# Solved: Please Help: Trojandownloader.xs



## KidRaven (Oct 8, 2007)

I'm really lost when it comes to computers and was hoping someone could help me.

I think I'm suppose to paste this here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:58 PM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nusrmgr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\9129837.exe
C:\WINDOWS\bdir\sdflkj7.exe
C:\WINDOWS\47681728.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\MDM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rwipx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,crptics.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Her - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - C:\WINDOWS\System32\tcprp.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\System32\oembios32.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE} - C:\WINDOWS\System32\ci.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [soft2] C:\WINDOWS\2454703.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [qasf] C:\WINDOWS\System32\qasf.exe
O4 - HKCU\..\Run: [mzqz] C:\PROGRA~1\COMMON~1\mzqz\mzqzm.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [strkjhk] C:\WINDOWS\bdir\sdflkj7.exe
O4 - HKCU\..\Run: [tlz] C:\WINDOWS\47681728.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.cup.edu/lib/cup/support/plugins/ebraryRdr.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/spsp29953.01noopt/spyspottercabinstall.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8451 bytes


----------



## MFDnNC (Sep 7, 2004)

Welcome to TSG!

You've got a mess so this will take a while

Is you Norton AV up to date

Do ALL of the following and then post the logs

*NOTE: If you have downloaded ComboFix previously please delete that version and download it again!*

Download this file :

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. *Post that log* 

Note: 
Do not mouseclick combofix's window while its running. That may cause it to stall

=====================
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
·	It will ask if you want to update the program definitions, click Yes.
·	Under Configuration and Preferences, click the Preferences button.
·	Click the Scanning Control tab.
·	Under Scanner Options make sure the following are checked:
o	Close browsers before scanning
o	Scan for tracking cookies
o	Terminate memory threats before quarantining.
o	Please leave the others as they were.
o	Click the Close button to leave the control center screen.
·	On the main screen, under Scan for Harmful Software click Scan your computer.
·	On the left check C:\Fixed Drive.
·	On the right, under Complete Scan, choose Perform Complete Scan.
·	Click Next to start the scan. Please be patient while it scans your computer.
·	After the scan is complete a summary box will appear. Click OK.
·	Make sure everything in the white box has a check next to it, then click Next.
·	It will quarantine what it found and if it asks if you want to reboot, click Yes.
·	To retrieve the removal information for me please do the following:
o	After reboot, double-click the SUPERAntispyware icon on your desktop.
o	Click Preferences. Click the Statistics/Logs tab.
o	Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o	It will open in your default text editor (such as Notepad/Wordpad).
o	Please highlight everything in the notepad, then right-click and choose copy.
·	Click close and close again to exit the program.
·	*Please paste that information here for me regardless of what it finds with a new HijackThis log*.

This will take some time!!!!!!!!


----------



## KidRaven (Oct 8, 2007)

the combofix.exe is still running and so far says it has completed Stage_6A. It has been at this point for about 8 minutes now. Is this normal?

Sorry, if this seems tedious to you. I'm really not to sure what I'm doing.

Thanks


----------



## MFDnNC (Sep 7, 2004)

Patience!!!!!!!!! It depends on the number of files you have


----------



## KidRaven (Oct 8, 2007)

Just to make sure it can take this long, I want to mention that I haven't gotten any further than the previous steps I mentioned earlier.

I tried to download superantispyware and it stopped at 66% and wouldn't finish.

Thanks again, and sorry for any inconvenience


----------



## MFDnNC (Sep 7, 2004)

Its prolly your impatience

I said

Do not mouseclick combofix's window while its running. That may cause it to stall


And all of your posting - no wonder things are not working

Start from the beginning, do it all and do NOTHING else on the PC unitl all steps are done

Do one step at a time


----------



## KidRaven (Oct 8, 2007)

--------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/08/2007 at 11:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3321
Trace Rules Database Version: 1322

Scan type : Complete Scan
Total Scan Time : 00:43:41

Memory items scanned : 299
Memory threats detected : 1
Registry items scanned : 4744
Registry threats detected : 57
File items scanned : 33102
File threats detected : 311

