Scprot4.exe

beemanbone · December 20, 2007

I have very limited computer knowledge. I'm desperate. Any help would be greatly appreciated. This is my log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:21:43 PM, on 12/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ps2 .exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl .exe

C:\WINDOWS\system32\hkcmd .exe

C:\WINDOWS\system32\regsvr32.exe

C:\WINDOWS\system32\igfxtray .exe

C:\WINDOWS\System32\hphmon05 .exe

C:\Program Files\Common Files\Real\Update_OB\realsched .exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe

C:\Program Files\SecCenter\scprot4 .exe

C:\Program Files\Outerinfo\Outerinfo .exe

C:\WINDOWS\system32\ctfmon .exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

F3 - REG:win.ini: load=C:\WINDOWS\system32\mljjk.exe

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [nkzezsdw] rundll32.exe "C:\Program Files\yvqdgbir\qdsjihqj.dll",Init

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwek.dll,startup

O4 - HKLM\..\Run: [sC2] C:\Program Files\SecCenter\scprot4.exe

O4 - HKLM\..\Run: [pufylujg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pufylujg.dll"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe

O4 - Startup: PowerReg Scheduler V3 .exe

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab

O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174224923609

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/instal...edsolutions.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 10505 bytes

beemanbone · December 20, 2007

Here is this log:

SmitFraudFix v2.274

Scan done at 22:26:10.76, Wed 12/19/2007

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\ps2 .exe

C:\WINDOWS\system32\igfxtray .exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\hkcmd .exe

C:\WINDOWS\System32\hphmon05 .exe

C:\WINDOWS\system32\dla\tfswctrl .exe

C:\Program Files\Common Files\Real\Update_OB\realsched .exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe

C:\WINDOWS\system32\regsvr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SecCenter\scprot4 .exe

C:\Program Files\Outerinfo\Outerinfo .exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\drvwek.dll FOUND !

Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â»Â» C:\Documents and Settings\Owner\Application Data

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

Description: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.cool.gif - Packet Scheduler Miniport

DNS Server Search Order: 65.83.241.181

DNS Server Search Order: 67.32.118.46

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D8410A5-D152-4FC3-9560-8EEE56B5D748}: DhcpNameServer=65.83.241.181 67.32.118.46

HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D8410A5-D152-4FC3-9560-8EEE56B5D748}: DhcpNameServer=65.83.241.181 67.32.118.46

HKLM\SYSTEM\CS3\Services\Tcpip\..\{9D8410A5-D152-4FC3-9560-8EEE56B5D748}: DhcpNameServer=65.83.241.181 67.32.118.46

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.83.241.181 67.32.118.46

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.83.241.181 67.32.118.46

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=65.83.241.181 67.32.118.46

beemanbone · December 20, 2007

here's this log..

ComboFix 07-12-20.1 - Owner 2007-12-19 22:31:37.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.322 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z3YBV99Q\ComboFix[1].exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Application Data.\pufylujg.dll

C:\Documents and Settings\Owner\Application Data\inst.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo

