spyware/adware removal help/yellow exclamation mark

soundwavetapes · Nov 11, 2007

i've been getting popups in the right corner of my screen with a yellow exclamation mark telling me that i have viruses. i also have two icons that won't go away, live safety center and the online security guide. i followed the 5 steps before posting a log so hopefully i have this right.

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2007-11-11 13:48:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-11-11 18:48:46 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-11 13:52:21
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\AOL\1145122393\ee\aolsoftware.exe
C:\hp\KBD\kbd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/search/index.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B287F58-F521-4394-8AA5-CFD1C847A26E} - C:\WINDOWS\system32\jkhfe.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\efqkwyil.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: {871cf89f-7fde-43b9-f844-83d1ca149b3f} - {f3b941ac-1d38-448f-9b34-edf7f98fc178} - C:\WINDOWS\system32\xwkmfshx.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\efqkwyil.dll
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1197aea6] rundll32.exe "C:\WINDOWS\system32\iuaiabda.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154564546031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: efqkwyil - C:\WINDOWS\system32\efqkwyil.dll
O20 - Winlogon Notify: hgggfdd - C:\WINDOWS\system32\hgggfdd.dll (file missing)
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\system32\winuns32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPWDSVC.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSVC - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVSCAN.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11788 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD>

S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S0 Pml Driver HPZ12 - \systemroot\c:\windows\system32\hpzipm12.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-11-06 18:43:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-10-26 19:00:00 570 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job
2006-04-16 17:49:33 386 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job

-- Files created between 2007-10-11 and 2007-11-11 -----------------------------

2007-11-11 13:33:32 0 d-------- C:\Program Files\SpywareBlaster
2007-11-11 13:32:50 0 d-------- C:\ie-spyad_zo
2007-11-11 12:49:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-11 12:49:49 0 d-------- C:\WINDOWS\LastGood
2007-11-10 20:58:37 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-10 19:32:24 0 d-------- C:\Program Files\Lavasoft
2007-11-10 19:32:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-10 14:39:45 85056 --a------ C:\WINDOWS\system32\iuaiabda.dll
2007-11-10 14:33:39 81472 --a------ C:\WINDOWS\system32\xwkmfshx.dll
2007-11-09 12:24:07 3850 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-09 12:22:12 77888 --a------ C:\WINDOWS\system32\nifgkebi.dll
2007-11-09 12:01:02 145984 --a------ C:\WINDOWS\system32\efqkwyil.dll
2007-11-09 12:00:41 145984 --a------ C:\WINDOWS\system32\kfjpfftx.dll
2007-11-09 11:59:42 71232 --a------ C:\WINDOWS\system32\nvnoifks.exe <Not Verified; ; DDC>
2007-11-08 16:47:44 444772 ---hs---- C:\WINDOWS\system32\efhkj.bak2
2007-11-08 16:44:57 0 d-------- C:\Program Files\Veoh Networks
2007-11-08 16:44:32 0 d-------- C:\Program Files\Kutchka
2007-11-08 16:44:32 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Kutchka
2007-11-07 18:47:32 7077888 --a------ C:\Documents and Settings\HP_Administrator\ntuser.dat
2007-11-07 18:47:01 313440 --a------ C:\WINDOWS\system32\jkhfe.dll
2007-11-07 18:39:55 22016 --a------ C:\WINDOWS\system32\winuns32.dll
2007-11-04 23:12:15 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2007-11-04 22:02:55 99 --a------ C:\WINDOWS\system32\qwavecache.dat
2007-11-04 21:49:48 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-19 12:22:30 0 d-------- C:\Program Files\DVD Decrypter