Adware.WebNexus
C:\WINDOWS\SYSTEM32\HUQLPFE.DLL
C:\WINDOWS\SYSTEM32\HUQLPFE.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}
HKCR\CLSID\{971D5B7B-F7DF-43EE-B771-6B7FA09975C3}
HKCR\CLSID\{971D5B7B-F7DF-43EE-B771-6B7FA09975C3}
HKCR\CLSID\{971D5B7B-F7DF-43EE-B771-6B7FA09975C3}\InprocServer32
HKCR\CLSID\{971D5B7B-F7DF-43EE-B771-6B7FA09975C3}\InprocServer32#ThreadingModel
HKCR\CLSID\{971D5B7B-F7DF-43EE-B771-6B7FA09975C3}\ProgID
HKCR\CLSID\{971D5B7B-F7DF-43EE-B771-6B7FA09975C3}\TypeLib
C:\WINDOWS\SYSTEM32\TCPRP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}

Adware.AdBreak
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}

411Ferret Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12F02779-6D88-4958-8AD3-83C12D86ADC7}

Adware.AdBlaster
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}

AdBars BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}

Adware.404Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}

Adware.Accoona
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}

Trojan.PBar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}

Trojan.Download-Gen/DSPRPRE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE}
HKCR\CLSID\{FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE}
HKCR\CLSID\{FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE}\InprocServer32
HKCR\CLSID\{FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\CI.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeff\Cookies\[email protected][1].txt

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Trojan.NewDotNet
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-18\Software\New.net
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL6_38.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL6_98.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL7_14.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL7_22.EXE.VIR

Registry Cleaner Trial
HKU\S-1-5-21-1715567821-1078145449-839522115-1003\Software\Registry Cleaner
HKU\S-1-5-21-1715567821-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run#Registry Cleaner [ "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe" ]
C:\Documents and Settings\Jeff\Application Data\Registry Cleaner\RegClean.ini
C:\Documents and Settings\Jeff\Application Data\Registry Cleaner

Malware.DriveCleaner
HKCR\Interface\{2B9584C5-F3EC-4256-AA96-6202BA27FE99}
HKCR\Interface\{2B9584C5-F3EC-4256-AA96-6202BA27FE99}\ProxyStubClsid
HKCR\Interface\{2B9584C5-F3EC-4256-AA96-6202BA27FE99}\ProxyStubClsid32
HKCR\Interface\{2B9584C5-F3EC-4256-AA96-6202BA27FE99}\TypeLib
HKCR\Interface\{2B9584C5-F3EC-4256-AA96-6202BA27FE99}\TypeLib#Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#Inno Setup: Setup Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#Inno Setup: App Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#Inno Setup: Icon Group
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#Inno Setup: User
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#Inno Setup: Selected Tasks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#Inno Setup: Deselected Tasks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#QuietUninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#URLUpdateInfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC_install_is1#InstallDate
C:\Program Files\DriveCleaner Freeware\Activate.dat
C:\Program Files\DriveCleaner Freeware\Appbase\AE_CD_Cr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\AReadr4.dat
C:\Program Files\DriveCleaner Freeware\Appbase\AReadr5.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ASDSEEpv.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ASPack.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Babylon.dat
C:\Program Files\DriveCleaner Freeware\Appbase\BDelphi5.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CatchUp.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CBuildr5.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CCGA.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CManager.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CuteFTP4.dat
C:\Program Files\DriveCleaner Freeware\Appbase\CuteHTML.dat
C:\Program Files\DriveCleaner Freeware\Appbase\DAcceler.dat
C:\Program Files\DriveCleaner Freeware\Appbase\DiscJug.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ECDCreat4.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Far.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FFTsks.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FlashFXP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FrntPage.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FrontPEx.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FtpEXP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\FtpVoya.dat
C:\Program Files\DriveCleaner Freeware\Appbase\GetRight.dat
C:\Program Files\DriveCleaner Freeware\Appbase\GoZilla.dat
C:\Program Files\DriveCleaner Freeware\Appbase\GravMRU.dat
C:\Program Files\DriveCleaner Freeware\Appbase\HomeSite.dat
C:\Program Files\DriveCleaner Freeware\Appbase\HotDogPr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\H_TxtPad.dat
C:\Program Files\DriveCleaner Freeware\Appbase\IconExtr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\iMesh.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ImgReady3.dat
C:\Program Files\DriveCleaner Freeware\Appbase\InsShExp.dat
C:\Program Files\DriveCleaner Freeware\Appbase\JASC_P_P.dat
C:\Program Files\DriveCleaner Freeware\Appbase\KaZaA.dat
C:\Program Files\DriveCleaner Freeware\Appbase\LView.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MacDir.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MacDrWea.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MicAng.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MicDes.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MMUnDisk.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MM_CON.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Morpheus.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MPaint.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MPicPub.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MPImaGal.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSExplorer.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSoffice.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSRegEdit.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSWMP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\MSWordPad.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Nero.dat
C:\Program Files\DriveCleaner Freeware\Appbase\NetShow.dat
C:\Program Files\DriveCleaner Freeware\Appbase\NTBackup.dat
C:\Program Files\DriveCleaner Freeware\Appbase\pfilelst.xda
C:\Program Files\DriveCleaner Freeware\Appbase\PhotShel.dat
C:\Program Files\DriveCleaner Freeware\Appbase\PHPCoder.dat
C:\Program Files\DriveCleaner Freeware\Appbase\PowerZIP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\RapidBr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\RealAuPl.dat
C:\Program Files\DriveCleaner Freeware\Appbase\RealDown.dat
C:\Program Files\DriveCleaner Freeware\Appbase\SecurCRT.dat
C:\Program Files\DriveCleaner Freeware\Appbase\SL_BlWin.dat
C:\Program Files\DriveCleaner Freeware\Appbase\SmartClr.dat
C:\Program Files\DriveCleaner Freeware\Appbase\Sonique.dat
C:\Program Files\DriveCleaner Freeware\Appbase\StuffIt.dat
C:\Program Files\DriveCleaner Freeware\Appbase\TelepPro.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UGifAnim.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UltraEd.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UMedStud.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UPhImpV.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UPhotoEx.dat
C:\Program Files\DriveCleaner Freeware\Appbase\UVidStud.dat
C:\Program Files\DriveCleaner Freeware\Appbase\VNC.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WebFeret.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WebReap.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinACE.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinGate.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinRAR.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WinZIP.dat
C:\Program Files\DriveCleaner Freeware\Appbase\WiseInst.dat
C:\Program Files\DriveCleaner Freeware\Appbase\wordslst.xda
C:\Program Files\DriveCleaner Freeware\Appbase\YahooPl.dat
C:\Program Files\DriveCleaner Freeware\Appbase\ZipMagic.dat
C:\Program Files\DriveCleaner Freeware\Appbase
C:\Program Files\DriveCleaner Freeware\atl71.dll
C:\Program Files\DriveCleaner Freeware\AV.dat
C:\Program Files\DriveCleaner Freeware\bnlink.dat
C:\Program Files\DriveCleaner Freeware\err.log
C:\Program Files\DriveCleaner Freeware\img\button.gif
C:\Program Files\DriveCleaner Freeware\img\button2.gif
C:\Program Files\DriveCleaner Freeware\img\header.gif
C:\Program Files\DriveCleaner Freeware\img\logo.gif
C:\Program Files\DriveCleaner Freeware\img\spacer.gif
C:\Program Files\DriveCleaner Freeware\img\top1.jpg
C:\Program Files\DriveCleaner Freeware\img\top2.jpg
C:\Program Files\DriveCleaner Freeware\img\top_line.gif
C:\Program Files\DriveCleaner Freeware\img
C:\Program Files\DriveCleaner Freeware\lapv.dat
C:\Program Files\DriveCleaner Freeware\license.rtf
C:\Program Files\DriveCleaner Freeware\manual.url
C:\Program Files\DriveCleaner Freeware\mfc71.dll
C:\Program Files\DriveCleaner Freeware\msvcp71.dll
C:\Program Files\DriveCleaner Freeware\msvcr71.dll
C:\Program Files\DriveCleaner Freeware\pv.dat
C:\Program Files\DriveCleaner Freeware\readme.rtf
C:\Program Files\DriveCleaner Freeware\remnag.dat
C:\Program Files\DriveCleaner Freeware\ScanReport.dat
C:\Program Files\DriveCleaner Freeware\Schedule.dat
C:\Program Files\DriveCleaner Freeware\sr.log
C:\Program Files\DriveCleaner Freeware\support.url
C:\Program Files\DriveCleaner Freeware\UDC.xml
C:\Program Files\DriveCleaner Freeware\UDC6.url
C:\Program Files\DriveCleaner Freeware\unins000.dat
C:\Program Files\DriveCleaner Freeware\unins000.exe
C:\Program Files\DriveCleaner Freeware\uninstall.ico
C:\Program Files\DriveCleaner Freeware\UninstallPage.html
C:\Program Files\DriveCleaner Freeware\up.dat
C:\Program Files\DriveCleaner Freeware\updater.dat
C:\Program Files\DriveCleaner Freeware\vbpv.dat
C:\Program Files\DriveCleaner Freeware