C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk

C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk

C:\Program Files\Bcvibqdh

C:\Program Files\Bcvibqdh\ijiobdab.dll

C:\Program Files\outerinfo

C:\Program Files\outerinfo\FF\chrome.manifest

C:\Program Files\outerinfo\FF\components\FF.dll

C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt

C:\Program Files\outerinfo\FF\install.rdf

C:\Program Files\outerinfo\OinUninstall.exe

C:\Program Files\outerinfo\OiUninstaller.exe

C:\Program Files\outerinfo\Outerinfo .exe

C:\Program Files\outerinfo\Outerinfo.exe

C:\Program Files\outerinfo\outerinfo.ico

C:\Program Files\outerinfo\Terms.rtf

C:\Program Files\SecCenter

C:\Program Files\SecCenter\scprot4 .exe

C:\Program Files\SecCenter\scprot4.exe

C:\Program Files\yvqdgbir

C:\Program Files\yvqdgbir\qdsjihqj.dll

C:\WINDOWS\system32\drvwek.dll

C:\WINDOWS\system32\FTPx.dll

C:\WINDOWS\system32\kjjlm.ini

C:\WINDOWS\system32\kjjlm.ini2

C:\WINDOWS\system32\mljjk.dll

C:\WINDOWS\system32\njprckha

C:\WINDOWS\system32\njprckha\bg1.gif

C:\WINDOWS\system32\njprckha\bgtop.gif

C:\WINDOWS\system32\njprckha\bottom1.gif

C:\WINDOWS\system32\njprckha\essentials.gif

C:\WINDOWS\system32\njprckha\icon1.ico

C:\WINDOWS\system32\njprckha\install1.gif

C:\WINDOWS\system32\njprckha\left1.gif

C:\WINDOWS\system32\njprckha\li.gif

C:\WINDOWS\system32\njprckha\logo.gif

C:\WINDOWS\system32\njprckha\main.htm

C:\WINDOWS\system32\njprckha\mainframe.htm

C:\WINDOWS\system32\njprckha\njprckha1.exe

C:\WINDOWS\system32\njprckha\njprckha2.exe

C:\WINDOWS\system32\njprckha\njprckha3.exe

C:\WINDOWS\system32\njprckha\reinstall1.gif

C:\WINDOWS\system32\njprckha\right1.gif

C:\WINDOWS\system32\njprckha\s1.htm

C:\WINDOWS\system32\njprckha\s2.htm

C:\WINDOWS\system32\njprckha\s3.htm

C:\WINDOWS\system32\njprckha\SMTop1.gif

C:\WINDOWS\system32\njprckha\SMTop2.gif

C:\WINDOWS\system32\njprckha\SMTop3.gif

C:\WINDOWS\system32\njprckha\SMTop4.gif

C:\WINDOWS\system32\njprckha\soft1_off.gif

C:\WINDOWS\system32\njprckha\soft1_off_ext.gif

C:\WINDOWS\system32\njprckha\soft1_on.gif

C:\WINDOWS\system32\njprckha\soft1_on_ext.gif

C:\WINDOWS\system32\njprckha\soft2_off.gif

C:\WINDOWS\system32\njprckha\soft2_off_ext.gif

C:\WINDOWS\system32\njprckha\soft2_on.gif

C:\WINDOWS\system32\njprckha\soft2_on_ext.gif

C:\WINDOWS\system32\njprckha\soft3_off.gif

C:\WINDOWS\system32\njprckha\soft3_off_ext.gif

C:\WINDOWS\system32\njprckha\soft3_on.gif

C:\WINDOWS\system32\njprckha\soft3_on_ext.gif

C:\WINDOWS\system32\njprckha\softbottom_off.gif

C:\WINDOWS\system32\njprckha\softbottom_on.gif

C:\WINDOWS\system32\njprckha\softleft_off.gif

C:\WINDOWS\system32\njprckha\softleft_on.gif

C:\WINDOWS\system32\njprckha\top1.gif

C:\WINDOWS\system32\njprckha\top2.gif

C:\WINDOWS\system32\njprckha\turnoff1.gif

C:\WINDOWS\system32\njprckha\turnon1.gif

C:\WINDOWS\system32\winjks32.dll

.

((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))

.

2007-12-19 22:26 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2007-12-19 22:26 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-12-19 22:26 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2007-12-19 22:26 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-12-19 22:26 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-12-19 22:26 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-12-19 16:13 . 2007-12-19 16:13 <DIR> d-------- C:\Program Files\Lavasoft

2007-12-19 16:13 . 2007-12-19 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-12-19 16:12 . 2007-12-19 16:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-19 15:53 . 2007-12-19 15:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert

2007-12-19 15:41 . 2007-12-19 15:41 335,360 --a------ C:\WINDOWS\system32\RCX47.tmp

2007-12-19 15:20 . 2007-12-19 15:20 <DIR> d-------- C:\Program Files\Trend Micro

2007-12-19 14:58 . 2007-12-19 22:48 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

2007-12-19 14:57 . 2007-12-19 22:46 483,328 --a------ C:\WINDOWS\system32\hphmon05 .exe

2007-12-19 14:57 . 2007-12-19 14:57 335,360 --a------ C:\WINDOWS\system32\RCX44.tmp

2007-12-19 14:57 . 2007-12-19 22:46 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe

2007-12-19 14:57 . 2007-12-19 22:46 118,784 --a------ C:\WINDOWS\system32\hkcmd .exe

2007-12-19 14:57 . 2007-12-19 22:46 81,920 --a------ C:\WINDOWS\system32\ps2 .exe

2007-12-19 13:58 . 2007-12-19 13:58 335,360 --a------ C:\WINDOWS\system32\mljjk.exe

2007-12-19 13:49 . 2007-12-19 13:49 39,936 --a------ C:\WINDOWS\system32\rqronno.dll

2007-12-01 08:07 . 2007-12-01 08:09 1,123,481,056 --a------ C:\Pushing Daisies.mpg

2007-11-27 07:48 . 2002-08-29 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-20 04:48 --------- d-----w C:\Program Files\QuickTime

2007-12-20 04:47 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe

2007-12-20 04:46 331,776 ----a-w C:\WINDOWS\system32\mljjk.dll

2007-12-20 04:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-12-19 21:41 825,344 ----a-w C:\WINDOWS\system32\hphmon05.exe

2007-12-19 21:41 492,032 ----a-w C:\WINDOWS\system32\igfxtray.exe

2007-12-19 21:41 455,168 ----a-w C:\WINDOWS\system32\hkcmd.exe

2007-12-19 21:41 418,304 ----a-w C:\WINDOWS\system32\ps2.exe

2007-12-19 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-12-16 17:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso

2007-11-26 01:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer

2007-11-16 13:33 --------- d-----w C:\Program Files\Norton Internet Security

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-10 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-27 17:21 --------- d-----w C:\Program Files\WinTV

2007-10-27 13:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ulead Systems

2007-10-27 13:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems

2007-10-27 13:27 --------- d-----w C:\Program Files\Common Files\Ulead Systems

2007-10-27 13:23 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-10-27 13:23 --------- d-----w C:\Program Files\Ulead Systems

