Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Post by capsdeej » August 1st, 2006, 11:52 pm

Things are still popping up - albeit not as many!

==========
HiJackThis
==========

Logfile of HijackThis v1.99.1
Scan saved at 10:46:04 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Netropa\OSD.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\windows\system32\okdsregk.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\wdskctl.exe
C:\WINDOWS\system32\n9nyb.exe
C:\WINDOWS\system32\redistributor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\System Files\System.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
O2 - BHO: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\system32\fonts\svc\msapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [{DF-F3-30-01-ZN}] C:\windows\system32\okdsregk.exe GID002
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinlpez.exe GID002
O4 - HKLM\..\RunOnce: [wXsX56B0n] "C:\WINDOWS\system32\iqqr.exe" -SASg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinlpez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\zigi.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supporta ... gctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supporta ... gctlsi.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0483416765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5752504252
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wiz ... ctiveX.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/w ... tycoon.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


==========
Uninstall List
==========

Ad-Aware SE Personal
Adobe Acrobat 5.0
allTunes
a-squared Free 1.6.5
ATI Display Driver
Browser Mouse
Command
Conexant HCF V90 56K Data Fax PCI Modem
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
ewido anti-spyware 4.0
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB918766)
hp instant support
hp LaserJet 1010 Series
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
ImageMate CompactFlash USB (SDDR-31) Ver. 5.05
Internet Explorer Toolbar - Intelligent Explorer
InterVideo XPack (MP3 Only)
J2SE Runtime Environment 5.0 Update 7
Kaspersky On-line Scanner
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Picture It! Publishing 2001
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MSN Messenger 7.5
Muiltmedia keyboard utility 1.1
Norton WMI Update
PhoneTools
PowerDVD
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shockwave
Spybot - Search & Destroy 1.4
Symantec Client Security
TargetSaver
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Wal-Mart Music Downloads Store
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2


=========
ComboFix
=========

Start Time= Tue 08/01/2006 22:42:40.06
Running from: C:\Documents and Settings\Cap'nTripps\Desktop\MalWareRemoval

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-01 20:39:40 24296 ( A.... ) "C:\WINDOWS\icont.exe"
2006-08-01 11:37:04 78336 ( A.... ) "C:\WINDOWS\wnu_243.exe"
2006-08-01 09:09:30 578560 ( A.... ) "C:\Installer3.exe"
2006-08-01 09:09:22 159744 ( A.... ) "C:\WINDOWS\SYSTEM32\redist.dll"
2006-08-01 09:09:18 126464 ( A.... ) "C:\WINDOWS\SYSTEM32\redistributor.exe"
2006-08-01 09:09:06 ( .D... ) "C:\Program Files\System Icons"
2006-08-01 09:09:06 ( .D... ) "C:\Program Files\System Files"
2006-08-01 09:08:58 587016 ( A.... ) "C:\626_101newer.exe"
2006-08-01 09:08:46 ( .D... ) "C:\Program Files\Cas2Stub"
2006-08-01 09:08:44 27648 ( A.... ) "C:\dist13.exe"
2006-08-01 09:08:04 30208 ( A.... ) "C:\SS1001newer.exe"
2006-08-01 09:07:50 14848 ( A.... ) "C:\stub_113_4_0_4_0newer.exe"
2006-08-01 09:07:46 923 ( A.... ) "C:\WINDOWS\SYSTEM32\nt68rrtc12.sys"
2006-08-01 09:07:46 923 ( A.... ) "C:\WINDOWS\SYSTEM32\nt68rrtc12.sys"
2006-08-01 09:07:30 463212 ( A.... ) "C:\visfx500new.exe"
2006-08-01 09:07:10 48190 ( A.... ) "C:\RDFX4.exe"
2006-08-01 09:06:56 36864 ( A.... ) "C:\WINDOWS\system32n9nyb.exe"
2006-08-01 09:06:56 28672 ( A.... ) "C:\WINDOWS\system32bez6n4r21.exe"
2006-08-01 09:06:56 28672 ( A.... ) "C:\WINDOWS\SYSTEM32\iqqr.exe"
2006-08-01 09:06:54 45056 ( A.... ) "C:\WINDOWS\system32ghynf.exe"
2006-08-01 09:06:48 36864 ( A.... ) "C:\WINDOWS\SYSTEM32\n9nyb.exe"
2006-08-01 09:06:48 36864 ( A.... ) "C:\WINDOWS\ieunst.exe"
2006-08-01 09:06:46 28672 ( A.... ) "C:\WINDOWS\SYSTEM32\bez6n4r21.exe"
2006-08-01 09:06:42 16384 ( A.... ) "C:\WINDOWS\rgrt.exe"
2006-08-01 09:06:38 159840 ( A.... ) "C:\WINDOWS\SYSTEM32\nwinlpez.exe"
2006-08-01 09:06:36 14848 ( A.... ) "C:\WINDOWS\ts.exe"
2006-08-01 09:06:32 57344 ( A.... ) "C:\fym9bvo.exe"
2006-08-01 09:06:32 45080 ( A.... ) "C:\WINDOWS\SYSTEM32\okdsregk.exe"
2006-08-01 09:06:32 25105 ( A.... ) "C:\WINDOWS\id.exe"
2006-08-01 09:06:30 45058 ( A.... ) "C:\WINDOWS\zigi.exe"
2006-08-01 09:06:30 2 ( A.... ) "C:\WINDOWS\SYSTEM32\wcpsvit.exe"
2006-08-01 09:06:28 ( .D... ) "C:\Program Files\Common Files\?icrosoft"
2006-08-01 09:06:10 40320 ( A.... ) "C:\WINDOWS\dollar.exe"
2006-08-01 09:06:04 183872 ( A.... ) "C:\WINDOWS\yazzle.exe"
2006-08-01 09:06:00 333983 ( A.... ) "C:\WINDOWS\mynexus.exe"
2006-08-01 09:05:58 254940 ( A.... ) "C:\WINDOWS\extract.exe"
2006-08-01 08:14:30 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-07-31 10:22:26 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-27 13:21:32 ( .D... ) "C:\Program Files\HijackThis"
2006-07-27 11:52:22 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\?ymbols"
2006-07-27 11:43:32 ( .D... ) "C:\Program Files\a-squared"
2006-07-27 10:34:40 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Lavasoft"
2006-07-27 10:34:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-27 02:13:40 0 ( A.... ) "C:\WINDOWS\win32103-214342374.exe"
2006-07-25 02:38:42 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\System Restore"
2006-07-24 21:28:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\SYSTEM32\tsuninst.exe"
2006-06-23 21:05:16 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Sun"
2006-06-23 20:57:22 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Google"
2006-06-23 20:57:20 ( .D... ) "C:\Program Files\Google"
2006-06-23 20:54:56 ( .D... ) "C:\Program Files\Java"
2006-06-23 20:52:22 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-06-06 20:49:18 745531 ( A...R ) "C:\WINDOWS\gmer.exe"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\SYSTEM32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\SYSTEM32\iphlpapi.dll"
2006-05-16 03:38:40 499712 ( A.... ) "C:\WINDOWS\SYSTEM32\msvcp71.dll"
2006-05-16 03:38:40 348160 ( A.... ) "C:\WINDOWS\SYSTEM32\msvcr71.dll"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\SYSTEM32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\SYSTEM32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\SYSTEM32\java.exe"
2001-07-26 17:58:46 47 ( A.... ) "C:\Program Files\ACMonitor_X73.ini"
2001-07-05 13:46:44 8116 ( A.... ) "C:\Program Files\OSLO3071b2.USB"
2001-05-11 12:39:16 53248 ( A.... ) "C:\Program Files\ACMonitor_X73.exe"
2001-05-08 17:36:42 114688 ( A.... ) "C:\Program Files\lxarscan.dll"
2001-04-23 15:22:14 1437 ( A.... ) "C:\Program Files\gtx73.ini"
2001-02-22 10:54:36 768 ( A.... ) "C:\Program Files\x73_lut.dat"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-01 20:39 24,296 C:\WINDOWS\icont.exe
2006-08-01 11:37 78,336 C:\WINDOWS\wnu_243.exe
2006-08-01 09:09 578,560 C:\Installer3.exe
2006-08-01 09:09 159,744 C:\WINDOWS\system32\redist.dll
2006-08-01 09:09 126,464 C:\WINDOWS\system32\redistributor.exe
2006-08-01 09:08 587,016 C:\626_101newer.exe
2006-08-01 09:08 30,208 C:\SS1001newer.exe
2006-08-01 09:08 27,648 C:\dist13.exe
2006-08-01 09:07 48,190 C:\RDFX4.exe
2006-08-01 09:07 463,212 C:\visfx500new.exe
2006-08-01 09:07 14,848 C:\stub_113_4_0_4_0newer.exe
2006-08-01 09:06 61,440 C:\WINDOWS\getnexus.exe
2006-08-01 09:06 57,344 C:\fym9bvo.exe
2006-08-01 09:06 45,080 C:\WINDOWS\system32\okdsregk.exe
2006-08-01 09:06 45,058 C:\WINDOWS\zigi.exe
2006-08-01 09:06 45,056 C:\WINDOWS\system32ghynf.exe
2006-08-01 09:06 40,320 C:\WINDOWS\dollar.exe
2006-08-01 09:06 36,864 C:\WINDOWS\system32n9nyb.exe
2006-08-01 09:06 36,864 C:\WINDOWS\system32\n9nyb.exe
2006-08-01 09:06 36,864 C:\WINDOWS\ieunst.exe
2006-08-01 09:06 28,672 C:\WINDOWS\system32bez6n4r21.exe
2006-08-01 09:06 28,672 C:\WINDOWS\system32\iqqr.exe
2006-08-01 09:06 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-08-01 09:06 25,105 C:\WINDOWS\id.exe
2006-08-01 09:06 2 C:\WINDOWS\system32\wcpsvit.exe
2006-08-01 09:06 183,872 C:\WINDOWS\yazzle.exe
2006-08-01 09:06 16,384 C:\WINDOWS\rgrt.exe
2006-08-01 09:06 159,840 C:\WINDOWS\system32\nwinlpez.exe
2006-08-01 09:06 14,848 C:\WINDOWS\ts.exe
2006-08-01 09:05 86,016 C:\WINDOWS\wdskctl.exe
2006-08-01 09:05 69,632 C:\WINDOWS\wupdt.exe
2006-08-01 09:05 401,408 C:\WINDOWS\systb.dll
2006-08-01 09:05 333,983 C:\WINDOWS\mynexus.exe
2006-08-01 09:05 254,940 C:\WINDOWS\extract.exe
2006-08-01 09:00 267,468,800 C:\hiberfil.sys
2006-08-01 08:14 745,531 C:\WINDOWS\gmer.exe
2006-08-01 08:14 528,446 C:\WINDOWS\gmer.dll
2006-07-31 08:44 221,184 C:\WINDOWS\system32\wmpns.dll
2006-07-28 07:45 923 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-27 14:19 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-07-27 02:13 0 C:\WINDOWS\win32103-214342374.exe
2006-06-23 20:56 53,346 C:\WINDOWS\system32\javaw.exe
2006-06-23 20:56 49,248 C:\WINDOWS\system32\java.exe
2006-06-23 20:56 127,078 C:\WINDOWS\system32\javaws.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\Wkfud.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"SandIcon"="C:\\ImageMate CompactFlash USB\\SandIcon.Exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser Mouse\\mouse32a.exe"
"Windows System Tray"="C:\\WINDOWS\\system32\\fonts\\svc\\msapp.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
@=""
"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Win Server Updt"="C:\\WINDOWS\\wupdt.exe"
"{DF-F3-30-01-ZN}"="C:\\windows\\system32\\okdsregk.exe GID002"
"wdskctl"="C:\\WINDOWS\\wdskctl.exe"
"BrowserUpdateSched"="C:\\WINDOWS\\system32\\nwinlpez.exe GID002"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"CAS2"="\"C:\\Program Files\\System Files\\System.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"wXsX56B0n"="\"C:\\WINDOWS\\system32\\iqqr.exe\" -SASg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Outlook Express\\kybeqiki.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Online Services\\hoxy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="C:\\Program Files\\WindowsUpdate\\kybeqiki.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
"Source"="C:\\Program Files\\Internet Explorer\\hoxy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ee,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Files and Settings Transfer Wizard.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1068310400.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 08/01/2006 22:43:20.95
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-01.220828.txt
ComboFix.2006-08-01.224239.txt
capsdeej
Regular Member
 
Posts: 35
Joined: July 27th, 2006, 1:56 pm
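
The ComboFix "Files Created - Last 30days" listing in the post above is where the infection is most visible: nearly all of the new binaries share a creation window of a few minutes on 2006-08-01. The following is an added example (the editor's, not part of this thread, of ComboFix or of HijackThis) that parses such a listing and chains entries by creation time to pull out that drop burst, then separately flags executables written straight into the drive root or C:\WINDOWS. SAMPLE_LOG is a subset of the lines posted above; the 2-minute chaining window, the 5-file minimum and the "odd location" rule are assumed thresholds, and the function names are the editor's.

```python
"""Time-cluster the entries of a ComboFix 'Files Created - Last 30days'
listing to surface the drop burst.

Added triage example by the editor; it is not part of the
MalwareRemoval.com thread, of ComboFix or of HijackThis.  SAMPLE_LOG is a
subset of the lines posted in the thread; the 2-minute chaining window,
the 5-file minimum and the 'odd location' rule are assumed thresholds.
"""
import re
from datetime import datetime, timedelta

# ComboFix prints:  YYYY-MM-DD HH:MM  <size, comma-grouped>  <full path>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(.+?)\s*$")

SAMPLE_LOG = r"""
2006-08-01 20:39 24,296 C:\WINDOWS\icont.exe
2006-08-01 11:37 78,336 C:\WINDOWS\wnu_243.exe
2006-08-01 09:09 578,560 C:\Installer3.exe
2006-08-01 09:09 159,744 C:\WINDOWS\system32\redist.dll
2006-08-01 09:09 126,464 C:\WINDOWS\system32\redistributor.exe
2006-08-01 09:08 587,016 C:\626_101newer.exe
2006-08-01 09:08 27,648 C:\dist13.exe
2006-08-01 09:07 48,190 C:\RDFX4.exe
2006-08-01 09:07 14,848 C:\stub_113_4_0_4_0newer.exe
2006-08-01 09:06 45,080 C:\WINDOWS\system32\okdsregk.exe
2006-08-01 09:06 36,864 C:\WINDOWS\system32n9nyb.exe
2006-08-01 09:06 36,864 C:\WINDOWS\system32\n9nyb.exe
2006-08-01 09:06 2 C:\WINDOWS\system32\wcpsvit.exe
2006-08-01 09:06 159,840 C:\WINDOWS\system32\nwinlpez.exe
2006-08-01 09:05 86,016 C:\WINDOWS\wdskctl.exe
2006-08-01 09:05 69,632 C:\WINDOWS\wupdt.exe
2006-08-01 09:05 401,408 C:\WINDOWS\systb.dll
2006-08-01 09:00 267,468,800 C:\hiberfil.sys
2006-08-01 08:14 745,531 C:\WINDOWS\gmer.exe
2006-08-01 08:14 528,446 C:\WINDOWS\gmer.dll
2006-07-28 07:45 923 C:\WINDOWS\system32\nt68rrtc12.sys
2006-06-23 20:56 53,346 C:\WINDOWS\system32\javaw.exe
"""


def parse_created(text):
    """Return [(datetime, size_bytes, path)] sorted oldest first."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner rows, blank lines, anything that is not an entry
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        entries.append((when, int(m.group(2).replace(",", "")), m.group(3)))
    return sorted(entries)


def find_bursts(entries, window=timedelta(minutes=2), min_files=5):
    """Chain files whose creation time is within `window` of the previous
    file; return chains of at least `min_files` entries, largest first.
    A dropper writing a dozen binaries inside a few minutes stands out this
    way even when every file name is random."""
    bursts, current = [], []
    for entry in entries:
        if current and entry[0] - current[-1][0] > window:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_files:
        bursts.append(current)
    return sorted(bursts, key=len, reverse=True)


ODD_PARENTS = {"c:", "c:\\windows"}  # assumed rule: root and C:\WINDOWS only


def odd_locations(entries):
    """Binaries written straight into the drive root or C:\\WINDOWS, where
    legitimate installers rarely put new files.  Also catches the
    'system32xxxx.exe' names that mimic a system32 path without the slash."""
    hits = []
    for _, _, path in entries:
        parent, _, name = path.rpartition("\\")
        if parent.lower() in ODD_PARENTS and name.lower().endswith((".exe", ".dll")):
            hits.append(path)
    return hits


if __name__ == "__main__":
    found = parse_created(SAMPLE_LOG)
    for burst in find_bursts(found):
        print(f"burst of {len(burst)} files, {burst[0][0]:%H:%M}-{burst[-1][0]:%H:%M}")
        for when, size, path in burst:
            print(f"  {when:%Y-%m-%d %H:%M} {size:>12,} {path}")
    print("odd locations:", *odd_locations(found), sep="\n  ")
```

Two of the "odd location" hits, gmer.exe and gmer.dll, are the user's own rootkit scanner, so treat that list as leads to check against the Uninstall List and the running-process list, not as a verdict. The burst is the stronger signal: fifteen executables landed in C:\, C:\WINDOWS and system32 within four minutes, and several of them (wupdt.exe, wdskctl.exe, okdsregk.exe, nwinlpez.exe, iqqr.exe) are exactly the files the Run and RunOnce keys in the Reg Loading Points section launch. hiberfil.sys, written five minutes earlier, falls outside the chain, which is why the window is kept short.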

Post by Shaba » August 2nd, 2006, 3:44 am

Hi

Yes, looking better.

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
O2 - BHO: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [{DF-F3-30-01-ZN}] C:\windows\system32\okdsregk.exe GID002
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinlpez.exe GID002
O4 - HKLM\..\RunOnce: [wXsX56B0n] "C:\WINDOWS\system32\iqqr.exe" -SASg
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinlpez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\zigi.exe
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll


Close all windows, including the browser, and press "Fix checked".

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\icont.exe
C:\WINDOWS\wnu_243.exe
C:\Installer3.exe
C:\WINDOWS\SYSTEM32\redist.dll
C:\WINDOWS\SYSTEM32\redistributor.exe
C:\626_101newer.exe
C:\dist13.exe
C:\SS1001newer.exe
C:\stub_113_4_0_4_0newer.exe
C:\WINDOWS\SYSTEM32\nt68rrtc12.sys
C:\visfx500new.exe
C:\RDFX4.exe
C:\WINDOWS\system32n9nyb.exe
C:\WINDOWS\system32bez6n4r21.exe
C:\WINDOWS\SYSTEM32\iqqr.exe
C:\WINDOWS\system32ghynf.exe
C:\WINDOWS\SYSTEM32\n9nyb.exe
C:\WINDOWS\ieunst.exe
C:\WINDOWS\SYSTEM32\bez6n4r21.exe
C:\WINDOWS\rgrt.exe
C:\WINDOWS\SYSTEM32\nwinlpez.exe
C:\WINDOWS\ts.exe
C:\fym9bvo.exe
C:\WINDOWS\SYSTEM32\okdsregk.exe
C:\WINDOWS\id.exe
C:\WINDOWS\zigi.exe
C:\WINDOWS\SYSTEM32\wcpsvit.exe
C:\WINDOWS\dollar.exe
C:\WINDOWS\yazzle.exe
C:\WINDOWS\mynexus.exe
C:\WINDOWS\extract.exe
C:\WINDOWS\win32103-214342374.exe
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\wupdt.exe
C:\WINDOWS\wdskctl.exe
C:\WINDOWS\system32\iqqr.exe
C:\Program Files\System Files\System.exe
C:\WINDOWS\system32\xeymi.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder -> C:\!KillBox

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found (image).
  • If so, click it, then click the icon right below it and select "Move incurable", as shown in the next image (image).
    This will move it to the %userprofile%\DoctorWeb\Quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files that were in use may be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.


Re-run combofix

Send:

- a fresh HijackThis log
- the log from Dr.Web
- combofix report
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
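The HijackThis entries Shaba singles out above fall into a few patterns a log triager learns to spot: R0/R1 start and search pages pointing at hosts the owner never chose, O2/O3 browser hooks whose DLL is gone or sits directly in C:\WINDOWS, O4 autostarts dropped in the Windows root or in odd system32 subfolders, an O18 text/html filter, and an O20 Winlogon Notify DLL nobody recognises. The Python below is an editor's added example, not part of the original thread and not HijackThis's own logic: it encodes those patterns as heuristics and runs them over lines copied from the logs posted above. The trusted-host list and the known-good Notify DLL list are assumptions made for the example, not authoritative allowlists.

```python
"""Triage heuristics for HijackThis v1.99-style log lines (editor's example)."""
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis logs posted in this thread; constructed
# sample input for the example. Five of them are legitimate.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\system32\fonts\svc\msapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Hosts the owner actually wants as home/search page (the OEM page seen in the
# clean log). Assumption for this example; anything else in R0/R1 is a hijack.
TRUSTED_URL_HOSTS = {"www.dellnet.com", "www.rr.com"}

# Winlogon Notify DLLs normally present on XP SP2 plus the Symantec one in the
# log. Partial list and an assumption; build yours from a known-clean machine.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "navlogon.dll", "crypt32.dll", "cryptnet.dll",
                     "cscdll.dll", "wlnotify.dll", "sclgntfy.dll", "scecli.dll",
                     "wzcdlg.dll", "termsrv.dll"}

# First drive-letter path in the line, up to a binary extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx))", re.IGNORECASE)


def check_line(line):
    """Return a reason string if the HijackThis line looks hostile, else None."""
    line = line.strip()
    if not line:
        return None
    kind = line.split(" - ", 1)[0]
    m = PATH_RE.search(line)
    parts = m.group(1).lower().split("\\") if m else []   # e.g. ['c:', 'windows', 'x.dll']

    if kind in ("R0", "R1"):
        host = urlparse(line.rsplit(" = ", 1)[-1]).hostname or ""
        if host not in TRUSTED_URL_HOSTS:
            return f"IE start/search setting points at untrusted host {host!r}"
        return None

    if kind in ("O2", "O3", "O9"):
        if "(file missing)" in line:
            return "orphaned CLSID registration: the DLL is gone but the hook remains"
        if parts[:2] == ["c:", "windows"] and len(parts) == 3:
            return "browser extension DLL dropped directly in C:\\WINDOWS"
        return None

    if kind == "O4":
        if parts[:2] == ["c:", "windows"] and len(parts) == 3:
            return "autostart executable directly in the C:\\WINDOWS root"
        if (parts[:3] == ["c:", "windows", "system32"] and len(parts) > 4
                and parts[3] not in ("spool", "wbem", "drivers")):
            return "autostart executable in an unexpected system32 subfolder"
        return None

    if kind == "O18" and "Filter: text/html" in line:
        return "text/html MIME filter: the DLL sees and can rewrite every page IE renders"

    if kind == "O20" and parts and parts[-1] not in KNOWN_NOTIFY_DLLS:
        return "Winlogon Notify DLL not on the known-good list (loads into winlogon.exe as SYSTEM)"
    return None


def triage(log_text):
    """Run check_line over a whole log; return [(line, reason), ...] for the hits."""
    hits = []
    for line in log_text.splitlines():
        reason = check_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

This is triage, not a verdict: C:\WINDOWS\DELLMMKB.EXE (the Dell keyboard utility) is flagged by the "root of C:\WINDOWS" rule just like wupdt.exe, and a dropper parked in system32 proper with a plausible name slips past it. The output tells you where to look; a hash lookup or a comparison against a known-clean reference machine settles each hit.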

Unread postby capsdeej » August 2nd, 2006, 11:07 am

==========
DrWeb
==========

RegUBP2b-Cap'nTripps.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
cas2stub.exe;C:\Program Files\Cas2Stub;Trojan.DownLoader.5053;Deleted.;



==========
HiJackThis
==========

Logfile of HijackThis v1.99.1
Scan saved at 10:02:10 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\system32\fonts\svc\msapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supporta ... gctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supporta ... gctlsi.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0483416765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5752504252
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wiz ... ctiveX.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/w ... tycoon.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


==========
ComboFix
==========

Start Time= Wed 08/02/2006 10:03:24.73
Running from: C:\Documents and Settings\Cap'nTripps\Desktop\MalWareRemoval

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-01 09:09:06 ( .D... ) "C:\Program Files\System Icons"
2006-08-01 09:09:06 ( .D... ) "C:\Program Files\System Files"
2006-08-01 09:08:46 ( .D... ) "C:\Program Files\Cas2Stub"
2006-08-01 09:06:28 ( .D... ) "C:\Program Files\Common Files\?icrosoft"
2006-08-01 08:14:30 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-07-31 10:22:26 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-27 13:21:32 ( .D... ) "C:\Program Files\HijackThis"
2006-07-27 11:52:22 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\?ymbols"
2006-07-27 11:43:32 ( .D... ) "C:\Program Files\a-squared"
2006-07-27 10:34:40 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Lavasoft"
2006-07-27 10:34:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-25 02:38:42 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\System Restore"
2006-07-24 21:28:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-23 21:05:16 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Sun"
2006-06-23 20:57:22 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Google"
2006-06-23 20:57:20 ( .D... ) "C:\Program Files\Google"
2006-06-23 20:54:56 ( .D... ) "C:\Program Files\Java"
2006-06-23 20:52:22 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-06-06 20:49:18 745531 ( A...R ) "C:\WINDOWS\gmer.exe"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\SYSTEM32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\SYSTEM32\iphlpapi.dll"
2006-05-16 03:38:40 499712 ( A.... ) "C:\WINDOWS\SYSTEM32\msvcp71.dll"
2006-05-16 03:38:40 348160 ( A.... ) "C:\WINDOWS\SYSTEM32\msvcr71.dll"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\SYSTEM32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\SYSTEM32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\SYSTEM32\java.exe"
2001-07-26 17:58:46 47 ( A.... ) "C:\Program Files\ACMonitor_X73.ini"
2001-07-05 13:46:44 8116 ( A.... ) "C:\Program Files\OSLO3071b2.USB"
2001-05-11 12:39:16 53248 ( A.... ) "C:\Program Files\ACMonitor_X73.exe"
2001-05-08 17:36:42 114688 ( A.... ) "C:\Program Files\lxarscan.dll"
2001-04-23 15:22:14 1437 ( A.... ) "C:\Program Files\gtx73.ini"
2001-02-22 10:54:36 768 ( A.... ) "C:\Program Files\x73_lut.dat"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-01 09:00 267,468,800 C:\hiberfil.sys
2006-08-01 08:14 745,531 C:\WINDOWS\gmer.exe
2006-08-01 08:14 528,446 C:\WINDOWS\gmer.dll
2006-07-31 08:44 221,184 C:\WINDOWS\system32\wmpns.dll
2006-06-23 20:56 53,346 C:\WINDOWS\system32\javaw.exe
2006-06-23 20:56 49,248 C:\WINDOWS\system32\java.exe
2006-06-23 20:56 127,078 C:\WINDOWS\system32\javaws.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\Wkfud.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"SandIcon"="C:\\ImageMate CompactFlash USB\\SandIcon.Exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser Mouse\\mouse32a.exe"
"Windows System Tray"="C:\\WINDOWS\\system32\\fonts\\svc\\msapp.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
@=""
"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"NwCplMonitor"="C:\\WINDOWS\\system32\\redistributor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Outlook Express\\kybeqiki.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Online Services\\hoxy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="C:\\Program Files\\WindowsUpdate\\kybeqiki.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
"Source"="C:\\Program Files\\Internet Explorer\\hoxy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ee,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Files and Settings Transfer Wizard.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1068310400.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 08/02/2006 10:04:07.51
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-01.220828.txt
ComboFix.2006-08-01.224239.txt
ComboFix.2006-08-02.100324.txt
capsdeej
Regular Member
Posts: 35
Joined: July 27th, 2006, 1:56 pm

Unread postby Shaba » August 2nd, 2006, 11:28 am

Hi

Open HijackThis, click "Do a system scan only" and checkmark these:

O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll


Close all windows, including the browser, and press "Fix checked".

First we'll need to back up the registry:

Start -> Run -> regedit -> OK. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as "All files (*.*)" on the Desktop):

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]

Double-click fix.reg, press Yes and then OK.
Boot into safe mode.

Delete these if found:

C:\WINDOWS\system32\xeymi.dll
C:\Program Files\Cas2Stub
C:\Program Files\Common Files\?icrosoft (may look like "Microsoft"; sort the folders alphabetically in Windows Explorer (navigate to C:\Program Files\Common Files\) and that folder should be at the bottom of the list)
C:\Documents and Settings\Cap'nTripps\Application Data\?ymbols (may look like "Symbols", see above)
C:\Program Files\Online Services\hoxy.html
C:\Program Files\WindowsUpdate\kybeqiki.html
C:\Program Files\Internet Explorer\hoxy.html

Reboot

Re-scan with Kaspersky

Re-run combofix

Send:

- a fresh HijackThis log
- combofix log
- Kaspersky report
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
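Two of the leftovers dealt with in this post are worth automating when you meet them again: Active Desktop components whose Source is a local .html file (they stay in HKCU after the files are deleted, which is why the fix.reg above removes components 0 to 3 but leaves component 4, the About:Home one), and folder names that look like "Microsoft" or "Symbols" but contain a non-ASCII character, which ComboFix prints as "?icrosoft" and "?ymbols". The Python below is an editor's added example, not Shaba's tooling and not part of the thread: it reads a ComboFix-style registry dump, emits a fix.reg of the same shape as the one above that deletes only the components pointing at files on disk, and flags lookalike directory names. The dump excerpt and the directory listing are constructed inputs; the Cyrillic and fullwidth letters are assumed stand-ins for whatever character ComboFix could not print.

```python
"""Active Desktop component cleanup and lookalike-folder detection (editor's example)."""
import re
import unicodedata

# Excerpt of the "Reg Loading Points" dump as ComboFix printed it above
# (constructed sample input: components 0, 1 and the legitimate 4).
COMBOFIX_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Outlook Express\\kybeqiki.html"
"SubscribedURL"=""
"Flags"=dword:00002000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Online Services\\hoxy.html"
"SubscribedURL"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
'''

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\desktop\\components\\\d+)\]$", re.IGNORECASE)
SOURCE_RE = re.compile(r'^"Source"="(.*)"$')
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def rogue_desktop_components(dump):
    """Return [(key, source)] for components whose Source is a file on disk
    rather than about:home or an http(s) URL."""
    rogue, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SOURCE_RE.match(line)
        if m and current:
            source = m.group(1).replace("\\\\", "\\")   # .reg escapes backslashes
            if LOCAL_PATH_RE.match(source):
                rogue.append((current, source))
    return rogue


def build_fix_reg(dump):
    """Emit .reg text that deletes the rogue keys; a leading '-' inside the
    brackets tells regedit to delete the whole key, as in the fix.reg above."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _source in rogue_desktop_components(dump):
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines)


# Constructed directory listing: trusted names, a genuine sibling, and two
# lookalikes (U+041C Cyrillic Em, U+FF33 fullwidth S). Assumed stand-ins.
SAMPLE_DIR_LISTING = ["Microsoft", "Microsoft Shared", "Java",
                      "\u041cicrosoft", "\uff33ymbols"]
TRUSTED_NAMES = {"Microsoft", "Symbols"}


def lookalike_names(names, trusted=TRUSTED_NAMES):
    """Flag names that are not a trusted name but either collapse to one after
    NFKD folding to ASCII (fullwidth letters, zero-width junk) or differ from
    one in exactly one position where the differing character is non-ASCII."""
    hits = []
    for name in names:
        if name in trusted:
            continue
        folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
        for t in trusted:
            one_non_ascii_swap = (len(name) == len(t)
                                  and sum(a != b for a, b in zip(name, t)) == 1
                                  and any(ord(c) > 127 for c in name))
            if folded.lower() == t.lower() or one_non_ascii_swap:
                hits.append((name, t))
                break
    return hits


if __name__ == "__main__":
    print(build_fix_reg(COMBOFIX_DUMP))
    for name, looks_like in lookalike_names(SAMPLE_DIR_LISTING):
        print(f"{name!r} looks like {looks_like!r} -> {[hex(ord(c)) for c in name if ord(c) > 127]}")
```

Regedit treats key paths case-insensitively, so the lower-case keys copied from the dump match the live hive; export the hive first, as the post says, because [-key] removes the whole subkey with no undo. The confusable check compares against a short trusted list and is meant for eyeballing one directory listing, not as a general homoglyph detector; printing the code points of the odd characters, as the usage above does, is what tells you which folder to delete when two names render identically.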

Unread postby capsdeej » August 2nd, 2006, 2:14 pm

==========
KASPERSKY
==========

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 02, 2006 1:09:10 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 2/08/2006
Kaspersky Anti-Virus database records: 211637
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 47367
Number of viruses found: 31
Number of infected objects: 152
Number of suspicious objects: 0
Duration of the scan process: 01:14:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240000.VBN Infected: Trojan-Clicker.Win32.VB.is skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240002.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240003.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240004.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240005.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240006.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240007.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240008.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240009.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0224000A.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0224000B.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0224000C.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0224000D.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0224000E.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0224000F.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240010.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240011.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240012.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240013.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240014.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240015.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240016.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02240017.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0168333.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0168333.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0168333.exe CAB: infected - 2 skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169497.exe Infected: not-a-virus:AdWare.Win32.PurityScan.er skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169739.exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169739.exe Inno: infected - 1 skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169819.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169820.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169821.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169822.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169923.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169924.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169944.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169945.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169946.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169947.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169996.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169997.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0169998.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170017.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170019.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170024.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170025.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170031.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170032.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170034.exe Infected: not-a-virus:AdWare.Win32.Iebar.j skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170036.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170037.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170038.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170040.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170042.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170044.exe Infected: Trojan-Downloader.Win32.Adload.az skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170050.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170052.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170060.exe Infected: not-a-virus:AdWare.Win32.Iebar.j skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170061.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170062.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170066.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170067.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170072.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170073.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170074.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170075.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170077.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170080.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170085.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170090.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170093.exe Infected: Trojan-Downloader.Win32.Adload.az skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\A0170096.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\backup-20060802-070031-645.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\getnexus.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\hose.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\kybeqiki.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine\plugin.dll Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP845\A0168484.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP845\A0168484.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169644.exe Infected: Trojan-Spy.Win32.IamBigBrother.91 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169658.exe/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169658.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169658.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169659.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169659.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169659.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe/data0007 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169665.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169665.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169666.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169666.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169729.exe Infected: Trojan-Spy.Win32.IamBigBrother.91 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169744.exe/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169744.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169744.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe/data0007 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169752.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169752.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169752.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169755.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169755.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169756.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169756.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170000.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170028.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170028.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170028.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170029.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170030.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170033.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170035.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170045.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170045.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe/getnexus.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe/webnexus.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe/systb.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe/wdskctl.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe/getnexus.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe/webnexus.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170064.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170068.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170068.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170068.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170076.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170078.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170081.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170089.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170089.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe/systb.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe/wdskctl.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170101.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170102.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170103.dll Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170104.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped

Scan process completed.



==========
HiJackThis
==========

Logfile of HijackThis v1.99.1
Scan saved at 1:09:31 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\DELLMMKB.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\system32\fonts\svc\msapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supporta ... gctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supporta ... gctlsi.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0483416765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5752504252
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wiz ... ctiveX.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/w ... tycoon.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


==========
ComboFix
==========

Start Time= Wed 08/02/2006 13:11:48.51
Running from: C:\Documents and Settings\Cap'nTripps\Desktop\MalWareRemoval

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-01 09:09:06 ( .D... ) "C:\Program Files\System Icons"
2006-08-01 09:09:06 ( .D... ) "C:\Program Files\System Files"
2006-08-01 08:14:30 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-07-31 10:22:26 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-27 13:21:32 ( .D... ) "C:\Program Files\HijackThis"
2006-07-27 11:43:32 ( .D... ) "C:\Program Files\a-squared"
2006-07-27 10:34:40 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Lavasoft"
2006-07-27 10:34:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-25 02:38:42 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\System Restore"
2006-07-24 21:28:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-23 21:05:16 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Sun"
2006-06-23 20:57:22 ( .D... ) "C:\Documents and Settings\Cap'nTripps\Application Data\Google"
2006-06-23 20:57:20 ( .D... ) "C:\Program Files\Google"
2006-06-23 20:54:56 ( .D... ) "C:\Program Files\Java"
2006-06-23 20:52:22 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-06-06 20:49:18 745531 ( A...R ) "C:\WINDOWS\gmer.exe"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\SYSTEM32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\SYSTEM32\iphlpapi.dll"
2006-05-16 03:38:40 499712 ( A.... ) "C:\WINDOWS\SYSTEM32\msvcp71.dll"
2006-05-16 03:38:40 348160 ( A.... ) "C:\WINDOWS\SYSTEM32\msvcr71.dll"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\SYSTEM32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\SYSTEM32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\SYSTEM32\java.exe"
2001-07-26 17:58:46 47 ( A.... ) "C:\Program Files\ACMonitor_X73.ini"
2001-07-05 13:46:44 8116 ( A.... ) "C:\Program Files\OSLO3071b2.USB"
2001-05-11 12:39:16 53248 ( A.... ) "C:\Program Files\ACMonitor_X73.exe"
2001-05-08 17:36:42 114688 ( A.... ) "C:\Program Files\lxarscan.dll"
2001-04-23 15:22:14 1437 ( A.... ) "C:\Program Files\gtx73.ini"
2001-02-22 10:54:36 768 ( A.... ) "C:\Program Files\x73_lut.dat"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-02 11:20 267,468,800 C:\hiberfil.sys
2006-08-01 08:14 745,531 C:\WINDOWS\gmer.exe
2006-08-01 08:14 528,446 C:\WINDOWS\gmer.dll
2006-07-31 08:44 221,184 C:\WINDOWS\system32\wmpns.dll
2006-06-23 20:56 53,346 C:\WINDOWS\system32\javaw.exe
2006-06-23 20:56 49,248 C:\WINDOWS\system32\java.exe
2006-06-23 20:56 127,078 C:\WINDOWS\system32\javaws.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\Wkfud.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"SandIcon"="C:\\ImageMate CompactFlash USB\\SandIcon.Exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser Mouse\\mouse32a.exe"
"Windows System Tray"="C:\\WINDOWS\\system32\\fonts\\svc\\msapp.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
@=""
"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Files and Settings Transfer Wizard.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1068310400.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 08/02/2006 13:12:32.67
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-01.220828.txt
ComboFix.2006-08-01.224239.txt
ComboFix.2006-08-02.100324.txt
ComboFix.2006-08-02.131148.txt
capsdeej
Regular Member
Posts: 35
Joined: July 27th, 2006, 1:56 pm

Unread postby Shaba » August 3rd, 2006, 3:26 am

Hi

That looks quite good :)

Boot in safe mode

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
C:\Documents and Settings\Cap'nTripps\DoctorWeb\Quarantine

Reboot

Upload this file -> C:\WINDOWS\system32\fonts\svc\msapp.exe to VirusTotal and send results here.

Re-scan with Kaspersky

Send:

- a fresh HijackThis log
- Kaspersky report
- VirusTotal results
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby capsdeej » August 3rd, 2006, 8:19 am

Good morning Shaba. (It's morning for me anyway).

Hey - when I was navigating to those locations in safe mode, I saw a folder called QooBox. I've never heard of that - it's got a file in it called bvlvlp.dat.vir. Is that supposed to be there? Or should I delete it?

Thanks...

Unread postby Shaba » August 3rd, 2006, 8:22 am

Hi capsdeej (it's afternoon here ;) )

There are qoologic infection backups in that directory (combofix created it and copied files there). Feel free to empty it :)

Unread postby capsdeej » August 3rd, 2006, 10:17 am

Can't find that file you wanted me to upload and have scanned... There isn't even a fonts directory in the system32 directory. I searched the system to see if I could find such a file and I could not.

Here are the other two things you asked for...

==========
HiJackThis
==========

Logfile of HijackThis v1.99.1
Scan saved at 9:07:10 AM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\DELLMMKB.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\system32\fonts\svc\msapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supporta ... gctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supporta ... gctlsi.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0483416765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5752504252
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wiz ... ctiveX.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/w ... tycoon.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


==========
Kaspersky
==========

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, August 03, 2006 9:06:35 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 3/08/2006
Kaspersky Anti-Virus database records: 211964
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 47395
Number of viruses found: 33
Number of infected objects: 155
Number of suspicious objects: 0
Duration of the scan process: 01:14:18

Infected Object Name / Virus Name / Last Action
C:\I386\REG.EXE Infected: Net-Worm.Win32.Randon skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc1.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc10.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc11.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc12.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc13.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc14.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc15.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc16.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc17.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc18.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc19.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc2.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc20.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc21.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc22.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc23.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc24.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc26.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc26.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc26.exe CAB: infected - 2 skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc27.exe Infected: not-a-virus:AdWare.Win32.PurityScan.er skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc28.exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc28.exe Inno: infected - 1 skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc29.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc3.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc30.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc31.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc32.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc33.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc34.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc35.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc36.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc37.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc38.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc39.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc4.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc40.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc41.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc43.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc44.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc45.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc46.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc47.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc48.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc49.exe Infected: not-a-virus:AdWare.Win32.Iebar.j skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc5.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc50.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc51.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc52.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc53.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc54.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc55.exe Infected: Trojan-Downloader.Win32.Adload.az skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc56.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc57.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc58.exe Infected: not-a-virus:AdWare.Win32.Iebar.j skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc59.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc6.VBN Infected: Trojan-Clicker.Win32.VB.is skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc60.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc61.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc62.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc63.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc64.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc65.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc66.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc67.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc68.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc69.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc70.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc71.exe Infected: Trojan-Downloader.Win32.Adload.az skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc72.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc73.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc75.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc76.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc79.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc8.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc80.dll Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc9.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP845\A0168484.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP845\A0168484.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169644.exe Infected: Trojan-Spy.Win32.IamBigBrother.91 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169658.exe/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169658.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169658.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169659.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169659.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169659.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe/data0007 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169661.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169665.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169665.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169666.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169666.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169729.exe Infected: Trojan-Spy.Win32.IamBigBrother.91 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169744.exe/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169744.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169744.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe/data0007 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169748.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169752.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169752.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169752.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169755.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169755.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169756.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP848\A0169756.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170000.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170022.exe Infected: Trojan-PSW.Win32.LdPinch.arr skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170028.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170028.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170028.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170029.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170030.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170033.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170035.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170045.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170045.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe/getnexus.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe/webnexus.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe/systb.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe/wdskctl.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170047.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe/getnexus.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe/webnexus.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170063.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170064.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170068.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170068.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170068.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170070.exe Infected: Trojan-PSW.Win32.LdPinch.arr skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170076.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170078.exe Infected: Trojan.Win32.Runner.j skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170081.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170089.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170089.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe/systb.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe/wdskctl.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe MimarSinan: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170094.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170101.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170102.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170103.dll Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP851\A0170104.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped

Scan process completed.
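The report above lists 155 infected objects, but nearly all of them sit in the Recycle Bin or in System Restore snapshots; the only hit on the live file system is C:\I386\REG.EXE, which is the file Shaba asks to delete in the next post. The script below is an added example for this thread, not Kaspersky's code: it tallies a Kaspersky On-line Scanner report by location and by malware family so that distinction is visible at a glance. The sample report is excerpted from the lines posted above, and the location categories (Recycle Bin, System Restore, AV quarantine, live file system) are this example's own.

```python
"""Summarise a Kaspersky On-line Scanner report by location and family.

Added example for this thread; not Kaspersky's code. A long list of
'Infected' lines is less alarming once you see where the objects live:
hits inside the Recycle Bin or System Restore snapshots are inert copies
that go away when those stores are emptied, so the lines that matter for
triage are the ones on the live file system.
"""
import re
from collections import Counter

# "<object> Infected: <name> <action>"  -- one line per detected object
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
# "<object> <packer>: infected - <n> <action>" -- roll-up line for an archive
# whose members were already listed individually, so it is tallied apart
CONTAINER_RE = re.compile(r"^(?P<obj>.+?) (?P<packer>\w+): infected - (?P<n>\d+) (?P<action>\w+)$")


def container_path(obj: str) -> str:
    """Strip the '/inner/member' suffix the scanner appends for archive members."""
    return obj.split("/", 1)[0]


def classify(path: str) -> str:
    """Location class of an object (the categories are this example's own)."""
    low = path.lower()
    if "\\recycler\\" in low:
        return "Recycle Bin"
    if "\\system volume information\\" in low:
        return "System Restore"
    if "\\quarantine\\" in low:
        return "AV quarantine"
    return "Live file system"


def family(name: str) -> str:
    """Drop the per-variant suffix: Trojan-Downloader.Win32.Qoologic.ax -> ...Qoologic."""
    parts = name.split(".")
    return ".".join(parts[:3]) if len(parts) > 3 else name


def summarize(report: str) -> dict:
    """Count detections by location and family; list live-file-system paths."""
    by_location = Counter()
    by_family = Counter()
    live = []
    containers = 0
    for raw in report.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            path = container_path(m["obj"])
            where = classify(path)
            by_location[where] += 1
            by_family[family(m["name"])] += 1
            if where == "Live file system" and path not in live:
                live.append(path)
            continue
        if CONTAINER_RE.match(line):
            containers += 1
    return {"by_location": by_location, "by_family": by_family,
            "live": live, "containers": containers}


# Sample excerpted from the report lines posted above (a cut-down copy).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\I386\REG.EXE Infected: Net-Worm.Win32.Randon skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc1.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc26.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc26.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\RECYCLER\S-1-5-21-3685698554-3238835185-2771580065-1008\Dc26.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP847\A0169644.exe Infected: Trojan-Spy.Win32.IamBigBrother.91 skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe/webnexus.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP850\A0170046.exe UPX: infected - 2 skipped

Scan process completed.
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("By location:", dict(s["by_location"]))
    print("By family:", dict(s["by_family"]))
    print("Live file system objects:", s["live"])
    print("Archive roll-up lines:", s["containers"])
```

Run it against a full report pasted into `SAMPLE_REPORT` (or read from a file) and the `live` list is the short list that needs a decision; the Recycle Bin and System Restore counts tell you how much of the noise disappears once those stores are emptied.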

Unread postby Shaba » August 3rd, 2006, 10:47 am

Hi

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\system32\fonts\svc\msapp.exe

Close all windows including browser and press fix checked.

Delete this file -> C:\I386\REG.EXE

Empty Recycle Bin

Reboot and send a fresh HijackThis log.

How are things running now?
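The O4 entry Shaba singles out above is the classic shape of a leftover persistence entry: a generic display name ("Windows System Tray") whose executable lives in a folder that should hold no programs at all (`system32\fonts\svc`), and whose file no longer exists on disk, as capsdeej found. The script below is an added example for this thread, not HijackThis code: it parses the `Running processes` block and the O4 lines of a HijackThis v1.99-style log, extracts the executable each Run entry launches, and flags entries by two heuristics that are this example's own assumptions (odd parent directory; executable absent from the running-process list). The sample log is a constructed cut-down copy in the same shape as the ones posted in this thread.

```python
"""Triage of HijackThis O4 (registry Run key) autorun entries.

Added example for this thread; it is not HijackThis code, and the two
heuristics below are this example's own assumptions, not HijackThis rules:
  * the executable sits under a directory that normally holds no programs
    (a fonts folder, temp, the recycle bin), a common place to park
    persistence;
  * the executable is not in the running-process list, so the file is
    either missing (a leftover entry worth removing) or never started.
"""
import re
from dataclasses import dataclass

# Directory fragments under which a legitimate Run entry should not point
# (assumption for this example).
ODD_PARENTS = ("\\fonts\\", "\\temp\\", "\\recycler\\", "\\system volume information\\")

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Unquoted program path: everything up to the first executable extension
# that is followed by whitespace or the end of the value.
PROGRAM_RE = re.compile(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str
    path: str


def extract_path(command: str) -> str:
    """Return the executable path from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = PROGRAM_RE.match(command)
    return m.group(1) if m else command


def parse_log(text: str):
    """Split a HijackThis log into (running process paths, O4 entries)."""
    processes = set()
    entries = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # a blank line ends the process block
                in_procs = False
            else:
                processes.add(line.lower())
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(AutorunEntry(m["hive"], m["key"], m["name"],
                                        m["cmd"], extract_path(m["cmd"])))
    return processes, entries


def triage(text: str) -> dict:
    """Map an entry's display name to the list of reasons it deserves a closer look."""
    processes, entries = parse_log(text)
    findings = {}
    for e in entries:
        low = e.path.lower()
        reasons = []
        if any(frag in low for frag in ODD_PARENTS):
            reasons.append("executable lives under a directory that normally holds no programs")
        if low not in processes:
            # 8.3 short names (PROGRA~1) never match a long-form process path,
            # so treat this as a prompt to check the file, not as proof.
            reasons.append("executable not in the running-process list (missing or never started)")
        if reasons:
            findings[e.name] = reasons
    return findings


# Constructed sample: a cut-down log in the same shape as the ones posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\system32\fonts\svc\msapp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in reasons:
            print("   -", r)
```

On the sample, `Windows System Tray` is reported for both reasons, while `Symantec NetDriver Monitor` is reported only because its 8.3 short path does not match the long-form process list; that second kind of hit is exactly why the output is a prompt for a human check rather than a verdict.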

Unread postby capsdeej » August 3rd, 2006, 11:04 am

Things seem better. Windows seems slow to start, but I will tend to that after we're done here and I beef up security on this system. :)

There are no popups and that Word SR-1 installer no longer pops up.

Looking SO much better!!

==========
HiJackThis
==========

Logfile of HijackThis v1.99.1
Scan saved at 10:01:27 AM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supporta ... gctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supporta ... gctlsi.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0483416765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5752504252
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wiz ... ctiveX.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/w ... tycoon.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
capsdeej
Regular Member
Posts: 35
Joined: July 27th, 2006, 1:56 pm

Unread postby Shaba » August 3rd, 2006, 11:08 am

Nice to hear :)

Guess what?

You're clean!

You can disable ewido guard; that should speed up start-up:

Open Ewido

Click on Change state next to Resident shield. It should now change to inactive.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to disable and re-enable System Restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    Re-enable System Restore using the instructions from the tutorial above.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.


    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  2. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  3. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  4. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  5. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  6. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.


Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In the First Place

Happy surfing and stay clean!
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby capsdeej » August 3rd, 2006, 11:21 am

YAY! Shaba!!!! Thank you so much!!

It's been a pleasure working with you! You've inspired me - I'm joining the university - so maybe I'll see you there!

Thanks again!

-Deej
capsdeej
Regular Member
Posts: 35
Joined: July 27th, 2006, 1:56 pm

Unread postby Shaba » August 3rd, 2006, 1:24 pm

You're welcome :D

I'm sure we'll see you there - you are already an MRU Freshman :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby 'KotaGuy » August 5th, 2006, 2:10 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada