Hello, I have followed suit with everyone else and downloaded HijackThis. Here is my log file; any help on this situation would be greatly appreciated.


Nicholas

Logfile of HijackThis v1.99.1
Scan saved at 7:51:35 PM, on 8/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\qwerty12.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\ISM\ISMModule.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\PROGRA~1\HP\DIGITA~1\PRODUC~1\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\HPWTTBX.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: {CF746002-94FB-101B-8C12-02608C454BFF} - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPWT myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aryowyvi.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Navigator\Program\PLUGINS\npdsplay.dll
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164679651325
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8D1079-F84A-4E76-9FB4-3FB49E37A2D1}: NameServer = 207.178.128.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{80B72C95-9469-44CD-BD40-BDD4E0BAC4C5}: NameServer = 207.178.128.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{886EC3F7-6DAD-4062-A80D-4DAA001EB882}: NameServer = 207.178.128.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E8D1079-F84A-4E76-9FB4-3FB49E37A2D1}: NameServer = 207.178.128.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E8D1079-F84A-4E76-9FB4-3FB49E37A2D1}: NameServer = 207.178.128.20
O21 - SSODL: vpEkvGc - {C4393263-6E93-98C9-2A52-1B36ABB29C03} - (no file)
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


Nicolas,

When you say there's a virus ruining your computer, what do you mean? It would be helpful to know what sort of symptoms are being exhibited in order to narrow the search.

I have to tell you, the O17 entries and the O16 entry that references c:\nores.mht! look very suspicious to me. Of course I have no idea what you're running on your computer, but I've never encountered those entries before. I looked the file nores.mht! up in the bleepingcomputer.com database and it found no entries. Also, do you recognize the IP address (207.178.128.20) listed in your O17s?

If someone out there has more experience with this type of entry and knows it to be kosher, please post. Otherwise that's where I'd start looking.

Hey, thanks for the reply... McAfee keeps telling me that the new Win32 virus is on my computer... every 2 min I get a popup from McAfee that tells me this... it is causing my computer to be hosed and it gets so slow that the internet locks up or crashes; sometimes the whole computer crashes... I'm running XP of course, and nothing else out of the ordinary. McAfee tells me that the virus is coming from the Content.IE5 folder... I delete them, then they pop right back up... I hope this helps...
And thank you for your help as well... by the way, I found that address to belong to

Internet Specialties West ISWEST-BLK-1 (NET-207-178-128-0-1)
207.178.128.0 - 207.178.255.255
Internet Specialties West, Inc. ISWT-207-178-128-0 (NET-207-178-128-0-2)
207.178.128.0 - 207.178.131.255
does that mean anything to you?

Nicholas

Greentree, almost wasting my time here, fixing this, cos you are running a naked XP there, with no SP2 - how you have survived this long is wondrous.
Do these things.. see what happens:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

R3 - URLSearchHook: {CF746002-94FB-101B-8C12-02608C454BFF} - - (no file)
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aryowyvi.dll",forkonce
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx

Delete these files:
C:\Program Files\ISM\ISMModule.exe -and that folder ISM.
C:\WINDOWS\System32\aryowyvi.dll

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Rename hijackthis.exe to imabunny.exe. In fact, if you wish, cos that is a slightly old version, you could dl the new one from http://www.majorgeeks.com/download5554.html , replacing yours, and then rename that new one.
Okay, please run HT again and repost with the fixwareout and combofix logs.

OK, here are the Fixwareout, combo, and HijackThis logs... I couldn't find the file aryowyvi.dll to delete it... and the computer won't let me delete the ISM folder... says it is being used by another program... thanks for all your help... I did all the things you told me to in order... talk to you soon...
Green

ComboFix 07-08-04.3 - "winxp" 2007-08-05 23:53:55.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.0.1252.1.1033.18.True
* Created a new restore point



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))



C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\winxp\APPLIC~1.\asembl~1
C:\DOCUME~1\winxp\APPLIC~1.\asks~1
C:\DOCUME~1\winxp\APPLIC~1.\macromedia\Flash Player\#SharedObjects\JBPQ29T5\www.broadcaster.com
C:\DOCUME~1\winxp\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\winxp\APPLIC~1\Microsoft\2236.dat
C:\DOCUME~1\winxp\MYDOCU~1.\icroso~1.net
C:\DOCUME~1\winxp\MYDOCU~1.\scurit~1
C:\DOCUME~1\winxp\MYDOCU~1.\sstem~1
C:\DOCUME~1\winxp\MYDOCU~1.\ymbols~1
C:\DOCUME~1\winxp\MYDOCU~1.\ystem~1
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\fnts~1
C:\Program Files\icroso~1
C:\Program Files\inetget2
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\appatc~1
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\DOWNLO~1.\xpreload.ocx
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\gs32.txt
C:\WINDOWS\ppatch~1
C:\WINDOWS\s32.txt
C:\WINDOWS\smante~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dsuiexq.dll
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\qtutv.bak2
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\qtutv.tmp
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\sptwjhgy.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wqfgjmmb.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\trace
C:\WINDOWS\trace\trace.txt
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\ws386.ini



(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))



-------\LEGACY_ASPI113210
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\DomainService



(((((((((((((((((((((((((   Files Created from 2007-07-06 to 2007-08-06  )))))))))))))))))))))))))))))))



2007-08-05 23:52    51,200  --a------   C:\WINDOWS\nircmd.exe
2007-08-05 09:11    125,504 --a------   C:\WINDOWS\system32\ftncgelf.dll
2007-08-03 15:39    125,504 --a------   C:\WINDOWS\system32\siujoaak.dll
2007-08-03 15:13    125,504 --a------   C:\WINDOWS\system32\ndjrqfvd.dll
2007-08-03 14:04    7,768   --a--c---   C:\dnsbak.reg
2007-08-02 18:47    <DIR>    d--------   C:\Program Files\Enigma Software Group
2007-08-02 16:22    125,504 --a------   C:\WINDOWS\system32\mqnohasa.dll
2007-08-02 16:17    125,504 --a------   C:\WINDOWS\system32\peuhjfhi.dll
2007-08-02 00:12    125,504 --a------   C:\WINDOWS\system32\charoopk.dll
2007-08-01 21:14    125,504 --a------   C:\WINDOWS\system32\rxjuxuev.dll
2007-08-01 20:45    79,165  --a------   C:\WINDOWS\system32\drivers\MpFirewall.sys
2007-08-01 20:45    20,480  --a------   C:\WINDOWS\system32\MpfApi.dll
2007-08-01 19:53    7,469   --a--c---   C:\syscekv.exe
2007-08-01 19:26    <DIR>    d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-08-01 19:22    <DIR>    d--------   C:\DOCUME~1\winxp\APPLIC~1\McAfee.com Personal Firewall
2007-08-01 19:19    23,296  --a------   C:\WINDOWS\system32\drivers\NaiFiltr.sys
2007-08-01 19:18    <DIR>    d--------   C:\Program Files\McAfee
2007-08-01 19:18    <DIR>    d--------   C:\DOCUME~1\winxp\APPLIC~1\McAfee
2007-08-01 19:17    <DIR>    d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-08-01 19:16    348,160 --a------   C:\WINDOWS\system32\mcinsctl.dll
2007-08-01 19:16    270,336 --a------   C:\WINDOWS\system32\mcgdmgr.dll
2007-08-01 19:16    <DIR>    d--------   C:\Program Files\McAfee.com
2007-08-01 18:33    <DIR>    d--------   C:\Program Files\Eusing Free Registry Cleaner
2007-08-01 12:58    <DIR>    d--------   C:\DOCUME~1\winxp\APPLIC~1\Uniblue
2007-07-31 23:01    125,504 --a------   C:\WINDOWS\system32\denwdnxy.dll
2007-07-25 21:10    77,312  --a------   C:\WINDOWS\ua2.dll
2007-07-22 12:24    <DIR>    d--------   C:\Program Files\ISM
2007-07-18 12:11    38,567  --a------   C:\WINDOWS\system32\pcpbios.exe
2007-07-15 19:03    <DIR>    d--------   C:\WINDOWS\Google Toolbar
2007-07-09 18:27    <DIR>    d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia



((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-08-01 19:27    57344   --a------   C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-08-01 19:25    ---------   d--------   C:\Program Files\Google
2007-07-24 15:57    ---------   d--------   C:\Program Files\NStorm
2007-07-23 20:15    ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-07-15 19:07    ---------   d--------   C:\DOCUME~1\winxp\APPLIC~1\Google
2007-07-15 19:05    ---------   d--------   C:\Program Files\Symantec
2007-07-15 19:01    ---------   d--------   C:\Program Files\Creative
2007-07-11 03:39    ---------   d--------   C:\Program Files\Norton Security Scan
2007-06-21 16:08    ---------   d--------   C:\Program Files\Common Files\rmzu
2007-06-21 15:38    1760    --a------   C:\WINDOWS\system32\comsatac.dll
2007-06-21 14:59    187 --a------   C:\WINDOWS\system32\qviexio3.dat
2007-06-20 12:27    15891   --a------   C:\WINDOWS\system32\msratnit.dll
2007-06-16 15:37    ---------   d--------   C:\Program Files\Windows NT
2007-06-15 23:37    ---------   d--------   C:\Program Files\MySpace
2007-06-11 18:34    ---------   d--------   C:\Program Files\MFInstall
2007-06-08 14:04    ---------   d--------   C:\DOCUME~1\winxp\APPLIC~1\MSN6
2007-05-11 13:54    524288  --a------   C:\WINDOWS\system32\DivXsm.exe
2007-05-11 00:37    823296  --a------   C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 00:37    823296  --a------   C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 00:37    802816  --a------   C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 00:37    740442  --a------   C:\WINDOWS\system32\DivX.dll
2006-03-31 19:08    17  --a------   C:\Program Files\stng260.opt
2005-02-16 11:06    218112  --a------   C:\Program Files\HijackThis.exe
1998-12-08 22:53    99840   --a--c---   C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 22:53    70144   --a--c---   C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 22:53    48640   --a--c---   C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 22:53    31744   --a--c---   C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-08 22:53    186368  --a--c---   C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 22:53    17920   --a--c---   C:\Program Files\Common Files\IRASRIAL.DLL
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\SkVTU0NJQSBTV0VFVCBQRUE\m4pnoXhLkm1npXpIpF1kloH.vbs



(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D869297-5FF8-4C78-BDAB-3B1296DFE157}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
2007-07-11 16:02    192512  --a------   C:\Program Files\ISM\BndDrive.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B259868D-C0B3-4E76-841F-D61577945E06}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
"HPWT myPrintMileage Agent"="C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-27 21:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2003-09-02 15:41]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 18:10]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-09-02 14:00]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"Tesco Insert Detect"="C:\Program Files\Tesco\Picture Suite\InsDetect.exe" [2003-02-17 13:45]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE [2005-04-26 09:53:40]
Event Planner Reminder.lnk - C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2005-08-30 18:18:30]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
Quicken Startup.lnk - C:\Program Files\QUICKENW\QWDLLS.EXE [2005-04-26 09:53:59]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 17:51:54]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkhif]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrsrr]
ssqrsrr.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutq]


R1 MPFIREWL;MPFIREWL;C:\WINDOWS\System32\Drivers\MpFirewall.sys
R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe"
R3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\System32\DRIVERS\rt2500usb.sys
S0 szkg;szkg;C:\WINDOWS\System32\DRIVERS\szkg.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys


*Newly Created Service* - GTNDIS5


Contents of the 'Scheduled Tasks' folder
2007-08-03 11:24:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-06 04:00:00 C:\WINDOWS\Tasks\At1.job
2007-08-05 13:00:00 C:\WINDOWS\Tasks\At10.job
2007-08-05 14:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-05 15:00:00 C:\WINDOWS\Tasks\At12.job
2007-08-05 16:00:00 C:\WINDOWS\Tasks\At13.job
2007-08-05 17:00:00 C:\WINDOWS\Tasks\At14.job
2007-08-05 18:00:00 C:\WINDOWS\Tasks\At15.job
2007-08-05 19:00:00 C:\WINDOWS\Tasks\At16.job
2007-08-05 20:00:00 C:\WINDOWS\Tasks\At17.job
2007-08-05 21:00:00 C:\WINDOWS\Tasks\At18.job
2007-08-05 22:00:00 C:\WINDOWS\Tasks\At19.job
2007-08-05 05:00:00 C:\WINDOWS\Tasks\At2.job
2007-08-05 23:00:00 C:\WINDOWS\Tasks\At20.job
2007-08-06 00:00:00 C:\WINDOWS\Tasks\At21.job
2007-08-06 01:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\System32\k2y127e1.exe
2007-08-06 02:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-06 03:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\System32\k2y127e1.exe
2007-08-05 06:00:00 C:\WINDOWS\Tasks\At3.job
2007-08-05 07:00:00 C:\WINDOWS\Tasks\At4.job
2007-08-05 08:00:00 C:\WINDOWS\Tasks\At5.job
2007-08-05 09:00:00 C:\WINDOWS\Tasks\At6.job
2007-08-05 09:59:59 C:\WINDOWS\Tasks\At7.job
2007-08-05 11:00:00 C:\WINDOWS\Tasks\At8.job
2007-08-05 12:00:00 C:\WINDOWS\Tasks\At9.job
2007-08-06 03:29:50 C:\WINDOWS\Tasks\McAfee.com Update Check (SC-winxp).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-03 19:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job - C:\Program Files\Norton Security Scan\Nss.exe


**************************************************************************


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 00:02:49
Windows 5.1.2600  NTFS


scanning hidden processes ...


scanning hidden registry entries ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000008c


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************


Completion time: 2007-08-06  0:19:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-06 00:19


--- E O F ---



Username "winxp" - 08/03/2007 14:04:02 [Fixwareout edited 2007/07/05]


»»»»»Prerun check


Successfully flushed the DNS Resolver Cache.



System was rebooted successfully.


»»»»» Postrun check
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....


»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"HPWT myPrintMileage Agent"="C:\\Program Files\\Hewlett-Packard\\HP Business Inkjet 1000\\Toolbox\\mpm.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"McRegWiz"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"SystemOptimizer"="rundll32.exe \"C:\\WINDOWS\\System32\\aryowyvi.dll\",forkonce"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Tesco Insert Detect"="C:\\Program Files\\Tesco\\Picture Suite\\InsDetect.exe"
"ISMModule"="\"C:\\Program Files\\ISM\\ISMModule.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:32 AM, on 8/6/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\HP\DIGITA~1\PRODUC~1\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\winxp\Desktop\Imabunny.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D869297-5FF8-4C78-BDAB-3B1296DFE157} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: (no name) - {B259868D-C0B3-4E76-841F-D61577945E06} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPWT myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Navigator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164679651325
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80B72C95-9469-44CD-BD40-BDD4E0BAC4C5}: NameServer = 207.178.128.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{886EC3F7-6DAD-4062-A80D-4DAA001EB882}: NameServer = 207.178.128.20
O20 - Winlogon Notify: ljjkhif - C:\WINDOWS\
O20 - Winlogon Notify: ssqrsrr - ssqrsrr.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\
O21 - SSODL: vpEkvGc - {C4393263-6E93-98C9-2A52-1B36ABB29C03} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe


--
End of file - 7698 bytes

Hi, Green, get this program, Unlocker 1.8.5.
==This one is a general-purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Double-click the exe to install it, and uncheck the updater and assistant boxes. It runs from the right-click context menu, and that is cool.

Use hijackthis to fix these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0D869297-5FF8-4C78-BDAB-3B1296DFE157} - (no file)
O2 - BHO: (no name) - {B259868D-C0B3-4E76-841F-D61577945E06} - (no file)
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O20 - Winlogon Notify: ljjkhif - C:\WINDOWS\
O20 - Winlogon Notify: ssqrsrr - ssqrsrr.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\
O21 - SSODL: vpEkvGc - {C4393263-6E93-98C9-2A52-1B36ABB29C03} - (no file)

Good. Now browse to C:\Program Files\ISM and delete every file in that folder, with Unlocker if necessary, and then delete the folder ISM.
Post another HijackThis log with your comments, please.

Thanks man, I did all that and here's the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:17 PM, on 8/6/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\HPWTTBX.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Documents and Settings\winxp\Desktop\Imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPWT myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Navigator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164679651325
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80B72C95-9469-44CD-BD40-BDD4E0BAC4C5}: NameServer = 207.178.128.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{886EC3F7-6DAD-4062-A80D-4DAA001EB882}: NameServer = 207.178.128.20
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6923 bytes


Thanks for all your help

Green

First, a note.... in my first post to you I asked for this to be fixed and the file deleted, but you responded that you could not find the file - that's because it changes name with a system restart! Not to worry though, ComboFix removed it [but does not say that it has, which I find annoying.. it just does it; the clue is in the logs].
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aryowyvi.dll",forkonce
Moving on..
Looks good now. Btw, that O17 entry, Internet Specialties West ISWEST-BLK-1 (NET-207-178-128-0-1) 207.178.128.0
...is your web host; you have a webpage up.
Cheers.
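The two points made in the replies above, the list of "(no file)" / Winlogon Notify / SSODL entries to fix and the later note that the SystemOptimizer DLL took a new name on every restart, reduce to one triage rule: judge a HijackThis entry by its shape (dead target, bare directory, random-looking name, rundll32 loading from System32, a folder already identified as adware), not by a fixed filename. The following Python is an added example, not HijackThis code and not code from anyone in this thread; it applies that rule to lines copied from the logs posted here. The cscdll control line, the allowlist of stock Windows XP Winlogon Notify subkeys, the vowel/consonant thresholds and the reason tags are my assumptions.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line: str
    reason: str


# Constructed sample: entries copied from the HijackThis logs posted in this thread,
# plus one line (cscdll) added as a known-good control that should NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D869297-5FF8-4C78-BDAB-3B1296DFE157} - (no file)
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aryowyvi.dll",forkonce
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: ljjkhif - C:\WINDOWS\
O20 - Winlogon Notify: ssqrsrr - ssqrsrr.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\
O20 - Winlogon Notify: cscdll - C:\WINDOWS\system32\cscdll.dll
O21 - SSODL: vpEkvGc - {C4393263-6E93-98C9-2A52-1B36ABB29C03} - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Markers HijackThis prints when the registry still points at a module that no longer exists.
DEAD_MARKERS = ("(no file)", "(file missing)")

# Folder the reply in this thread told the poster to wipe (ISM / BndDrive adware).
KNOWN_BAD_DIRS = ("c:\\program files\\ism\\",)

# Stock Windows XP Winlogon Notify subkeys (assumed allowlist; extend it for your own build).
STOCK_WINLOGON_NOTIFY = frozenset({
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
})

VOWELS = frozenset("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic for the machine-generated names in this thread's O20/O21 entries
    (ljjkhif, ssqrsrr, vtutq, vpEkvGc): letters only, five or more of them, and
    either fewer than a quarter vowels or a consonant run of four or more.
    The thresholds are an assumption tuned to these samples, not a standard."""
    if len(name) < 5 or not name.isalpha():
        return False
    low = name.lower()
    vowel_ratio = sum(ch in VOWELS for ch in low) / len(low)
    longest_consonant_run = max((len(run) for run in re.findall(r"[^aeiou]+", low)), default=0)
    return vowel_ratio < 0.25 or longest_consonant_run >= 4


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line that deserves a look, else None."""
    line = line.strip()
    m = re.match(r"(O\d+|R\d) - (.*)", line)
    if not m:
        return None
    section, rest = m.groups()
    low = line.lower()

    # 1. Orphaned entries: the registry key survives but its file is gone.
    if any(marker in low for marker in DEAD_MARKERS):
        return Finding(line, "orphaned")

    # 2. Anything loading from a folder already identified as adware.
    if any(bad in low for bad in KNOWN_BAD_DIRS):
        return Finding(line, "adware-folder")

    # 3. Winlogon Notify / SSODL: a bare directory as target, or a random-looking name.
    if section in ("O20", "O21"):
        parts = rest.split(": ", 1)
        if len(parts) == 2:
            name, _, target = parts[1].partition(" - ")
            if section == "O20" and target.endswith("\\"):
                return Finding(line, "directory-target")
            if name.lower() not in STOCK_WINLOGON_NOTIFY and looks_random(name):
                return Finding(line, "random-name")

    # 4. Autorun via rundll32 of a DLL sitting in System32. The thread's SystemOptimizer
    #    entry renamed its DLL on every restart, so match the loading pattern, not the name.
    if section == "O4" and "rundll32" in low and "\\system32\\" in low:
        return Finding(line, "rundll32-system32")

    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every line of a HijackThis log and keep the hits."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.reason:>17}] {hit.line}")
```

Run against the sample it reports seven hits, in this order: the dead O2 BHO, the BndDrive BHO under C:\Program Files\ISM, the SystemOptimizer rundll32 entry, the two O20 entries that point at the bare C:\WINDOWS\ directory, the ssqrsrr "file missing" entry and the vpEkvGc SSODL entry, while the Adobe BHO, QuickTime, cscdll and the HP service pass. The allowlist matters: stock names such as cscdll and sclgntfy have no vowels and would otherwise trip the random-name heuristic, so the heuristic only decides after the known-good set has been consulted.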

Thanks a ton man, the computer is running much faster now... the guy that gave me the computer didn't tell me it had a pirated version of Windows XP... so getting SP2 has been impossible... anyway, thanks man...
Green

Ah, I don't have a solution for the pirate bit, but I think they exist.... you won't get one in this forum though. Did you get an "XP" CD with your system?
I don't know if you get blocked if you download the KB version of SP2 below and try to install it in safe mode, instead of via Windows Update. Or if you slipstream it onto your CD [if you have one..]
http://www.microsoft.com/downloads/details.aspx?familyid=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
and...
http://www.winsupersite.com/showcase/windowsxp_sp2_slipstream.asp
Heck, M$ should be happy for you to have it... cuts down bug dispersal to others.
Cheers.