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ADSLD.DLL.VIR
C:\WINDOWS\SYSTEM32\ACCTRE.DLL
C:\WINDOWS\SYSTEM32\ACL.DLL
C:\WINDOWS\SYSTEM32\ACLH.DLL
C:\WINDOWS\SYSTEM32\ACTXPRX.DLL
C:\WINDOWS\SYSTEM32\ADMPAR.DLL
C:\WINDOWS\SYSTEM32\ADMPARO.DLL
C:\WINDOWS\SYSTEM32\ADMPARSG.DLL
C:\WINDOWS\SYSTEM32\ADMPARSQ.DLL
C:\WINDOWS\SYSTEM32\ADMPARSU.DLL
C:\WINDOWS\SYSTEM32\ADS.DLL
C:\WINDOWS\SYSTEM32\ADSLDPCF.DLL
C:\WINDOWS\SYSTEM32\ADSMSEX.DLL
C:\WINDOWS\SYSTEM32\ADSN.DLL
C:\WINDOWS\SYSTEM32\ADVAPI3.DLL
C:\WINDOWS\SYSTEM32\ADVPAC.DLL
C:\WINDOWS\SYSTEM32\AMSTREA.DLL
C:\WINDOWS\SYSTEM32\APCU.DLL
C:\WINDOWS\SYSTEM32\APCUP.DLL
C:\WINDOWS\SYSTEM32\APPHELV.DLL
C:\WINDOWS\SYSTEM32\APPMGMT.DLL
C:\WINDOWS\SYSTEM32\APPMGMTI.DLL
C:\WINDOWS\SYSTEM32\ASFERR.DLL
C:\WINDOWS\SYSTEM32\ASFERRO.DLL
C:\WINDOWS\SYSTEM32\ASFERRV.DLL
C:\WINDOWS\SYSTEM32\ASYCFIL.DLL
C:\WINDOWS\SYSTEM32\AT.DLL
C:\WINDOWS\SYSTEM32\ATI2DVAF.DLL
C:\WINDOWS\SYSTEM32\ATI2DVAGP.DLL
C:\WINDOWS\SYSTEM32\ATI2DVAR.DLL
C:\WINDOWS\SYSTEM32\ATI2DVARE.DLL
C:\WINDOWS\SYSTEM32\ATI3D1A.DLL
C:\WINDOWS\SYSTEM32\ATKCTRC.DLL
C:\WINDOWS\SYSTEM32\ATKCTREI.DLL
C:\WINDOWS\SYSTEM32\ATL7.DLL
C:\WINDOWS\SYSTEM32\ATMPVCN.DLL
C:\WINDOWS\SYSTEM32\ATRACR.DLL
C:\WINDOWS\SYSTEM32\AUDIOSRC.DLL
C:\WINDOWS\SYSTEM32\AUDIOSRI.DLL
C:\WINDOWS\SYSTEM32\AUDIOSRQ.DLL
C:\WINDOWS\SYSTEM32\AUTODIS.DLL
C:\WINDOWS\SYSTEM32\AUTODIST.DLL
C:\WINDOWS\SYSTEM32\AVICAP3.DLL
C:\WINDOWS\SYSTEM32\AVMETEO.DLL
C:\WINDOWS\SYSTEM32\BATMETE.DLL
C:\WINDOWS\SYSTEM32\BIDIS.DLL
C:\WINDOWS\SYSTEM32\BIDISP.DLL
C:\WINDOWS\SYSTEM32\BOOTVI.DLL
C:\WINDOWS\SYSTEM32\BROWSE.DLL
C:\WINDOWS\SYSTEM32\BROWSEI.DLL
C:\WINDOWS\SYSTEM32\BROWSEL.DLL
C:\WINDOWS\SYSTEM32\BROWSEU.DLL
C:\WINDOWS\SYSTEM32\CABVIE.DLL
C:\WINDOWS\SYSTEM32\CAMOC.DLL
C:\WINDOWS\SYSTEM32\CATSR.DLL
C:\WINDOWS\SYSTEM32\CATSRD.DLL
C:\WINDOWS\SYSTEM32\CATSRVP.DLL
C:\WINDOWS\SYSTEM32\CDDBCONTROLROXIJ.DLL
C:\WINDOWS\SYSTEM32\CDFV.DLL
C:\WINDOWS\SYSTEM32\CDFVI.DLL
C:\WINDOWS\SYSTEM32\CDOSY.DLL
C:\WINDOWS\SYSTEM32\CFGBKENF.DLL
C:\WINDOWS\SYSTEM32\CFGMGR3.DLL
C:\WINDOWS\SYSTEM32\CIA.DLL
C:\WINDOWS\SYSTEM32\CIADMI.DLL
C:\WINDOWS\SYSTEM32\CIP.DLL
C:\WINDOWS\SYSTEM32\CMDIAL.DLL
C:\WINDOWS\SYSTEM32\CMDIAL3.DLL