-- Find3M Report ---------------------------------------------------------------

2007-11-11 13:51:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-11 13:01:50 0 d-a------ C:\Program Files\Common Files\LightScribe
2007-11-11 13:01:31 0 d-------- C:\Program Files\iTunes
2007-11-11 13:01:21 0 d-------- C:\Program Files\AIM
2007-11-11 13:01:13 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2007-11-11 12:44:34 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Viewpoint
2007-11-11 12:44:31 0 d-------- C:\Program Files\Viewpoint
2007-11-10 19:31:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 16:06:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-08 03:28:37 2220 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-11-04 22:14:16 0 d-------- C:\Program Files\Windows Media Connect 2
2007-10-15 17:02:30 0 d-------- C:\Program Files\AIM6
2007-10-14 13:27:20 0 d-------- C:\Program Files\Red Kawa
2007-10-02 18:14:18 0 d--h----- C:\Documents and Settings\HP_Administrator\Application Data\GTek
2007-09-23 22:47:18 0 d-------- C:\Program Files\LimeWire
2007-09-20 18:32:00 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-19 13:21:10 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2007-09-19 12:12:45 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Final Draft
2007-09-19 12:11:23 0 d-------- C:\Program Files\Final Draft Tagger
2007-09-19 12:11:23 0 d-------- C:\Program Files\Final Draft 7
2007-09-19 12:10:52 0 d-------- C:\Program Files\Common Files
2007-09-19 10:22:27 0 d-------- C:\Program Files\Microsoft Works
2007-09-18 22:13:13 0 d-------- C:\Program Files\Apple Software Update
2007-09-18 15:42:18 0 d-------- C:\Program Files\iPod
2007-09-18 15:21:33 1258 --a------ C:\WINDOWS\checkip.dat
2007-09-18 15:15:47 1258 --a------ C:\WINDOWS\ipconfig.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B287F58-F521-4394-8AA5-CFD1C847A26E}]
11/07/2007 06:47 PM 313440 --a------ C:\WINDOWS\system32\jkhfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{837B45D6-BF85-457D-AABF-6D2E7815F791}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
11/09/2007 12:01 PM 145984 --a------ C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f3b941ac-1d38-448f-9b34-edf7f98fc178}]
11/10/2007 02:33 PM 81472 --a------ C:\WINDOWS\system32\xwkmfshx.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\efqkwyil.dll [11/09/2007 12:01 PM 145984]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/02/2005 01:35 AM]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/27/2005 01:54 PM]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [03/29/2005 07:03 PM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [09/21/2005 12:41 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [05/12/2005 09:12 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe" [05/09/2006 07:24 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 11:59 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 03:44 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/14/2007 09:00 AM]
"1197aea6"="C:\WINDOWS\system32\iuaiabda.dll" [11/10/2007 02:39 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [08/01/2006 02:35 PM]
"@"="" []
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [03/15/2007 05:16 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 9:23:26 AM]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [12/23/2005 5:58:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efqkwyil]
efqkwyil.dll 11/09/2007 12:01 PM 145984 C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggfdd]
hgggfdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]
winuns32.dll 11/07/2007 06:39 PM 22016 C:\WINDOWS\system32\winuns32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfe.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f334fa6-6054-11db-ab96-0013d3f91e08}]
AutoRun\command- K:\JDLightning\Windows\JDLightning.exe

-- End of Deckard's System Scanner: finished at 2007-11-11 13:53:09 ------------

alba · Nov 12, 2007

Hi soundwavetapes

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

===============================================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

===============================================

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

=================

Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer.

Alternate link

Make sure you close down EVERY open window and close ALL browser windows. The only thing that should be open is the HijackThis program.

Double-click on the file you just downloaded.
Click on the "Install" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

If it gives you an intro screen, just choose 'Do a system scan and save a log file'.
If not, run a scan and save the log file.
Copy the text file (Ctrl+A then Ctrl+C) and paste it here.
Do not fix any entries in HijackThis since they may be harmless.
[*]Make sure to include the System information at the top of the log as well.

=================

In your next post, please include fresh logs from:

ComboFix.txt
HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

soundwavetapes · Nov 12, 2007

okay here are my combofix and hijack this logs respectively.

