
IE BHO problem [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Viper62, 2008/01/13.

  1. 2008/01/13
    Viper62

    Viper62 Inactive Thread Starter

    Joined:
    2007/12/05
    Messages:
    5
    Likes Received:
    0
    I have been working on a family member's PC. She let someone get on it, and he went everywhere and picked up lots of spyware, malware and other junk. I have cleaned most of it off, but there seems to be a BHO still hijacking IE. I have installed Firefox so she can have some sanity. Here is the HijackThis output:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:14:03 PM, on 1/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\UltraVNC\winvnc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\SpywareRemover\SpywareRemover.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Sierra\Planner\PLNRnote.exe
    C:\Downloads\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {067F9B47-2591-4F44-B9CB-F9A8ACED6D12} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {06FFCD1D-C3F8-4A2E-882D-0519BB1A1817} - (no file)
    O2 - BHO: (no name) - {0DF9076C-F74C-403F-A670-2DBF353207A9} - (no file)
    O2 - BHO: (no name) - {187C570F-B31B-4737-B0D3-D47F5209AF70} - (no file)
    O2 - BHO: (no name) - {2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B} - C:\WINDOWS\system32\byxyaww.dll (file missing)
    O2 - BHO: (no name) - {49052B15-FA24-4697-9D71-F9177BE6F1FB} - (no file)
    O2 - BHO: (no name) - {4F73AF21-A9CD-416E-A8B1-F9E4A1A542B7} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5b43ae5a-54e9-4e78-99ae-74b91e0ce22f} - C:\WINDOWS\system32\gqdwcmyr.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {60E0FC40-1F00-4473-B54F-7108345FE41D} - (no file)
    O2 - BHO: (no name) - {633888FF-654A-49B5-897E-90E5F4C91DAF} - (no file)
    O2 - BHO: (no name) - {637f2f6f-dfb5-4d47-90db-748149e1ca4c} - C:\WINDOWS\system32\lyyasyy.dll
    O2 - BHO: (no name) - {6471090E-57A4-413B-912F-9CB56710F57A} - (no file)
    O2 - BHO: (no name) - {66407D93-C912-406C-8D5B-077D59C2051C} - (no file)
    O2 - BHO: (no name) - {6EFC5DA3-EDA6-4C1C-94CC-F9AD03A360E8} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7F772C86-C328-47A0-B235-F8CAF9162D16} - (no file)
    O2 - BHO: (no name) - {80213B7C-DEC6-446F-831E-10A5DA12C015} - (no file)
    O2 - BHO: (no name) - {82AE2B72-DC5A-4F7A-A226-2B9E4DC57C96} - (no file)
    O2 - BHO: (no name) - {83730E6A-A7BD-4CD1-A7BD-8396B9D0DDA8} - (no file)
    O2 - BHO: (no name) - {890C44A4-4DA0-4DB4-B069-3170A9BBE241} - (no file)
    O2 - BHO: (no name) - {89B04BB4-E739-44D9-81ED-2DFCF03E6BCA} - (no file)
    O2 - BHO: (no name) - {89B2A841-CEC7-45ED-9E77-A1F3B7A2E7D7} - (no file)
    O2 - BHO: (no name) - {8C0C38A6-65EF-44B6-A705-A66DC4B82DB3} - (no file)
    O2 - BHO: (no name) - {8D09823C-998F-4199-A5A4-6DE4D3A31620} - (no file)
    O2 - BHO: (no name) - {B2ABB87E-89F0-4281-91BF-43EE272966A8} - (no file)
    O2 - BHO: (no name) - {B93AB153-84CA-4075-A604-A22D0997AC64} - (no file)
    O2 - BHO: (no name) - {C721BD19-255A-4DC9-ACFB-9C9CCC0AA437} - (no file)
    O2 - BHO: (no name) - {C7425F92-1E7D-4628-B3F8-385AFCE87DEB} - (no file)
    O2 - BHO: (no name) - {C83D279E-46FA-4FB0-8498-AB75CF019DC9} - (no file)
    O2 - BHO: (no name) - {CD7B3569-BFA1-4801-A526-BDA1757C2AF4} - C:\Program Files\MSN Gaming Zone\nipybaloC:\WINDOWS\system32\j2\ejup83122.exe.dll (file missing)
    O2 - BHO: (no name) - {DE92434B-80E6-4D88-8A76-C77E5AF93C3B} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {ED9C319B-7D6F-4950-8927-BA53CC2F6B72} - (no file)
    O2 - BHO: (no name) - {EF12D925-EC24-4465-8D43-E5430E202185} - (no file)
    O2 - BHO: (no name) - {F3046B2D-A0D5-4C42-8ED6-277DA3724A6E} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.reciperewards.com/bundles/reciperewards.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195605572078
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: byxyaww - byxyaww.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

    --
    End of file - 10509 bytes


    Any help would be greatly appreciated :)
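Triage of the O2/O3/O20 lines in a log like the one above, as an added example; this is not code from the thread or from HijackThis. HijackThis writes "(no file)" when a CLSID is registered but has no DLL path behind it, and "(file missing)" when a path is recorded but the DLL no longer exists. The parser below groups entries by that state, flags nameless BHOs that still load a short random-named DLL straight out of system32 (the ones that can actually hook the browser), catches the glued-together path in the {CD7B3569-...} entry, cross-references DLL names across load points, and compares a before/after pair of logs. The sample lines are copied from the two logs posted in this thread; the category names and the "random DLL" heuristic are this example's own assumptions, not HijackThis rules.

```python
"""Triage of HijackThis O2 (BHO), O3 (Toolbar) and O20 (Winlogon Notify) entries.
Added example, not code from the thread or from HijackThis."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# O2/O3 layout: "O2 - BHO: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O20 layout: "O20 - Winlogon Notify: <name> - <dll>"  (no CLSID)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Heuristic (assumption of this example): 6-8 random lowercase letters directly in system32.
RANDOM_DLL_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{6,8}\.dll$", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: Optional[str]
    path: str

    def dll(self) -> Optional[str]:
        """Lower-cased file name the entry points at, or None for '(no file)'."""
        if self.path == "(no file)":
            return None
        return self.path.removesuffix(" (file missing)").split("\\")[-1].lower()


def parse(log: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in log.splitlines():
        line = line.strip()
        if m := ENTRY_RE.match(line):
            entries.append(Entry(m["section"], m["kind"], m["name"], m["clsid"].upper(), m["path"]))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry("O20", "Winlogon Notify", m["name"], None, m["path"]))
    return entries


def classify(e: Entry) -> str:
    if e.path.count(":\\") > 1:
        return "malformed"   # two absolute paths glued together; can never load
    if e.path == "(no file)":
        return "orphan"      # CLSID registered, no InprocServer32 path: inert leftover
    if e.path.endswith("(file missing)"):
        return "dangling"    # path recorded, DLL gone: registry key left behind
    if e.name == "(no name)" and RANDOM_DLL_RE.match(e.path):
        return "suspicious"  # nameless BHO whose random-named DLL still exists: live hook
    return "named"           # carries a product name; verify against the vendor, do not auto-clean


def triage(log: str) -> dict[str, list[str]]:
    """Group entries by class, identified by CLSID when present, otherwise by name."""
    groups: dict[str, list[str]] = {}
    for e in parse(log):
        groups.setdefault(classify(e), []).append(e.clsid or e.name)
    return groups


def shared_dlls(log: str) -> dict[str, list[str]]:
    """DLL names referenced from more than one load point (e.g. BHO plus Winlogon Notify)."""
    seen: dict[str, set[str]] = {}
    for e in parse(log):
        if (d := e.dll()) is not None:
            seen.setdefault(d, set()).add(e.section)
    return {d: sorted(s) for d, s in seen.items() if len(s) > 1}


def compare(before: str, after: str) -> tuple[list[str], list[str]]:
    """CLSIDs from the first log that were cleared / are still registered in the second."""
    b = {e.clsid for e in parse(before) if e.clsid}
    a = {e.clsid for e in parse(after) if e.clsid}
    return sorted(b - a), sorted(b & a)


# Sample input: lines copied from the first and second HijackThis logs in this thread.
SAMPLE_BEFORE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {067F9B47-2591-4F44-B9CB-F9A8ACED6D12} - (no file)
O2 - BHO: (no name) - {2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B} - C:\WINDOWS\system32\byxyaww.dll (file missing)
O2 - BHO: (no name) - {5b43ae5a-54e9-4e78-99ae-74b91e0ce22f} - C:\WINDOWS\system32\gqdwcmyr.dll
O2 - BHO: (no name) - {637f2f6f-dfb5-4d47-90db-748149e1ca4c} - C:\WINDOWS\system32\lyyasyy.dll
O2 - BHO: (no name) - {CD7B3569-BFA1-4801-A526-BDA1757C2AF4} - C:\Program Files\MSN Gaming Zone\nipybaloC:\WINDOWS\system32\j2\ejup83122.exe.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: byxyaww - byxyaww.dll (file missing)
"""
SAMPLE_AFTER = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {CD7B3569-BFA1-4801-A526-BDA1757C2AF4} - C:\Program Files\MSN Gaming Zone\nipybaloC:\WINDOWS\system32\j2\ejup83122.exe.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
"""

if __name__ == "__main__":
    for cat, ids in triage(SAMPLE_BEFORE).items():
        print(f"{cat:10s} {ids}")
    print("shared DLLs:", shared_dlls(SAMPLE_BEFORE))
    cleared, still = compare(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("cleared:", cleared)
    print("still registered:", still)
```

The output separates the two kinds of problem the log mixes together: the orphan and dangling entries are dead registrations that cannot load anything until a DLL reappears at that path, while the two "suspicious" BHOs are the ones whose DLL is still on disk and still being loaded into every IE process. The shared-DLL check shows byxyaww.dll registered both as a BHO and as a Winlogon Notify package, i.e. one component at two load points, which is why cleaning only the BHO key would not be enough. Run against the second log, compare() reports what ComboFix cleared and which stale CLSIDs are still registered and need a registry fix.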
     
  2. 2008/01/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Viper62 :)

    You'll need to disable Spybot's TeaTimer until we get this machine clean, as it can prevent the necessary changes.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active" box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Reboot

    Now, download ComboFix by sUBs from here, saving the file to your desktop.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     

  4. 2008/01/15
    Viper62

    Viper62 Inactive Thread Starter

    Joined:
    2007/12/05
    Messages:
    5
    Likes Received:
    0
    Thanks for the welcome...

    I first tried to run ComboFix on my own PC to make sure I know what it does and how it works. I have tried to run it twice, and each time it locks up at the point where it is generating the log file. I have had to hard-reset my system in order to get it working again. Is there something I can do to get it to finish up so it resets everything back? Tonight I left it on that screen for over 30 minutes, and the last message posted said the log should pop up in a few seconds. It did generate the combofix.txt file but did not complete the overall process. Any suggestions before I run this on the PC in question? (No, I didn't click anything with the mouse :) )
     
  5. 2008/01/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ComboFix is not a tool that should be run on any old machine just to see what it does. I don't know what is installed on the machine you're trying to run it on and therefore cannot predict what might be causing it to hang. Please download a fresh copy to the PC for which you posted a log above and run it as recommended. ComboFix is updated very frequently, and it's best to always use the latest release.

    Please explain. Set what back?
     
  6. 2008/01/16
    Viper62

    Viper62 Inactive Thread Starter

    Joined:
    2007/12/05
    Messages:
    5
    Likes Received:
    0
    The software said it made changes that it would set back when finished; the clock is the only thing it specified, but I wasn't sure what else it did.

    I'm a network administrator and deal with all types of issues like this all the time, and I am always happy to learn new programs, so to get the feel of it I ran it on my personal PC at home. I have done lots of things in my 30 years working with computers, but as you well know, one person can't know everything, or I haven't met one yet. So where I lack, I research and find help like this wonderful site I found, and I just want to personally thank you and all those like you who spend your time and effort helping people like myself! Have yourself a great day :D
     
  7. 2008/01/19
    Viper62

    Viper62 Inactive Thread Starter

    Joined:
    2007/12/05
    Messages:
    5
    Likes Received:
    0
    OK, here we go with the ComboFix and new HijackThis logs:

    ComboFix 08-01-20.1 - Carol 2008-01-19 18:38:43.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT -5:00]
    Running from: C:\Documents and Settings\Carol\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Redemption.ECF
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\abW9
    C:\Temp\abW9\tPho.log
    C:\temp\tn3
    C:\WINDOWS\system32\bpgbohqe.dll
    C:\WINDOWS\system32\c1
    C:\WINDOWS\system32\ctabgaul.dll
    C:\WINDOWS\system32\cxmgwptt.dll
    C:\WINDOWS\system32\d1
    C:\WINDOWS\system32\dfraexhp.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\drjiuvub.dll
    C:\WINDOWS\system32\ebmfghgn.dll
    C:\WINDOWS\system32\enevyqyr.dll
    C:\WINDOWS\system32\eputfwga.dll
    C:\WINDOWS\SYSTEM32\eqhobgpb.ini
    C:\WINDOWS\SYSTEM32\estdswkx.ini
    C:\WINDOWS\SYSTEM32\exjkxjkf.ini
    C:\WINDOWS\system32\fekkqvbd.dll
    C:\WINDOWS\system32\fkjxkjxe.dll
    C:\WINDOWS\system32\gskavqcn.dll
    C:\WINDOWS\system32\gtqupyap.dll
    C:\WINDOWS\system32\h2
    C:\WINDOWS\system32\hfbgwetw.dll
    C:\WINDOWS\SYSTEM32\hjjlm.ini
    C:\WINDOWS\SYSTEM32\hjjlm.ini2
    C:\WINDOWS\SYSTEM32\isiktivr.ini
    C:\WINDOWS\system32\j2
    C:\WINDOWS\system32\jcwxfhwy.dll
    C:\WINDOWS\SYSTEM32\jpbffjgq.ini
    C:\WINDOWS\SYSTEM32\jyiyyggu.ini
    C:\WINDOWS\system32\kdpcplgr.dll
    C:\WINDOWS\SYSTEM32\luagbatc.ini
    C:\WINDOWS\system32\lyyasyy.dll
    C:\WINDOWS\system32\m8
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\SYSTEM32\ncqvaksg.ini
    C:\WINDOWS\system32\ntsbpfuh.dll
    C:\WINDOWS\system32\nyvlunhy.dll
    C:\WINDOWS\system32\oeqkekso.dll
    C:\WINDOWS\system32\oudcxmwh.dll
    C:\WINDOWS\system32\qdpayqhb.dll
    C:\WINDOWS\system32\qgjffbpj.dll
    C:\WINDOWS\system32\rcmhqwdm.dll
    C:\WINDOWS\SYSTEM32\rglpcpdk.ini
    C:\WINDOWS\system32\rvitkisi.dll
    C:\WINDOWS\SYSTEM32\ttpwgmxc.ini
    C:\WINDOWS\system32\uggyyiyj.dll
    C:\WINDOWS\system32\xkwsdtse.dll
    C:\WINDOWS\SYSTEM32\ywhfxwcj.ini
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

    ----- Unknown downloads made by BITS: ----
    http://download.simplestar.com

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
    .

    2008-01-19 18:36 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-25 18:31 . 2007-12-25 18:31 294 --ahs---- C:\WINDOWS\SYSTEM32\mlkukouo.ini
    2007-12-24 16:11 . 2007-12-24 16:11 294 --ahs---- C:\WINDOWS\SYSTEM32\pbwmatkd.ini
    2007-12-23 16:14 . 2007-12-23 16:14 294 --ahs---- C:\WINDOWS\SYSTEM32\ewysygxb.ini
    2007-12-20 13:25 . 2007-12-20 13:25 294 --ahs---- C:\WINDOWS\SYSTEM32\keuepqxg.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-20 23:48 --------- d-----w C:\Documents and Settings\Carol\Application Data\SpywareRemover
    2008-01-20 23:47 1,982,496 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-20 23:46 24,260 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-14 14:23 --------- d-----w C:\Documents and Settings\Carol\Application Data\Road Runner
    2007-12-05 23:48 --------- d-----w C:\Program Files\Java
    2007-12-05 03:18 --------- d-----w C:\Program Files\CCleaner
    2007-12-05 03:16 --------- d-----w C:\Program Files\Yahoo!
    2007-12-05 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-12-04 03:04 --------- d-----w C:\Program Files\UltraVNC
    2007-12-04 02:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-12-04 01:40 --------- d-----w C:\Program Files\Registry Defender
    2007-12-04 01:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-12-04 01:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-12-04 01:03 --------- d-----w C:\Program Files\Lavasoft
    2007-12-04 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-04 01:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-01 16:32 --------- d-----w C:\Program Files\QuickTime
    2007-12-01 16:26 --------- d-----w C:\Program Files\PrintMaster Platinum 17
    2007-12-01 16:15 --------- d-----w C:\Documents and Settings\Joan\Application Data\SpywareRemover
    2007-12-01 16:03 --------- d-----w C:\Documents and Settings\Carol\Application Data\viewpoint
    2007-12-01 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\viewpoint
    2007-12-01 15:58 --------- d-----w C:\Program Files\SpywareRemover
    2007-11-27 15:28 --------- d-----w C:\Program Files\Road Runner
    2007-11-21 18:40 --------- d-----w C:\Program Files\Alwil Software
    2007-11-21 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-21 18:27 --------- d-----w C:\Documents and Settings\Joan\Application Data\AVG7
    2007-11-21 18:27 --------- d-----w C:\Documents and Settings\Faust\Application Data\AVG7
    2007-11-21 18:27 --------- d-----w C:\Documents and Settings\Carol\Application Data\AVG7
    2005-11-27 01:16 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7B3569-BFA1-4801-A526-BDA1757C2AF4}]
    C:\Program Files\MSN Gaming Zone\nipybaloC:\WINDOWS\system32\j2\ejup83122.exe.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE92434B-80E6-4D88-8A76-C77E5AF93C3B}]
    C:\WINDOWS\system32\mljjh.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Road Runner PhotoShow Media Manager "= "C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-06-22 16:08 357616]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "SpywareRemover "= "C:\Program Files\SpywareRemover\SpywareRemover.exe" [2007-08-24 13:26 15492592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
    "avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
    "SpywareRemover "= "C:\Program Files\SpywareRemover\SpywareRemover.exe" [2007-08-24 13:26 15492592]
    "ZoneAlarm Client "= "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
    "WinVNC "= "C:\Program Files\UltraVNC\winvnc.exe" [2006-06-18 14:56 712704]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Event Planner Reminders.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2003-03-12 10:14:10 184320]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyaww]
    byxyaww.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMWDInstallFilename]
    --a------ 2004-01-12 09:29 102400 C:\PROGRA~1\RRIM\AIMWDI~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2003-08-06 01:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-10-19 07:59 126976 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2005-10-19 07:59 155648 C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc "=3 (0x3)
    "Pml Driver HPZ12 "=3 (0x3)
    "ITMRTSVC "=2 (0x2)
    "gusvc "=2 (0x2)
    "DSBrokerService "=3 (0x3)

    R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
    R3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 13:22]

    .
    Contents of the 'Scheduled Tasks' folder
    "2004-08-27 17:34:09 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065810803.job "
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
    "2003-10-10 00:51:59 C:\WINDOWS\Tasks\ISP signup reminder 1.job "
    - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
    "2008-01-20 23:48:05 C:\WINDOWS\Tasks\SpywareRemover Scheduled Scan.job "
    - C:\Program Files\SpywareRemover\SpywareRemover.ex
    - C:\Program Files\SpywareRemover
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-20 18:48:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-20 18:52:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-20 23:52:24
    .
    2008-01-10 00:29:56 --- E O F ---




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:56:48 PM, on 1/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\UltraVNC\winvnc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\SpywareRemover\SpywareRemover.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sierra\Planner\PLNRnote.exe
    C:\Program Files\Mozilla Firefox\FIREFOX.EXE
    C:\Downloads\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {CD7B3569-BFA1-4801-A526-BDA1757C2AF4} - C:\Program Files\MSN Gaming Zone\nipybaloC:\WINDOWS\system32\j2\ejup83122.exe.dll (file missing)
    O2 - BHO: (no name) - {DE92434B-80E6-4D88-8A76-C77E5AF93C3B} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
    O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.reciperewards.com/bundles/reciperewards.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195605572078
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: byxyaww - byxyaww.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

    --
    End of file - 7418 bytes
     
  8. 2008/01/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    SpywareRemover is listed as a rogue antispyware product and I recommend you first uninstall it via Add/Remove Programs, then reboot and make sure the SpywareRemover folder is gone from C:\Program Files. Check the Scheduled Tasks to make sure its task was removed as well.

    Do you see any reason that computer would have a BITS job downloading something from simplestar.com in the background?

    http://www.google.com/search?num=30&hl=en&newwindow=1&safe=off&q=simplestar.com&btnG=Search

    If not, let's stop the BITS service for now. Click Start>Run and type the following bolded command, then hit enter.

    sc stop BITS

    It will restart automatically upon reboot, after doing the following.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\SYSTEM32\mlkukouo.ini
    C:\WINDOWS\SYSTEM32\pbwmatkd.ini
    C:\WINDOWS\SYSTEM32\ewysygxb.ini
    C:\WINDOWS\SYSTEM32\keuepqxg.ini
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7B3569-BFA1-4801-A526-BDA1757C2AF4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE92434B-80E6-4D88-8A76-C77E5AF93C3B}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyaww]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{BA52B914-B692-46c4-B683-905236F6F655}"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
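As an added example (not from this thread, and not part of HijackThis or ComboFix), here is a small Python triage script that reads HijackThis O2/O3/O20 lines like the ones above, flags the entries whose backing file is reported missing or that carry no display name, and renders a Registry:: block in the CFScript form noahdfear used. The sample lines are constructed from the log above; the rendered block is a starting point for review against the full log, not something to apply unread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis v2 lines in the same shape as the logs above.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O2 - BHO: (no name) - {DE92434B-80E6-4D88-8A76-C77E5AF93C3B} - C:\\WINDOWS\\system32\\mljjh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: byxyaww - byxyaww.dll (file missing)
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Only the load points the CFScript in the thread touches: BHOs, toolbars, Winlogon Notify.
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.*)$"),
    "O3": re.compile(rf"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
}

@dataclass
class Entry:
    kind: str            # HJT section: O2, O3 or O20
    name: str            # display name as HJT prints it, "(no name)" if none
    path: str            # file column, including HJT's "(file missing)" / "(no file)" marker
    clsid: str = ""      # COM class id for O2/O3; empty for O20
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

def triage(e: Entry) -> list:
    # Indicators an analyst would weigh; neither is proof on its own.
    reasons = []
    if e.path.endswith("(file missing)") or e.path == "(no file)":
        reasons.append("load point survives but its file is gone")
    if e.name == "(no name)":
        reasons.append("no display name registered")
    return reasons

def parse(log: str) -> list:
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                d = m.groupdict()
                e = Entry(kind, d["name"], d["path"], d.get("clsid", ""))
                e.reasons = triage(e)
                entries.append(e)
                break
    return entries

def cfscript(entries: list) -> str:
    # Render a Registry:: block in the CFScript form used in the thread above.
    lines = ["Registry::"]
    toolbars = []
    for e in entries:
        if not e.suspicious:
            continue
        if e.kind == "O2":
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e.clsid}]")
        elif e.kind == "O20":
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                         f"\\currentversion\\winlogon\\notify\\{e.name}]")
        elif e.kind == "O3":
            toolbars.append(e.clsid)
    if toolbars:
        lines.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]")
        lines.extend(f'"{c}"=-' for c in toolbars)
    return "\n".join(lines)

if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    for e in found:
        print(f"{'SUSPECT' if e.suspicious else 'ok':<7} {e.kind:<3} {e.name} -> {e.path}  {'; '.join(e.reasons)}")
    print(cfscript(found))
```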
  9. 2008/01/26
    Viper62

    Viper62 Inactive Thread Starter

    Joined:
    2007/12/05
    Messages:
    5
    Likes Received:
    0
    Ok here is all the information:

    ComboFix 08-01-20.1 - Carol 2008-01-27 19:29:27.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.258 [GMT -5:00]
    Running from: C:\Documents and Settings\Carol\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Carol\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- Unknown downloads made by BITS: ----
    http://download.simplestar.com

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
    .

    2008-01-22 12:17 . 2006-05-30 17:58 311,296 --a------ C:\WINDOWS\Walgreens PhotoShow.scr
    2008-01-22 12:13 . 2008-01-22 12:13 <DIR> d-------- C:\Program Files\Walgreens
    2008-01-19 18:36 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-28 00:32 2,363,424 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-28 00:20 28,532 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-25 23:34 --------- d-----w C:\Documents and Settings\Carol\Application Data\SpywareRemover
    2008-01-22 18:15 --------- d-----w C:\Documents and Settings\Carol\Application Data\Walgreens
    2008-01-22 18:02 --------- d-----w C:\Documents and Settings\Carol\Application Data\Road Runner
    2007-12-05 23:48 --------- d-----w C:\Program Files\Java
    2007-12-05 03:18 --------- d-----w C:\Program Files\CCleaner
    2007-12-05 03:16 --------- d-----w C:\Program Files\Yahoo!
    2007-12-05 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-12-04 03:04 --------- d-----w C:\Program Files\UltraVNC
    2007-12-04 02:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-12-04 01:40 --------- d-----w C:\Program Files\Registry Defender
    2007-12-04 01:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-12-04 01:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-12-04 01:03 --------- d-----w C:\Program Files\Lavasoft
    2007-12-04 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-04 01:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-01 16:32 --------- d-----w C:\Program Files\QuickTime
    2007-12-01 16:26 --------- d-----w C:\Program Files\PrintMaster Platinum 17
    2007-12-01 16:15 --------- d-----w C:\Documents and Settings\Joan\Application Data\SpywareRemover
    2007-12-01 16:03 --------- d-----w C:\Documents and Settings\Carol\Application Data\viewpoint
    2007-12-01 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\viewpoint
    2005-11-27 01:16 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-20_18.51.53.64 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-19 23:38:00 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-28 00:28:53 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-19 23:38:00 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-28 00:28:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-19 23:38:00 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-28 00:28:53 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-19 23:38:00 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-28 00:28:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-19 23:38:01 5,804,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-28 00:28:53 5,804,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-19 23:38:01 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-28 00:28:53 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-28 00:21:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_654.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7B3569-BFA1-4801-A526-BDA1757C2AF4}]
    C:\Program Files\MSN Gaming Zone\nipybaloC:\WINDOWS\system32\j2\ejup83122.exe.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE92434B-80E6-4D88-8A76-C77E5AF93C3B}]
    C:\WINDOWS\system32\mljjh.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-06-22 16:08 357616]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 01:35 237568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
    "SpywareRemover"="C:\Program Files\SpywareRemover\SpywareRemover.exe" [ ]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
    "WinVNC"="C:\Program Files\UltraVNC\winvnc.exe" [2006-06-18 14:56 712704]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Event Planner Reminders.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2003-03-12 10:14:10 184320]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyaww]
    byxyaww.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMWDInstallFilename]
    --a------ 2004-01-12 09:29 102400 C:\PROGRA~1\RRIM\AIMWDI~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2003-08-06 01:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-10-19 07:59 126976 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2005-10-19 07:59 155648 C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "Pml Driver HPZ12"=3 (0x3)
    "ITMRTSVC"=2 (0x2)
    "gusvc"=2 (0x2)
    "DSBrokerService"=3 (0x3)

    R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
    R3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 13:22]

    .
    Contents of the 'Scheduled Tasks' folder
    "2004-08-27 17:34:09 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065810803.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
    "2003-10-10 00:51:59 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
    - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
    "2008-01-27 23:06:16 C:\WINDOWS\Tasks\SpywareRemover Scheduled Scan.job"
    - C:\Program Files\SpywareRemover\SpywareRemover.ex
    - C:\Program Files\SpywareRemover
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-27 19:33:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-27 19:34:01
    ComboFix-quarantined-files.txt 2008-01-28 00:33:51
    ComboFix2.txt 2008-01-20 23:52:30
    .
    2008-01-10 00:29:56 --- E O F ---



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:46:53 PM, on 1/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
    C:\Program Files\Sierra\Planner\PLNRnote.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\UltraVNC\winvnc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Mozilla Firefox\FIREFOX.EXE
    C:\Downloads\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {CD7B3569-BFA1-4801-A526-BDA1757C2AF4} - C:\Program Files\MSN Gaming Zone\nipybaloC:\WINDOWS\system32\j2\ejup83122.exe.dll (file missing)
    O2 - BHO: (no name) - {DE92434B-80E6-4D88-8A76-C77E5AF93C3B} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
    O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.reciperewards.com/bundles/reciperewards.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195605572078
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: byxyaww - byxyaww.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

    --
    End of file - 7437 bytes
     
  10. 2008/01/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm........ it doesn't appear anything changed. Please delete the ComboFix.exe file you currently have and download an updated copy from here, then repeat the steps in my last post.
     