C:\WINDOWS\SYSTEM32\CMPROPJ.DLL
C:\WINDOWS\SYSTEM32\CMU.DLL
C:\WINDOWS\SYSTEM32\CMUT.DLL
C:\WINDOWS\SYSTEM32\CMUTO.DLL
C:\WINDOWS\SYSTEM32\CNBJMO.DLL
C:\WINDOWS\SYSTEM32\CNBJMOL.DLL
C:\WINDOWS\SYSTEM32\CNBJMOR.DLL
C:\WINDOWS\SYSTEM32\CNBJMOW.DLL
C:\WINDOWS\SYSTEM32\CNVFA.DLL
C:\WINDOWS\SYSTEM32\COLBAC.DLL
C:\WINDOWS\SYSTEM32\COM.DLL
C:\WINDOWS\SYSTEM32\COMADDI.DLL
C:\WINDOWS\SYSTEM32\COMADDIM.DLL
C:\WINDOWS\SYSTEM32\COMC.DLL
C:\WINDOWS\SYSTEM32\COMCA.DLL
C:\WINDOWS\SYSTEM32\COMDLG3.DLL
C:\WINDOWS\SYSTEM32\COMPATU.DLL
C:\WINDOWS\SYSTEM32\COMPSTU.DLL
C:\WINDOWS\SYSTEM32\COMR.DLL
C:\WINDOWS\SYSTEM32\CONSOL.DLL
C:\WINDOWS\SYSTEM32\CRLDS.DLL
C:\WINDOWS\SYSTEM32\CRYPT3.DLL
C:\WINDOWS\SYSTEM32\CRYPTEX.DLL
C:\WINDOWS\SYSTEM32\CRYPTEXE.DLL
C:\WINDOWS\SYSTEM32\CRYPTEXM.DLL
C:\WINDOWS\SYSTEM32\CRYPTEXV.DLL
C:\WINDOWS\SYSTEM32\CRYPTN.DLL
C:\WINDOWS\SYSTEM32\CRYPTNE.DLL
C:\WINDOWS\SYSTEM32\CRYPTNEN.DLL
C:\WINDOWS\SYSTEM32\CRYPTSV.DLL
C:\WINDOWS\SYSTEM32\CRYPTU.DLL
C:\WINDOWS\SYSTEM32\CSSEQCH.DLL
C:\WINDOWS\SYSTEM32\CTL3D3.DLL
C:\WINDOWS\SYSTEM32\CTL3D3H.DLL
C:\WINDOWS\SYSTEM32\CTL3DV.DLL
C:\WINDOWS\SYSTEM32\D3D.DLL
C:\WINDOWS\SYSTEM32\D3DI.DLL
C:\WINDOWS\SYSTEM32\D3DS.DLL
C:\WINDOWS\SYSTEM32\DANI.DLL
C:\WINDOWS\SYSTEM32\DBGE.DLL
C:\WINDOWS\SYSTEM32\DBGEN.DLL
C:\WINDOWS\SYSTEM32\DBGHE.DLL
C:\WINDOWS\SYSTEM32\DBGHEL.DLL
C:\WINDOWS\SYSTEM32\DBMSVI.DLL
C:\WINDOWS\SYSTEM32\DBMSVIN.DLL
C:\WINDOWS\SYSTEM32\DCIMAN3.DLL
C:\WINDOWS\SYSTEM32\DCIMAN3C.DLL
C:\WINDOWS\SYSTEM32\DCIMAN3U.DLL
C:\WINDOWS\SYSTEM32\DDRAWE.DLL
C:\WINDOWS\SYSTEM32\DESKPER.DLL
C:\WINDOWS\SYSTEM32\DESKPERL.DLL
C:\WINDOWS\SYSTEM32\DESKPERM.DLL
C:\WINDOWS\SYSTEM32\DESKPERO.DLL
C:\WINDOWS\SYSTEM32\DEVM.DLL
C:\WINDOWS\SYSTEM32\DFRGRE.DLL
C:\WINDOWS\SYSTEM32\DFRGU.DLL
C:\WINDOWS\SYSTEM32\DGRPSE.DLL
C:\WINDOWS\SYSTEM32\DGRPSET.DLL
C:\WINDOWS\SYSTEM32\DHCPSAP.DLL
C:\WINDOWS\SYSTEM32\DIACTF.DLL
C:\WINDOWS\SYSTEM32\DISKCOP.DLL
C:\WINDOWS\SYSTEM32\DMBAM.DLL
C:\WINDOWS\SYSTEM32\DMLOAD.DLL
C:\WINDOWS\SYSTEM32\DMLOADE.DLL
C:\WINDOWS\SYSTEM32\DPMODEM.DLL
C:\WINDOWS\SYSTEM32\DPNE.DLL
C:\WINDOWS\SYSTEM32\DPNHUPN.DLL
C:\WINDOWS\SYSTEM32\DPNHUPNT.DLL
C:\WINDOWS\SYSTEM32\DPWSOC.DLL
C:\WINDOWS\SYSTEM32\DSAUT.DLL
C:\WINDOWS\SYSTEM32\DSDM.DLL