ComboFix 07-11-08.3 - HP_Administrator 2007-11-12 15:40:32.1 - NTFSx86
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\3EWJFHZU\www.broadcaster.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\3EWJFHZU\www.broadcaster.com\played_list.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\3EWJFHZU\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\HP_Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Administrator\Favorites\Online Security Guide.lnk
C:\Program Files\Accoona
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efqkwyil.dllbox
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jxhwakey.dllbox
C:\WINDOWS\system32\winuns32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-12 15:30 89,664 --a------ C:\WINDOWS\system32\vnretsxo.dll
2007-11-12 15:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 15:24 81,472 --a------ C:\WINDOWS\system32\hqhocruf.dll
2007-11-12 15:22 71,232 --a------ C:\WINDOWS\system32\pykbbcra.exe
2007-11-12 12:18 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-12 12:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-12 12:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-12 12:18 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-12 12:18 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-11 14:37 88,128 --a------ C:\WINDOWS\system32\iuywtusb.dll
2007-11-11 14:34 79,936 --a------ C:\WINDOWS\system32\lxifrxfs.dll
2007-11-11 14:28 71,232 --a------ C:\WINDOWS\system32\arxcyyni.exe
2007-11-11 13:48 <DIR> d-------- C:\Deckard
2007-11-11 13:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-11 13:32 <DIR> d-------- C:\ie-spyad_zo
2007-11-11 12:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-10 20:58 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-10 14:33 81,472 --a------ C:\WINDOWS\system32\xwkmfshx.dll
2007-11-09 12:24 4,022 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-09 12:22 77,888 --a------ C:\WINDOWS\system32\nifgkebi.dll
2007-11-09 12:01 145,984 --a------ C:\WINDOWS\system32\efqkwyil.dll
2007-11-09 12:00 145,984 --a------ C:\WINDOWS\system32\kfjpfftx.dll
2007-11-09 11:59 71,232 --a------ C:\WINDOWS\system32\nvnoifks.exe
2007-11-08 16:44 <DIR> d-------- C:\Program Files\Kutchka
2007-11-08 16:44 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Kutchka
2007-11-08 11:55 582,940 --a------ C:\WINDOWS\system32\fldqoimf.ini.ren
2007-11-08 11:55 86,080 --a------ C:\WINDOWS\system32\fmioqdlf.dll.ren
2007-11-08 11:47 422,970 --a------ C:\WINDOWS\system32\efhkj.bak2.ren
2007-11-07 18:47 450,941 --a------ C:\WINDOWS\system32\efhkj.ini.ren
2007-11-07 18:39 22,016 --a------ C:\WINDOWS\system32\winuns32.dll.ren
2007-11-04 22:02 99 --a------ C:\WINDOWS\system32\qwavecache.dat
2007-11-04 21:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-19 12:22 <DIR> d-------- C:\Program Files\DVD Decrypter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 16:54 2,220 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-11-12 05:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-12 04:20 --------- d-----w C:\Program Files\Java
2007-11-11 19:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-11 19:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 19:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 18:01 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-11 18:01 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-11 18:01 --------- d-----w C:\Program Files\iTunes
2007-11-11 18:01 --------- d-----w C:\Program Files\AIM
2007-11-11 17:44 --------- d-----w C:\Program Files\Viewpoint
2007-11-11 17:44 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Viewpoint
2007-11-11 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-06 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-15 22:02 --------- d-----w C:\Program Files\AIM6
2007-10-14 18:27 --------- d-----w C:\Program Files\Red Kawa
2007-10-02 23:14 --------- d--h--w C:\Documents and Settings\HP_Administrator\Application Data\GTek
2007-10-02 23:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-02 22:55 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-24 03:47 --------- d-----w C:\Program Files\LimeWire
2007-09-20 23:32 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-19 18:21 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Final Draft
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Final Draft
2007-09-19 17:11 --------- d-----w C:\Program Files\Final Draft Tagger
2007-09-19 17:11 --------- d-----w C:\Program Files\Final Draft 7
2007-09-19 15:22 --------- d-----w C:\Program Files\Microsoft Works
2007-09-19 03:13 --------- d-----w C:\Program Files\Apple Software Update
2007-09-18 20:42 --------- d-----w C:\Program Files\iPod
2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2006-03-17 07:49 251 ----a-w C:\Program Files\wt3d.ini
2005-05-12 14:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-09 12:01 145984 --a------ C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e049afa2-702f-4b6e-8802-58941b81921f}]
2007-11-12 15:24 81472 --a------ C:\WINDOWS\system32\hqhocruf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\efqkwyil.dll [2007-11-09 12:01 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\efqkwyil.dll [2007-11-09 12:01 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 01:35]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-27 13:54]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2005-03-29 19:03]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 09:12]
"HostManager"="C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe" [2006-05-09 19:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"1197aea6"="C:\WINDOWS\system32\vnretsxo.dll" [2007-11-12 15:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 14:35]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-23 17:04:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 09:23:26]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-23 17:58:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efqkwyil]
efqkwyil.dll 2007-11-09 12:01 145984 C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggfdd]
hgggfdd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfe.dll

