sys[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[www.burstbeacon.com/]
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@weborama[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[server.iad.liveperson.net/hc/11719988]
00168113 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@fe.lea.lycos[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@stat.onestat[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[stat.onestat.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@advertising[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@statse.webtrendslive[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@ads.pointroll[2].txt
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@fortunecity[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.realmedia.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adrevolver.com/]
00199981 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@www48.seeq[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@searchportal.information[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@target[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.target.com/]
00219235 adware/commad Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
00219235 Adware/CommAd Adware Yes 1 Yes No C:\WINDOWS\U2HLBGXPZSBXYXRLCNM\ASAPPSRV.DLL
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\cmdservice
00219235 adware/commad Adware No 0 Yes No c:\windows\system32\atmtd.dll
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_network_monitor
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\cmdservice
00219235 adware/commad Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\network monitor
00219235 adware/commad Adware No 0 Yes No c:\windows\system32\atmtd.dll._
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\network monitor
00219235 adware/commad Adware No 0 Yes No c:\program files\network monitor
00219235 adware/commad Adware No 0 Yes No c:\documents and settings\Wheezy\local settings\temp\cmdinst.exe
00219235 adware/commad Adware No 0 Yes No c:\windows\uninstall_nmon.vbs
00219238 Adware/CommAd Adware Yes 1 Yes No C:\WINDOWS\U2HLBGXPZSBXYXRLCNM\COMMAND.EXE
00242884 Adware/SearchAid Adware Yes 1 Yes No C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
00250251 Adware/ISearch Adware No 0 No No C:\Temp\nxSUbt99.exe[gvserchka.exe]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.atwola.com/]
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@cgi-bin[12].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@cgi-bin[1].txt
00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@cgi-bin[5].txt
00293079 Spyware/7r7t Spyware No 1 Yes No C:\Documents and Settings\Wheezy\Local Settings\Temp\snapsnet.exe
00293079 Spyware/7r7t Spyware No 1 Yes No C:\Temp\nxSUbt99.exe
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@ads.addynamix[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@citi.bridgetrack[2].txt
00530382 Cookie/DriveCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@klik.klikadvertising[2].txt
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@enhance[2].txt
01196326 Cookie/GoClick TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@goclick[1].txt
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cookies.txt[.adserver.easyad.info/]
02688464 Adware/DnsInsider Adware No 0 Yes No C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Wheezy\Cookies\Wheezy@advancedcleaner[1].txt
02888175 Adware/Zenosearch Adware Yes 1 Yes No C:\PROGRAM FILES\OUTERINFO\FF\COMPONENTS\FF.DLL
02895017 Adware/PurityScan Adware Yes 1 Yes No C:\DOCUMENTS AND SETTINGS\WheezyS\APPLICATION DATA\ΑРPPATCH\DEXPLORE.EXE
02896112 Adware/Yazzle Adware No 0 No No C:\Documents and Settings\Wheezy\Local Settings\Temp\yazzsnet.exe[■ó1\Yazzle1281OinAdmin.exe]
02896112 Adware/Yazzle Adware No 0 Yes No C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
02896113 Adware/Yazzle Adware No 0 Yes No C:\Documents and Settings\Wheezy\Local Settings\Temp\yazzsnet.exe
02901906 Dialer.LAV Dialers No 0 Yes No C:\PROGRAM FILES\WINVI\WUPDA.EXE
02901906 Dialer.LAV Dialers No 0 Yes No C:\Program Files\winvi\wupda.exe
02901906 Dialer.LAV Dialers No 0 No No C:\Temp\nxSUbt99.exe[srkawe3.exe][wupda.exe]
02905415 Adware/Zenosearch Adware No 0 No No C:\Temp\nxSUbt99.exe[bvre32.exe]
02905415 Adware/Zenosearch Adware Yes 1 Yes No C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
02915115 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\SSJF.DLL
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP28\A0000667.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000091.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP43\A0001239.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP44\A0001277.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP47\A0001610.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP55\A0002027.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP57\A0002081.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP58\A0002117.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000002.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP60\A0002207.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP61\A0002215.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP62\A0002246.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP63\A0002302.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0002355.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002596.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002627.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002632.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002638.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP73\A0002688.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP77\A0002745.exe
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\PROGRAM FILES\RABCO\RABCOSE.EXE
02915376 Generic Malware Virus/Trojan Yes 0 Yes No C:\PROGRAM FILES\RABCO\X_RABCOSE.EXE
02915376 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP59\A0002167.exe
02942076 Adware/PurityScan Adware Yes 1 Yes No C:\PROGRAM FILES\COMMON FILES\ЅYSTEM\MЅCONFIG.EXE
02944473 Trj/Downloader.MDW Virus/Trojan No 1 No No C:\Temp\nxSUbt99.exe[PI-setup03x.exe]
02945143 Trj/Downloader.TMZ Virus/Trojan No 0 No No C:\Temp\nxSUbt99.exe[BD-2bin.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\PROGRAM FILES\RABCO\RABCO.DLL
No C:\PROGRAM FILES\WINVI\UPDATE.EXE
No C:\WINDOWS\MROFINU1000106.EXE
No C:\WINDOWS\SYSTEM32\QCNTQKDM.EXE
No C:\WINDOWS\SYSTEM32\{3C92EAEC-78F3-0B4C-8689-A6515D3E35BC}.DLL
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================



Deckard's System Scanner

Deckard's System Scanner v20071014.68
Run by Wheezy on 2008-05-12 01:20:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Wheezy.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:30 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Downloads\Fraps\fraps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\Wheezy~1\APPLIC~1\PPATCH~1\dexplore.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\command.exe
C:\WINDOWS\system32\qcntqkdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\?ystem\m?config.exe
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\17PHolmes1000106.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Wheezy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Wheezy~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOWNLO~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9D834F0-DF63-86E5-1193-A08F025379B1} - C:\WINDOWS\system32\ssjf.dll
O2 - BHO: gooochi browser optimizer - {bde7e5fb-5bd1-2731-b949-9ba980b059d9} - C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {F68A92D1-887E-46EF-AC3A-E4E224341BFF} - C:\WINDOWS\system32\geBroMFX.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{E4-4A-A1-1D-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [{57f1c114-4341-45ba-c995-36f07ff493fd}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll" DllInit
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qcntqkdm.exe DWram
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [BM272d792e] Rundll32.exe "C:\WINDOWS\system32\rjqquyop.dll",s
O4 - HKLM\..\Run: [241e4ab2] rundll32.exe "C:\WINDOWS\system32\prqpdufe.dll",b
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Wheezy~1\APPLIC~1\PPATCH~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [Vxp] "C:\Program Files\Common Files\?ystem\m?config.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqRLETJ - C:\WINDOWS\SYSTEM32\ssqRLETJ.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

--
End of file - 5882 bytes

-- Files created between 2008-04-12 and 2008-05-12 -----------------------------

2008-05-11 20:28:22 114688 --a------ C:\WINDOWS\system32\prqpdufe.dll
2008-05-11 20:26:49 125440 --a------ C:\WINDOWS\system32\rjqquyop.dll
2008-05-11 20:25:21 1094349 --ahs---- C:\WINDOWS\system32\XFMorBeg.ini2
2008-05-11 20:25:16 372224 --a------ C:\WINDOWS\system32\geBroMFX.dll
2008-05-11 20:20:44 37376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-05-11 20:20:38 37376 --a------ C:\WINDOWS\mrofinu572.exe
2008-05-11 20:20:31 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-11 20:20:27 60928 --a------ C:\WINDOWS\system32\ssjf.dll
2008-05-11 20:20:27 0 d-------- C:\Program Files\Outerinfo
2008-05-11 20:20:27 0 d-------- C:\Program Files\Common Files\?ystem
2008-05-11 20:20:24 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-05-11 20:20:23 200769 --a------ C:\WINDOWS\system32\qcntqkdm.exe
2008-05-11 20:20:21 401965 --a------ C:\WINDOWS\system32\g97.exe
2008-05-11 20:20:19 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-05-11 20:20:19 0 d--hs---- C:\WINDOWS\U2hlbGxpZSBXYXRlcnM
2008-05-11 20:20:19 0 d-------- C:\Program Files\Network Monitor
2008-05-11 20:20:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-05-11 20:20:18 49162 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-05-11 20:20:17 0 d-------- C:\Program Files\winvi
2008-05-11 20:20:16 86144 --a------ C:\WINDOWS\system32\drivers\cdaudioo.sys
2008-05-11 20:20:15 0 d-------- C:\WINDOWS\system32\vdTMP
2008-05-11 20:20:15 0 d-------- C:\WINDOWS\system32\hNF
2008-05-11 20:20:15 0 d-------- C:\WINDOWS\system32\din3
2008-05-11 20:20:15 0 d-------- C:\WINDOWS\system32\2033b
2008-05-11 20:20:15 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-05-11 20:20:14 0 d-------- C:\Documents and Settings\Wheezy\Application Data\??pPatch
2008-05-11 20:20:13 0 d-------- C:\WINDOWS\system32\bkEur01
2008-05-11 20:20:12 52736 --a------ C:\WINDOWS\system32\ssqRLETJ.dll
2008-05-11 20:20:12 0 d-------- C:\Temp
2008-05-05 11:24:34 330752 --a------ C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll
2008-04-21 01:58:33 0 d-------- C:\Program Files\Panda Security


-- Find3M Report ---------------------------------------------------------------

2008-05-11 20:20:27 0 d-------- C:\Program Files\Common Files
2008-05-11 20:20:27 0 d-------- C:\Program Files\Common Files\?ystem
2008-05-11 20:20:14 0 d-------- C:\Documents and Settings\Wheezy\Application Data\??pPatch
2008-04-21 01:58:34 5701 --a----c- C:\WINDOWS\mozver.dat
2008-04-20 13:21:28 0 d-------- C:\Program Files\EA GAMES
2008-03-19 22:45:12 0 d-------- C:\Documents and Settings\Wheezy\Application Data\Real
2008-02-25 14:43:28 1309 --a----c- C:\Documents and Settings\Wheezy\Application Data\update.log


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
01/30/2008 03:02 PM 414992 --a------ C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9D834F0-DF63-86E5-1193-A08F025379B1}]
04/11/2008 12:51 PM 60928 --a------ C:\WINDOWS\system32\ssjf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bde7e5fb-5bd1-2731-b949-9ba980b059d9}]
05/05/2008 11:24 AM 330752 --a------ C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F68A92D1-887E-46EF-AC3A-E4E224341BFF}]
05/11/2008 08:25 PM 372224 --a------ C:\WINDOWS\system32\geBroMFX.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\qttask.exe" [06/29/2007 06:24 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/27/2007 06:02 PM]
"{E4-4A-A1-1D-DW}"="c:\windows\system32\rwwnw64d.exe" [05/11/2008 08:20 PM]
"{57f1c114-4341-45ba-c995-36f07ff493fd}"="C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll" [05/05/2008 11:24 AM]
"ExploreUpdSched"="C:\WINDOWS\system32\qcntqkdm.exe" [05/11/2008 08:20 PM]
"runner1"="C:\WINDOWS\mrofinu1000106.exe" [05/11/2008 08:20 PM]
"BM272d792e"="C:\WINDOWS\system32\rjqquyop.dll" [05/11/2008 08:26 PM]
"241e4ab2"="C:\WINDOWS\system32\prqpdufe.dll" [05/11/2008 08:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uaol"="C:\DOCUME~1\Wheezy~1\APPLIC~1\PPATCH~1\dexplore.exe" [05/11/2008 08:20 PM]
"WinUpdater"="C:\Program Files\winvi\update.exe" [04/25/2008 02:57 AM]
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" [04/25/2008 02:57 AM]
"Vxp"="C:\Program Files\Common Files\?ystem\m?config.exe" []

C:\Documents and Settings\Wheezy\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\qcntqkdm.exe [5/11/2008 8:20:23 PM]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [5/11/2008 8:20:18 PM]
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2/23/2008 2:36:33 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WheezyExecuteHooks]
"{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}"= C:\WINDOWS\system32\ssqRLETJ.dll [05/11/2008 08:20 PM 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLETJ]
ssqRLETJ.dll 05/11/2008 08:20 PM 52736 C:\WINDOWS\system32\ssqRLETJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBroMFX

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wise-FTP Scheduler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"tmproxy"=3 (0x3)
"TmPfw"=3 (0x3)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NetSvc"=3 (0x3)
"MDM"=2 (0x2)
"KService"=2 (0x2)
"IAANTMon"=2 (0x2)
"ELService"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - CDAUDIOO
*Newly Created Service* - CMDSERVICE
*Newly Created Service* - NETWORK_MONITOR



-- End of Deckard's System Scanner: finished at 2008-05-12 01:22:02 ------------

Old 05-13-2008, 03:53 PM   #2 (permalink)
TSF Supporter
 
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP


Re: Pop-Ups and Homepage Hijack

I am still at my wit's end here - the problems are still persisting and any guidance to clean my machine would be much appreciated.
Old 05-13-2008, 07:05 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Pop-Ups and Homepage Hijack

What happened Wheezy? The infections present on this system are the same ones I just cleaned for you in February.



This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-13-2008, 08:17 PM   #4 (permalink)
TSF Supporter
 
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP


Re: Pop-Ups and Homepage Hijack

Hi Ried. Unfortunately my security program (Trend Micro) wasn't activated all this time, so I have had a completely unprotected system since my last infection clean :S I have been trying to contact Trend Micro about this problem after this latest infection, but haven't had much time to successfully stay connected to the internet. But hopefully with some help from this site, I will be able to get in contact with them and activate my security, or else download something different that will help protect me.



ComboFix Log

ComboFix 08-05-12.1 - Wheezy 2008-05-13 20:56:31.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.399 [GMT -5:00]
Running from: C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Wheezy\Application Data\PPATCH~1
C:\Documents and Settings\Wheezy\Application Data\PPATCH~1\??pPatch\
C:\Documents and Settings\Wheezy\Application Data\PPATCH~1\dexplore.exe
C:\Documents and Settings\Wheezy\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Wheezy\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Wheezy\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\kmd.exe
C:\Program Files\Common Files\ystem~1
C:\Program Files\Common Files\ystem~1\m?config.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll
C:\WINDOWS\system32\drivers\cdaudioo.sys
C:\WINDOWS\system32\efudpqrp.ini
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nynpwvas.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ssjf.dll
C:\WINDOWS\system32\XFMorBeg.ini
C:\WINDOWS\system32\XFMorBeg.ini2
C:\WINDOWS\system32\ybqenque.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\
C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\\asappsrv.dll
C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\\command.exe
C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\\oZ15v3UDtm1rsrl5wBg.vbs
C:\WINDOWS\U2hlbGxpZSBXYXRlcnM\command.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDAUDIOO
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cdaudioo
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 21:01 . 2008-05-13 21:01 294 ---hs---- C:\WINDOWS\system32\nynpwvas.ini
2008-05-13 20:53 . 2008-05-13 20:53 115,712 --a------ C:\WINDOWS\system32\savwpnyn.dll
2008-05-13 20:53 . 2008-05-13 20:53 2,048 --a------ C:\WINDOWS\system32\utnvbhrn.exe
2008-05-13 20:50 . 2008-05-13 20:51 124,416 --a------ C:\WINDOWS\system32\nqcbjgjk.dll
2008-05-12 16:54 . 2008-05-12 16:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-12 16:49 . 2008-05-12 16:49 49,169 --a------ C:\WINDOWS\system32\jpwnw64l.exe
2008-05-12 01:06 . 2008-05-12 01:06 <DIR> d-------- C:\Deckard
2008-05-11 20:26 . 2008-05-11 20:26 125,440 --a------ C:\WINDOWS\system32\rjqquyop.dll
2008-05-11 20:26 . 2008-05-13 21:01 109,803 --a------ C:\WINDOWS\BM272d792e.xml
2008-05-11 20:25 . 2008-05-11 20:25 372,224 --a------ C:\WINDOWS\system32\geBroMFX.dll
2008-05-11 20:20 . 2008-05-11 20:20 <DIR> d-------- C:\Temp\maxsv15
2008-05-11 20:20 . 2008-05-12 16:49 <DIR> d-------- C:\Program Files\winvi
2008-05-11 20:20 . 2008-05-11 20:20 493,855 --a------ C:\Temp\nxSUbt99.exe
2008-05-11 20:20 . 2008-05-11 20:20 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-21 01:58 . 2008-04-21 01:58 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 11:01 37,376 ----a-r C:\WINDOWS\mrofinu1000106.exe
2008-05-12 01:20 37,376 ----a-w C:\WINDOWS\mrofinu572.exe
2008-05-12 01:20 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-11 05:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 18:21 --------- d-----w C:\Program Files\EA GAMES
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2008-01-15 07:49 1,498 ----a-w C:\Program Files\Calculator.lnk
2007-06-29 11:25 8,612 ----a-w C:\Program Files\QuickTime Read Me.htm
2007-06-29 11:25 749,568 -c--a-w C:\Program Files\QTOControl.dll
2007-06-29 11:25 684,032 -c--a-w C:\Program Files\QTOLibrary.dll
2007-06-29 11:25 618,496 -c--a-w C:\Program Files\QTInfo.exe
2007-06-29 11:25 6,124,864 ----a-w C:\Program Files\QuickTimePlayer.exe
2007-06-29 11:25 574,784 ----a-w C:\Program Files\QTPlugin.ocx
2007-06-29 11:25 303,104 -c--a-w C:\Program Files\QTUIPanelControl.dll
2007-06-29 11:24 55,622 -c--a-w C:\Program Files\Sample.mov
2007-06-29 11:24 483,328 -c--a-w C:\Program Files\PictureViewer.exe
2007-06-29 11:24 286,720 ----a-w C:\Program Files\QTTask.exe
2007-06-29 11:24 18,663 -c--a-w C:\Program Files\Sample.qtif
2006-10-21 21:54 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16A1FBA0-383F-4CBA-A8BB-4735CEA86801}]
2008-05-11 20:25 372224 --a------ C:\WINDOWS\system32\geBroMFX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]
2008-05-11 20:20 52736 --a------ C:\WINDOWS\system32\ssqRLETJ.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uaol"="C:\DOCUME~1\Wheezy~1\APPLIC~1\PPATCH~1\dexplore.exe" [ ]
"WinUpdater"="C:\Program Files\winvi\update.exe" [2008-04-25 02:57 174038]
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" [2008-04-25 02:57 198185]
"Vxp"="C:\Program Files\Common Files\?ystem\m?config.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\qttask.exe" [2007-06-29 06:24 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-27 18:02 185632]
"{E4-4A-A1-1D-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-05-11 20:20 49162]
"241e4ab2"="C:\WINDOWS\system32\savwpnyn.dll" [2008-05-13 20:53 115712]
"BM272d792e"="C:\WINDOWS\system32\nqcbjgjk.dll" [2008-05-13 20:51 124416]
"ExploreUpdSched"="C:\WINDOWS\system32\qcntqkdm.exe" [2008-05-11 20:20 200769]

C:\Documents and Settings\Wheezy\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\qcntqkdm.exe [2008-05-11 20:20:23 200769]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-05-11 20:20:18 49162]
RABCO - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir [2008-02-23 14:36:33 183216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Wheezyexecutehooks]
"{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}"= C:\WINDOWS\system32\ssqRLETJ.dll [2008-05-11 20:20 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLETJ]
ssqRLETJ.dll 2008-05-11 20:20 52736 C:\WINDOWS\system32\ssqRLETJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 05:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-10-05 03:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-04-11 03:07 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a--c--- 2005-06-17 07:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-05-18 13:21 1033800 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 18:14 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-10-04 18:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-27 18:02 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wise-FTP Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"tmproxy"=3 (0x3)
"TmPfw"=3 (0x3)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NetSvc"=3 (0x3)
"MDM"=2 (0x2)
"KService"=2 (0x2)
"IAANTMon"=2 (0x2)
"ELService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Kontiki\\KService.exe"=

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Wheezy\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Wheezy\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 21:01:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\nynpwvas.ini 294 bytes
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqRLETJ.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-05-13 21:04:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 02:04:07
ComboFix2.txt 2008-02-26 07:22:19

Pre-Run: 119,172,423,680 bytes free
Post-Run: 119,199,154,176 bytes free

247 --- E O F --- 2008-05-14 01:56:47



New HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:50 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\winvi\wupda.exe
C:\WINDOWS\system32\qcntqkdm.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{E4-4A-A1-1D-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [241e4ab2] rundll32.exe "C:\WINDOWS\system32\savwpnyn.dll",b
O4 - HKLM\..\Run: [BM272d792e] Rundll32.exe "C:\WINDOWS\system32\nqcbjgjk.dll",s
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Wheezy~1\APPLIC~1\PPATCH~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [Vxp] "C:\Program Files\Common Files\?ystem\m?config.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

--
End of file - 3905 bytes
Old 05-14-2008, 07:23 AM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Pop-Ups and Homepage Hijack

There's a lot to do, Wheezy. Be sure you complete all the steps I've laid out for you, in their entirety. If you run into any problems, please let me know.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download SDFix and save it to your Desktop. Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

--------------------------------------------------------------------

Close any open browsers.

---------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.
  • Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.

--------------------------------------------------------------------

From Normal Mode--

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir



Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------


Open notepad and copy/paste the text in the code box below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/248687-pop-ups-homepage-hijack.html#post1482752

Collect::
C:\WINDOWS\system32\ssqRLETJ.dll
C:\WINDOWS\system32\savwpnyn.dll
C:\WINDOWS\system32\utnvbhrn.exe
C:\WINDOWS\system32\nqcbjgjk.dll
C:\WINDOWS\system32\jpwnw64l.exe
C:\WINDOWS\system32\rjqquyop.dll
C:\WINDOWS\BM272d792e.xml
C:\WINDOWS\system32\geBroMFX.dll
C:\Temp\nxSUbt99.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\qcntqkdm.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe

File::
C:\WINDOWS\system32\nynpwvas.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\drivers\core.cache.dsk

Folder::
C:\Temp\maxsv15

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16A1FBA0-383F-4CBA-A8BB-4735CEA86801}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uaol"=- 
"Vxp"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{E4-4A-A1-1D-DW}"=-
"241e4ab2"=- 
"BM272d792e"=-
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
---------------------------------------------------------------------------------------------

Now let's get an AV on your system. Here is a very good free Antivirus product: Download, install, update definitions, and run a full system scan.

-----------------------------------------------------------------

Please return with the following reports, in the order listed:

C:\SDFix\Report.txt
C:\ComboFix.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 05-14-2008 at 07:46 AM.
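Ried's post above reads the logs by hand: Run values with machine-generated names, rundll32 entries that load a DLL out of system32 at every logon, a Startup shortcut pointing into ComboFix's quarantine, a path made of lookalike characters that the log prints as "?", a redirected IE start page, and the Security Center and firewall keys the infection switched off. As an added example, not code from this thread nor from HijackThis or ComboFix, here is that reasoning written down as detection logic in Python and run over lines copied from the logs. The allowlists of expected start pages and of programs allowed to run from system32 at logon are assumptions made for the example, as are the heuristic names.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis and ComboFix logs
# posted in this thread, plus the clean QuickTime entry so the allowlist path runs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{E4-4A-A1-1D-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [241e4ab2] rundll32.exe "C:\WINDOWS\system32\savwpnyn.dll",b
O4 - HKLM\..\Run: [BM272d792e] Rundll32.exe "C:\WINDOWS\system32\nqcbjgjk.dll",s
O4 - HKCU\..\Run: [Vxp] "C:\Program Files\Common Files\?ystem\m?config.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntqkdm.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# Assumptions made for this example, not facts from the thread: the IE start pages
# we expect to see, and the programs allowed to run from system32 at logon.
KNOWN_START_PAGES = {"about:blank", "http://go.microsoft.com/fwlink/?LinkId=69157"}
SYSTEM32_LOGON_ALLOWLIST = {"ctfmon.exe"}

RUN_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$')
HOMEPAGE_RE = re.compile(r'^R0 - .*Start Page = (?P<url>\S+)$')
SETTING_RE = re.compile(r'^"(?P<key>DisableMonitoring|EnableFirewall)"\s*=\s*(?:dword:)?(?P<val>[0-9a-fA-F]+)')
# Value names like 241e4ab2, BM272d792e or {E4-4A-A1-1D-DW}: hex blobs and brace
# tokens that no vendor installer picks for a Run value (heuristic, not a rule).
GENERATED_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$|^\{.*\}$')
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)', re.I)
# A quoted program path, or a bare one read up to its extension (so arguments drop off).
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll|vir|bat|cmd|scr|com))(?=\s|$)', re.I)


@dataclass
class Finding:
    line: str
    reasons: list


def first_path(cmd: str) -> str:
    """Program path from a Run/Startup command: quoted, or bare up to its extension."""
    m = PATH_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def check_autostart(name: str, cmd: str) -> list:
    """Heuristics for one O4 entry; an empty list means nothing looked suspicious."""
    reasons = []
    path = first_path(cmd)
    low = path.lower()
    if GENERATED_NAME_RE.match(name):
        reasons.append("machine-generated value name")
    if "?" in path:
        reasons.append("unprintable characters in path (folder imitating a system directory)")
    if low.endswith(".vir") or "\\quarantine\\" in low:
        reasons.append("points at a quarantined file")
    dll = RUNDLL_RE.match(cmd)
    if dll and "\\system32\\" in dll.group("dll").lower():
        reasons.append("rundll32 loads a DLL from system32 at logon")
    elif ("\\system32\\" in low and low.endswith(".exe")
          and low.rsplit("\\", 1)[-1] not in SYSTEM32_LOGON_ALLOWLIST):
        reasons.append("unknown executable launched directly from system32")
    return reasons


def triage(text: str) -> list:
    """Run every heuristic over a log and return only the lines that tripped one."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        reasons = []
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            reasons = check_autostart(m.group("name"), m.group("cmd"))
        else:
            m = HOMEPAGE_RE.match(line)
            if m and m.group("url") not in KNOWN_START_PAGES:
                reasons = ["IE start page redirected to an unknown site"]
            m = SETTING_RE.match(line)
            if m:
                val = int(m.group("val"), 16)  # handles both dword:0000000 1 and "0 (0x0)"
                if m.group("key") == "DisableMonitoring" and val == 1:
                    reasons = ["Security Center monitoring of the AV/firewall disabled"]
                if m.group("key") == "EnableFirewall" and val == 0:
                    reasons = ["Windows Firewall turned off in the standard profile"]
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{len(f.reasons)}] {f.line}\n    " + "; ".join(f.reasons))
```

Run stand-alone it prints the nine flagged lines with their reasons; the QuickTime entry and the R1 default page pass clean. The two allowlists are the only environment-specific knobs: in practice they come from a known-good image of the same build, and anything a heuristic flags still goes to an analyst, exactly as the CFScript in the post above was assembled by a person rather than a script.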
Old 05-14-2008, 03:25 PM   #6
TSF Supporter
 
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP


Re: Pop-Ups and Homepage Hijack

SDFix Report

SDFix: Version 1.182
Run by Wheezy on Wed 05/14/2008 at 02:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\PROGRA~1\MESSEN~1\WOGUVY~1 - Deleted
C:\WINDOWS\system32\bkEur01\bkEur011065.exe - Deleted
C:\Program Files\winvi\Uninst.exe - Deleted
C:\Program Files\winvi\update.exe - Deleted
C:\Program Files\winvi\version.ini - Deleted
C:\Program Files\winvi\wupda.exe - Deleted
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js - Deleted
C:\Program Files\winvi\dsktp\desktop.html - Deleted
C:\Program Files\winvi\dsktp\internetDetection.swf - Deleted
C:\Program Files\winvi\dsktp\settings.sol - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\Documents and Settings\Wheezy\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\Wheezy\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted



Folder C:\Program Files\winvi - Removed
Folder C:\Temp\maxsv15 - Removed
Folder C:\WINDOWS\system32\bkEur01 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 14:40:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:60bfa608
"s2"=dword:b02c3d4b

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 13 Apr 2006 56 A.SHR --- "C:\i386\11D43EA203.sys"
Thu 13 Apr 2006 3,350 A.SH. --- "C:\i386\KGyGaAvL.sys"
Sat 21 Oct 2006 152 ..SHR --- "C:\WINDOWS\system32\11D43EA203.sys"
Sat 21 Oct 2006 7,520 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 7 May 2007 54,272 ...H. --- "C:\Documents and Settings\Wheezy\My Documents\Sims Stories\~WRL0001.tmp"
Mon 7 May 2007 54,784 ...H. --- "C:\Documents and Settings\Wheezy\My Documents\Sims Stories\~WRL1189.tmp"
Mon 7 May 2007 55,296 ...H. --- "C:\Documents and Settings\Wheezy\My Documents\Sims Stories\~WRL1868.tmp"
Mon 7 May 2007 54,784 ...H. --- "C:\Documents and Settings\Wheezy\My Documents\Sims Stories\~WRL1986.tmp"
Mon 7 May 2007 54,784 ...H. --- "C:\Documents and Settings\Wheezy\My Documents\Sims Stories\~WRL2493.tmp"
Mon 7 May 2007 54,784 ...H. --- "C:\Documents and Settings\Wheezy\My Documents\Sims Stories\~WRL3597.tmp"
Tue 13 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\069dce5b3a6a576c9856befb57fca0a9\BITA.tmp"
Thu 20 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITE.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT2.tmp"
Tue 11 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 11 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Tue 11 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Thu 13 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!



ComboFix Log

ComboFix 08-05-12.1 - Wheezy 2008-05-14 14:55:48.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.611 [GMT -5:00]
Running from: C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wheezy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\nynpwvas.ini
C:\WINDOWS\system32\zxdnt3d.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\nxSUbt99.exe
C:\WINDOWS\BM272d792e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\geBroMFX.dll
C:\WINDOWS\system32\jpwnw64l.exe
C:\WINDOWS\system32\nqcbjgjk.dll
C:\WINDOWS\system32\nynpwvas.ini
C:\WINDOWS\system32\qcntqkdm.exe
C:\WINDOWS\system32\rjqquyop.dll
C:\WINDOWS\system32\savwpnyn.dll
C:\WINDOWS\system32\ssqRLETJ.dll
C:\WINDOWS\system32\utnvbhrn.exe
C:\WINDOWS\system32\XFMorBeg.ini
C:\WINDOWS\system32\XFMorBeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 14:28 . 2008-05-14 14:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 14:26 . 2008-05-14 14:48 <DIR> d-------- C:\SDFix
2008-05-12 16:54 . 2008-05-12 16:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-12 01:06 . 2008-05-12 01:06 <DIR> d-------- C:\Deckard
2008-05-11 20:20 . 2008-05-11 20:20 <DIR> d-------- C:\WINDOWS\system32\vdTMP
2008-05-11 20:20 . 2008-05-11 20:20 <DIR> d-------- C:\WINDOWS\system32\hNF
2008-05-11 20:20 . 2008-05-11 20:20 <DIR> d-------- C:\WINDOWS\system32\din3
2008-05-11 20:20 . 2008-05-11 20:20 <DIR> d-------- C:\WINDOWS\system32\2033b
2008-05-11 20:20 . 2008-05-14 14:55 <DIR> d-------- C:\Temp
2008-05-11 20:20 . 2008-05-11 20:20 401,965 --a------ C:\WINDOWS\system32\g97.exe
2008-05-11 20:20 . 2008-05-11 20:20 63,902 --a------ C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll-uninst.exe
2008-05-11 20:20 . 2008-05-11 20:20 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-21 01:58 . 2008-04-21 01:58 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 05:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 18:21 --------- d-----w C:\Program Files\EA GAMES
2008-01-15 07:49 1,498 ----a-w C:\Program Files\Calculator.lnk
2007-06-29 11:25 8,612 ----a-w C:\Program Files\QuickTime Read Me.htm
2007-06-29 11:25 749,568 -c--a-w C:\Program Files\QTOControl.dll
2007-06-29 11:25 684,032 -c--a-w C:\Program Files\QTOLibrary.dll
2007-06-29 11:25 618,496 -c--a-w C:\Program Files\QTInfo.exe
2007-06-29 11:25 6,124,864 ----a-w C:\Program Files\QuickTimePlayer.exe
2007-06-29 11:25 574,784 ----a-w C:\Program Files\QTPlugin.ocx
2007-06-29 11:25 303,104 -c--a-w C:\Program Files\QTUIPanelControl.dll
2007-06-29 11:24 55,622 -c--a-w C:\Program Files\Sample.mov
2007-06-29 11:24 483,328 -c--a-w C:\Program Files\PictureViewer.exe
2007-06-29 11:24 286,720 ----a-w C:\Program Files\QTTask.exe
2007-06-29 11:24 18,663 -c--a-w C:\Program Files\Sample.qtif
2006-10-21 21:54 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_21.03.51.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 02:00:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 19:58:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 07:55:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-14 19:28:52 8,208,384 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-14 19:28:52 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-13 07:55:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-14 19:28:50 8,208,384 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-14 19:28:50 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\qttask.exe" [2007-06-29 06:24 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-27 18:02 185632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLETJ]
ssqRLETJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 05:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-10-05 03:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-04-11 03:07 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a--c--- 2005-06-17 07:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-05-18 13:21 1033800 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 18:14 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-10-04 18:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-27 18:02 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wise-FTP Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"tmproxy"=3 (0x3)
"TmPfw"=3 (0x3)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NetSvc"=3 (0x3)
"MDM"=2 (0x2)
"KService"=2 (0x2)
"IAANTMon"=2 (0x2)
"ELService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Kontiki\\KService.exe"=

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Wheezy\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 14:58:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-14 15:01:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 20:01:16
ComboFix2.txt 2008-05-14 02:04:11
ComboFix3.txt 2008-02-26 07:22:19

Pre-Run: 119,637,438,464 bytes free
Post-Run: 119,624,994,816 bytes free

181 --- E O F --- 2008-05-14 07:38:30



HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:40 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOWNLO~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqRLETJ - ssqRLETJ.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4161 bytes
Old 05-14-2008, 10:12 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Pop-Ups and Homepage Hijack

Files received, thank you.

Please refrain from editing the reports that you post. You've been replacing path names which has caused a lot of confusion for me, and can render some of these fixes useless since that is not the actual path to a registry key, file or folder that Windows sees on your computer.

Additionally, by editing the reports you also run the risk of a Helper possibly damaging your system by taking out what appears to be an invalid path or key, when in fact it is not.


***************************************************

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Now that you've installed Avira, please ensure that TrendMicro has been uninstalled via the Add/Remove programs panel. Let me know if you have any problems uninstalling it. Once you work out the activation issues with TrendMicro, uninstall Avira before you re-install TrendMicro.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\g97.exe
C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll-uninst.exe
C:\WINDOWS\system32\winpfz33.sys

Folder::
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\din3
C:\WINDOWS\system32\2033b

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis.exe and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
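The helper's reply above asks for a fresh HijackThis log so that the loading points it lists (R0/R1 browser pages, O2 BHOs, O16 downloaded ActiveX controls, O20 AppInit_DLLs and Winlogon Notify entries) can be re-checked after the fix. The script below is an added example, written for this thread and not part of HijackThis, ComboFix or any poster's own tooling: it parses HijackThis-style lines and applies a few triage rules a reviewer would apply by hand. The sample lines are constructed here, modelled on the log posted earlier in the thread; the allowlist of hosts treated as expected defaults for the IE start/search pages is an assumption for the example and should be adjusted per environment.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample lines modelled on the HijackThis log in this thread
# (not a complete log, and the Avira service line uses a plain hyphen).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOWNLO~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqRLETJ - ssqRLETJ.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2, O20, O23.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Hosts treated as expected defaults for IE start/search pages.
# Assumption for this example only; extend or replace per environment.
TRUSTED_PAGE_HOSTS = ("microsoft.com", "msn.com", "live.com")


@dataclass
class HjtEntry:
    code: str   # section code, e.g. "O20"
    body: str   # remainder of the line after "<code> - "


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn HijackThis log text into a list of (code, body) entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group("code"), m.group("body")))
    return entries


def host_is_trusted(url: str) -> bool:
    """True when the URL's host is one of the allowlisted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_PAGE_HOSTS)


def triage(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    """Apply reviewer-style rules; returns (code, reason, evidence) for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1") and " = " in e.body:
            # Browser start/search page: flag hosts outside the allowlist (hijack indicator).
            value = e.body.split(" = ", 1)[1].strip()
            if value.lower().startswith("http") and not host_is_trusted(value):
                findings.append((e.code, "browser page/search setting points at an unexpected host", value))
        elif e.code == "O20" and e.body.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs load into winlogon; a missing file means an orphaned entry.
            reason = "Winlogon Notify DLL load point"
            if "(file missing)" in e.body:
                reason += ", file missing (orphaned entry)"
            findings.append((e.code, reason, e.body))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32; verify the publisher.
            findings.append((e.code, "AppInit_DLLs entry (loaded into every GUI process, verify publisher)", e.body))
        elif e.code == "O2" and "(no name)" in e.body:
            findings.append((e.code, "BHO without a display name", e.body))
        elif e.code == "O16":
            # Downloaded ActiveX controls: confirm the download origin is the intended vendor.
            findings.append((e.code, "downloaded ActiveX control (review origin)", e.body))
    return findings


if __name__ == "__main__":
    for code, reason, evidence in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{code}] {reason}\n    {evidence}")
```

Run against the sample, the script flags the R0 start page (the whynotsearchhere.com hijack), the unnamed BHO, the Kaspersky ActiveX control, the AppInit_DLLs entry and the orphaned Winlogon Notify entry, and leaves the Avira run key, the Java BHO and the Avira service untouched. The rules are deliberately coarse: they narrow a log to the lines a reviewer should read, they do not decide what is malicious.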
Old 05-15-2008, 12:23 AM   #8 (permalink)
TSF Supporter
 
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP


Re: Pop-Ups and Homepage Hijack

I'm sorry for the editing - is there a way to edit the computer name so that I don't have to edit it myself?

My computer is acting normally as far as I can notice. I have had no pop-ups, and my homepage is no longer hijacked. But it seems like the online scanner caught some infections still unfortunately.



ComboFix Log


ComboFix 08-05-12.1 - Wheezy 2008-05-14 23:28:18.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.684 [GMT -5:00]
Running from: C:\Documents and Settings\Wheezy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wheezy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll-uninst.exe
C:\WINDOWS\system32\g97.exe
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\{3c92eaec-78f3-0b4c-8689-a6515d3e35bc}.dll-uninst.exe
C:\WINDOWS\system32\2033b
C:\WINDOWS\system32\din3
C:\WINDOWS\system32\din3\PI-setup03x.exe
C:\WINDOWS\system32\g97.exe
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\vdTMP\bvre32.exe
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-14 15:19 . 2008-05-14 16:19 <DIR> d-------- C:\Program Files\Avira
2008-05-14 15:19 . 2008-05-14 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-14 15:12 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-14 15:11 . 2008-05-14 15:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-14 14:28 . 2008-05-14 14:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 14:26 . 2008-05-14 14:48 <DIR> d-------- C:\SDFix
2008-05-12 16:54 . 2008-05-12 16:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-12 01:06 . 2008-05-12 01:06 <DIR> d-------- C:\Deckard
2008-05-11 20:20 . 2008-05-14 14:55 <DIR> d-------- C:\Temp
2008-04-21 01:58 . 2008-04-21 01:58 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 01:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-14 20:12 --------- d-----w C:\Program Files\Java
2008-04-20 18:21 --------- d-----w C:\Program Files\EA GAMES
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-29 00:24 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-01-15 07:49 1,498 ----a-w C:\Program Files\Calculator.lnk
2007-06-29 11:25 8,612 ----a-w C:\Program Files\QuickTime Read Me.htm
2007-06-29 11:25 749,568 -c--a-w C:\Program Files\QTOControl.dll
2007-06-29 11:25 684,032 -c--a-w C:\Program Files\QTOLibrary.dll
2007-06-29 11:25 618,496 -c--a-w C:\Program Files\QTInfo.exe
2007-06-29 11:25 6,124,864 ----a-w C:\Program Files\QuickTimePlayer.exe
2007-06-29 11:25 574,784 ----a-w C:\Program Files\QTPlugin.ocx
2007-06-29 11:25 303,104 -c--a-w C:\Program Files\QTUIPanelControl.dll
2007-06-29 11:24 55,622 -c--a-w C:\Program Files\Sample.mov
2007-06-29 11:24 483,328 -c--a-w C:\Program Files\PictureViewer.exe
2007-06-29 11:24 286,720 ----a-w C:\Program Files\QTTask.exe
2007-06-29 11:24 18,663 -c--a-w C:\Program Files\Sample.qtif
2006-10-21 21:54 152 --sh--r C:\WINDOWS\system32\11D43EA203.sys
2006-10-21 21:54 7,520 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_21.03.51.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 02:00:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 20:10:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 07:55:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-14 19:28:52 8,208,384 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-14 19:28:52 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-13 07:55:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-14 19:28:50 8,208,384 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-14 19:28:50 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-01-21 23:12:56 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-03-04 18:28:53 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
- 2003-11-19 21:36:26 24,681 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 06:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-11-19 21:36:30 28,779 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 06:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 07:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\qttask.exe" [2007-06-29 06:24 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-27 18:02 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLETJ]
ssqRLETJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 05:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-10-05 03:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-04-11 03:07 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a--c--- 2005-06-17 07:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-05-18 13:21 1033800 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 18:14 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-10-04 18:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-27 18:02 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wise-FTP Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"tmproxy"=3 (0x3)
"TmPfw"=3 (0x3)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NetSvc"=3 (0x3)
"MDM"=2 (0x2)
"KService"=2 (0x2)
"IAANTMon"=2 (0x2)
"ELService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Kontiki\\KService.exe"=

S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 15:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 23:30:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 23:31:36
ComboFix-quarantined-files.txt 2008-05-15 04:31:30
ComboFix2.txt 2008-05-14 20:01:20
ComboFix3.txt 2008-05-14 02:04:11
ComboFix4.txt 2008-02-26 07:22:19

Pre-Run: 119,254,179,840 bytes free
Post-Run: 119,247,998,976 bytes free

190 --- E O F --- 2008-05-14 07:38:30



Online Scan Report


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 15, 2008 1:08:02 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/05/2008
Kaspersky Anti-Virus database records: 774238
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 92317
Number of viruses found: 11
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 01:16:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Wheezy\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\cert8.db Object is locked skipped
C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\history.dat Object is locked skipped
C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\key3.db Object is locked skipped
C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\parent.lock Object is locked skipped
C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Wheezy\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Wheezy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Application Data\Mozilla\Firefox\Profiles\kuae1v1r.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\History\History.IE5\MSHist012008051420080515\index.dat Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Temp\~DFD1AB.tmp Object is locked skipped
C:\Documents and Settings\Wheezy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Wheezy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SWheezy\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\bydqykb.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM~1\mѕconfig.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\X_RABCOse.exe.vir Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\din3\PI-setup03x.exe.vir Infected: Trojan.Win32.Agent.lom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g97.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g97.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g97.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssjf.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vdTMP\bvre32.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\U2hlbGxpZSBXYXRlcnM\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000002.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP28\A0000667.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000091.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP43\A0001239.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP44\A0001277.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP47\A0001610.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP55\A0002027.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP57\A0002081.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP58\A0002117.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP59\A0002167.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP60\A0002207.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP61\A0002215.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP62\A0002246.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP63\A0002302.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP65\A0002355.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002596.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002627.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002632.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP70\A0002638.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP73\A0002688.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP77\A0002745.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP80\A0002793.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0002808.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0002817.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002832.dll Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002834.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002836.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002837.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002838.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002840.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002845.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP82\A0002853.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP84\A0002975.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP84\A0002994.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP85\A0003052.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP88\A0003227.exe Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP88\A0003228.dll Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP88\A0003229.exe Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0003260.exe Infected: Trojan.Win32.Agent.lom skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0003261.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0003263.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0003263.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0003263.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{833285D9-2BD9-49C8-975D-96A79A15FEEA}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



New HijackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:18 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Downloads\Fraps\fraps.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOWNLO~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqRLETJ - ssqRLETJ.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4158 bytes
Old 05-15-2008, 03:19 PM   #9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Pop-Ups and Homepage Hijack

Quote:
Originally Posted by Ried
Please refrain from editing the reports that you post. You've been replacing path names which has caused a lot of confusion for me, and can render some of these fixes useless since that is not the actual path to a registry key, file or folder that Windows sees on your computer.
Quote:
I'm sorry for the editing - is there a way to edit the computer name so that I don't have to edit it myself?
You just edited again. You have to at least let me know that you have edited. Luckily, I have no deletions that I need to copy/paste into the instructions.

Click Start>Control Panel>User Accounts
  • Click 'Change an Account'
  • Select the Account you wish to change
  • Click 'Change my name'

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
O20 - Winlogon Notify: ssqRLETJ - ssqRLETJ.dll (file missing)



Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Kaspersky is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls
http://miekiemoes.blogspot.com/search/label/Prevention

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 05-15-2008 at 03:25 PM.
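The triage Ried performs above by eye (a non-default Start Page in R0, an O20 Winlogon Notify entry whose DLL is already gone, and Kaspersky hits that live only in System Restore's cache or are mere "Object is locked" notices) can be expressed as a small log classifier. The script below is an added example written for this thread; it is not part of HijackThis, Kaspersky, or the forum's instructions. The sample lines are constructed, modelled on the logs posted in this thread (the Desktop path is invented), and `KNOWN_DEFAULT_HOSTS` is an assumed allowlist of vendor-default search/start hosts that you would extend for your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis v2 lines, modelled on the log above (not the original log).
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOWNLO~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O20 - Winlogon Notify: ssqRLETJ - ssqRLETJ.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

# Constructed Kaspersky online-scan lines; the Desktop path is invented for illustration.
KAV_SAMPLE = r"""
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0003260.exe Infected: Trojan.Win32.Agent.lom skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\A0003263.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP89\change.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\User\Desktop\setup.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
"""

# Assumption: hosts that Internet Explorer points at out of the box on this platform.
KNOWN_DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt_line(line):
    """Split a HijackThis line into its section code (R0, O2, O20, ...) and body."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    return {"section": m.group("sec"), "body": body,
            "file_missing": "(file missing)" in body}


def triage_hjt(lines):
    """Return (section, reason) pairs for entries a helper would want to fix or verify."""
    findings = []
    for line in lines:
        e = parse_hjt_line(line)
        if e is None:
            continue
        sec, body = e["section"], e["body"]
        if sec in ("R0", "R1"):
            # Start/search page entries: flag any host that is not a known default.
            url = body.split(" = ", 1)[1] if " = " in body else ""
            host = urlparse(url).hostname or ""
            if host and host not in KNOWN_DEFAULT_HOSTS:
                findings.append((sec, "start/search page points at non-default host " + host))
        elif sec == "O20" and body.startswith("Winlogon Notify:") and e["file_missing"]:
            # Registry still tells winlogon to load a DLL that is no longer on disk.
            findings.append((sec, "orphaned Winlogon Notify entry: " + body))
        elif sec == "O2" and e["file_missing"]:
            findings.append((sec, "orphaned BHO entry: " + body))
    return findings


def classify_kav_line(line):
    """Bucket one Kaspersky scan line: locked (not a detection), restore-cache, active, other."""
    line = line.strip()
    if line.endswith("Object is locked skipped"):
        return "locked"
    m = re.match(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$", line)
    if not m:
        return "other"
    # Files under System Restore's cache are inert unless a manual restore is performed.
    if "\\system volume information\\_restore" in m.group("path").lower():
        return "restore-cache"
    return "active"


def summarize_kav(lines):
    """Count scan lines per bucket so restore-point noise is separated from live files."""
    counts = {"locked": 0, "restore-cache": 0, "active": 0, "other": 0}
    for line in lines:
        if line.strip():
            counts[classify_kav_line(line)] += 1
    return counts


if __name__ == "__main__":
    for sec, reason in triage_hjt(HJT_SAMPLE.strip().splitlines()):
        print(sec, reason)
    print(summarize_kav(KAV_SAMPLE.strip().splitlines()))
```

On the constructed samples the triage reports exactly the two entries Ried had checked (the R0 start page and the O20 Winlogon Notify) plus the stale Spybot BHO, and the Kaspersky summary separates the one restore-point detection and the "Object is locked" notices from the single live file that would actually need attention.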
Old 05-18-2008, 09:55 PM   #10
TSF Supporter
 
Join Date: Oct 2007
Location: Minnesota, USA
Posts: 101
OS: Windows XP


Re: Pop-Ups and Homepage Hijack

I was out of town for the weekend, but everything seems to be working fine on the machine. I really appreciate all of your help, and I will be definitely checking out those programs you linked.

Thank you a million times over :D
Old 05-18-2008, 10:29 PM   #11
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Pop-Ups and Homepage Hijack

Good--please install them, they'll go a long way in protecting your system.

You're welcome, and take care, Wheezy.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
 


Copyright 2001 - 2009, Tech Support Forum