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OEMBIOS32.DLL.VIR

Trojan.Downloader-Gen/Win
C:\WINDOWS\9129837.EXE

Trojan.WinSoftware/WinFixer
C:\WINDOWS\SYSTEM32\196_150_NI.EXE

Trojan.Downloader-Gen/Burre
C:\WINDOWS\SYSTEM32\SIPOV.DLL
---------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:09 AM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rwipx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,crptics.exe
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE} - C:\WINDOWS\System32\ci.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [soft2] C:\WINDOWS\2454703.exe
O4 - HKLM\..\Run: [C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe
O4 - HKCU\..\Run: [qasf] C:\WINDOWS\System32\qasf.exe
O4 - HKCU\..\Run: [mzqz] C:\PROGRA~1\COMMON~1\mzqz\mzqzm.exe
O4 - HKCU\..\Run: [strkjhk] C:\WINDOWS\bdir\sdflkj6.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.cup.edu/lib/cup/support/plugins/ebraryRdr.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/spsp29953.01noopt/spyspottercabinstall.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6989 bytes


----------



## KidRaven (Oct 8, 2007)

ComboFix 07-10-08.3 - Jeff 2007-10-09 0:22:35.3 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.104 [GMT -4:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\24322687.exe
C:\WINDOWS\system32\drivers\lnboubth.sys
C:\WINDOWS\system32\huqlpfe.dll
C:\WINDOWS\system32\huqlpfe.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 23:04 d--------	C:\Program Files\SUPERAntiSpyware
2007-10-08 23:04 d--------	C:\Documents and Settings\Jeff\Application Data\SUPERAntiSpyware.com
2007-10-08 23:04 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-08 23:03 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 18:10	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-08 17:42 d--------	C:\Program Files\Trend Micro
2007-10-08 16:48	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-08 16:42 d--------	C:\Documents and Settings\Jeff\.housecall6.6
2007-10-08 16:04 d--------	C:\Program Files\Advanced Registry Optimizer
2007-10-08 16:04 d--------	C:\Documents and Settings\Jeff\Application Data\Sammsoft
2007-10-07 14:24	4	--a------	C:\WINDOWS\system32\stfv.bin
2007-10-07 14:18 d--------	C:\WINDOWS\system32\acespy
2007-10-07 14:18	16,896	--a------	C:\WINDOWS\system32\ace16win.dll
2007-10-05 17:44	17,664 C:\WINDOWS\system32\drivers\lnboubth.dat
2007-10-05 17:44	5,120 C:\WINDOWS\system32\drivers\plvlwhhz.dat
2007-09-26 22:41	57,344	--a------	C:\WINDOWS\system32\crlds3.dll
2007-09-26 22:21	57,344	--a------	C:\WINDOWS\system32\ati2dva.dll
2007-09-26 22:01	57,344	--a------	C:\WINDOWS\system32\ciod.dll
2007-09-26 21:40	57,344	--a------	C:\WINDOWS\system32\ds16g.dll
2007-09-26 21:20	57,344	--a------	C:\WINDOWS\system32\atkctre.dll
2007-09-26 21:00	57,344	--a------	C:\WINDOWS\system32\devmg.dll
2007-09-26 20:40	57,344	--a------	C:\WINDOWS\system32\cmuti.dll
2007-09-26 20:20	57,344	--a------	C:\WINDOWS\system32\dmba.dll
2007-09-26 20:01	57,344	--a------	C:\WINDOWS\system32\dx7v.dll
2007-09-26 07:27	57,344	--a------	C:\WINDOWS\system32\cabine.dll
2007-09-25 22:54	57,344	--a------	C:\WINDOWS\system32\atkctr.dll
2007-09-25 22:34	57,344	--a------	C:\WINDOWS\system32\appmg.dll
2007-09-25 22:14	57,344	--a------	C:\WINDOWS\system32\dswavp.dll
2007-09-25 21:54	57,344	--a------	C:\WINDOWS\system32\devenu.dll
2007-09-25 21:34	57,344	--a------	C:\WINDOWS\system32\avmete.dll
2007-09-25 21:14	57,344	--a------	C:\WINDOWS\system32\CDDBControlRoxi.dll
2007-09-25 20:54	57,344	--a------	C:\WINDOWS\system32\audiosr.dll
2007-09-25 20:34	57,344	--a------	C:\WINDOWS\system32\dmoc.dll