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f334fa6-6054-11db-ab96-0013d3f91e08}]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 23:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-27 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2006-04-16 22:49:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 15:57:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 16:00:54 - machine was rebooted
.
--- E O F ---

soundwavetapes · Nov 12, 2007

Logfile of HijackThis v1.99.1
Scan saved at 4:02:00 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\eHome\ehRecvr.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\efqkwyil.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: {f12918b1-4985-2088-e6b4-f2072afa940e} - {e049afa2-702f-4b6e-8802-58941b81921f} - C:\WINDOWS\system32\hqhocruf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\efqkwyil.dll
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1197aea6] rundll32.exe "C:\WINDOWS\system32\vnretsxo.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154564546031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: efqkwyil - C:\WINDOWS\SYSTEM32\efqkwyil.dll
O20 - Winlogon Notify: hgggfdd - hgggfdd.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

alba · Nov 13, 2007

Hi soundwavetapes

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Open notepad and carefully copy/paste all the text in the code box below into it:

Code:

File::
C:\WINDOWS\system32\vnretsxo.dll
C:\WINDOWS\system32\hqhocruf.dll
C:\WINDOWS\system32\pykbbcra.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\iuywtusb.dll
C:\WINDOWS\system32\lxifrxfs.dll
C:\WINDOWS\system32\arxcyyni.exe
C:\WINDOWS\system32\xwkmfshx.dll
C:\WINDOWS\system32\nifgkebi.dll
C:\WINDOWS\system32\efqkwyil.dll
C:\WINDOWS\system32\kfjpfftx.dll
C:\WINDOWS\system32\nvnoifks.exe
C:\WINDOWS\system32\fldqoimf.ini.ren
C:\WINDOWS\system32\fmioqdlf.dll.ren
C:\WINDOWS\system32\efhkj.bak2.ren
C:\WINDOWS\system32\efhkj.ini.ren
C:\WINDOWS\system32\winuns32.dll.ren
C:\WINDOWS\system32\qwavecache.dat
C:\Program Files\wt3d.ini
C:\WINDOWS\system32\jkhfe.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e049afa2-702f-4b6e-8802-58941b81921f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}”=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=- 
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1197aea6"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\efqkwyil]
[-HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\hgggfdd]

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

=============================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
    [*]Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

=================

Please Run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:

ComboFix.txt
Kaspersky report
HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

soundwavetapes · Nov 14, 2007

okay combofix log...

