Got a stubborn trojan I can't get rid of. Need help

Post by motoman765 » October 18th, 2007, 12:57 pm

I have this stubborn trojan that I can't seem to get rid of and need some help. I typed the name of it into Google and got to here, where there was some help in getting rid of it, but I still can't seem to get rid of it. I tried the Vundofix.exe, but didn't want to go farther than that without the guidance of someone here. The one I get that keeps coming up is Win32.BHO.df; it's in the registry and comes back when the computer restarts.

Post by amateur » October 18th, 2007, 2:23 pm

Hello and welcome to MR. :)

Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Post by motoman765 » October 18th, 2007, 3:40 pm

Here is what I got from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:11 PM, on 10/18/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll (file missing)
O2 - BHO: Class - {0DCB855C-7AF4-46FC-F0C0-27DCB8195678} - C:\WINDOWS\system32\d3lk.dll (file missing)
O2 - BHO: Class - {18EA7FE0-8BD6-2D3D-4A77-6732EFEC2B2C} - C:\WINDOWS\ntwm.dll (file missing)
O2 - BHO: Class - {42B625C4-F206-ADFA-4FA4-AC97FDC73591} - C:\WINDOWS\d3hs.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Class - {6F8DB982-F820-7376-2AB9-CA0E147B64BE} - C:\WINDOWS\ntcw.dll (file missing)
O2 - BHO: Class - {6F9B4B7B-3DF9-DBFD-32CB-C97C202BF5F0} - C:\WINDOWS\netwz.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7FE1050C-5EEB-467C-88BD-5BEA2DD290BF} - C:\WINDOWS\System32\awvwx.dll (file missing)
O2 - BHO: Class - {8A4878A1-2428-847B-7D80-D1F2596F5212} - C:\WINDOWS\addpd32.dll (file missing)
O2 - BHO: Class - {AB8477A9-6521-5711-E5B4-DF3AC41BCC8E} - C:\WINDOWS\system32\sysrn.dll (file missing)
O2 - BHO: Class - {AE845430-3B50-352F-A6D3-21174EDCA037} - C:\WINDOWS\system32\javaix.dll (file missing)
O2 - BHO: Class - {B6348908-B9F9-A371-27D6-0E557FF4AA38} - C:\WINDOWS\system32\mfcih.dll (file missing)
O2 - BHO: Class - {DC944D17-0461-1EDC-5D81-91490871C12D} - C:\WINDOWS\ipbj.dll (file missing)
O2 - BHO: Class - {E6729088-50CA-1D40-3B9D-AA2D52D24BF7} - C:\WINDOWS\system32\ipxf32.dll (file missing)
O2 - BHO: Class - {EDA6A49E-38D2-631A-3178-70DCC8D0380F} - C:\WINDOWS\apiij32.dll (file missing)
O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\ntia.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: Class - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\addrb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug ... porter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/11fb410deb7 ... xIE601.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcams.mtu.edu/webcam8/AxisCamControl.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/fi ... tup145.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c0071437.dat
O20 - Winlogon Notify: xxyawtq - xxyawtq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

--
End of file - 9228 bytes

Post by amateur » October 18th, 2007, 4:08 pm

Hi,

You'll need to disable TeaTimer so that it will not interfere with the fixes.

While both TeaTimer and Spybot are closed, download ResetTeaTimer.bat to your desktop.

http://downloads.subratam.org/ResetTeaTimer.bat

Run ResetTeaTimer.bat.
Since it will not be needed again, delete ResetTeaTimer.bat.


Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

==================================
If you're using a paid version of Ad-Aware and have Ad-Watch, you'll need to disable that too.
==================================

I noticed that you have WeatherBug installed on your computer. This is very much an ad-enabled application which can also draw unwanted ads and popups to your computer. I would recommend that you remove it via Start>Control Panel>Add or Remove Programs.

In order to avoid future problems with WeatherBug, make sure the program is not running before uninstalling it. If there is a WeatherBug icon in the system tray (in the lower right hand corner of the screen) you'll need to right-click on it and choose "Exit WeatherBug" or "Terminate WeatherBug".

This is optional of course, but please be aware that if you decide to continue using WeatherBug, your computer will be at an increased risk of infection from malware. I'll include the associated entries in the HijackThis fix in purple. If you wish to keep it, please exclude those from the fix.

========================================

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll (file missing)
O2 - BHO: Class - {0DCB855C-7AF4-46FC-F0C0-27DCB8195678} - C:\WINDOWS\system32\d3lk.dll (file missing)
O2 - BHO: Class - {18EA7FE0-8BD6-2D3D-4A77-6732EFEC2B2C} - C:\WINDOWS\ntwm.dll (file missing)
O2 - BHO: Class - {42B625C4-F206-ADFA-4FA4-AC97FDC73591} - C:\WINDOWS\d3hs.dll (file missing)
O2 - BHO: Class - {6F8DB982-F820-7376-2AB9-CA0E147B64BE} - C:\WINDOWS\ntcw.dll (file missing)
O2 - BHO: Class - {6F9B4B7B-3DF9-DBFD-32CB-C97C202BF5F0} - C:\WINDOWS\netwz.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7FE1050C-5EEB-467C-88BD-5BEA2DD290BF} - C:\WINDOWS\System32\awvwx.dll (file missing)
O2 - BHO: Class - {8A4878A1-2428-847B-7D80-D1F2596F5212} - C:\WINDOWS\addpd32.dll (file missing)
O2 - BHO: Class - {AB8477A9-6521-5711-E5B4-DF3AC41BCC8E} - C:\WINDOWS\system32\sysrn.dll (file missing)
O2 - BHO: Class - {AE845430-3B50-352F-A6D3-21174EDCA037} - C:\WINDOWS\system32\javaix.dll (file missing)
O2 - BHO: Class - {B6348908-B9F9-A371-27D6-0E557FF4AA38} - C:\WINDOWS\system32\mfcih.dll (file missing)
O2 - BHO: Class - {DC944D17-0461-1EDC-5D81-91490871C12D} - C:\WINDOWS\ipbj.dll (file missing)
O2 - BHO: Class - {E6729088-50CA-1D40-3B9D-AA2D52D24BF7} - C:\WINDOWS\system32\ipxf32.dll (file missing)
O2 - BHO: Class - {EDA6A49E-38D2-631A-3178-70DCC8D0380F} - C:\WINDOWS\apiij32.dll (file missing)
O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\ntia.dll (file missing)
O2 - BHO: Class - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\addrb.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug ... porter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/11fb410deb7 ... xIE601.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab


Close all browser/windows other than HijackThis and click on "fix checked".

======================================

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply and a fresh HijackThis log please.
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
=======================================
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Click Start>Run, type in appwiz.cpl and press Enter.
  • Remove all entries of Runtime Environment (J2SE or JRE) that are listed.
  • Now reboot your computer.
  • Download the latest version of Java Runtime Environment, and install it to your computer.

=======================================
Post back the combofix.txt and a fresh HijackThis log please.
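The fix list in the post above was built by reading the first HijackThis log by eye. The script below is an added example (not code from this thread, from HijackThis or from ComboFix) that parses the R/O entry lines of a HijackThis log and flags the same kinds of entries: components whose backing file is gone, BHOs with a generic or blank name, O20 AppInit_DLLs and Winlogon Notify hooks, and IE search settings left empty. The sample lines are a subset copied from the log posted earlier in the thread; deciding which R1 search URLs are hijacks is left to the analyst.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# A HijackThis entry line looks like "<section> - <detail>", e.g.
#   O2 - BHO: Class - {GUID} - C:\WINDOWS\system32\javaov32.dll (file missing)
# Process-list and header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<rest>.+)$")

# Sample input: a subset of lines copied from the HijackThis log posted
# earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll (file missing)
O2 - BHO: (no name) - {7FE1050C-5EEB-467C-88BD-5BEA2DD290BF} - C:\WINDOWS\System32\awvwx.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c0071437.dat
O20 - Winlogon Notify: xxyawtq - xxyawtq.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""


@dataclass
class Entry:
    kind: str                 # HijackThis section, e.g. "O2", "O20"
    rest: str                 # everything after "O2 - "
    reasons: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return the R*/F*/O* entries of a HijackThis log, in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("rest")))
    return entries


def reasons_for(entry: Entry) -> list:
    """Objective signals that an entry deserves a second look."""
    kind, rest = entry.kind, entry.rest
    low = rest.lower()
    out = []
    # A registered hook whose file is gone: either a dead leftover of an
    # earlier cleanup or a component that gets recreated at boot. Every
    # O2/O3/R3 line in the fix list above has this property.
    if "(file missing)" in low or "(no file)" in low:
        out.append("backing file missing")
    # Real vendor BHOs carry a display name; a bare "Class" or "(no name)"
    # is typical of generated components.
    if kind == "O2" and re.match(r"bho: (class|\(no name\)) -", low):
        out.append("BHO with generic or blank name")
    if kind == "O20":
        if low.startswith("appinit_dlls:") and rest.split(":", 1)[1].strip():
            out.append("AppInit_DLLs set: loaded into every process that maps user32.dll")
        elif low.startswith("winlogon notify:"):
            out.append("Winlogon Notify package: loaded by winlogon.exe at logon")
    # R0/R1 setting with an empty value, e.g. "Search,SearchAssistant ="
    if kind in ("R0", "R1") and rest.endswith("="):
        out.append("IE search/start setting with empty value")
    return out


def triage(entries) -> list:
    """Attach reasons to each entry and return only the flagged ones."""
    flagged = []
    for e in entries:
        e.reasons = reasons_for(e)
        if e.reasons:
            flagged.append(e)
    return flagged


def summarize(flagged) -> dict:
    """Count flagged entries per HijackThis section."""
    return dict(Counter(e.kind for e in flagged))


if __name__ == "__main__":
    flagged = triage(parse_hjt(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.kind} - {e.rest}\n    -> {'; '.join(e.reasons)}")
    print(summarize(flagged))
```

Entries such as the orphaned iPod service are flagged only because their file is missing; the output is a review list for the analyst, not an automatic fix list.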

Post by motoman765 » October 18th, 2007, 4:52 pm

OK, I ran the ResetTeaTimer, then tried to uninstall WeatherBug, but it won't let me. Says a file is missing and won't uninstall. It is turned off. Do I continue with the HijackThis fix? Or do I need to get WeatherBug uninstalled first?

Post by amateur » October 18th, 2007, 5:17 pm

Please continue.

Post by motoman765 » October 18th, 2007, 5:36 pm

ComboFix log

ComboFix 07-10-19.1 - Auto 2007-10-18 17:22:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.175 [GMT -4:00]
Running from: C:\Documents and Settings\Auto\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data.\salesmonitor
C:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\avtasks.dat
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\avtasks.dat
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\Logs\av.log
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\Logs\av.log
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\Logs\ga6Support.log
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\Logs\ga6Support.log
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\Logs\update.log
C:\Documents and Settings\Auto\Application Data\BestsellerAntivirus\Logs\update.log
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\bcnqxinp.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\gseeuncm.exe
C:\WINDOWS\system32\njnvfrxw.exe
C:\WINDOWS\system32\qwkretad.exe
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\system32\Z9
C:\WINDOWS\TISKY009.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-18 17:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 15:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-18 15:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 11:07 <DIR> d-------- C:\VundoFix Backups
2007-10-16 16:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-10-16 15:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 15:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-10-16 15:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-16 10:02 <DIR> d-------- C:\Documents and Settings\Auto\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-10-15 14:20 <DIR> d-------- C:\WINDOWS\system32\Adobe
2007-10-15 13:08 389,184 --a------ C:\WINDOWS\system32\ogfygxul.exe
2007-10-09 07:16 407,647 --ahs---- C:\WINDOWS\system32\xwvwa.bak2
2007-10-05 08:23 6,465 --ahs---- C:\WINDOWS\system32\xwvwa.bak1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 21:00 --------- d-----w C:\Program Files\SBC Yahoo!
2007-10-17 20:59 --------- d-----w C:\Program Files\Yahoo!
2007-10-17 20:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2007-10-17 20:57 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-16 21:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-10-15 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-10 11:21 --------- d-----w C:\Program Files\Apple Software Update
2007-10-05 12:18 --------- d-----w C:\Documents and Settings\Auto\Application Data\WeatherBug
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A644696-8F0D-3061-6A0B-EB8E60093173}]
C:\WINDOWS\system32\javaov32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DCB855C-7AF4-46FC-F0C0-27DCB8195678}]
C:\WINDOWS\system32\d3lk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18EA7FE0-8BD6-2D3D-4A77-6732EFEC2B2C}]
C:\WINDOWS\ntwm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42B625C4-F206-ADFA-4FA4-AC97FDC73591}]
C:\WINDOWS\d3hs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F8DB982-F820-7376-2AB9-CA0E147B64BE}]
C:\WINDOWS\ntcw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F9B4B7B-3DF9-DBFD-32CB-C97C202BF5F0}]
C:\WINDOWS\netwz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FE1050C-5EEB-467C-88BD-5BEA2DD290BF}]
C:\WINDOWS\System32\awvwx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4878A1-2428-847B-7D80-D1F2596F5212}]
C:\WINDOWS\addpd32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB8477A9-6521-5711-E5B4-DF3AC41BCC8E}]
C:\WINDOWS\system32\sysrn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE845430-3B50-352F-A6D3-21174EDCA037}]
C:\WINDOWS\system32\javaix.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6348908-B9F9-A371-27D6-0E557FF4AA38}]
C:\WINDOWS\system32\mfcih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC944D17-0461-1EDC-5D81-91490871C12D}]
C:\WINDOWS\ipbj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6729088-50CA-1D40-3B9D-AA2D52D24BF7}]
C:\WINDOWS\system32\ipxf32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDA6A49E-38D2-631A-3178-70DCC8D0380F}]
C:\WINDOWS\apiij32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFC4F699-F19A-6D2A-3A0D-DA6A6848205C}]
C:\WINDOWS\ntia.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD28144A-BE74-ABB6-5C2B-E60BF82588B7}]
C:\WINDOWS\addrb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-08-23 08:00]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 08:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 08:00]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"HP Network Registry Agent"="C:\WINDOWS\System32\hpnra.exe" [2000-10-26 17:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-16 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 08:00]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 12:01]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2004-11-08 18:13]
"Spyware Begone"="c:\freescan\freescan.exe" []
"iIWiper"="C:\Program Files\iISystem Wiper\SystemWiper.exe" [2004-08-28 22:11]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyawtq]
xxyawtq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\__c0071437.dat


*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 17:24:51
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
iIWiper = C:\Program Files\iISystem Wiper\SystemWiper.exe m???????????????????????????????????????_????w????B?_????x?? .?s????dx?????s8??????????s`x??8???_????x??s??s8????????????y?????s???????????????????????????????????s????8W2??x???=??????-A?w?????_?wc_?w????8W2????

scanning hidden files ...

C:\WINDOWS\_default.pif:uwnrul 35310 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-10-19 17:25:52
.
--- E O F ---

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:21 PM, on 10/19/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll (file missing)
O2 - BHO: Class - {0DCB855C-7AF4-46FC-F0C0-27DCB8195678} - C:\WINDOWS\system32\d3lk.dll (file missing)
O2 - BHO: Class - {18EA7FE0-8BD6-2D3D-4A77-6732EFEC2B2C} - C:\WINDOWS\ntwm.dll (file missing)
O2 - BHO: Class - {42B625C4-F206-ADFA-4FA4-AC97FDC73591} - C:\WINDOWS\d3hs.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Class - {6F8DB982-F820-7376-2AB9-CA0E147B64BE} - C:\WINDOWS\ntcw.dll (file missing)
O2 - BHO: Class - {6F9B4B7B-3DF9-DBFD-32CB-C97C202BF5F0} - C:\WINDOWS\netwz.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7FE1050C-5EEB-467C-88BD-5BEA2DD290BF} - C:\WINDOWS\System32\awvwx.dll (file missing)
O2 - BHO: Class - {8A4878A1-2428-847B-7D80-D1F2596F5212} - C:\WINDOWS\addpd32.dll (file missing)
O2 - BHO: Class - {AB8477A9-6521-5711-E5B4-DF3AC41BCC8E} - C:\WINDOWS\system32\sysrn.dll (file missing)
O2 - BHO: Class - {AE845430-3B50-352F-A6D3-21174EDCA037} - C:\WINDOWS\system32\javaix.dll (file missing)
O2 - BHO: Class - {B6348908-B9F9-A371-27D6-0E557FF4AA38} - C:\WINDOWS\system32\mfcih.dll (file missing)
O2 - BHO: Class - {DC944D17-0461-1EDC-5D81-91490871C12D} - C:\WINDOWS\ipbj.dll (file missing)
O2 - BHO: Class - {E6729088-50CA-1D40-3B9D-AA2D52D24BF7} - C:\WINDOWS\system32\ipxf32.dll (file missing)
O2 - BHO: Class - {EDA6A49E-38D2-631A-3178-70DCC8D0380F} - C:\WINDOWS\apiij32.dll (file missing)
O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\ntia.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: Class - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\addrb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcams.mtu.edu/webcam8/AxisCamControl.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/fi ... tup145.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c0071437.dat
O20 - Winlogon Notify: xxyawtq - xxyawtq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

--
End of file - 7916 bytes


And I updated the Java as suggested.
motoman765
Regular Member
 
Posts: 36
Joined: October 18th, 2007, 12:46 pm
Location: MI

Unread postby amateur » October 18th, 2007, 6:51 pm

Hi,

I am afraid disabling TeaTimer was not enough. Please go to Start>Control Panel>Add or Remove Programs and remove both Spybot S&D and Ad-Aware. You can reinstall them when we are done.
=============================================

Restart the computer.

=============================================

Scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll (file missing)
O2 - BHO: Class - {0DCB855C-7AF4-46FC-F0C0-27DCB8195678} - C:\WINDOWS\system32\d3lk.dll (file missing)
O2 - BHO: Class - {18EA7FE0-8BD6-2D3D-4A77-6732EFEC2B2C} - C:\WINDOWS\ntwm.dll (file missing)
O2 - BHO: Class - {42B625C4-F206-ADFA-4FA4-AC97FDC73591} - C:\WINDOWS\d3hs.dll (file missing)
O2 - BHO: Class - {6F8DB982-F820-7376-2AB9-CA0E147B64BE} - C:\WINDOWS\ntcw.dll (file missing)
O2 - BHO: Class - {6F9B4B7B-3DF9-DBFD-32CB-C97C202BF5F0} - C:\WINDOWS\netwz.dll (file missing)
O2 - BHO: (no name) - {7FE1050C-5EEB-467C-88BD-5BEA2DD290BF} - C:\WINDOWS\System32\awvwx.dll (file missing)
O2 - BHO: Class - {8A4878A1-2428-847B-7D80-D1F2596F5212} - C:\WINDOWS\addpd32.dll (file missing)
O2 - BHO: Class - {AB8477A9-6521-5711-E5B4-DF3AC41BCC8E} - C:\WINDOWS\system32\sysrn.dll (file missing)
O2 - BHO: Class - {AE845430-3B50-352F-A6D3-21174EDCA037} - C:\WINDOWS\system32\javaix.dll (file missing)
O2 - BHO: Class - {B6348908-B9F9-A371-27D6-0E557FF4AA38} - C:\WINDOWS\system32\mfcih.dll (file missing)
O2 - BHO: Class - {DC944D17-0461-1EDC-5D81-91490871C12D} - C:\WINDOWS\ipbj.dll (file missing)
O2 - BHO: Class - {E6729088-50CA-1D40-3B9D-AA2D52D24BF7} - C:\WINDOWS\system32\ipxf32.dll (file missing)
O2 - BHO: Class - {EDA6A49E-38D2-631A-3178-70DCC8D0380F} - C:\WINDOWS\apiij32.dll (file missing)
O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\ntia.dll (file missing)
O2 - BHO: Class - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\addrb.dll (file missing)
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c0071437.dat
O20 - Winlogon Notify: xxyawtq - xxyawtq.dll (file missing)


Close all browsers/windows except HijackThis and click on "fix checked".

==============================================

Open Notepad (it must be Notepad, not WordPad, or it won't work) and copy/paste the text in the codebox below into it:

Code:

File::
C:\WINDOWS\system32\ogfygxul.exe
C:\WINDOWS\system32\xwvwa.bak2
C:\WINDOWS\system32\xwvwa.bak1

Folder::
C:\Documents and Settings\Auto\Application Data\WeatherBug


ADS::
C:\WINDOWS\_default.pif

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-



Save this as CFScript.txt

Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply, please.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
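
As an added example (not part of this thread, and not HijackThis or ComboFix code), the triage rules amateur applied above, written out as a small Python helper that reads raw HijackThis lines and flags orphaned registrations whose file is gone, any populated AppInit_DLLs value, and Winlogon Notify packages with a missing DLL. The sample lines are copied from the log posted in this thread; the rule wording and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: HijackThis 2.0.2 lines taken from the log posted in this
# thread, trimmed to a few entries (one clean line per section kept for contrast).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Class - {6F8DB982-F820-7376-2AB9-CA0E147B64BE} - C:\WINDOWS\ntcw.dll (file missing)
O2 - BHO: (no name) - {7FE1050C-5EEB-467C-88BD-5BEA2DD290BF} - C:\WINDOWS\System32\awvwx.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Microsoft AntiSpyware helper - {F93AF644-E7EF-4ABC-A768-512B02497FB5} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c0071437.dat
O20 - Winlogon Notify: xxyawtq - xxyawtq.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
End of file - 7916 bytes
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ...". Lines that do not start with
# a HijackThis section code (headers, "End of file", blank lines) are skipped.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(section: str, body: str) -> Optional[str]:
    """Return the reason an entry deserves a look, or None if it passes."""
    orphaned = body.endswith("(file missing)") or "(no file)" in body
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is empty on a stock Windows XP install; anything listed here
        # is loaded into every process that maps user32.dll, so it is always reviewed.
        return "AppInit_DLLs populated: " + body.split(":", 1)[1].strip()
    if section == "O20" and body.startswith("Winlogon Notify:") and orphaned:
        return "Winlogon Notify package whose DLL is missing"
    if section in ("O2", "O9", "R3") and orphaned:
        # The registration survives but the file is gone: either a leftover from a
        # removed product, or a component that is renamed/recreated between reboots.
        return "orphaned registration (file missing)"
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run classify() over every entry line and collect the hits in log order."""
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        reason = classify(section, body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def triage_text(text: str) -> List[Finding]:
    """Convenience wrapper for a whole pasted log."""
    return triage(text.strip().splitlines())


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Clean entries such as the Java SSVHelper BHO and the AVG Run key pass through untouched; the output is a review list, not a fix list, and each hit still needs the judgement shown in the post above.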

Unread postby motoman765 » October 18th, 2007, 7:22 pm

OK, here is the new ComboFix log:

ComboFix 07-10-19.1 - Auto 2007-10-19 19:14:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.138 [GMT -4:00]
Running from: C:\Documents and Settings\Auto\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Auto\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ogfygxul.exe
C:\WINDOWS\system32\xwvwa.bak1
C:\WINDOWS\system32\xwvwa.bak2
.
ADS - _default.pif: deleted 940358 bytes in 87 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Auto\Application Data\WeatherBug
C:\WINDOWS\system32\ogfygxul.exe
C:\WINDOWS\system32\xwvwa.bak1
C:\WINDOWS\system32\xwvwa.bak2

.
((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-19 17:33 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-18 17:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 15:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-18 15:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 11:07 <DIR> d-------- C:\VundoFix Backups
2007-10-16 16:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-10-16 10:02 <DIR> d-------- C:\Documents and Settings\Auto\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-10-15 14:20 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 22:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-10-19 21:33 --------- d-----w C:\Program Files\Java
2007-10-17 21:00 --------- d-----w C:\Program Files\SBC Yahoo!
2007-10-17 20:59 --------- d-----w C:\Program Files\Yahoo!
2007-10-17 20:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2007-10-17 20:57 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-15 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-10 11:21 --------- d-----w C:\Program Files\Apple Software Update
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-19_17.24.58.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-18 21:22:16 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-19 23:14:20 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2005-11-10 16:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 16:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 18:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-08-23 08:00]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 08:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 08:00]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"HP Network Registry Agent"="C:\WINDOWS\System32\hpnra.exe" [2000-10-26 17:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-16 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 08:00]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 12:01]
"Spyware Begone"="c:\freescan\freescan.exe" []
"iIWiper"="C:\Program Files\iISystem Wiper\SystemWiper.exe" [2004-08-28 22:11]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21]


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 19:16:29
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
iIWiper = C:\Program Files\iISystem Wiper\SystemWiper.exe m???????????????????????????????????????_????w????B?_????x?? .?s????dx?????s8??????????s`x??8???_????x??s??s8????????????y?????s???????????????????????????????????s????8W2??x???=??????-A?w?????_?wc_?w????8W2????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 19:17:13
C:\ComboFix2.txt ... 2007-10-19 17:25
.
--- E O F ---

And here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:56 PM, on 10/19/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcams.mtu.edu/webcam8/AxisCamControl.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/fi ... tup145.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

--
End of file - 4983 bytes

Will not be back to this troubled computer till morning; going home for the night.
motoman765
Regular Member
 
Posts: 36
Joined: October 18th, 2007, 12:46 pm
Location: MI

Unread postby amateur » October 18th, 2007, 7:36 pm

Hi,

It doesn't look much troubled any more. You can do these tomorrow then:

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

======================

Perform an online scan using Internet Explorer with Panda ActiveScan
  • Click on Image located at the bottom of the page.
  • A "pop up" window will appear. Please ensure that your pop up blocker doesn't block it
  • Enter your e-mail address, country, and state & click "Free Online Scan". The download of the 8 MB Panda ActiveX control will take place.
Begin the scan by selecting Image
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on Image then click Image and post back the contents please.


========================

Please post the Panda online scan results and let me know how the computer is running now.

amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby motoman765 » October 19th, 2007, 10:28 am

This is what Panda says:

Incident Status Location

Adware:adware/searchaid Not disinfected c:\windows\system32\sdkkt32.exe
Adware:adware/sidestep Not disinfected c:\windows\downloaded program files\SbCIe02a.dll
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\MySearchToolBar.ToolbarPlugin
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Auto\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Auto\Desktop\ComboFix.exe[nircmd.cfexe]
Virus:Generic Malware Disinfected C:\Program Files\Eyetide Media\Eyetide Viewer\s4Setp.exe
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bcnqxinp.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\gseeuncm.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\njnvfrxw.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ogfygxul.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\qwkretad.exe.vir
Adware:Adware/Zenosearch Not disinfected C:\qoobox\Quarantine\C\WINDOWS\TISKY009.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
motoman765
Regular Member
 
Posts: 36
Joined: October 18th, 2007, 12:46 pm
Location: MI

Unread postby amateur » October 19th, 2007, 11:17 am

Hi,

Please go to Start>Control Panel>Add or Remove Programs and remove Eyetide Media, which is classified as an adware/adware bundler. See here: http://www.emsisoft.com/en/malware/?Adw ... 32.Eyetide

Then using Windows Explorer (right click on Start, click on Explore), locate and delete its folder, if still present:

C:\Program Files\Eyetide Media

===============================

Open Notepad (it must be Notepad, not WordPad, or it won't work) and copy/paste the text in the quotebox below into it, starting from File....:


File::
c:\windows\system32\sdkkt32.exe 
c:\windows\downloaded program files\SbCIe02a.dll 



Save this as CFScript.txt

Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


===============================

Download Registry Search. http://www.bleepingcomputer.com/files/regsearch.php

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

Myway

- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder).

Post this text in your next reply along with the ComboFix txt. Please let me know how the computer is running.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
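The helper above did a triage step by hand: of the items Panda reported, only the two live files went into the CFScript `File::` section, the registry key was routed to a Regsearch lookup, and the rest (already disinfected, already in ComboFix's qoobox quarantine, or ComboFix's own bundled nircmd) were left alone. The script below is an added example that performs that same sort automatically; it is not code from the thread, from Panda or from ComboFix. The sample input is an abbreviated copy of the Panda lines posted above, and the exclusion rules (the `c:\qoobox\quarantine` prefix, `ComboFix.exe[...]` archive members, `nircmd.exe` as a ComboFix component) and all function names are this example's assumptions.

```python
import re
from typing import Dict, List

# Abbreviated copy of the Panda ActiveScan table posted in the thread
# (constructed sample input for this example; a few repeated *.vir lines dropped).
PANDA_RESULTS = r"""
Incident Status Location

Adware:adware/searchaid Not disinfected c:\windows\system32\sdkkt32.exe
Adware:adware/sidestep Not disinfected c:\windows\downloaded program files\SbCIe02a.dll
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\MySearchToolBar.ToolbarPlugin
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Auto\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Auto\Desktop\ComboFix.exe[nircmd.cfexe]
Virus:Generic Malware Disinfected C:\Program Files\Eyetide Media\Eyetide Viewer\s4Setp.exe
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bcnqxinp.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ogfygxul.exe.vir
Adware:Adware/Zenosearch Not disinfected C:\qoobox\Quarantine\C\WINDOWS\TISKY009.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
"""

# One Panda line is "<incident> <status> <location>". Incident and location both
# contain spaces, so the fixed status keyword is what splits the line.
LINE_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")

# Locations that are not live infections and must not go into a CFScript.
# These exclusion rules are assumptions made for this example, based on the thread.
QUARANTINE_PREFIX = r"c:\qoobox\quarantine"      # ComboFix's own quarantine folder
TOOL_COMPONENTS = ("nircmd.exe",)                # helper binary that ComboFix drops itself


def classify(incident: str, status: str, location: str) -> str:
    """Return 'file', 'registry' or 'ignore' for one Panda finding."""
    loc = location.lower()
    if status == "Disinfected":
        return "ignore"                          # Panda already cleaned it
    if loc.startswith(QUARANTINE_PREFIX):
        return "ignore"                          # already quarantined by ComboFix
    if "combofix.exe[" in loc:
        return "ignore"                          # archive member inside the tool itself
    if loc.rsplit("\\", 1)[-1] in TOOL_COMPONENTS:
        return "ignore"
    if loc.startswith("hkey_"):
        return "registry"                        # needs a registry search, not File::
    return "file"


def triage(text: str) -> Dict[str, List[str]]:
    """Sort Panda findings into CFScript file targets, registry keys and ignored items."""
    buckets: Dict[str, List[str]] = {"files": [], "registry": [], "ignored": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                             # header or blank line
        kind = classify(m["incident"], m["status"], m["location"])
        key = {"file": "files", "registry": "registry", "ignore": "ignored"}[kind]
        buckets[key].append(m["location"])
    return buckets


def build_cfscript(files: List[str]) -> str:
    """Emit the File:: section in the form the helper pasted into CFScript.txt."""
    return "File::\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    result = triage(PANDA_RESULTS)
    print(build_cfscript(result["files"]))
    print("Registry items to look up with Regsearch:", result["registry"])
    print("Ignored (quarantined / already cleaned / tool components):", len(result["ignored"]))
```

Run on the sample, the `File::` section comes out with exactly the two paths the helper chose, `hkey_classes_root\MySearchToolBar.ToolbarPlugin` lands in the registry bucket, and the seven remaining hits are set aside. The point of keeping the quarantine and tool-component rules explicit is that a scanner flagging `C:\qoobox\Quarantine\...` or ComboFix's own `nircmd.exe` is expected noise after a cleanup run, and deleting those blindly would break the tool or destroy the quarantine backups.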

Unread postby motoman765 » October 19th, 2007, 12:21 pm

Eyetide Media would not uninstall from the control program. It says "Could not open INSTALL.LOG file". I did delete the file through Windows Explorer as you said though.

Combo fix log:

ComboFix 07-10-19.1 - Auto 2007-10-20 11:40:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.133 [GMT -4:00]
Running from: C:\Documents and Settings\Auto\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Auto\Desktop\CFScript.txt
* Created a new restore point

FILE::
c:\windows\downloaded program files\SbCIe02a.dll
c:\windows\system32\sdkkt32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\downloaded program files\SbCIe02a.dll
c:\windows\system32\sdkkt32.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-20 09:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-19 17:33 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-18 17:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 15:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-18 15:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 11:07 <DIR> d-------- C:\VundoFix Backups
2007-10-16 16:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-10-16 10:02 <DIR> d-------- C:\Documents and Settings\Auto\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-10-16 10:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-10-15 14:20 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 13:49 --------- d-----w C:\Program Files\iISystem Wiper
2007-10-19 22:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-10-19 21:33 --------- d-----w C:\Program Files\Java
2007-10-17 21:00 --------- d-----w C:\Program Files\SBC Yahoo!
2007-10-17 20:59 --------- d-----w C:\Program Files\Yahoo!
2007-10-17 20:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2007-10-17 20:57 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-15 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-10 11:21 --------- d-----w C:\Program Files\Apple Software Update
.

((((((((((((((((((((((((((((( snapshot@2007-10-19_17.24.58.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 12:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-03-29 13:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 20:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 18:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 15:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 17:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 22:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 22:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 19:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 17:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 14:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 17:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 22:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 20:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 18:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 18:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 17:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 17:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 15:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 15:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 12:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 18:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 14:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 14:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 20:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 13:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 14:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 18:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 18:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 17:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 12:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 12:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 21:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 18:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 10:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 21:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 16:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2007-10-18 21:22:16 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-20 15:40:33 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2005-11-10 16:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 16:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 18:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2003-03-25 22:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-08-23 08:00]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 08:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 08:00]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"HP Network Registry Agent"="C:\WINDOWS\System32\hpnra.exe" [2000-10-26 17:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-16 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 08:00]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 12:01]
"Spyware Begone"="c:\freescan\freescan.exe" []
"iIWiper"="C:\Program Files\iISystem Wiper\SystemWiper.exe" [2004-08-28 22:11]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21]


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 12:08:01
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-20 12:09:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-19 19:17
C:\ComboFix3.txt ... 2007-10-19 17:25
.
--- E O F ---

Regsearch results:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 10/20/2007 12:15:29 PM for strings:
; 'myway'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
motoman765
Regular Member
 
Posts: 36
Joined: October 18th, 2007, 12:46 pm
Location: MI

Unread postby amateur » October 19th, 2007, 9:09 pm

Hi,

How is the computer running now?
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby motoman765 » October 20th, 2007, 12:57 am

It seemed to be running OK when I left work today. I left it up and running and hooked up to the internet. I'll see how it looks and runs after the weekend when I return to work. Then hopefully I can get the mechanics at the shop to stop getting their computer all plugged up with viruses and malware.

Is there anything you suggest I should run or do and let you know the results when I get back to work on Monday?
motoman765
Regular Member
 
Posts: 36
Joined: October 18th, 2007, 12:46 pm
Location: MI