HiJack This Log Please

Discussion in 'Malware and Virus Removal Archive' started by dirtydog43, 2006/10/14.

  1. 2006/10/18
    dirtydog43 Inactive Thread Starter
    An error box comes up that has 2 different messages, and they are:

    C:\WINDOWS\system32\ping.com is not a valid Win32 application


    C:\WINDOWS\system32\regedit.com is not a valid Win32 application

    If I keep pressing OK, I get these results:


    HAXFIX logfile - by Marckie
    ______________
    version 4.22
    18/10/2006 19:19:14.75

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    no matching notify keys found

    checking for matching services....
    no matching services found

    checking for matching safeboot services....
    no matching safeboot services found

    checking for other haxdoorfiles....


    Checking for goldun
    -------------------

    checking for SSODL keys....
    no ssodl keys found

    checking for notify keys....
    no notify keys found

    checking for services....
    no services found

    checking for other goldunfiles....
    vmmdiag32.exe found
    wmdconf32.dll found


    Finished
     
  2. 2006/10/18
    TeMerc Inactive Alumni
    OK, second part of the fix:


    Option 2: Autofix

    • Double click on My Computer -> C:\ -> Program Files -> haxfix and double click on fix.bat (or double click on the fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    If an infection is found, you'll get a message to close all other open windows.

    • Close all open windows except the red DOS window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of that logfile along with a new HijackThis log.
     

  4. 2006/10/19
    dirtydog43 Inactive Thread Starter
    I get a Windows error box that says:

    C:\WINDOWS\system32\ping.com is not a valid Win32 application

    When I press OK, the red DOS window says access denied.
     
  5. 2006/10/19
    TeMerc Inactive Alumni
    Apologies for not getting here sooner, but I had to read through the 10-page fix thread to be sure this was the way to proceed.

    We need to try the manual fix.

    • Double click on My Computer -> C:\ -> Program Files -> haxfix and double click on fix.bat (or double click on the fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 3. Run manual fix by typing 3 and then pressing Enter
    This message will appear:
    • Type the following: vmmdiag
      When this is a valid choice, the key will be added to delete.
    • There is the possibility to add a new key: Yes (type Y) or No (type N).
      Followed by this message:
    • (If necessary, press Y and insert the next one: wmdconf.)
    • Type N for No and press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of the logfile together with a new HijackThis log.
     
  6. 2006/10/20
    dirtydog43 Inactive Thread Starter
    Whenever I type in the new haxdoor key and press Enter, I get the same error boxes, and it says access denied on the red DOS screen. After I press OK in the error boxes, it says the key has not been added.
     
  7. 2006/10/20
    TeMerc Inactive Alumni
    So you're unable to even enter one and have it work??

    I'll have to look into this to see what could be going on.
     
  8. 2006/10/20
    TeMerc Inactive Alumni
    After conferring with a malware expert, we need to run a couple of tools to clean up some other infections which I did not notice were present.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Reboot two times before proceeding onto the next step.

    First, update your Ewido\AVG Anti-Spy.

    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to, click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    4. Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

    5. Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Next to the scriptline to execute field, click the folder icon and select alcanshorty.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    Reboot the system.

    Now run the first step from HaxFix as previously instructed.

    Once that is done, post all logs:
    • Ewido (please edit out any cookie, Recycler and System Volume Information folder references)
    • ComboFix
    • BFU log
    • HaxFix
    • HJT
     
  9. 2006/10/21
    dirtydog43 Inactive Thread Starter
    HAXFIX logfile - by Marckie
    ______________
    version 4.22
    21/10/2006 11:07:38.25

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    no matching notify keys found

    checking for matching services....
    matching services found
    ASPI32
    CmBatt
    tmcomm

    checking for matching safeboot services....
    no matching safeboot services found

    checking for other haxdoorfiles....


    Checking for goldun
    -------------------

    checking for SSODL keys....
    no ssodl keys found

    checking for notify keys....
    no notify keys found

    checking for services....
    no services found

    checking for other goldunfiles....
    vmmdiag32.exe found
    wmdconf32.dll found


    Finished
     
  10. 2006/10/21
    dirtydog43 Inactive Thread Starter
    Logfile of HijackThis v1.99.1
    Scan saved at 11:10:04 AM, on 21/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\My Antispyware\HijackThis-1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin....com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Gary\MYDOCU~1\WNSXS~1\arpa.exe" -vt yazb
    O4 - HKCU\..\Run: [Jlftntmm] C:\Documents and Settings\Gary\My Documents\??curity\msdtc.exe
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128033660437
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h20179.www2.hp.com/psgna/caller/SysQuery.cab
    O20 - AppInit_DLLs: dxclib303562752.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
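The helpers in this thread read a HijackThis log by eye. The Python script below is an added example, not part of the thread or of HijackThis: it encodes the triage rules that single out the entries in the log above (the F2 Shell= line that appends vmmdiag32.exe to Explorer.exe, the O20 AppInit_DLLs line, the O4 autoruns that live under the user's profile, and the orphaned "(no file)"/"(file missing)" entries) and runs them over an excerpt copied from that log. The severity labels and the rule set are the example's own choices, not HijackThis output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Entries copied from the HijackThis log posted above (an excerpt, not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Gary\MYDOCU~1\WNSXS~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Jlftntmm] C:\Documents and Settings\Gary\My Documents\??curity\msdtc.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O23 - Service: ..." -> kind "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Autorun targets under a user profile, in long or 8.3 short form.
PROFILE_RE = re.compile(r"(?i)(?:DOCUME~1|Documents and Settings)\\")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    kind: str
    severity: str  # critical / high / medium / info
    reason: str
    line: str


def triage_line(line):
    """Classify one HijackThis entry; return a Finding, or None if it looks benign."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "F2" and "Shell=" in body:
        # system.ini Shell= should be exactly Explorer.exe; anything appended
        # is launched at every logon alongside the shell.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding(kind, "critical", "Shell= starts an extra program: " + shell, line)
        return None

    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        # Every DLL listed here is mapped into each process that loads user32.dll.
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            return Finding(kind, "high", "AppInit_DLLs injects into all GUI processes: " + dlls, line)
        return None

    if any(marker in body for marker in ORPHAN_MARKERS):
        return Finding(kind, "info", "points at a file that no longer exists (orphan, safe to clean)", line)

    if kind == "O4" and PROFILE_RE.search(body):
        return Finding(kind, "medium", "autorun executable lives under a user profile", line)

    if kind in ("R3", "O2", "O3") and "(no name)" in body:
        return Finding(kind, "medium", "unnamed browser hook with its file still present; identify it", line)

    return None


def triage(log_text):
    """Run triage_line over a whole log, keeping only the entries that were flagged."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 1, 'medium': 3, 'info': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:>8}] {f.kind}: {f.reason}")
        print(f"           {f.line}")
    print(summarize(results))
```

On the excerpt this flags seven of the nine entries and leaves the Windows Defender autorun and the iPod service alone; the F2 hit is the same vmmdiag32.exe that HaxFix reported under "goldun", which is why the two logs are read together.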
     
  11. 2006/10/21
    dirtydog43 Inactive Thread Starter
    Gary - 06-10-21 8:40:24.26 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Gary\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{8A52E579-524E-4952-87DE-050ADA19A49B}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{8A52E579-524E-4952-87DE-050ADA19A49B}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{8A52E579-524E-4952-87DE-050ADA19A49B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{8A52E579-524E-4952-87DE-050ADA19A49B}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{1DF87CF8-724D-4EC6-B965-600F30A4B8F7}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1DF87CF8-724D-4EC6-B965-600F30A4B8F7}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1DF87CF8-724D-4EC6-B965-600F30A4B8F7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1DF87CF8-724D-4EC6-B965-600F30A4B8F7}\InprocServer32]
    @="C:\\WINDOWS\\system32\\szrwvdrv.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINDOWS\system32\k8pmli7118.dll
    C:\WINDOWS\system32\n0n6la5s1d.dll
    C:\WINDOWS\system32\p0n80a5ued.dll
    C:\WINDOWS\system32\szrwvdrv.dll


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\dxclib303562752.dll
    C:\Documents and Settings\Gary\Application Data\Dxcknwrd.dll
    C:\WINDOWS\system32\bkd.exe
    C:\Program Files\DeluxeCommunications\Dxc.exe
    C:\Program Files\DeluxeCommunications\DxcBho.dll
    C:\Program Files\DeluxeCommunications\DxcCore.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\dxclib303562752.dll
    C:\Program Files\DeluxeCommunications\Dxc.exe
    C:\Program Files\DeluxeCommunications\DxcBho.dll
    C:\Program Files\DeluxeCommunications\DxcCore.dll
    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\keyboard1.dat
    C:\dfndrff_e33.exe
    C:\kybrdff_e33.exe
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\tracert.com
    C:\WINDOWS\system32\winlog.exe
    C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Program Files\Common Files\misc002
    C:\Program Files\Deskbar
    C:\Program Files\Inetget2
    C:\Program Files\Common Files\{3842D646-031D-1033-0224-041204030002}
    C:\Program Files\outlook
    C:\Program Files\PrintView
    C:\WINDOWS\system32\crunner
    C:\Program Files\Common Files\{F842D646-031D-1033-0224-041204030002}

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\CURITY~1
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\WNSXS~1
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\CURITY~1\msdtc.exe
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\WNSXS~1\arpa.exe
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\WNSXS~1\W?nSxS
    C:\QooBox\Purity\Program Files\Common Files\FNTS~1
    C:\QooBox\Purity\WINDOWS\MCROSO~1
    C:\QooBox\Purity\WINDOWS\YMANTE~1
    C:\QooBox\Purity\WINDOWS\system32\CURITY~1
    C:\QooBox\Purity\WINDOWS\system32\FNTS~1
    C:\QooBox\Purity\WINDOWS\system32\MBOLS~1
    C:\QooBox\Purity\WINDOWS\system32\PPATCH~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
    C:\QooBox\Purity\WINDOWS\system32\SKS~1
    C:\QooBox\Purity\WINDOWS\system32\STEM32~1
    C:\QooBox\Purity\WINDOWS\system32\STEM~1
    C:\QooBox\Purity\WINDOWS\system32\WNSXS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-21 to 2006-10-21 ))))))))))))))))))))))))))))))))))


    2006-10-21 08:45 23,552 --a------ C:\WINDOWS\system32\wmimgr32.dll
    2006-10-21 08:36 90,112 --a------ C:\WINDOWS\system32\win18892.dll
    2006-10-20 08:11 90,112 --a------ C:\WINDOWS\system32\win22017.dll
    2006-10-19 20:34 90,112 --a------ C:\WINDOWS\system32\win23906.dll
    2006-10-19 08:27 131,072 --a------ C:\WINDOWS\system32\ruytx.dll
    2006-10-19 08:16 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
    2006-10-19 08:09 96,768 --------- C:\WINDOWS\system32\dxclib303562752.dll
    2006-10-18 19:16 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2006-10-18 19:16 7,483 --a------ C:\clean.bat
    2006-10-18 19:16 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2006-10-18 19:16 38,400 --a------ C:\WINDOWS\system32\moveex.exe
    2006-10-18 17:22 90,112 --a------ C:\WINDOWS\system32\win12142.dll
    2006-10-18 04:02 90,112 --a------ C:\WINDOWS\system32\win16845.dll
    2006-10-18 00:00 90,112 --a------ C:\WINDOWS\system32\win61197.dll
    2006-10-17 20:04 90,112 --a------ C:\WINDOWS\system32\win27738.dll
    2006-10-17 16:50 90,112 --a------ C:\WINDOWS\system32\win29423.dll
    2006-10-17 04:03 90,112 --a------ C:\WINDOWS\system32\win54750.dll
    2006-10-17 00:01 90,112 --a------ C:\WINDOWS\system32\win35581.dll
    2006-10-16 23:07 42,736 --a------ C:\WINDOWS\icont.exe
    2006-10-16 22:53 90,112 --a------ C:\WINDOWS\system32\win23735.dll
    2006-10-15 22:07 90,112 --a------ C:\WINDOWS\system32\win35611.dll
    2006-10-15 18:00 90,112 --a------ C:\WINDOWS\system32\win30856.dll
    2006-10-15 15:04 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-10-15 12:14 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-10-15 12:14 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-10-15 12:14 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-10-15 12:14 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-10-15 00:04 90,112 --a------ C:\WINDOWS\system32\win11981.dll
    2006-10-14 22:05 90,112 --a------ C:\WINDOWS\system32\win3265.dll
    2006-10-14 18:03 90,112 --a------ C:\WINDOWS\system32\win8350.dll
    2006-10-14 14:07 90,112 --a------ C:\WINDOWS\system32\win41413.dll
    2006-10-14 13:58 5,649 --a------ C:\WINDOWS\system32\vmmdiag32.exe
    2006-10-14 10:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2006-10-14 10:26 90,112 --------- C:\WINDOWS\system32\win48284.dll
    2006-10-14 10:26 81,920 --a------ C:\WINDOWS\system32\wmdconf32.dll
    2006-10-14 10:21 0 --a------ C:\WINDOWS\system32\taskkill.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-21 08:45 -------- d-------- C:\Program Files\Common Files
    2006-10-21 08:37 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-19 08:17 -------- d--h----- C:\Program Files\Common Files\cloader
    2006-10-19 08:09 -------- d-------- C:\Program Files\DeluxeCommunications
    2006-10-18 19:20 -------- d-------- C:\Program Files\HaxFix
    2006-10-15 15:04 -------- d-------- C:\Program Files\Grisoft
    2006-10-12 21:52 -------- d-------- C:\Program Files\iTunes
    2006-10-12 21:52 -------- d-------- C:\Program Files\iPod
    2006-10-12 21:50 -------- d-------- C:\Program Files\QuickTime
    2006-10-12 21:48 -------- d-------- C:\Program Files\Apple Software Update
    2006-10-11 17:26 -------- d-------- C:\Program Files\Windows Defender
    2006-10-11 17:26 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-10-11 17:23 -------- d-------- C:\Documents and Settings\Gary\Application Data\Lavasoft
    2006-10-11 17:22 -------- d-------- C:\Program Files\Lavasoft
    2006-10-11 17:21 -------- d-------- C:\Program Files\MyGlobalSearch
    2006-10-09 12:31 -------- d-------- C:\Program Files\Internet Explorer
    2006-09-16 14:25 -------- d-------- C:\Program Files\Seekmo Programs
    2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 03:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-07-27 07:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 02:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "RecordNow!"=""
    "NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
    "cprocsvc"="C:\\WINDOWS\\system32\\crunner\\cproc.exe"
    "Aaou"="\"C:\\DOCUME~1\\Gary\\MYDOCU~1\\WNSXS~1\\arpa.exe\" -vt yazb"
    "Jlftntmm"="C:\\Documents and Settings\\Gary\\My Documents\\??curity\\msdtc.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
    "AGRSMMSG"="AGRSMMSG.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
    "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
    "IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
    "MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
    "MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
    "HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
    "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
    "dvd43"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
    "MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "SRUUninstall"=""

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "SRUUninstall"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Ad-Aware SE Personal.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-10-21 8:45:53.92
    C:\ComboFix.txt ... 06-10-21 08:45
     
  12. 2006/10/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, we certainly got rid of lots of junk, didn't we?

    OK, now the second part of HaxFix should work, seeing as we removed the other infections, which were hampering its use.

    • Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    If an infection is found, you'll get a message to close all other open windows.

    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of that logfile.
    After this reboot, please do the following:

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    vmmdiag32.exe
    C:\WINDOWS\system32\wmimgr32.dll
    C:\WINDOWS\system32\win18892.dll
    C:\WINDOWS\system32\win22017.dll
    C:\WINDOWS\system32\win23906.dll
    C:\WINDOWS\system32\ruytx.dll
    C:\WINDOWS\system32\wnsapisv.exe
    C:\WINDOWS\system32\dxclib303562752.dll
    C:\WINDOWS\system32\moveex.exe
    C:\WINDOWS\system32\win12142.dll
    C:\WINDOWS\system32\win16845.dll
    C:\WINDOWS\system32\win61197.dll
    C:\WINDOWS\system32\win27738.dll
    C:\WINDOWS\system32\win29423.dll
    C:\WINDOWS\system32\win54750.dll
    C:\WINDOWS\system32\win35581.dll
    C:\WINDOWS\icont.exe
    C:\WINDOWS\system32\win23735.dll
    C:\WINDOWS\system32\win35611.dll
    C:\WINDOWS\system32\win30856.dll
    C:\WINDOWS\system32\win11981.dll
    C:\WINDOWS\system32\win3265.dll
    C:\WINDOWS\system32\win8350.dll
    C:\WINDOWS\system32\win41413.dll
    C:\WINDOWS\system32\vmmdiag32.exe
    C:\WINDOWS\system32\win48284.dll
    C:\WINDOWS\system32\wmdconf32.dll
    C:\Program Files\DeluxeCommunications
    C:\Program Files\Seekmo Programs



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Do not reboot yet.

    Go to Add/Remove, and if found, uninstall the following:
    Viewpoint
    Deluxe Communications



    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...r=6&ar=msnhome

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe

    O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll


    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

    O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Gary\MYDOCU~1\WNSXS~1\arpa.exe" -vt yazb

    O4 - HKCU\..\Run: [Jlftntmm] C:\Documents and Settings\Gary\My Documents\??curity\msdtc.exe

    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe


    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML


    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab


    Reboot and run ComboFix first, then HJT and post both logs back into this thread along with the HaxFix log.
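Added example (not part of this thread, and not a feature of HijackThis, ComboFix or HaxFix): the reasoning behind the entries picked out in the post above, written as triage rules in Python and run over those same log lines. The Winlogon Shell check, the user-profile and "?" path checks, the orphan check, the adware directory names (taken from this thread) and the win#####.dll name pattern (taken from the Killbox list) are this example's own assumptions about what a removal helper reads for, not rules the tools apply.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example: not part of the original thread and not a feature of
HijackThis, ComboFix or HaxFix. The sample lines are copied from the posts
above; the rules themselves are this example's own assumptions about what a
removal helper looks for when reading such a log.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    entry: str   # the log line that was flagged
    reason: str  # why it was flagged


# Constructed sample: six entries TeMerc asked to have fixed, plus two benign
# entries from the fresh log (Windows Defender, NVIEW) for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Gary\MYDOCU~1\WNSXS~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [Jlftntmm] C:\Documents and Settings\Gary\My Documents\??curity\msdtc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# Constructed sample of system32 file names: three from the Killbox list above
# mixed with legitimate Windows files whose names also start with "win".
SAMPLE_SYSTEM32 = ["wininet.dll", "winmm.dll", "win32k.sys", "win18892.dll",
                   "win3265.dll", "win11981.dll", "wmimgr32.dll"]

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# The Killbox list names win18892.dll, win22017.dll, ...: "win" plus digits.
# Assumed pattern; it will not catch differently named droppers (wmimgr32.dll).
WIN_DLL_RE = re.compile(r"^win\d{3,5}\.dll$", re.IGNORECASE)

# Autoruns launched from a user-writable profile location (assumed markers).
USER_PROFILE_MARKERS = ("\\my documents\\", "\\mydocu~1\\", "\\local settings\\temp\\")
# Directory names of the adware dealt with in this thread (assumed list).
ADWARE_DIRS = ("deluxecommunications", "viewpoint", "seekmo")


def _first_path(command: str) -> str:
    """Return the executable path from a Run value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HJT line deserves attention."""
    reasons = []
    m = SHELL_RE.match(line)
    if m:
        # Winlogon's Shell value should be exactly Explorer.exe; anything
        # appended to it is launched at every logon alongside the desktop.
        extra = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
        if extra:
            reasons.append("extra program in Winlogon Shell: " + " ".join(extra))
    m = RUN_RE.match(line)
    if m:
        path = _first_path(m.group(3))
        low = path.lower()
        if any(marker in low for marker in USER_PROFILE_MARKERS):
            reasons.append("autorun from user profile: " + path)
        if "?" in path:
            # HJT prints characters it cannot render as '?', e.g. "??curity".
            reasons.append("unprintable characters in path: " + path)
    if "(no file)" in line:
        reasons.append("orphaned entry, target file missing")
    low = line.lower()
    for name in ADWARE_DIRS:
        if name in low:
            reasons.append("known adware directory: " + name)
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(Finding(line, r) for r in triage_line(line))
    return findings


def suspicious_system32_names(names: List[str]) -> List[str]:
    """File names that look like the win#####.dll family from the Killbox list."""
    return sorted(n for n in names if WIN_DLL_RE.match(n))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.entry}")
    print("system32 names to look at:", suspicious_system32_names(SAMPLE_SYSTEM32))
```

Run as-is it flags six of the eight sample lines and leaves the Windows Defender and NVIEW entries alone; wmimgr32.dll is deliberately not matched by the name pattern, which is why a list like the Killbox one still needs a human reading the whole log rather than a single regex.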
     
  13. 2006/10/21
    dirtydog43

    dirtydog43 Inactive Thread Starter

    Joined:
    2006/03/19
    Messages:
    66
    Likes Received:
    0
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:53:56 PM 21/10/2006

    + Scan result:


    C:\Program Files\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
    C:\Program Files\DeluxeCommunications\Dxc.exe -> Adware.DeluxeCommunications : Ignored.
    C:\Program Files\DeluxeCommunications\DxcBho.dll -> Adware.DeluxeCommunications : Ignored.
    C:\Program Files\DeluxeCommunications\DxcCore.dll -> Adware.DeluxeCommunications : Ignored.
    HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Ignored.
    HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
    HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Ignored.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
    HKU\S-1-5-21-1417001333-2139871995-839522115-1004\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
    HKU\S-1-5-21-1417001333-2139871995-839522115-1004\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Ignored.
    HKU\S-1-5-21-1417001333-2139871995-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.

    ***Edited by TeMerc: System Volume Information folders not relevant***
     
  14. 2006/10/21
    dirtydog43

    dirtydog43 Inactive Thread Starter

    Joined:
    2006/03/19
    Messages:
    66
    Likes Received:
    0
    C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [200] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [248] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [260] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [416] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [484] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [528] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [608] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    [812] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
    ***Edited by TeMerc: System Volume Information & cookies not relevant***
     
  15. 2006/10/21
    dirtydog43

    dirtydog43 Inactive Thread Starter

    Joined:
    2006/03/19
    Messages:
    66
    Likes Received:
    0
    Where do I find the BFU log?
     
  16. 2006/10/21
    dirtydog43

    dirtydog43 Inactive Thread Starter

    Joined:
    2006/03/19
    Messages:
    66
    Likes Received:
    0
    HAXFIX logfile - by Marckie
    --------------
    version 4.22
    21/10/2006 16:06:13.62

    --- Auto Haxdoorfix ---


    searching for files:

    no infections found


    --- Goldunfix ---


    searching for files:
    vmmdiag32.exe
    wmdconf32.dll

    searching for SSODLkeys:
    no SSODLkeys found

    searching for notifykeys:
    no notifykeys found

    searching for services:
    no services found


    .....rebooting the computer.....


    searching for ssodlkeys

    not needed


    searching for notifykeys

    not needed


    searching for services

    not needed


    searching for safeboot services

    not needed


    searching for files

    vmmdiag32.exe exists
    deleting vmmdiag32.exe
    vmmdiag32.exe has been deleted

    wmdconf32.dll exists
    deleting wmdconf32.dll
    wmdconf32.dll has been deleted


    checking for other files

    No other files found


    checking for a3d files

    no a3d files found


    Finished
     
  17. 2006/10/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You were instructed to save it:
    Did you not save it there? Do a search for it if you remember what you called it.

    I see all the Ewido\AVG items were set to ignore; did you save the log then change the action to quarantine?

    If not, re-scan with Ewido, making sure that the action applied is 'quarantine'.
     
  18. 2006/10/21
    dirtydog43

    dirtydog43 Inactive Thread Starter

    Joined:
    2006/03/19
    Messages:
    66
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 16:28, on 06-10-21
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gary\Desktop\combofix.exe
    C:\WINDOWS\system32\cmd.exe
    C:\My Antispyware\HijackThis-1.exe

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128033660437
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h20179.www2.hp.com/psgna/caller/SysQuery.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  19. 2006/10/21
    dirtydog43

    dirtydog43 Inactive Thread Starter

    Joined:
    2006/03/19
    Messages:
    66
    Likes Received:
    0
    Gary - 06-10-21 16:27:24.79 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Gary\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\Gary\Application Data\Dxcknwrd.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\CURITY~1
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\WNSXS~1
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\CURITY~1\msdtc.exe
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\WNSXS~1\arpa.exe
    C:\QooBox\Purity\Documents and Settings\Gary\My Documents\WNSXS~1\W?nSxS
    C:\QooBox\Purity\Program Files\Common Files\FNTS~1
    C:\QooBox\Purity\WINDOWS\MCROSO~1
    C:\QooBox\Purity\WINDOWS\YMANTE~1
    C:\QooBox\Purity\WINDOWS\system32\CURITY~1
    C:\QooBox\Purity\WINDOWS\system32\FNTS~1
    C:\QooBox\Purity\WINDOWS\system32\MBOLS~1
    C:\QooBox\Purity\WINDOWS\system32\PPATCH~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
    C:\QooBox\Purity\WINDOWS\system32\SKS~1
    C:\QooBox\Purity\WINDOWS\system32\STEM32~1
    C:\QooBox\Purity\WINDOWS\system32\STEM~1
    C:\QooBox\Purity\WINDOWS\system32\WNSXS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-21 to 2006-10-21 ))))))))))))))))))))))))))))))))))


    2006-10-21 16:32 23,552 --a------ C:\WINDOWS\system32\wmimgr32.dll
    2006-10-21 15:58 90,112 --a------ C:\WINDOWS\system32\win15188.dll
    2006-10-18 19:16 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2006-10-18 19:16 7,483 --a------ C:\clean.bat
    2006-10-18 19:16 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2006-10-15 15:04 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-10-15 12:14 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-10-15 12:14 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-10-15 12:14 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-10-15 12:14 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-10-14 10:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2006-10-14 10:21 0 --a------ C:\WINDOWS\system32\taskkill.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-21 16:25 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-21 16:15 -------- d-------- C:\Program Files\Viewpoint
    2006-10-21 16:06 -------- d-------- C:\Program Files\HaxFix
    2006-10-21 11:15 -------- d-------- C:\Program Files\Alibre Design
    2006-10-21 08:45 -------- d-------- C:\Program Files\Common Files
    2006-10-15 15:04 -------- d-------- C:\Program Files\Grisoft
    2006-10-12 21:52 -------- d-------- C:\Program Files\iTunes
    2006-10-12 21:52 -------- d-------- C:\Program Files\iPod
    2006-10-12 21:50 -------- d-------- C:\Program Files\QuickTime
    2006-10-12 21:48 -------- d-------- C:\Program Files\Apple Software Update
    2006-10-11 17:26 -------- d-------- C:\Program Files\Windows Defender
    2006-10-11 17:26 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-10-11 17:23 -------- d-------- C:\Documents and Settings\Gary\Application Data\Lavasoft
    2006-10-11 17:22 -------- d-------- C:\Program Files\Lavasoft
    2006-10-11 17:21 -------- d-------- C:\Program Files\MyGlobalSearch
    2006-10-09 12:31 -------- d-------- C:\Program Files\Internet Explorer
    2006-09-16 14:25 -------- d-------- C:\Program Files\Seekmo Programs
    2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 03:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-07-27 07:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 02:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "RecordNow!"=""
    "NVIEW"="rundll32.exe nview.dll,nViewLoadHook"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
    "AGRSMMSG"="AGRSMMSG.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
    "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
    "IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
    "MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
    "HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
    "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
    "dvd43"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
    "MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "SRUUninstall"=""

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "SRUUninstall"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Ad-Aware SE Personal.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-10-21 16:32:39.37
    C:\ComboFix.txt ... 06-10-21 16:32
    C:\ComboFix2.txt ... 06-10-21 16:20
    C:\ComboFix3.txt ... 06-10-21 08:45
     
  20. 2006/10/21
    dirtydog43

    dirtydog43 Inactive Thread Starter

    Joined:
    2006/03/19
    Messages:
    66
    Likes Received:
    0
    I mustn't have saved the BFU log. Do I re-do BFU?

    Also, I forgot to set the Ewido stuff to quarantine again. When I re-scan with Ewido, do I have to do it in Safe Mode?
     
  21. 2006/10/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    At this point with the logs looking ok, don't bother with BFU again.

    But as for the Ewido scan, yes, that needs to be redone, and in Safe Mode, so as to get the few malwares which may be remaining. Many malwares, the lesser of the nasties, don't load in Safe Mode, so we can get them.
     