ComboFix 07-11-08.3 - HP_Administrator 2007-11-13 20:15:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.425 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Administrator\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\efqkwyil.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-12 15:30 89,664 --a------ C:\WINDOWS\system32\vnretsxo.dll
2007-11-12 15:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 15:24 81,472 --a------ C:\WINDOWS\system32\hqhocruf.dll
2007-11-12 15:22 71,232 --a------ C:\WINDOWS\system32\pykbbcra.exe
2007-11-12 12:18 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-12 12:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-12 12:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-12 12:18 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-12 12:18 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-11 14:37 88,128 --a------ C:\WINDOWS\system32\iuywtusb.dll
2007-11-11 14:34 79,936 --a------ C:\WINDOWS\system32\lxifrxfs.dll
2007-11-11 14:28 71,232 --a------ C:\WINDOWS\system32\arxcyyni.exe
2007-11-11 13:48 <DIR> d-------- C:\Deckard
2007-11-11 13:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-11 13:32 <DIR> d-------- C:\ie-spyad_zo
2007-11-11 12:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-10 20:58 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-10 14:33 81,472 --a------ C:\WINDOWS\system32\xwkmfshx.dll
2007-11-09 12:24 4,022 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-09 12:22 77,888 --a------ C:\WINDOWS\system32\nifgkebi.dll
2007-11-09 12:01 145,984 --a------ C:\WINDOWS\system32\efqkwyil.dll
2007-11-09 12:00 145,984 --a------ C:\WINDOWS\system32\kfjpfftx.dll
2007-11-09 11:59 71,232 --a------ C:\WINDOWS\system32\nvnoifks.exe
2007-11-08 16:44 <DIR> d-------- C:\Program Files\Kutchka
2007-11-08 16:44 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Kutchka
2007-11-08 11:55 582,940 --a------ C:\WINDOWS\system32\fldqoimf.ini.ren
2007-11-08 11:55 86,080 --a------ C:\WINDOWS\system32\fmioqdlf.dll.ren
2007-11-08 11:47 422,970 --a------ C:\WINDOWS\system32\efhkj.bak2.ren
2007-11-07 18:47 450,941 --a------ C:\WINDOWS\system32\efhkj.ini.ren
2007-11-07 18:39 22,016 --a------ C:\WINDOWS\system32\winuns32.dll.ren
2007-11-04 22:02 99 --a------ C:\WINDOWS\system32\qwavecache.dat
2007-11-04 21:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-19 12:22 <DIR> d-------- C:\Program Files\DVD Decrypter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 16:54 2,220 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-11-12 05:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-12 04:20 --------- d-----w C:\Program Files\Java
2007-11-11 19:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-11 19:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 19:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 18:01 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-11 18:01 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-11 18:01 --------- d-----w C:\Program Files\iTunes
2007-11-11 18:01 --------- d-----w C:\Program Files\AIM
2007-11-11 17:44 --------- d-----w C:\Program Files\Viewpoint
2007-11-11 17:44 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Viewpoint
2007-11-11 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-06 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-15 22:02 --------- d-----w C:\Program Files\AIM6
2007-10-14 18:27 --------- d-----w C:\Program Files\Red Kawa
2007-10-02 23:14 --------- d--h--w C:\Documents and Settings\HP_Administrator\Application Data\GTek
2007-10-02 23:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-02 22:55 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-24 03:47 --------- d-----w C:\Program Files\LimeWire
2007-09-20 23:32 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-19 18:21 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Final Draft
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Final Draft
2007-09-19 17:11 --------- d-----w C:\Program Files\Final Draft Tagger
2007-09-19 17:11 --------- d-----w C:\Program Files\Final Draft 7
2007-09-19 15:22 --------- d-----w C:\Program Files\Microsoft Works
2007-09-19 03:13 --------- d-----w C:\Program Files\Apple Software Update
2007-09-18 20:42 --------- d-----w C:\Program Files\iPod
2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2006-03-17 07:49 251 ----a-w C:\Program Files\wt3d.ini
2005-05-12 14:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( [email protected]_15.59.40.67 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-09 12:01 145984 --a------ C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\efqkwyil.dll [2007-11-09 12:01 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\efqkwyil.dll [2007-11-09 12:01 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 01:35]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-27 13:54]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2005-03-29 19:03]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 09:12]
"HostManager"="C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe" [2006-05-09 19:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 14:35]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-23 17:04:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 09:23:26]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-23 17:58:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efqkwyil]
efqkwyil.dll 2007-11-09 12:01 145984 C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggfdd]
hgggfdd.dll

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f334fa6-6054-11db-ab96-0013d3f91e08}]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 23:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-27 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2006-04-16 22:49:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 20:22:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 20:25:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-12 16:00
.
--- E O F ---

soundwavetapes · Nov 14, 2007

kaspersky log...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 13, 2007 11:52:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/11/2007
Kaspersky Anti-Virus database records: 457896
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 110043
Number of viruses found: 8
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 02:08:09