2007-09-25 20:14	57,344	--a------	C:\WINDOWS\system32\dsound3a.dll
2007-09-25 19:54	57,344	--a------	C:\WINDOWS\system32\admpars.dll
2007-09-25 19:34	57,344	--a------	C:\WINDOWS\system32\CDFVIE.dll
2007-09-25 19:14	57,344	--a------	C:\WINDOWS\system32\drmsto.dll
2007-09-25 17:53	57,344	--a------	C:\WINDOWS\system32\dmban.dll
2007-09-25 17:33	57,344	--a------	C:\WINDOWS\system32\dsound3.dll
2007-09-25 17:13	57,344	--a------	C:\WINDOWS\system32\diactfr.dll
2007-09-25 16:54	57,344	--a------	C:\WINDOWS\system32\cmprop.dll
2007-09-20 16:00	104,283	--a------	C:\WINDOWS\system32\ci.dll
2007-09-20 15:59	57,344	--a------	C:\WINDOWS\system32\aclu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 16:34	---------	d--------	C:\Program Files\Microsoft AntiSpyware
2007-10-07 15:57	---------	d--------	C:\Program Files\Musicmatch
2007-09-23 13:02	---------	d--------	C:\Program Files\LimeWire
2007-08-30 18:15	---------	d--------	C:\Documents and Settings\Jeff\Application Data\AdobeUM
2007-07-12 16:54	3072	--a------	C:\Documents and Settings\Jeff\keylog.dll
2005-07-27 00:14	80742	--a------	C:\Documents and Settings\Jeff\xWHWLCNXFKE.exe
.

((((((((((((((((((((((((((((( [email protected]_22.48.46.78 )))))))))))))))))))))))))))))))))))))))))
.
----a-r 29,696 2007-10-09 03:04:18 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
----a-r 18,944 2007-10-09 03:04:18 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
----a-r 65,024 2007-10-09 03:04:18 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE}]
2001-08-23 08:00	104283	--a------	C:\WINDOWS\System32\ci.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 08:42]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 15:25]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-30 20:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-07-01 18:24]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59]
"WinTools"="C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" []
"soft2"="C:\WINDOWS\2454703.exe" []
"C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe"="C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe" []
"aevdxu"="C:\WINDOWS\System32\bnrlxw.exe" [2006-03-08 15:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"qasf"="C:\WINDOWS\System32\qasf.exe" []
"mzqz"="C:\PROGRA~1\COMMON~1\mzqz\mzqzm.exe" []
"Aim6"="" []
"strkjhk"="C:\WINDOWS\bdir\sdflkj6.exe" []
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2007-07-23 09:34]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"wbdey"="C:\WINDOWS\System32\bnrlxw.exe" [2006-03-08 15:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINDOWS\System32\rwipx.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,crptics.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvListnr]
C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\6f5418be-7690-4bfd-93b1-fdadce533f08]
C:\WINDOWS\System32\rrcmqmq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\6f5418be-7690-4bfd-93b1-fdadce533f08]
C:\WINDOWS\System32\rrcmqmq.exe
.
Contents of the 'Scheduled Tasks' folder
"2006-06-05 11:19:07 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3600#TH394150DG6B.job"
"2007-10-09 02:39:22 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 00:29:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\bnrlxw.exe [1188] 0xFF92C510
C:\WINDOWS\system32\rwipx.exe [1224] 0xFF9EAA20
C:\WINDOWS\system32\rwipx.exe [1264] 0x811B4270
C:\WINDOWS\system32\rwipx.exe [1272] 0xFFBDBDA8
scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\yixrp.dll
C:\WINDOWS\system32\bnrlxw.exe
C:\WINDOWS\system32\rwipx.exe
C:\WINDOWS\system32\wamfk.dll
C:\WINDOWS\system32\crptics.exe

