need help with log

I have taken all steps as posted in the sticky and I still have spyware, but I only get popups and such when I search from my Google Toolbar in IE :confused:. At least that's all that I have noticed. I have tried reinstalling but that did not help.

Here is my log from HijackThis and it does not look like there is anything else I can remove. Maybe I am wrong. Please let me know, TIA!! :)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\pwnstar max\Desktop\hijackthis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176003607440
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

Comments

  • edited June 2007
    Hi ariadecline and welcome to Icrontic Spyware & Virus Removal. I'm checking your log, so please be patient.
  • edited June 2007
    thank you :D
  • edited June 2007
    :) Hi ariadecline
    I don't see any indication of a firewall in your HijackThis log.
    What firewall do you use?

    Please do the following...


    step 1
    You currently are running HijackThis from here:
    C:\Documents and Settings\pwnstar max\Desktop\hijackthis\HijackThis.exe
    Please make a folder here:
    c:\HJT
    place HijackThis in that folder and
    rename hijackthis.exe to scanner.exe

    step 2

    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for the following (if present):
    • SpywareBot
    step 3
    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\SpywareBot
    step 4

    Run HijackThis
    Click on the Scan button
    Put a check beside all of the items listed below (if present):
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\ -boot
    Close all open windows and browsers
    Click on the "Fix Checked" button
    When completed, close the application.

    step 5
    Run HijackThis
    Click on the. Choose the 'Do a system scan and save a logfile'

    Now post your HijackThis log into this topic.
  • edited June 2007
    Logfile of HijackThis v1.99.1
    Scan saved at 12:28:30 AM, on 6/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Trillian\trillian.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\HJT\hijackthis\HijackThis.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176003607440
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\venexqbl.exe (file missing)
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
  • edited June 2007
    :) Hi ariadecline

    It seems you don't have any evidence of a third party firewall.
    As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
    1) ZoneAlarm
    2) Agnitum
    3) Sunbelt/Kerio
    4) Comodo
    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

    Step 1: Rename HijackThis
    There is probably an infection which is hiding part of the HijackThis log because it's called hijackthis.exe.
    Please rename hijackthis.exe to scanner.exe

    1. Right click on the HijackThis icon.
    2. Select Rename.
    3. Now type the following: scanner.exe <<< NOTE: make sure to put a period before exe when typing.
    Hit the enter key on keyboard.

    Step 2: Remove bad HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):
      O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\venexqbl.exe (file missing)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    Step 3: Delete bad services
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
    @echo off
    sc stop DomainService
    sc delete DomainService
    exit
    Double click FixServices.bat. A window will open and close. This is normal.

    Step 4: Download and run Deckard’s System Scanner
    Download Deckard's System Scanner (DSS) to your Desktop.
    Note: You must be logged onto an account with administrator privileges.
    Close all applications and windows.
    Double-click on dss.exe to run it, and follow the prompts.
    When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

    Finally, please post Dss.main.txt and Dss.extra.txt
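Comparing successive HijackThis logs line by line shows which entries appeared or disappeared between scans and which ones point at files that are not on disk. The script below is an added example, not part of any post in this thread or of HijackThis itself; the log excerpts are copied from the thread's three logs, and the marker list is this example's assumption for triage, not a verdict on any entry.

```python
import re

# Excerpts copied from the thread's three HijackThis logs (first post, second
# scan from C:\HJT, and the log embedded in the Deckard's System Scanner output).
FIRST_LOG = r'''
Running processes:
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
'''
SECOND_LOG = r'''
C:\HJT\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\venexqbl.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
'''
THIRD_LOG = r'''
O2 - BHO: (no name) - {07E8208E-EFA1-F186-C068-0BBAB006765C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
'''

# Entry lines start with a section code (R0.., F0.., N1.., O1..) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Strings that HijackThis printed in the logs above. Using them as triage
# flags is an assumption of this example.
MARKERS = ("(file missing)", "(no file)", "(no name)", "Unknown owner")


def parse_entries(log_text):
    """Return (section_code, detail) for every entry line; skip process paths."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def _key(entry):
    # Windows paths are case-insensitive, so compare details in lower case.
    code, detail = entry
    return (code, detail.lower())


def diff_entries(before_text, after_text):
    """Return (appeared, gone): entries only in the later / only in the earlier log."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    appeared = [e for e in after if _key(e) not in before_keys]
    gone = [e for e in before if _key(e) not in after_keys]
    return appeared, gone


def flag_entries(log_text):
    """Return (code, detail, markers) for entries whose target is absent or unnamed."""
    flagged = []
    for code, detail in parse_entries(log_text):
        hits = [m for m in MARKERS if m.lower() in detail.lower()]
        if hits:
            flagged.append((code, detail, hits))
    return flagged


if __name__ == "__main__":
    scans = [("first", FIRST_LOG), ("second", SECOND_LOG), ("third", THIRD_LOG)]
    for (name_a, log_a), (name_b, log_b) in zip(scans, scans[1:]):
        appeared, gone = diff_entries(log_a, log_b)
        print(f"== {name_a} -> {name_b} ==")
        for code, detail in appeared:
            print(f"  + {code} - {detail}")
        for code, detail in gone:
            print(f"  - {code} - {detail}")
    for name, log in scans:
        for code, detail, hits in flag_entries(log):
            print(f"[{name}] review {code} - {detail}  ({', '.join(hits)})")
```
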
  • edited June 2007
    -MAIN TEXT-
    Deckard's System Scanner v20070611.50
    Run by pwnstar max on 2007-06-28 at 10:14:21
    Computer is in Normal Mode.
    -- System Restore
    Successfully created a Deckard's System Scanner Restore Point.

    -- Last 5 Restore Point(s) --
    59: 2007-06-28 16:14:34 UTC - RP219 - Deckard's System Scanner Restore Point
    58: 2007-06-28 15:42:05 UTC - RP218 - Windows Defender Checkpoint
    57: 2007-06-28 15:22:48 UTC - RP217 - Software Distribution Service 3.0
    56: 2007-06-28 06:33:29 UTC - RP216 - Windows Defender Checkpoint
    55: 2007-06-27 23:22:03 UTC - RP215 - Windows Defender Checkpoint

    -- First Restore Point --
    1: 2007-10-13 17:54:55 UTC - RP161 - System Checkpoint

    Backed up registry hives.
    Performed disk cleanup.

    -- HijackThis (run as pwnstar max.exe)
    Logfile of HijackThis v1.99.1
    Scan saved at 10:15:44 AM, on 6/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Documents and Settings\pwnstar max\Desktop\dss.exe
    C:\HJT\HIJACK~1\pwnstar max.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {07E8208E-EFA1-F186-C068-0BBAB006765C} - (no file)
    O2 - BHO: (no name) - {3D0108E3-9B69-F7E3-F62E-0389291786BD} - (no file)
    O2 - BHO: (no name) - {47826DDA-44A2-4A35-848C-BEE99D61F698} - C:\WINDOWS\system32\otupsnsa.dll
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\qseoowto.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O2 - BHO: (no name) - {8C58CD80-822F-4FD5-9C62-AB36CD3AF865} - C:\WINDOWS\system32\awvwx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176003607440
    O20 - Winlogon Notify: awvwx - C:\WINDOWS\system32\awvwx.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

    -- HijackThis Fixed Entries (C:\HJT\HIJACK~1\backups\)
    backup-20070612-231348-505 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    backup-20070612-231348-746 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    backup-20070612-231348-839 O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    backup-20070612-231348-991 O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    -- File Associations
    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

    -- Scheduled Tasks
    2007-06-28 09:36:14 330 --ah
    C:\WINDOWS\Tasks\MP Scheduled Scan.job
    2007-06-20 03:00:01 500 --a
    C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
    2007-06-10 09:43:20 284 --a
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2007-05-27 21:25:03 362 --a
    C:\WINDOWS\Tasks\McDefragTask.job
    2007-05-27 21:25:00 364 --a
    C:\WINDOWS\Tasks\McQcTask.job

    -- Files created between 2007-05-28 and 2007-06-28
    2007-10-15 17:07:29 0 d
    C:\Documents and Settings\pwnstar max\Application Data\?ystem32
    2007-06-28 00:26:25 0 d
    C:\HJT
    2007-06-26 07:18:55 0 --a
    C:\WINDOWS\system32\fprvtufg.exe
    2007-06-13 23:14:47 62516 --a
    C:\WINDOWS\system32\qseoowto.dll
    2007-06-12 21:32:37 0 d
    C:\Program Files\Lavasoft
    2007-06-12 21:32:30 0 d
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-06-12 21:31:14 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-12 21:22:26 0 d
    C:\Documents and Settings\pwnstar max\Application Data\SpywareBot
    2007-06-12 20:29:24 0 dr-h
    C:\Documents and Settings\pwnstar max\Recent
    2007-06-10 14:11:47 125460 --a
    C:\WINDOWS\system32\otupsnsa.dll
    2007-06-10 10:08:41 125460 --a
    C:\WINDOWS\system32\lijmrnbs.dll
    2007-06-07 20:35:43 58420 --a
    C:\WINDOWS\system32\xcyqsges.dll
    2007-06-06 20:33:38 1851721 ---hs---- C:\WINDOWS\system32\xwvwa.bak2
    2007-06-06 18:12:41 1851240 ---hs---- C:\WINDOWS\system32\xwvwa.ini2
    2007-06-05 22:12:04 0 d
    C:\VundoFix Backups
    2007-06-05 21:48:50 0 d
    C:\WINDOWS\pss
    2007-06-04 15:18:48 9344 --a
    C:\WINDOWS\system32\drivers\NSDriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
    2007-06-04 15:17:02 8320 --a
    C:\WINDOWS\system32\drivers\AWRTRD.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
    2007-06-04 15:14:56 6272 --a
    C:\WINDOWS\system32\drivers\AWRTPD.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
    2007-06-03 17:53:48 0 d
    C:\Documents and Settings\pwnstar max\Application Data\Atari

    -- Find3M Report
    2007-10-17 17:42:59 0 d
    C:\Program Files\Common Files\qmfr
    2007-06-28 10:02:48 664 --a
    C:\WINDOWS\system32\d3d9caps.dat
    2007-06-28 09:16:12 0 d
    C:\Program Files\McAfee
    2007-06-28 00:38:01 0 d
    C:\Program Files\Trillian
    2007-06-26 18:51:58 0 d
    C:\Program Files\Common Files\Adobe
    2007-06-26 18:51:57 0 d
    C:\Documents and Settings\pwnstar max\Application Data\Adobe
    2007-06-03 18:20:53 0 d
    C:\Documents and Settings\pwnstar max\Application Data\uTorrent
    2007-05-27 21:27:36 0 d
    C:\Program Files\Common Files\McAfee
    2007-05-27 21:24:27 0 d
    C:\Program Files\McAfee.com
    2007-05-10 21:30:29 262708
    n--- C:\WINDOWS\system32\awvwx.dll
    2007-05-10 18:20:16 1465711 --ahs---- C:\WINDOWS\system32\tsvyb.ini2
    2007-05-10 18:03:35 1468735 --ahs---- C:\WINDOWS\system32\tsvyb.bak2
    2007-05-02 17:34:36 1368440 --ahs---- C:\WINDOWS\system32\tsvyb.bak1
    2007-04-13 15:19:52 7680 --a
    C:\WINDOWS\system32\lsdelete.exe
    2007-04-07 20:51:40 0 -rahs---- C:\MSDOS.SYS
    2007-04-07 20:51:40 0 -rahs---- C:\IO.SYS
    2007-04-07 20:51:40 0 --a
    C:\CONFIG.SYS
    2007-04-07 20:51:40 0 --a
    C:\AUTOEXEC.BAT
    2007-04-07 20:46:01 21640 --a
    C:\WINDOWS\system32\emptyregdb.dat
    2007-04-07 13:23:25 62 --ahs---- C:\Documents and Settings\pwnstar max\Application Data\desktop.ini

    -- Registry Dump
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {47826DDA-44A2-4A35-848C-BEE99D61F698} C:\WINDOWS\system32\otupsnsa.dll
    {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} C:\WINDOWS\system32\qseoowto.dll
    {7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll
    {8C58CD80-822F-4FD5-9C62-AB36CD3AF865} C:\WINDOWS\system32\awvwx.dll
    {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
    "svchost.exe"="C:\\WINDOWS\\svchost.exe"
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvwx
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgf32
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
    "item"="Adobe Reader Synchronizer"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^pwnstar max^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    "path"="C:\\Documents and Settings\\pwnstar max\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
    "item"="Adobe Gamma"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ahmcwfc.dll]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ahmcwfc"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ahmcwfc.dll,qjuzbo"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="axdmwdag"
    "hkey"="HKLM"
    "command"="rundll32.exe \"C:\\WINDOWS\\system32\\axdmwdag.dll\",realset"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="avp"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\avp.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="drvhuc"
    "hkey"="HKLM"
    "command"="rundll32.exe C:\\WINDOWS\\system32\\drvhuc.dll,startup"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j5291437]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="j5291437"
    "hkey"="HKLM"
    "command"="rundll32 C:\\WINDOWS\\system32\\j5291437.dll sook"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qmfr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qmfrm"
    "hkey"="HKCU"
    "command"="C:\\PROGRA~1\\COMMON~1\\qmfr\\qmfrm.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="retadpu1000272"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="steam"
    "hkey"="HKCU"
    "command"="\"c:\\program files\\steam\\steam.exe\" -silent"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="GoogleToolbarNotifier"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="v7"
    "hkey"="HKLM"
    "command"="v7"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MPFSERVICE

    -- End of Deckard's System Scanner: finished at 2007-06-28 at 10:18:48
    -EXTRA TEXT-
    Deckard's System Scanner v20070611.50
    Extra logfile - please post this as an attachment with your post.


    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) 4 Mobile CPU 1.70GHz
    Percentage of Memory in Use: 38%
    Physical Memory (total/avail): 1022.8 MiB / 626.91 MiB
    Pagefile Memory (total/avail): 2461.5 MiB / 2135.11 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1976.49 MiB

    C: is Fixed (NTFS) - 27.95 GiB total, 20.61 GiB free.
    D: is CDROM (No Media)


    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.
    AntiVirusDisableNotify is set.
    FirewallDisableNotify is set.
    FW: McAfee Personal Firewall v (McAfee)
    AV: McAfee VirusScan v (McAfee)
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\\WINDOWS\\TEMP\\win492.tmp.exe"="C:\\WINDOWS\\TEMP\\win492.tmp.exe:*:Enabled:win492.tmp"
    "C:\\Documents and Settings\\pwnstar max\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\pwnstar max\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Documents and Settings\\pwnstar max\\Desktop\\Bittorrents\\utorrent.exe"="C:\\Documents and Settings\\pwnstar max\\Desktop\\Bittorrents\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Steam\\SteamApps\\alaskanborder\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\alaskanborder\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
    "C:\\WINDOWS\\system32\\venexqbl.exe"="C:\\WINDOWS\\system32\\ven"
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

    -- Environment Variables
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\pwnstar max\Application Data
    CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=MAX
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\pwnstar max
    LOGONSERVER=\\MAX
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0204
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\PWNSTA~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\PWNSTA~1\LOCALS~1\Temp
    USERDOMAIN=MAX
    USERNAME=pwnstar max
    USERPROFILE=C:\Documents and Settings\pwnstar max
    windir=C:\WINDOWS

    -- User Profiles
    pwnstar max (admin)

    -- Add/Remove Programs
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /X{0E6AB9FC-76C2-431B-9C06-6C1CFFFEA8EB}
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
    Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
    HijackThis 1.99.1 --> C:\DOCUME~1\PWNSTA~1\LOCALS~1\Temp\Rar$EX01.342\HijackThis.exe /uninstall
    iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
    McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
    QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
    Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
    Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

    -- End of Deckard's System Scanner: finished at 2007-06-28 at 10:18:48
  • edited June 2007
    :)Hi! ariadecline

    Good Work!
    Do you have problems?

    Please do the following...

    1: Remove bad HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {47826DDA-44A2-4A35-848C-BEE99D61F698} - C:\WINDOWS\system32\otupsnsa.dll
      O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\qseoowto.dll
      O2 - BHO: (no name) - {8C58CD80-822F-4FD5-9C62-AB36CD3AF865} - C:\WINDOWS\system32\awvwx.dll
      O20 - Winlogon Notify: awvwx - C:\WINDOWS\system32\awvwx.dll
      O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    2: Download and run OiUninstaller
    Download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    3: ComboFix - do
    Open Notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\fprvtufg.exe
    C:\WINDOWS\system32\qseoowto.dll
    C:\WINDOWS\system32\otupsnsa.dll
    C:\WINDOWS\system32\lijmrnbs.dll
    C:\WINDOWS\system32\xcyqsges.dll
    C:\WINDOWS\system32\xwvwa.bak2
    C:\WINDOWS\system32\xwvwa.ini2
    C:\WINDOWS\system32\d3d9caps.dat
    C:\WINDOWS\system32\awvwx.dll
    C:\WINDOWS\system32\tsvyb.ini2
    C:\WINDOWS\system32\tsvyb.bak2
    C:\WINDOWS\system32\tsvyb.bak1
    C:\WINDOWS\TEMP\win492.tmp.exe

    Folder::
    C:\VundoFix Backups

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    "{-47826DDA-44A2-4A35-848C-BEE99D61F698}"=-
    "{-5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}"=-
    "{-8C58CD80-822F-4FD5-9C62-AB36CD3AF865}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvwx]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgf32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ahmcwfc.dll]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j5291437]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qmfr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    Combo-Do.gif
    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
  • edited June 2007
    Hello, where do I get "combo fix"?
  • edited June 2007
    Never mind... I found it!
  • edited June 2007
    -COMBOFIX LOG-

    ComboFix 07-06-18.2 - C:\Documents and Settings\pwnstar max\Desktop\ComboFix.exe
    "pwnstar max" - 2007-06-28 13:39:35 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\pwnstar max\Desktop\ComboFix-Do.txt

    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\lijmrnbs.dll
    C:\WINDOWS\system32\otupsnsa.dll
    C:\WINDOWS\system32\qseoowto.dll
    C:\WINDOWS\system32\upjwbqpg.dll
    C:\WINDOWS\system32\xwvwa.bak2
    C:\WINDOWS\system32\xwvwa.ini
    C:\WINDOWS\system32\xwvwa.ini2
    C:\WINDOWS\system32\xwvwa.tmp
    C:\WINDOWS\system32\xwvwa.bak2
    C:\WINDOWS\system32\xwvwa.ini
    C:\WINDOWS\system32\xwvwa.ini2
    C:\WINDOWS\system32\xwvwa.tmp
    C:\WINDOWS\system32\awvwx.dll

    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\DOCUME~1\PWNSTA~1\APPLIC~1.\racle~1
    C:\DOCUME~1\PWNSTA~1\APPLIC~1.\ystem3~1
    C:\Program Files\Common Files\{484CA~1
    C:\VundoFix Backups
    C:\VundoFix Backups\ajavursa.dll.bad
    C:\VundoFix Backups\asruvaja.ini.bad
    C:\VundoFix Backups\awvwx.dll.bad
    C:\VundoFix Backups\axdmwdag.dll.bad
    C:\VundoFix Backups\bqccoydg.dll.bad
    C:\VundoFix Backups\cbbay.bak1.bad
    C:\VundoFix Backups\cbbay.ini.bad
    C:\VundoFix Backups\dqcdltqr.dll.bad
    C:\VundoFix Backups\gadwmdxa.ini.bad
    C:\VundoFix Backups\gdyoccqb.ini.bad
    C:\VundoFix Backups\inxdcobk.dll.bad
    C:\VundoFix Backups\kaehvmgw.ini.bad
    C:\VundoFix Backups\rkgimhkv.dll.bad
    C:\VundoFix Backups\rqtldcqd.ini.bad
    C:\VundoFix Backups\uaclvlcu.dll.bad
    C:\VundoFix Backups\vkhmigkr.ini.bad
    C:\VundoFix Backups\wgmvheak.dll.bad
    C:\VundoFix Backups\xwvwa.bak1.bad
    C:\VundoFix Backups\xwvwa.bak2.bad
    C:\VundoFix Backups\xwvwa.ini.bad
    C:\VundoFix Backups\xwvwa.ini2.bad
    C:\VundoFix Backups\xwvwa.tmp.bad
    C:\VundoFix Backups\yabbc.dll.bad
    C:\WINDOWS\system32\stem32~1
    C:\WINDOWS\system32\unsvchosts.lzma
    C:\WINDOWS\system32\wnsxs~1
    C:\WINDOWS\wr.txt

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    \LEGACY_NETWORK_MONITOR

    ((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))

    2007-06-28 13:37 49,152 --a
    C:\WINDOWS\nircmd.exe
    2007-06-28 10:14 <DIR> d
    C:\Deckard
    2007-06-28 00:26 <DIR> d
    C:\HJT
    2007-06-12 21:32 <DIR> d
    C:\Program Files\Lavasoft
    2007-06-12 21:32 <DIR> d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-12 21:31 <DIR> d
    C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-12 21:22 <DIR> d
    C:\DOCUME~1\PWNSTA~1\APPLIC~1\SpywareBot
    2007-06-05 21:48 <DIR> d
    C:\WINDOWS\pss
    2007-06-04 15:18 9,344 --a
    C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 15:17 8,320 --a
    C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 15:14 6,272 --a
    C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-06-03 19:10 81,768 --a
    C:\WINDOWS\system32\xinput1_3.dll
    2007-06-03 19:09 62,744 --a
    C:\WINDOWS\system32\xinput1_2.dll
    2007-06-03 19:09 443,752 --a
    C:\WINDOWS\system32\d3dx10_33.dll
    2007-06-03 19:09 3,495,784 --a
    C:\WINDOWS\system32\d3dx9_33.dll
    2007-06-03 19:09 3,426,072 --a
    C:\WINDOWS\system32\d3dx9_32.dll
    2007-06-03 19:09 261,480 --a
    C:\WINDOWS\system32\xactengine2_7.dll
    2007-06-03 19:09 255,848 --a
    C:\WINDOWS\system32\xactengine2_6.dll
    2007-06-03 19:09 251,672 --a
    C:\WINDOWS\system32\xactengine2_5.dll
    2007-06-03 19:09 237,848 --a
    C:\WINDOWS\system32\xactengine2_4.dll
    2007-06-03 19:09 236,824 --a
    C:\WINDOWS\system32\xactengine2_3.dll
    2007-06-03 19:09 2,414,360 --a
    C:\WINDOWS\system32\d3dx9_31.dll
    2007-06-03 19:09 15,128 --a
    C:\WINDOWS\system32\x3daudio1_1.dll
    2007-06-03 19:09 1,123,696 --a
    C:\WINDOWS\system32\D3DCompiler_33.dll
    2007-06-03 19:07 2,297,552 --a
    C:\WINDOWS\system32\d3dx9_26.dll
    2007-06-03 17:53 <DIR> d
    C:\DOCUME~1\PWNSTA~1\APPLIC~1\Atari
    2007-05-29 16:09 21,504 --a
    C:\WINDOWS\system32\hidserv.dll
    2007-05-29 16:07 59,264 --a
    C:\WINDOWS\system32\drivers\USBAUDIO.sys
    2007-05-29 16:06 31,616 --a
    C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-05-28 21:28 5,632 --a
    C:\WINDOWS\system32\ptpusb.dll
    2007-05-28 21:28 159,232 --a
    C:\WINDOWS\system32\ptpusd.dll
    2007-05-28 21:28 15,104 --a
    C:\WINDOWS\system32\drivers\usbscan.sys

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-10-17 23:42:59
    d
    w C:\Program Files\Common Files\qmfr
    2007-06-28 19:50:14
    d
    w C:\Program Files\Trillian
    2007-06-28 19:50:08
    d
    w C:\DOCUME~1\PWNSTA~1\APPLIC~1\uTorrent
    2007-06-28 16:02:48 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
    2007-06-28 15:16:12
    d
    w C:\Program Files\McAfee
    2007-05-28 03:27:36
    d
    w C:\Program Files\Common Files\McAfee
    2007-05-28 03:24:27
    d
    w C:\Program Files\McAfee.com
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-11 00:20:16 1,465,711 --sha-w C:\WINDOWS\system32\tsvyb.ini2
    2007-05-11 00:03:35 1,468,735 --sha-w C:\WINDOWS\system32\tsvyb.bak2
    2007-05-02 23:34:36 1,368,440 --sha-w C:\WINDOWS\system32\tsvyb.bak1
    2007-04-28 03:45:15
    d
    w C:\DOCUME~1\PWNSTA~1\APPLIC~1\Apple Computer
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-04-08 02:51:40 0 --sha-r C:\MSDOS.SYS
    2007-04-08 02:51:40 0 --sha-r C:\IO.SYS
    2007-04-08 02:51:40 0 ----a-w C:\CONFIG.SYS
    2007-04-08 02:51:40 0 ----a-w C:\AUTOEXEC.BAT
    2007-04-08 02:46:01 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 16:02]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 00:55]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-20 21:48]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 21:48]
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    ~~\SafeBoot\Minimal\RpcSs
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^pwnstar max^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\pwnstar max\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    C:\WINDOWS\avp.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "c:\program files\steam\steam.exe" -silent
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    Contents of the 'Scheduled Tasks' folder
    2007-06-10 15:43:20 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-05-28 03:25:03 C:\WINDOWS\tasks\McDefragTask.job
    2007-05-28 03:25:00 C:\WINDOWS\tasks\McQcTask.job
    2007-06-28 23:15:28 C:\WINDOWS\tasks\MP Scheduled Scan.job
    2007-06-20 09:00:01 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
    **************************************************************************
    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-28 17:24:01
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Completion time: 2007-06-28 17:26:13 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-28 17:25
    --- E O F ---

    -HJT LOG-

    Logfile of HijackThis v1.99.1
    Scan saved at 5:31:26 PM, on 6/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\hijackthis\scanner.exe.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {07E8208E-EFA1-F186-C068-0BBAB006765C} - (no file)
    O2 - BHO: (no name) - {3D0108E3-9B69-F7E3-F62E-0389291786BD} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176003607440
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
  • edited June 2007
    :)Hi! ariadecline

    Please do the following...

    1: Download and run SafeBoot Repair tool
    Go HERE and download the SafeBoot Repair tool by Subs.
    Save it to your Desktop. Double-click SafebootKeyrepair.exe to run the tool.
    A log shall be produced at C:\SafeBoot_Repair.txt.

    2: Remove bad HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {07E8208E-EFA1-F186-C068-0BBAB006765C} - (no file)
      O2 - BHO: (no name) - {3D0108E3-9B69-F7E3-F62E-0389291786BD} - (no file)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    3: ComboFix - do
    Open Notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\d3d9caps.dat
    C:\WINDOWS\system32\tsvyb.ini2
    C:\WINDOWS\system32\tsvyb.bak2
    C:\WINDOWS\system32\tsvyb.bak1
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    Combo-Do.gif
    This will start ComboFix again. After reboot, (in case it asks to reboot),

    Finally, please post a new HijackThis log, ComboFix-Do.txt and C:\SafeBoot_Repair.txt
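A triage sketch for the two "Remove bad HijackThis entries" steps above, added here as an example; it is not part of the thread, of HijackThis or of ComboFix. The three checks (a BHO with no display name, a registered file that is missing, a Winlogon Notify DLL that is also a flagged BHO) are assumptions inferred from the entries picked for fixing in this thread, and the sample lines are copied from the logs above.

```python
import re

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$")
# "O20 - Winlogon Notify: <name> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Lines copied from the HijackThis logs and fix lists in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47826DDA-44A2-4A35-848C-BEE99D61F698} - C:\WINDOWS\system32\otupsnsa.dll
O2 - BHO: (no name) - {8C58CD80-822F-4FD5-9C62-AB36CD3AF865} - C:\WINDOWS\system32\awvwx.dll
O2 - BHO: (no name) - {07E8208E-EFA1-F186-C068-0BBAB006765C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: awvwx - C:\WINDOWS\system32\awvwx.dll
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def _file_missing(path):
    """True when HijackThis reports that the registered file is not on disk."""
    p = path.strip().lower()
    return p == "(no file)" or p.endswith("(file missing)")


def triage(log_text):
    """Return [(log line, [reasons])] for O2/O20 entries worth a manual look.

    Flagged BHOs come first, then flagged Winlogon Notify entries.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []
    flagged_dlls = set()  # lower-cased paths of BHO DLLs already flagged

    # Pass 1: Browser Helper Objects (O2).
    for ln in lines:
        m = BHO_RE.match(ln)
        if not m:
            continue
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("BHO has no display name")
        if _file_missing(m["path"]):
            reasons.append("registered file is missing")
        elif reasons:
            flagged_dlls.add(m["path"].lower())
        if reasons:
            findings.append((ln, reasons))

    # Pass 2: Winlogon Notify packages (O20), cross-checked against pass 1.
    for ln in lines:
        m = NOTIFY_RE.match(ln)
        if not m:
            continue
        reasons = []
        if _file_missing(m["path"]):
            reasons.append("registered file is missing")
        elif m["path"].lower() in flagged_dlls:
            reasons.append("same DLL is also loaded as a flagged BHO")
        if reasons:
            findings.append((ln, reasons))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for reason in why:
            print("    -> " + reason)
```

A hit is a prompt to inspect the DLL and its registry key, not a verdict: legitimate add-ons can also register without a display name.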