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mofugclq.exe Infected: not-a-virus

ownloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\qrjatydi.exe Infected: not-a-virus

ownloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\rhvqsuwb.exe Infected: not-a-virus

ownloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\urclqecd.exe Infected: not-a-virus

ownloader.Win32.WinFixer.au skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d13fa5ae98ce01eecc5b1d9e38e25352_ec0c6562-b4c2-46e9-a0ee-37f8e9caa4fe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture01.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture02.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture03.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture04.jpg.41b2cd62.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture05.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture06.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture07.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture08.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture09.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture10.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\cert8.db Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\history.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\key3.db Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\parent.lock Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\search.sqlite Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p74wqjii.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007111320071114\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\_hphtra07.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Mozilla Firefox\install.exe Infected: Virus.Win32.Virut.av skipped
C:\Program Files\Mozilla Firefox\keygen.exe Infected: Trojan-Downloader.Win32.Small.gmx skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0105NAV~.TMP Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\L0000009.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.idx Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\qoobox\Quarantine\C\WINDOWS\NDNuninstall7_22.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\winuns32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0001299.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0001300.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0001301.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E4A340DB-6A47-46F1-B9A6-7C109739BADD}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\arxcyyni.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\nvnoifks.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\pykbbcra.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winuns32.dll.ren Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP6\change.log Object is locked skipped

Scan process completed.

soundwavetapes · Nov 14, 2007

hijack this log...

Logfile of HijackThis v1.99.1
Scan saved at 11:53:20 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\efqkwyil.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\efqkwyil.dll
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154564546031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: efqkwyil - C:\WINDOWS\SYSTEM32\efqkwyil.dll
O20 - Winlogon Notify: hgggfdd - hgggfdd.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

alba · Nov 14, 2007

Hi soundwavetapes

Did you have any problems or error messages when you ran Combofix last time

soundwavetapes · Nov 14, 2007

no everything went seemingly smooth.

alba · Nov 14, 2007

Hi soundwavetapes

It seems Combo didn't work properly can you try the following please

Please download the text file CFScript.txt that I have attached below and save it to your desktop(delete the previous one first).
Unplug/disconnect from the from the Internet
Disable\shut down Norton Anti-virus

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post the new log produced in your next post