scan completed successfully 
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\DOCUME~1\\Jeff\\LOCALS~1\\Temp\\update.exe"="C:\\DOCUME~1\\Jeff\\LOCALS~1\\Temp\\update.exe"
.
Completion time: 2007-10-09 0:39:21 - machine was rebooted 
C:\ComboFix-quarantined-files.txt ... 2007-10-09 00:39
C:\ComboFix2.txt ... 2007-10-08 22:58
.
--- E O F ---


----------



## MFDnNC (Sep 7, 2004)

Before we go any further why do you not have SP2

Is this a legal copy of XP


----------



## KidRaven (Oct 8, 2007)

As far as I know it is. I bought this computer a while back.


----------



## MFDnNC (Sep 7, 2004)

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis  mark them, close IE, click fix checked

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rwipx.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,crptics.exe

O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)

O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)

O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)

O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)

O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)

O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)

O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)

O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)

O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)

O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)

O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

O2 - BHO: (no name) - {FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE} - C:\WINDOWS\System32\ci.dll

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [soft2] C:\WINDOWS\2454703.exe

O4 - HKLM\..\Run: [C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe

O4 - HKCU\..\Run: [qasf] C:\WINDOWS\System32\qasf.exe

O4 - HKCU\..\Run: [mzqz] C:\PROGRA~1\COMMON~1\mzqz\mzqzm.exe

O4 - HKCU\..\Run: [strkjhk] C:\WINDOWS\bdir\sdflkj6.exe

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following line(s) one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. 
* Make sure you get these exact file names *

C:\WINDOWS\System32\ci.dll
C:\PROGRA~1\COMMON~1\WinTools
C:\WINDOWS\2454703.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\update.exe
C:\WINDOWS\System32\qasf.exe
C:\PROGRA~1\COMMON~1\mzqz
C:\WINDOWS\bdir
C:\WINDOWS\System32\rwipx.exe
C:\WINDOWS\system32\crptics.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

How are things on the PC???????????


----------



## KidRaven (Oct 8, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:02 PM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rwipx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,crptics.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE} - C:\WINDOWS\System32\ci.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.cup.edu/lib/cup/support/plugins/ebraryRdr.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/spsp29953.01noopt/spyspottercabinstall.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5663 bytes


----------



## MFDnNC (Sep 7, 2004)

Exit SuperAnti

Fix these

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rwipx.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,crptics.exe

O2 - BHO: (no name) - {FC3FC079-DFE3-490C-9BBD-D7B8CBDB32EE} - C:\WINDOWS\System32\ci.dll


----------



## KidRaven (Oct 8, 2007)

I keep getting a message where it tells me to close all internet explorer windows to have a greater chance of success.

I don't have anything else open at the time, but it doesn't seem to be doing anything.


----------



## MFDnNC (Sep 7, 2004)

Try in safe mode


----------



## KidRaven (Oct 8, 2007)

I'm seem to be having the same problem in safe mode. 

I will say that my mozilla firefox seems to be moving a little faster. My desktop still has the black screen with the message: "Warning spyware threat has been detected on your PC"

"Your computer has severa fatal errors due to spyware activity"


----------



## MFDnNC (Sep 7, 2004)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a *folder* named *SmitfraudFix*) to your Desktop.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## KidRaven (Oct 8, 2007)

SmitFraudFix v2.239

Scan done at 19:06:04.01, Tue 10/09/2007
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found. 
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## KidRaven (Oct 8, 2007)

My desktop still has the black screen with the message: "Warning spyware threat has been detected on your PC"

"Your computer has severa fatal errors due to spyware activity"

This problem has been fixed now.

Thank you very much!


----------



## MFDnNC (Sep 7, 2004)

I don't understand your reply - is it fixed or the desktop is still hosed


----------



## KidRaven (Oct 8, 2007)

Sorry,

The problem is fixed with the desktop. It has returned to how it was before. Everything else seems to be working fine also.

Thank you again!


----------



## MFDnNC (Sep 7, 2004)

Clean








If you feel its is fixed mark it solved via Thread Tools above

Clear restore points  heres how

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

You will turn them off  boot  turn them on

This clears infected restore points and sets a new, clean one.


----------

