jbholsters

Popups Galore

15 posts in this topic

Just ran the software and created the hijack file. Any and all help would be greatly appreciated.

 

Logfile of HijackThis v1.99.1

Scan saved at 5:06:47 PM, on 5/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

C:\Program Files\Yahoo!\Antivirus\ISafe.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\AdwareAlert\AdwareAlert.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\smanager.7.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

C:\WINDOWS\system32\wwSecure.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Documents and Settings\Joshua Bulman\My Documents\hijackthislog\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [adwarealert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [{1F-FF-F6-64-ZN}] c:\windows\system32\dwdsregt.exe CHD001

O4 - HKLM\..\Run: [sManager] smanager.7.exe

O4 - HKLM\..\Run: [system]

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\khigda.dll",realset

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O20 - AppInit_DLLs: c:\windows\system32\pmkhhhi.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Hello,

 

Please perform my instructions in the right order.

 

I see you have AdwareAlert installed. If you didn't purchase it, I suggest you uninstall it - because there are better scanners out there.

Also uninstall NewDotNet if still present.

Then reboot.

 

After reboot,

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - (no file)

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [{1F-FF-F6-64-ZN}] c:\windows\system32\dwdsregt.exe CHD001

O4 - HKLM\..\Run: [sManager] smanager.7.exe

O4 - HKLM\..\Run: [system]

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\khigda.dll",realset

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O20 - AppInit_DLLs: c:\windows\system32\pmkhhhi.dll

O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

* Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
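One way to make this kind of log review repeatable, as an added example that is not part of the original thread and is neither HijackThis nor Lavasoft code: a small Python triage script that parses the HijackThis entry lines and flags the classes the fix list above targets (autorun values with an empty command or an executable dropped straight into the Windows directory, rundll32 loading a DLL from there, Trusted Zone additions, AppInit_DLLs, ActiveX objects sourced from a local .chm, and unknown-owner services running from the Windows root). The rules and severities are assumptions chosen for illustration, and the sample input is a constructed subset of the log posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis or
Lavasoft code). Parses the "Oxx - ..." lines and flags the entry classes the
fix list above targets. The rules are a heuristic assumed for illustration,
not a malware verdict: a flagged line still needs a human decision."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the log posted above, limited to the entry
# types the rules below understand.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [system]
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\khigda.dll",realset
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: c:\windows\system32\pmkhhhi.dll
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DLL_ARG_RE = re.compile(r'"?([a-z]:\\[^",]+\.dll)', re.IGNORECASE)

@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O4" or "O23"
    body: str     # text after "O4 - "
    line: str     # the original line, kept for reporting

def parse_log(text: str) -> List[Entry]:
    """Keep only the R/F/O entries; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body"), raw.strip()))
    return entries

def in_windir_root(path: str) -> bool:
    """True for a file placed directly in the Windows directory, not a subfolder."""
    return bool(WINDIR_ROOT_RE.match(path.strip().strip('"')))

def first_token(cmd: str) -> str:
    """Executable part of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""

def check(entry: Entry) -> Optional[Tuple[str, str]]:
    """(severity, reason) when the entry deserves review, else None."""
    body = entry.body
    if "(no file)" in body or "(file missing)" in body:
        return ("low", "orphaned entry: the referenced file no longer exists")
    if entry.section == "O4":
        m = RUN_VALUE_RE.search(body)
        if not m:          # Startup-folder shortcuts are not assessed here
            return None
        cmd = m.group("cmd")
        if not cmd:
            return ("high", "autorun value with an empty command")
        dll = DLL_ARG_RE.search(cmd) if cmd.lower().startswith("rundll32") else None
        if dll and in_windir_root(dll.group(1)):
            return ("high", "rundll32 loads a DLL from the Windows root")
        if in_windir_root(first_token(cmd)):
            return ("high", "autorun executable placed directly in the Windows root")
    elif entry.section == "O15":
        return ("high", "domain added to the IE Trusted Zone (relaxed security for it)")
    elif entry.section == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            return ("high", "AppInit_DLLs injects this DLL into every user32 process")
    elif entry.section == "O16":
        source = body.rsplit(" - ", 1)[-1]
        if not source.lower().startswith(("http://", "https://")):
            return ("medium", "ActiveX object sourced from a local file, not a web URL")
    elif entry.section == "O23":
        parts = body.rsplit(" - ", 2)   # "Service: name - owner - path"
        if len(parts) == 3 and parts[1] == "Unknown owner" and in_windir_root(parts[2]):
            return ("high", "service with unknown owner running from the Windows root")
    return None

def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(severity, reason, line) for every flagged entry, worst first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    found = [(v[0], v[1], e.line) for e in entries for v in [check(e)] if v]
    return sorted(found, key=lambda f: rank[f[0]])

if __name__ == "__main__":
    for sev, reason, line in triage(parse_log(SAMPLE_LOG)):
        print(f"[{sev:6}] {reason}\n         {line}")
```

The rules deliberately stay narrow: the NVIDIA rundll32 entry that loads a DLL from system32 and Dell's unknown-owner broker service under Program Files pass untouched, which is the same distinction the fix list above draws by hand. A script like this sorts a 150-line log into what to look at first; deciding what actually gets fixed remains a per-line judgement, as it is in this thread.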


I wasn't able to complete your instructions. When I try to delete NewDotNet I get the following Windows prompt (screenshot attachment: post-27605-1180020208.jpg).

 

What should I do?

 

Thanks


Did you uninstall it as I asked, and then reboot? Manually deleting it indeed won't work.

Anyway, if that fails, just skip that step and deal with the next steps. Then we'll deal with it afterwards if still present.


Thanks for all of the help so far!! I was able to remove NEWDOTNET. I did not remove AdWare. I have the full version.

Here are the log files you requested.

 

Logfile of HijackThis v1.99.1

Scan saved at 4:11:04 PM, on 5/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Yahoo!\Antivirus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

C:\WINDOWS\system32\wwSecure.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\AdwareAlert\AdwareAlert.exe

C:\WINDOWS\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Joshua Bulman\My Documents\hijackthislog\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0} - C:\WINDOWS\system32\mprmem.dll

O2 - BHO: (no name) - {9858A660-B48C-4079-9E6B-4CEBED41490F} - C:\WINDOWS\system32\mprmem.dll

O2 - BHO: 0 - {B8DB0242-6120-467C-D4AD-0BFFEC130382} - C:\Program Files\MSN Gaming Zone\rycir.dll

O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [adwarealert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O20 - AppInit_DLLs: c:\windows\system32\pmkhhhi.dll

O20 - Winlogon Notify: mprmem - C:\WINDOWS\SYSTEM32\mprmem.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

"Joshua Bulman" - 2007-05-24 16:03:23 Service Pack 2

ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\Joshua Bulman\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\bbakddtr.dll

C:\WINDOWS\system32\uoxuguni.dll

C:\WINDOWS\system32\awtqpnm.dll

C:\WINDOWS\system32\pmnomll.dll

C:\WINDOWS\system32\vturqqr.dll

C:\WINDOWS\system32\xxyxyyv.dll

C:\WINDOWS\system32\yaywuvs.dll

C:\WINDOWS\system32\pdkbymyi.exe

C:\WINDOWS\system32\winepi32.dll

C:\WINDOWS\system32\pqtss.bak1

C:\WINDOWS\system32\pqtss.bak2

C:\WINDOWS\system32\pqtss.ini

C:\WINDOWS\system32\pqtss.bak1

C:\WINDOWS\system32\pqtss.bak2

C:\WINDOWS\system32\pqtss.ini

C:\WINDOWS\system32\sstqp.dll

C:\WINDOWS\system32\rqrqpnn.dll

C:\WINDOWS\Config\bakad.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

"C:\WINDOWS\cfg32a.exe"

"C:\Program Files\Common Files\Yazzle1162OinAdmin.exe"

"C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe"

"C:\WINDOWS\system32\~.exe"

"C:\WINDOWS\retadpu1000106.exe"

"C:\WINDOWS\retadpu1000272.exe"

"C:\WINDOWS\system32\tmp12.tmp.dll"

"C:\WINDOWS\system32\tmp14.tmp.dll"

"C:\WINDOWS\system32\tmp17.tmp.dll"

"C:\WINDOWS\system32\tmp1C.tmp.dll"

"C:\WINDOWS\system32\tmp1E.tmp.dll"

"C:\WINDOWS\system32\tmp1F.tmp.dll"

"C:\WINDOWS\system32\tmp20.tmp.dll"

"C:\WINDOWS\system32\tmp21.tmp.dll"

"C:\WINDOWS\system32\tmp22.tmp.dll"

"C:\WINDOWS\system32\tmp24.tmp.dll"

"C:\WINDOWS\system32\tmp2D.tmp.dll"

"C:\WINDOWS\system32\tmp30.tmp.dll"

"C:\WINDOWS\system32\tmp31.tmp.dll"

"C:\WINDOWS\system32\tmp32.tmp.dll"

"C:\WINDOWS\system32\tmp33.tmp.dll"

"C:\WINDOWS\system32\tmp35.tmp.dll"

"C:\WINDOWS\system32\tmp37.tmp.dll"

"C:\WINDOWS\system32\tmp39.tmp.dll"

"C:\WINDOWS\system32\tmp3C.tmp.dll"

"C:\WINDOWS\system32\tmp3D.tmp.dll"

"C:\WINDOWS\system32\tmp3E.tmp.dll"

"C:\WINDOWS\system32\tmp3F.tmp.dll"

"C:\WINDOWS\system32\tmp42.tmp.dll"

"C:\WINDOWS\system32\tmp46.tmp.dll"

"C:\WINDOWS\system32\tmp48.tmp.dll"

"C:\WINDOWS\system32\tmp4A.tmp.dll"

"C:\WINDOWS\system32\tmp4C.tmp.dll"

"C:\WINDOWS\system32\tmp52.tmp.dll"

"C:\WINDOWS\system32\tmp56.tmp.dll"

"C:\WINDOWS\system32\tmp5B.tmp.dll"

"C:\WINDOWS\system32\tmp5D.tmp.dll"

"C:\WINDOWS\system32\tmp61.tmp.dll"

"C:\WINDOWS\system32\tmp73.tmp.dll"

"C:\WINDOWS\system32\tmp78.tmp.dll"

"C:\WINDOWS\system32\tmp9F.tmp.dll"

"C:\Temp\17O7\tmpTF.log"

"C:\Program Files\Common Files\svchost.exe"

"C:\WINDOWS\svchost.exe"

"C:\WINDOWS\b122.exe"

"C:\WINDOWS\system32\dnsersnd.dll"

"C:\WINDOWS\cfg32r.dll"

"C:\WINDOWS\cfg32s.dll"

"C:\WINDOWS\sammy3.exe"

"C:\WINDOWS\rau001978.exe"

"C:\WINDOWS\Config\ntp2.ini"

"C:\WINDOWS\system32\smpi1"

"C:\Temp\17O7"

 

 

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_NET_AGENT

-------\Net Agent

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))

 

 

2007-05-24 16:05 49,204 --a------ C:\WINDOWS\system32\htdpqmqk.dll

2007-05-24 15:48 106,425 --a------ C:\WINDOWS\ursrpo.dll

2007-05-24 15:14 106,575 --a------ C:\WINDOWS\byyxut.dll

2007-05-24 10:50 106,585 --a------ C:\WINDOWS\jkjhed.dll

2007-05-24 10:46 20,480 --a------ C:\WINDOWS\avp.exe

2007-05-23 15:13 106,324 --a------ C:\WINDOWS\wvwxxy.dll

2007-05-23 14:32 11,264 --a------ C:\WINDOWS\smanager.7.exe

2007-05-23 14:32 10,240 --a------ C:\WINDOWS\system32\klikalka.exe

2007-05-23 14:31 933 --a------ C:\WINDOWS\system32\winpfz32.sys

2007-05-23 14:31 8,464 --a------ C:\WINDOWS\system32\sporder.dll

2007-05-23 14:31 217,276 --a------ C:\WINDOWS\Setup89.exe

2007-05-23 14:31 20,480 --a------ C:\WINDOWS\stub_mma2.exe

2007-05-23 14:31 20,480 --a------ C:\WINDOWS\stub_mma1.exe

2007-05-23 14:31 <DIR> d-------- C:\WINDOWS\system32\TQ0

2007-05-23 14:31 <DIR> d-------- C:\WINDOWS\system32\T6

2007-05-23 14:31 <DIR> d-------- C:\WINDOWS\system32\T4

2007-05-23 14:31 <DIR> d-------- C:\WINDOWS\system32\T3

2007-05-23 14:31 <DIR> d-------- C:\WINDOWS\system32\pog

2007-05-23 14:31 <DIR> d-------- C:\Program Files\Ofb11

2007-05-23 14:30 <DIR> d-------- C:\WINDOWS\system32\T5QaSQ

2007-05-23 14:30 <DIR> d-------- C:\Tempb9

2007-05-21 18:02 106,526 --a------ C:\WINDOWS\wvtqrq.dll

2007-05-20 17:40 106,387 --a------ C:\WINDOWS\qomnmm.dll

2007-05-14 19:07 106,768 --a------ C:\WINDOWS\yabcyw.dll

2007-05-07 14:04 106,768 --a------ C:\WINDOWS\wvtspn.dll

2007-05-05 14:12 106,768 --a------ C:\WINDOWS\rqrstq.dll

2007-04-27 15:27 967,993 --a------ C:\Temp\gorPUS.exe

2007-04-27 15:27 <DIR> d-------- C:\Temp

2007-04-27 13:21 106,752 --a------ C:\WINDOWS\awtqno.dll

2007-04-27 11:51 106,752 --a------ C:\WINDOWS\iihhfg.dll

2007-04-27 11:22 106,752 --a------ C:\WINDOWS\fccawt.dll

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-23 19:47:44 -------- d-----w C:\Program Files\AdwareAlert

2007-05-23 18:31:44 -------- d-----w C:\Program Files\MSN Gaming Zone

2007-05-14 22:34:47 106,768 ----a-w C:\WINDOWS\wvtspo.dll

2007-05-02 11:36:49 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys

2007-05-02 11:36:49 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-13 11:51:36 -------- d--h--w C:\DOCUME~1\JOSHUA~1\APPLIC~1\Gtek

2007-04-13 11:27:18 -------- d-----w C:\Program Files\DellSupport

2007-04-12 15:33:36 -------- d-----w C:\DOCUME~1\JOSHUA~1\APPLIC~1\ultra

2007-04-10 18:33:33 106,767 ----a-w C:\WINDOWS\pmlife.dll

2007-04-10 14:47:20 106,767 ----a-w C:\WINDOWS\yaaywu.dll

2007-04-09 17:58:53 106,767 ----a-w C:\WINDOWS\opqrop.dll

2007-04-09 11:03:37 106,767 ----a-w C:\WINDOWS\qonlmk.dll

2007-04-06 22:39:42 106,767 ----a-w C:\WINDOWS\mlmklk.dll

2007-04-06 19:03:52 106,767 ----a-w C:\WINDOWS\vtrpnm.dll

2007-03-30 21:14:47 -------- d-----w C:\Program Files\HP

2007-03-29 15:25:03 106,539 ----a-w C:\WINDOWS\gebxwx.dll

2007-03-28 18:11:41 106,539 ----a-w C:\WINDOWS\ssttts.dll

2007-03-25 23:51:28 106,539 ----a-w C:\WINDOWS\awusqr.dll

2007-03-24 19:52:51 106,539 ----a-w C:\WINDOWS\urrppo.dll

2007-03-23 11:09:56 106,539 ----a-w C:\WINDOWS\pmklmn.dll

2007-03-21 11:38:59 105,656 ----a-w C:\WINDOWS\tuvwtr.dll

2007-03-21 11:25:34 -------- d-----w C:\Program Files\Messenger

2007-03-21 11:23:25 -------- d-----w C:\Program Files\Common Files\Webroot Shared

2007-03-19 10:52:38 87,248 ----a-w C:\DOCUME~1\JOSHUA~1\APPLIC~1\antivirus.exe

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-16 13:45:40 105,656 ----a-w C:\WINDOWS\yabbcy.dll

2007-03-13 14:57:00 136,992 ----a-w C:\DOCUME~1\JOSHUA~1\APPLIC~1\privprotect.exe

2007-03-12 17:05:50 105,656 ----a-w C:\WINDOWS\byyyvs.dll

2007-03-12 11:03:14 40,518 ----a-w C:\WINDOWS\nsreg.dat

2007-03-10 23:40:12 105,656 ----a-w C:\WINDOWS\yaxwvu.dll

2007-03-09 17:32:18 105,656 ----a-w C:\WINDOWS\jkhhii.dll

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2007-03-07 19:07:55 -------- d-----w C:\Program Files\USPSShippingAssistant

2007-03-07 16:37:20 87,760 ----a-w C:\DOCUME~1\JOSHUA~1\APPLIC~1\errsafer.exe

2007-03-06 23:06:52 -------- d-----w C:\Program Files\QuickTime

2007-03-06 22:50:45 105,656 ----a-w C:\WINDOWS\urstst.dll

2007-03-06 18:15:55 105,656 ----a-w C:\WINDOWS\efcyyw.dll

2007-03-03 23:26:30 105,288 ----a-w C:\WINDOWS\ssrpnk.dll

2007-03-01 16:08:54 95,696 ----a-w C:\DOCUME~1\JOSHUA~1\APPLIC~1\sysdoctor.exe

2007-02-25 01:45:11 105,288 ----a-w C:\WINDOWS\efdaba.dll

2007-02-23 22:31:28 105,288 ----a-w C:\WINDOWS\jkkjkh.dll

2007-02-23 22:01:35 124,112 ----a-w C:\DOCUME~1\JOSHUA~1\APPLIC~1\drvcleaner.exe

2007-02-23 01:23:34 105,288 ----a-w C:\WINDOWS\jkkjhe.dll

2007-02-19 22:48:26 105,130 ----a-w C:\WINDOWS\yaawxu.dll

2007-02-19 21:55:54 105,130 ----a-w C:\WINDOWS\opqoml.dll

2007-02-19 20:33:04 105,130 ----a-w C:\WINDOWS\wvwxwt.dll

2007-02-19 18:13:40 105,130 ----a-w C:\WINDOWS\yaaxxx.dll

2007-02-17 20:41:34 105,130 ----a-w C:\WINDOWS\iihhef.dll

2007-02-17 00:59:39 105,130 ----a-w C:\WINDOWS\jkhifd.dll

2007-02-16 19:10:53 105,130 ----a-w C:\WINDOWS\ursqpq.dll

2007-02-14 18:47:48 105,130 ----a-w C:\WINDOWS\wvwxww.dll

2007-02-13 22:59:55 105,130 ----a-w C:\WINDOWS\iiighh.dll

2007-02-13 18:24:59 105,130 ----a-w C:\WINDOWS\opooon.dll

2007-02-13 00:08:10 105,130 ----a-w C:\WINDOWS\rqpmlj.dll

2007-02-12 21:03:40 105,130 ----a-w C:\WINDOWS\jkhffd.dll

2007-02-08 20:31:24 105,130 ----a-w C:\WINDOWS\qopoom.dll

2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

2007-02-05 18:02:25 105,130 ----a-w C:\WINDOWS\dddebb.dll

2006-11-16 05:28:18 -------- --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2006-11-16 05:28:16 -------- --sh--r C:\WINDOWS\system32\5ADE550AF6.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0}=C:\WINDOWS\system32\mprmem.dll [2006-09-23 11:52]

{9858A660-B48C-4079-9E6B-4CEBED41490F}=C:\WINDOWS\system32\mprmem.dll [2006-09-23 11:52]

{B8DB0242-6120-467C-D4AD-0BFFEC130382}=C:\Program Files\MSN Gaming Zone\rycir.dll [2007-05-23 14:31]

{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 21:51]

"SigmatelSysTrayApp"="stsystra.exe" []

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 08:56]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]

"@"="" []

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]

"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 12:35]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]

"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 13:20]

"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 12:03]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-30 19:29]

"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]

"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-08-08 02:03]

"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-08-08 02:03]

"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-06-16 23:30]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-25 08:05]

"adwarealert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2006-11-30 19:03]

"avp"="C:\WINDOWS\avp.exe" [2007-05-24 10:46]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

"svchost.exe"=C:\WINDOWS\svchost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mprmem]

mprmem.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=c:\windows\system32\pmkhhhi.dll

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command- E:\setup.exe

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20070524-160015-568

O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)

 

backup-20070524-160005-608

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

 


 

backup-20070524-160005-408

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

 


 

backup-20070524-160005-786

O15 - Trusted Zone: *.winantivirus.com

 

backup-20070524-160005-669

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

 


 

backup-20070524-160004-675

O4 - HKLM\..\Run: [system]

 

backup-20070524-155113-138

O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)

 

backup-20070524-155054-918

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

 


 

backup-20070524-155054-676

O15 - Trusted Zone: *.winantivirus.com

 

backup-20070524-155054-810

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

 


 

backup-20070524-155054-222

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

 


 

backup-20070524-155054-485

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\byyxut.dll",realset

 

backup-20070524-155054-730

O4 - HKLM\..\Run: [system]

 

backup-20070524-155054-737

O4 - HKLM\..\Run: [sManager] smanager.7.exe

 

backup-20070524-155054-932

O4 - HKLM\..\Run: [{1F-FF-F6-64-ZN}] c:\windows\system32\mqdsregn.exe CHD001

 

backup-20070524-155054-665

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

 

backup-20070524-155054-632

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

 

backup-20070524-155054-853

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

 

backup-20070524-155054-842

O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - (no file)

 

backup-20070524-155054-936

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-24 16:07:01

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-24 16:09:28 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-24 16:09

 

--- E O F ---


I noticed that some of the entries that I checked off in HijackThis are still present in the current log that I have posted above, which was created after removing them and then running ComboFix.

Thanks

Josh


I see more malware present on this system than anything else :D

What a mess here. I am actually wondering if your Yahoo Antivirus even recognised them. Apparently not, otherwise it should already have deleted them as well... :D

 

Malware does a lot of damage, and the more malware, the more damage, so I cannot guarantee that we will be able to fix all the damage it has already caused though...

 

But first, in light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

 

Then, do the following, please:

 

Open Notepad and copy/paste the entire text in the quote box below into it, so EVERYTHING present in the quote box:

 

File::

C:\WINDOWS\system32\mprmem.dll

C:\WINDOWS\system32\htdpqmqk.dll

c:\windows\system32\pmkhhhi.dll

C:\WINDOWS\svchost.exe

C:\Program Files\MSN Gaming Zone\rycir.dll

C:\WINDOWS\ursrpo.dll

C:\WINDOWS\byyxut.dll

C:\WINDOWS\jkjhed.dll

C:\WINDOWS\avp.exe

C:\WINDOWS\wvwxxy.dll

C:\WINDOWS\smanager.7.exe

C:\WINDOWS\system32\klikalka.exe

C:\WINDOWS\system32\winpfz32.sys

C:\WINDOWS\Setup89.exe

C:\WINDOWS\stub_mma2.exe

C:\WINDOWS\stub_mma1.exe

C:\WINDOWS\wvtqrq.dll

C:\WINDOWS\qomnmm.dll

C:\WINDOWS\yabcyw.dll

C:\WINDOWS\wvtspn.dll

C:\WINDOWS\rqrstq.dll

C:\WINDOWS\awtqno.dll

C:\WINDOWS\iihhfg.dll

C:\WINDOWS\fccawt.dll

C:\WINDOWS\wvtspo.dll

C:\WINDOWS\pmlife.dll

C:\WINDOWS\yaaywu.dll

C:\WINDOWS\opqrop.dll

C:\WINDOWS\qonlmk.dll

C:\WINDOWS\mlmklk.dll

C:\WINDOWS\vtrpnm.dll

C:\WINDOWS\gebxwx.dll

C:\WINDOWS\ssttts.dll

C:\WINDOWS\awusqr.dll

C:\WINDOWS\urrppo.dll

C:\WINDOWS\pmklmn.dll

C:\WINDOWS\tuvwtr.dll

C:\DOCUME~1\JOSHUA~1\APPLIC~1\antivirus.exe

C:\WINDOWS\yabbcy.dll

C:\DOCUME~1\JOSHUA~1\APPLIC~1\privprotect.exe

C:\WINDOWS\byyyvs.dll

C:\WINDOWS\yaxwvu.dll

C:\WINDOWS\jkhhii.dll

C:\DOCUME~1\JOSHUA~1\APPLIC~1\errsafer.exe

C:\WINDOWS\urstst.dll

C:\WINDOWS\efcyyw.dll

C:\WINDOWS\ssrpnk.dll

C:\DOCUME~1\JOSHUA~1\APPLIC~1\sysdoctor.exe

C:\WINDOWS\efdaba.dll

C:\WINDOWS\jkkjkh.dll

C:\DOCUME~1\JOSHUA~1\APPLIC~1\drvcleaner.exe

C:\WINDOWS\jkkjhe.dll

C:\WINDOWS\yaawxu.dll

C:\WINDOWS\opqoml.dll

C:\WINDOWS\wvwxwt.dll

C:\WINDOWS\yaaxxx.dll

C:\WINDOWS\iihhef.dll

C:\WINDOWS\jkhifd.dll

C:\WINDOWS\ursqpq.dll

C:\WINDOWS\wvwxww.dll

C:\WINDOWS\iiighh.dll

C:\WINDOWS\opooon.dll

C:\WINDOWS\rqpmlj.dll

C:\WINDOWS\jkhffd.dll

C:\WINDOWS\qopoom.dll

C:\WINDOWS\dddebb.dll

 

Folder::

C:\Temp

C:\WINDOWS\system32\TQ0

C:\WINDOWS\system32\T6

C:\WINDOWS\system32\T4

C:\WINDOWS\system32\T3

C:\WINDOWS\system32\pog

C:\Program Files\Ofb11

C:\WINDOWS\system32\T5QaSQ

C:\Tempb9

 

Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9858A660-B48C-4079-9E6B-4CEBED41490F}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8DB0242-6120-467C-D4AD-0BFFEC130382}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avp"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mprmem]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=""

 

Save this as ComboFix-Do.txt

 

Then drag ComboFix-Do.txt onto ComboFix.exe, as you will see in the screenshot below.

 

[Screenshot: Combo-Do.gif]

 

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

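
The removal script above is the end product of a triage pass over the ComboFix log: the helper singled out six-letter DLLs dropped straight into C:\WINDOWS, a BHO DLL (mprmem.dll) that is also registered as a Winlogon Notify package, a BHO whose file is already gone, an autostart called "avp" plus a copy of svchost.exe living in the Windows root, and a populated AppInit_DLLs value. The script below is an added example that encodes those same judgement calls as rules over log lines; it is not ComboFix code and not the helper's own tooling. SAMPLE_LOG is constructed from a subset of the posted log, the rule names are made up for this example, and NOTIFY_BASELINE is an assumed list of stock XP Notify packages rather than a vendor-published one.

```python
"""Triage rules for a ComboFix log (Find3M report plus Reg Loading Points).

Added example for this thread, not ComboFix code and not the helper's own
tooling.  SAMPLE_LOG is constructed to mirror lines from the posted log; the
rules encode the judgement calls visible in the removal script above, and
NOTIFY_BASELINE is an assumption rather than a vendor-published list.
"""
import ntpath
import re

WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + "\\system32\\"

# Assumed baseline of Winlogon Notify packages on a stock XP SP2 box; a real
# baseline should be taken from a known-clean reference machine.
NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Constructed sample, a subset of the posted log in the same line format.
SAMPLE_LOG = r"""
2007-05-14 22:34:47 106,768 ----a-w C:\WINDOWS\wvtspo.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-10 18:33:33 106,767 ----a-w C:\WINDOWS\pmlife.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0}=C:\WINDOWS\system32\mprmem.dll [2006-09-23 11:52]
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]
"avp"="C:\WINDOWS\avp.exe" [2007-05-24 10:46]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=C:\WINDOWS\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mprmem]
mprmem.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\pmkhhhi.dll
"""

FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>[\d,]+|-+) \S+ (?P<path>.+)$")
SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"?(?P<name>[^"=]*)"?=(?P<data>.*?)(?: \[(?P<stamp>[^\]]*)\])?$')
RANDOM_DLL_RE = re.compile(r"^[a-z]{6}\.dll$")


def parse(text):
    """Split the log into Find3M file records and registry sections."""
    files, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FIND3M_RE.match(line)):
            files.append(m.groupdict())
        elif (m := SECTION_RE.match(line)):
            current = m.group("key").lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return files, sections


def _in_windir_root(path):
    """True when the file sits directly in the Windows directory, not a subfolder."""
    return ntpath.dirname(path.strip('"')).lower() == WINDIR


def triage(text):
    """Return (rule, detail) pairs for every entry that trips a rule."""
    files, sections = parse(text)
    findings = []

    # Rule 1: six-letter lower-case DLLs dropped straight into the Windows
    # directory.  The posted log shows dozens, one or two per day, all nearly
    # the same size; the uniformity is what gives them away.
    for f in files:
        base = ntpath.basename(f["path"]).lower()
        if _in_windir_root(f["path"]) and RANDOM_DLL_RE.match(base):
            findings.append(("random-dll-in-windir", f"{f['path']} ({f['size']} bytes)"))

    # Rule 2: Winlogon Notify packages outside the baseline.  Their DLL names
    # are kept so the BHO list can be cross-checked against them.
    notify_dlls = set()
    for key, lines in sections.items():
        if "\\winlogon\\notify\\" in key:
            package = key.rsplit("\\", 1)[1]
            notify_dlls.update(l.lower() for l in lines)
            if package not in NOTIFY_BASELINE:
                findings.append(("unknown-winlogon-notify", f"{package}: {', '.join(lines)}"))

    for key, lines in sections.items():
        for line in lines:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data, stamp = m.group("name"), m.group("data").strip('"'), m.group("stamp")
            base = ntpath.basename(data).lower()
            if key.endswith("browser helper objects"):
                # Rule 3: BHO whose DLL is gone (ComboFix prints "[]") or whose
                # DLL is also registered as a Winlogon Notify package.
                if stamp == "":
                    findings.append(("bho-file-missing", f"{name} -> {data}"))
                elif base in notify_dlls:
                    findings.append(("bho-also-winlogon-notify", f"{name} -> {data}"))
            elif key.endswith("\\run"):
                # Rule 4: autostarts in the Windows directory root, and the OS
                # binary name svchost.exe started from anywhere but system32.
                if _in_windir_root(data):
                    findings.append(("autostart-in-windir-root", f"{name} -> {data}"))
                if base == "svchost.exe" and not data.lower().startswith(SYSTEM32):
                    findings.append(("svchost-outside-system32", f"{name} -> {data}"))
            elif name.lower() == "appinit_dlls" and data:
                # Rule 5: AppInit_DLLs is loaded into every process that links
                # user32.dll; a non-empty value on a home PC is rare.
                findings.append(("appinit-dlls-set", data))
    return findings
```

Running triage(SAMPLE_LOG) reports the two random DLLs, the mprmem Notify package, both BHOs, the avp and svchost.exe autostarts (svchost.exe twice, once per rule) and the AppInit_DLLs value, while ehtray.exe and msi.dll pass. The cross-check in Rule 3 is the part worth keeping: a DLL that is both a BHO and a Winlogon Notify package has two independent ways of getting loaded, which is why the removal script above deletes the registry keys as well as the file.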

What would be a good program to install that would detect the malware? Thanks again!

 

Here is the log file:

 

"Joshua Bulman" - 2007-05-24 17:40:57 Service Pack 2

ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\Joshua Bulman\"

Command switches used :: ""C:\Documents and Settings\Joshua Bulman\Desktop\ComboFix-Do.txt""

 

 

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\htdpqmqk.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

"C:\Temp\gorPUS.exe"

"C:\Tempb9\tmpTF.log"

"C:\WINDOWS\system32\TQ0\dl52.exe"

"C:\WINDOWS\system32\T6\dlwr.exe"

"C:\WINDOWS\system32\T3\dlltk67.exe"

"C:\Program Files\Ofb11\Ofb11.dll"

"C:\Program Files\Ofb11\sites.ini"

"C:\WINDOWS\system32\T5QaSQ\T5QaSQ1083.exe"

"C:\WINDOWS\system32\htdpqmqk.dll"

"C:\Program Files\MSN Gaming Zone\rycir.dll"

"C:\WINDOWS\ursrpo.dll"

"C:\WINDOWS\byyxut.dll"

"C:\WINDOWS\jkjhed.dll"

"C:\WINDOWS\avp.exe"

"C:\WINDOWS\wvwxxy.dll"

"C:\WINDOWS\smanager.7.exe"

"C:\WINDOWS\system32\klikalka.exe"

"C:\WINDOWS\system32\winpfz32.sys"

"C:\WINDOWS\Setup89.exe"

"C:\WINDOWS\stub_mma2.exe"

"C:\WINDOWS\stub_mma1.exe"

"C:\WINDOWS\wvtqrq.dll"

"C:\WINDOWS\qomnmm.dll"

"C:\WINDOWS\yabcyw.dll"

"C:\WINDOWS\wvtspn.dll"

"C:\WINDOWS\rqrstq.dll"

"C:\WINDOWS\awtqno.dll"

"C:\WINDOWS\iihhfg.dll"

"C:\WINDOWS\fccawt.dll"

"C:\WINDOWS\wvtspo.dll"

"C:\DOCUME~1\JOSHUA~1\APPLIC~1\antivirus.exe"

"C:\DOCUME~1\JOSHUA~1\APPLIC~1\privprotect.exe"

"C:\DOCUME~1\JOSHUA~1\APPLIC~1\errsafer.exe"

"C:\DOCUME~1\JOSHUA~1\APPLIC~1\sysdoctor.exe"

"C:\DOCUME~1\JOSHUA~1\APPLIC~1\drvcleaner.exe"

"C:\WINDOWS\Config\ntp2.ini"

"C:\Temp"

"C:\WINDOWS\system32\TQ0"

"C:\WINDOWS\system32\T6"

"C:\WINDOWS\system32\T4"

"C:\WINDOWS\system32\T3"

"C:\WINDOWS\system32\pog"

"C:\Program Files\Ofb11"

"C:\WINDOWS\system32\T5QaSQ"

"C:\WINDOWS\system32\mprmem.dll"

"c:\windows\system32\pmkhhhi.dll"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))

 

 

2007-05-24 16:09 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-23 14:31 8,464 --a------ C:\WINDOWS\system32\sporder.dll

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-24 21:42:08 -------- d-----w C:\Program Files\MSN Gaming Zone

2007-05-23 19:47:44 -------- d-----w C:\Program Files\AdwareAlert

2007-05-02 11:36:49 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys

2007-05-02 11:36:49 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-13 11:51:36 -------- d--h--w C:\DOCUME~1\JOSHUA~1\APPLIC~1\Gtek

2007-04-13 11:27:18 -------- d-----w C:\Program Files\DellSupport

2007-04-12 15:33:36 -------- d-----w C:\DOCUME~1\JOSHUA~1\APPLIC~1\ultra

2007-03-30 21:14:47 -------- d-----w C:\Program Files\HP

2007-03-21 11:25:34 -------- d-----w C:\Program Files\Messenger

2007-03-21 11:23:25 -------- d-----w C:\Program Files\Common Files\Webroot Shared

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-12 11:03:14 40,518 ----a-w C:\WINDOWS\nsreg.dat

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2007-03-07 19:07:55 -------- d-----w C:\Program Files\USPSShippingAssistant

2007-03-06 23:06:52 -------- d-----w C:\Program Files\QuickTime

2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

2006-11-16 05:28:18 -------- --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2006-11-16 05:28:16 -------- --sh--r C:\WINDOWS\system32\5ADE550AF6.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 21:51]

"SigmatelSysTrayApp"="stsystra.exe" []

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 08:56]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]

"@"="" []

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]

"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 12:35]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]

"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 13:20]

"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 12:03]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-30 19:29]

"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]

"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-08-08 02:03]

"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-08-08 02:03]

"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-06-16 23:30]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-25 08:05]

"adwarealert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2006-11-30 19:03]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command- E:\setup.exe

 

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-24 17:43:35

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-24 17:45:23 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-24 17:45

C:\ComboFix2.txt ... 2007-05-24 16:09

 

--- E O F ---


Hi,

 

Can you also post a new HijackThislog please?

 

Edit: I overlooked your previous question:

What would be a good program to install that would detect the malware? Thanks again!
Well, it certainly looks like Yahoo Antivirus isn't that good at detection, and when it doesn't detect, it won't remove either. Unless you never update your Yahoo Antivirus.

But I suggest you install a more powerful antivirus instead. Look in my signature under Antivirus scanners for the ones I recommend. My personal favorite is Avira, which is free and great at detection and removal.

Keep in mind that if you decide to install another antivirus, you have to uninstall your Yahoo Antivirus first.


Here is the HijackThis log file you requested.

 

Logfile of HijackThis v1.99.1

Scan saved at 6:45:56 PM, on 5/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Yahoo!\Antivirus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

C:\WINDOWS\system32\wwSecure.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\AdwareAlert\AdwareAlert.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Documents and Settings\Joshua Bulman\My Documents\hijackthislog\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [adwarealert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\RunOnce: [index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Joshua Bulman"

O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Hi,

 

I would love to have some samples afterwards as well from the ComboFix quarantine, so can you post the contents of the following log in your next reply please?

 

C:\ComboFix-quarantined-files.txt

 

From that log, it's easier for me to gather the right paths for later upload.

 

In the meanwhile, I'll analyze your HijackThis log and post instructions.


Hi,

 

Ignore my previous post, the ComboFix-quarantined-files.txt is actually not needed.

 

Let's collect some files now from the quarantine. We'll have to do this in two attempts, because the cab files it would create otherwise would be too big.

So do next:

 

* Please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

 

Paste the following part into the Suspicious File Packer window:

 

C:\Qoobox\Quarantine\C\WINDOWS\system32\htdpqmqk.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\ursrpo.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\byyxut.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\jkjhed.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\wvwxxy.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\smanager.7.exe.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\klikalka.exe.vir

C:\Qoobox\Quarantine\C\WINDOWS\Setup89.exe.vir

C:\Qoobox\Quarantine\C\WINDOWS\stub_mma1.exe.vir

C:\Qoobox\Quarantine\C\WINDOWS\avp.exe.vir

 

Allow SFP to pack the files. This will generate a CAB archive on your desktop.

The cab file will be called requested-files[*].cab (the * stands for the date and hour).

 

Then, open Suspicious File Packer again and paste the following part in the Window:

 

C:\Qoobox\Quarantine\C\WINDOWS\wvtqrq.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\qomnmm.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\yabcyw.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\awtqno.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\pmlife.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\gebxwx.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\tuvwtr.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\ssrpnk.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\opooon.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\rqpmlj.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\jkhffd.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\qopoom.dll.vir

 

Another cab file will be created on your desktop.

 

Then,

Go to this page.

Enter the url of this thread in the first field.

Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to one of the requested-files[*].cab files that were created on your desktop.

 

Then click the Send File button below.

 

Do the same for the other cab file present on your desktop. So you have to upload each requested-files[*].cab one by one.

Once you've uploaded them, delete them.

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O15 - Trusted Zone: *.winantivirus.com

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Then, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Let me know in your next reply how things are now.

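The helper's fix list above singles out two entry classes that turn up again and again in these logs: an O15 Trusted Zone entry (a site that gets relaxed Internet Explorer security settings) and an O16 DPF entry whose ActiveX control is registered from a local CHM file instead of a web URL. As an added example that is not part of this thread and not HijackThis's own code, the script below parses HijackThis entry lines, applies those two rules plus an "(file missing)" orphan check, and reports what it flags. The sample log lines are copied from the logs posted in this thread; the flagging rules are illustrative assumptions, not HijackThis's internal logic.

```python
"""Triage a HijackThis v1.99 log: parse each 'Oxx - ...' entry into its
section and flag the entry classes discussed in this thread.
Added example, not from the thread or from HijackThis; rules are illustrative."""
import re

# Constructed input: lines copied from the HijackThis logs posted in this
# thread. The O15 and O16 lines are the two the helper asked to fix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

# Every HijackThis entry starts with a section tag (R0..R3, F0..F3, O1..O23).
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Plain-language names for the sections this triage reports on.
SECTION_NAMES = {
    "O4": "autostart (Run keys / Startup folders)",
    "O9": "extra IE buttons / Tools menu items",
    "O15": "IE Trusted Zone sites",
    "O16": "DPF: ActiveX controls downloaded by IE",
    "O23": "Windows services",
}


def parse_line(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("section"), m.group("body")


def flag(section, body):
    """Return the reasons an entry deserves a closer look (illustrative rules)."""
    reasons = []
    if section == "O15":
        # A Trusted Zone site gets relaxed IE security settings, so any entry
        # the user did not add deliberately is worth reviewing.
        site = body.split(":", 1)[-1].strip()
        reasons.append(f"Trusted Zone entry for {site}; relaxes IE security for that site")
    elif section == "O16":
        # The download source is the last ' - '-separated field of a DPF entry.
        source = body.rsplit(" - ", 1)[-1]
        if not source.lower().startswith(("http://", "https://")):
            reasons.append(f"ActiveX control registered from a non-web source: {source}")
    if "(file missing)" in body:
        reasons.append("target file is missing; orphaned entry")
    return reasons


def triage(log_text):
    """Return [(section, body, reasons)] for every flagged entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reasons = flag(section, body)
        if reasons:
            findings.append((section, body, reasons))
    return findings


def report(findings):
    """Render findings as text lines, one line per reason."""
    out = []
    for section, body, reasons in findings:
        name = SECTION_NAMES.get(section, "other")
        for reason in reasons:
            out.append(f"[{section} {name}] {reason}\n    {body}")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the script flags the orphaned O9 Messenger button, the O15 winantivirus.com Trusted Zone entry and the O16 control sourced from winfix.chm, and leaves the O4, O23 and the MSN O16 entry (a web URL) alone. The "file missing" rule is deliberately informational: such entries are leftovers rather than active code, which is why the helper only fixed the PartyPoker ones.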

Thanks again for all of the help. The PC seems to be fine now. Here are the hijackthis and combofix log files.

 

Logfile of HijackThis v1.99.1

Scan saved at 1:38:38 PM, on 5/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\AdwareAlert\AdwareAlert.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Yahoo!\Antivirus\ISafe.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\wwSecure.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Joshua Bulman\My Documents\hijackthislog\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [adwarealert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\RunOnce: [index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Joshua Bulman"

O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

 

 

"Joshua Bulman" - 2007-05-29 13:38:55 Service Pack 2

ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\Joshua Bulman\Desktop\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-29 ))))))))))))))))))))))))))))))))))

 

 

2007-05-25 13:39 <DIR> d-------- C:\DOCUME~1\JOSHUA~1\.SunDownloadManager

2007-05-24 16:09 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-23 14:31 8,464 --a------ C:\WINDOWS\system32\sporder.dll

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-25 20:01:07 -------- d-----w C:\DOCUME~1\JOSHUA~1\APPLIC~1\Yahoo!

2007-05-24 21:42:08 -------- d-----w C:\Program Files\MSN Gaming Zone

2007-05-23 19:47:44 -------- d-----w C:\Program Files\AdwareAlert

2007-05-02 11:36:49 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys

2007-05-02 11:36:49 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-13 11:51:36 -------- d--h--w C:\DOCUME~1\JOSHUA~1\APPLIC~1\Gtek

2007-04-13 11:27:18 -------- d-----w C:\Program Files\DellSupport

2007-04-12 15:33:36 -------- d-----w C:\DOCUME~1\JOSHUA~1\APPLIC~1\ultra

2007-03-30 21:14:47 -------- d-----w C:\Program Files\HP

2007-03-21 11:25:34 -------- d-----w C:\Program Files\Messenger

2007-03-21 11:23:25 -------- d-----w C:\Program Files\Common Files\Webroot Shared

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-12 11:03:14 40,518 ----a-w C:\WINDOWS\nsreg.dat

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2007-03-07 19:07:55 -------- d-----w C:\Program Files\USPSShippingAssistant

2007-03-06 23:06:52 -------- d-----w C:\Program Files\QuickTime

2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

2006-11-16 05:28:18 -------- --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2006-11-16 05:28:16 -------- --sh--r C:\WINDOWS\system32\5ADE550AF6.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-09-29 12:53]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 17:07]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 21:51]

"SigmatelSysTrayApp"="stsystra.exe" []

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 08:56]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]

"@"="" []

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]

"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 12:35]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]

"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 13:20]

"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-30 19:29]

"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]

"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-08-08 02:03]

"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-08-08 02:03]

"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-06-16 23:30]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-25 08:05]

"adwarealert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2006-11-30 19:03]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command- E:\setup.exe

 

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-29 13:39:48

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-29 13:40:25

C:\ComboFix-quarantined-files.txt ... 2007-05-29 13:40

C:\ComboFix2.txt ... 2007-05-29 13:38

C:\ComboFix3.txt ... 2007-05-24 17:45

 

--- E O F ---


Hi,

 

I was almost going to close this thread since there was no reply anymore. :)

 

Anyway, your logs look clean again and good to hear your problems are gone.

Now delete the C:\Qoobox folder and delete the cab files present on your desktop (in case you didn't delete them already).

 

The next entries in HijackThis are not required either, so you may fix them as well:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

 

Glad I could help. :)

 

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!


Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