soundwavetapes · Nov 14, 2007

ComboFix 07-11-08.3 - HP_Administrator 2007-11-14 11:54:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.486 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\wt3d.ini
C:\WINDOWS\system32\arxcyyni.exe
C:\WINDOWS\system32\efhkj.bak2.ren
C:\WINDOWS\system32\efhkj.ini.ren
C:\WINDOWS\system32\efqkwyil.dll
C:\WINDOWS\system32\fldqoimf.ini.ren
C:\WINDOWS\system32\fmioqdlf.dll.ren
C:\WINDOWS\system32\hqhocruf.dll
C:\WINDOWS\system32\iuywtusb.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\kfjpfftx.dll
C:\WINDOWS\system32\lxifrxfs.dll
C:\WINDOWS\system32\nifgkebi.dll
C:\WINDOWS\system32\nvnoifks.exe
C:\WINDOWS\system32\pykbbcra.exe
C:\WINDOWS\system32\qwavecache.dat
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\vnretsxo.dll
C:\WINDOWS\system32\winuns32.dll.ren
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\xwkmfshx.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Administrator\Favorites\Online Security Guide.lnk
C:\Program Files\wt3d.ini
C:\WINDOWS\system32\arxcyyni.exe
C:\WINDOWS\system32\efhkj.bak2.ren
C:\WINDOWS\system32\efhkj.ini.ren
C:\WINDOWS\system32\efqkwyil.dll
C:\WINDOWS\system32\efqkwyil.dllbox
C:\WINDOWS\system32\fldqoimf.ini.ren
C:\WINDOWS\system32\fmioqdlf.dll.ren
C:\WINDOWS\system32\hqhocruf.dll
C:\WINDOWS\system32\iuywtusb.dll
C:\WINDOWS\system32\kfjpfftx.dll
C:\WINDOWS\system32\lxifrxfs.dll
C:\WINDOWS\system32\nifgkebi.dll
C:\WINDOWS\system32\nvnoifks.exe
C:\WINDOWS\system32\pykbbcra.exe
C:\WINDOWS\system32\qwavecache.dat
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\vnretsxo.dll
C:\WINDOWS\system32\winuns32.dll.ren
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\xwkmfshx.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-13 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 20:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 15:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 12:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-12 12:18 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-11 13:48 <DIR> d-------- C:\Deckard
2007-11-11 13:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-11 13:32 <DIR> d-------- C:\ie-spyad_zo
2007-11-11 12:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-10 20:58 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-09 12:24 4,022 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-09 12:01 145,984 --------- C:\WINDOWS\system32\efqkwyil.dll
2007-11-08 16:44 <DIR> d-------- C:\Program Files\Kutchka
2007-11-08 16:44 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Kutchka
2007-11-04 21:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-19 12:22 <DIR> d-------- C:\Program Files\DVD Decrypter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-12 16:54 2,220 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-11-12 04:20 --------- d-----w C:\Program Files\Java
2007-11-11 19:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-11 19:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 19:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 18:01 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-11 18:01 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-11 18:01 --------- d-----w C:\Program Files\iTunes
2007-11-11 18:01 --------- d-----w C:\Program Files\AIM
2007-11-11 17:44 --------- d-----w C:\Program Files\Viewpoint
2007-11-11 17:44 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Viewpoint
2007-11-11 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-06 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-15 22:02 --------- d-----w C:\Program Files\AIM6
2007-10-14 18:27 --------- d-----w C:\Program Files\Red Kawa
2007-10-02 23:14 --------- d--h--w C:\Documents and Settings\HP_Administrator\Application Data\GTek
2007-10-02 23:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-02 22:55 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-24 03:47 --------- d-----w C:\Program Files\LimeWire
2007-09-20 23:32 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-19 18:21 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Final Draft
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Final Draft
2007-09-19 17:11 --------- d-----w C:\Program Files\Final Draft Tagger
2007-09-19 17:11 --------- d-----w C:\Program Files\Final Draft 7
2007-09-19 15:22 --------- d-----w C:\Program Files\Microsoft Works
2007-09-19 03:13 --------- d-----w C:\Program Files\Apple Software Update
2007-09-18 20:42 --------- d-----w C:\Program Files\iPod
2005-05-12 14:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( [email protected]_15.59.40.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-06 02:59:44 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-11-14 07:31:22 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-11-06 02:59:44 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-11-14 07:31:22 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-11-06 02:59:44 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-11-14 07:31:22 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-11-06 02:59:45 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-11-14 07:31:22 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-11-06 02:59:45 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-11-14 07:31:22 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-11-06 02:59:45 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-11-14 07:31:22 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-11-06 02:59:44 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-11-14 07:31:22 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-11-06 02:59:45 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-11-14 07:31:22 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-11-06 02:59:44 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-11-14 07:31:22 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-11-06 02:59:44 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-11-14 07:31:22 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-08-21 10:13:33 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-14 11:57 145984 --------- C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\efqkwyil.dll [2007-11-14 11:57 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 01:35]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-27 13:54]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2005-03-29 19:03]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 09:12]
"HostManager"="C:\Program Files\Common Files\AOL\1145122393\ee\AOLSoftware.exe" [2006-05-09 19:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 14:35]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-23 17:04:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 09:23:26]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-23 17:58:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efqkwyil]
efqkwyil.dll 2007-11-14 11:57 145984 C:\WINDOWS\system32\efqkwyil.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggfdd]
hgggfdd.dll

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f334fa6-6054-11db-ab96-0013d3f91e08}]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 23:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-27 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2006-04-16 22:49:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 12:00:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 12:03:19 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-13 20:25
C:\ComboFix3.txt ... 2007-11-12 16:00
.
--- E O F ---

alba · Nov 14, 2007

Hi soundwavetapes

We are nearly there just a couple of tenacious files to delete.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

========================

Please download the OTMoveIt by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\efqkwyil.dll
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

=================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\efqkwyil.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\efqkwyil.dll
O20 - Winlogon Notify: efqkwyil - C:\WINDOWS\SYSTEM32\efqkwyil.dll
O20 - Winlogon Notify: hgggfdd - hgggfdd.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

====================

Go here and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Leave the scanning options at default and press "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and post it in your next reply

=================

Please Run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Bitdefender results
HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

===============================================

spyware/adware removal help/yellow exclamation mark

soundwavetapes

Attachments

alba

soundwavetapes

soundwavetapes

alba

soundwavetapes

soundwavetapes

soundwavetapes

alba

soundwavetapes

alba

Attachments

soundwavetapes

alba

Top Contributors this Month