2007-10-27 12:50 --------- d-----w C:\Program Files\nanoPEG for WinTV

2007-10-27 12:49 --------- d-----w C:\Program Files\Common Files\IviSDK

2007-10-26 19:51 --------- d-----w C:\Program Files\Ericsson

2007-10-26 19:49 --------- d-----w C:\Program Files\BitTorrent

2007-09-01 12:55 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys

2004-08-04 01:16 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48A09CF5-2FC9-4867-9697-A954294A6909}]

2007-12-19 22:46 331776 --a------ C:\WINDOWS\system32\mljjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]

2007-12-19 13:49 39936 --a------ C:\WINDOWS\system32\rqronno.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RecordNow!"="" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2007-12-19 22:47]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-19 22:47]

"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2007-12-19 22:47]

"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2007-12-19 22:47]

"PS2"="C:\WINDOWS\system32\ps2.exe" [2007-12-19 22:47]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 19:22]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 22:48]

"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2007-12-19 22:48]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 22:48]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-12-19 22:48]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 01:04]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-19 22:48]

"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-19 22:48]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2007-12-19 22:48]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32]

"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 06:00]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 21:31]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-02 17:36]

"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= C:\WINDOWS\system32\rqronno.dll [2007-12-19 13:49 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronno]

rqronno.dll 2007-12-19 13:49 39936 C:\WINDOWS\system32\rqronno.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=C:\WINDOWS\system32\mljjk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljjk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2007-12-19 22:48 422400 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]

2004-08-16 16:45 45056 --a------ C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]

2004-09-22 13:08 987136 --a------ C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

2003-08-21 05:23 49152 --a------ c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-07 18:04 52736 --a------ c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2005-06-24 14:16 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2003-02-11 21:02 61440 --a------ C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2005-05-28 21:48 155648 --------- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]

2005-04-02 22:08 98304 --a------ C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2006-11-09 15:07 49263 --a------ C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]

2003-03-31 19:28 155648 --a------ C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Viewpoint Manager Service"=2 (0x2)

"StarWindService"=2 (0x2)

"Pml Driver HPZ12"=3 (0x3)

"ose"=3 (0x3)

"MDM"=2 (0x2)

"LiveUpdate"=3 (0x3)

"iPodService"=3 (0x3)

"IDriverT"=3 (0x3)

"comHost"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Automatic LiveUpdate Scheduler"=2 (0x2)

"Adobe LM Service"=3 (0x3)

R2 CdaD10BA;CdaD10BA;C:\WINDOWS\system32\drivers\CdaD10BA.SYS [2006-11-01 21:24]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2004-09-02 21:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f31d8fe-21d6-11d9-928a-000c76ff2271}]

\Shell\AutoRun\command - H:\setupSNK.exe

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-12-19 21:53:35 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"

- C:\Program Files\AdwareAlert\AdwareAlert.ex

- C:\Program Files\AdwareAlert

"2007-12-06 23:50:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job"

- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16

"2007-12-15 02:01:35 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"

- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-19 22:46:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\rqronno.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]

-> C:\WINDOWS\system32\rqronno.dll

-> C:\WINDOWS\system32\mljjk.dll

.

Completion time: 2007-12-19 22:52:56 - machine was rebooted

.

2007-12-19 14:52:07 --- E O F ---

sarahw · December 20, 2007

Hi,

Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instuctions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.

sarahw · December 20, 2007

Hi,

Your computer is very infected.

Please uninstall:

Outerinfo

Morpheus Toolbar

AdwareAlert

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\SMINST\HPCD.sys
C:\WINDOWS\system32\rqronno.dll
C:\WINDOWS\system32\RCX47.tmp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48A09CF5-2FC9-4867-9697-A954294A6909}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronno]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

Let me know of any problems you have.

Edited December 20, 2007 by sarahw

beemanbone · December 20, 2007

Thank you for your response. I am currently away from my computer, but I will do it as soon as I get home in 3 hours. Talk to you soon.

sarahw · December 20, 2007

Sure.

beemanbone · December 20, 2007

Ok here is a new log...

ComboFix 07-12-20.1 - Owner 2007-12-20 7:31:11.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.333 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

FILE

C:\WINDOWS\SMINST\HPCD.sys

C:\WINDOWS\system32\mljjk.dll

C:\WINDOWS\system32\RCX47.tmp

C:\WINDOWS\system32\rqronno.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\SMINST\HPCD.sys

C:\WINDOWS\system32\kjjlm.ini

C:\WINDOWS\system32\kjjlm.ini2

C:\WINDOWS\system32\mljjk.dll

C:\WINDOWS\system32\RCX47.tmp

C:\WINDOWS\system32\rqronno.dll

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))

.

2007-12-20 07:14 . 2007-12-20 07:14 335,360 --a------ C:\WINDOWS\system32\RCX48.tmp

2007-12-19 22:47 . 2007-12-19 22:47 352,256 --a------ C:\WINDOWS\system32\ctfmon.exe.tmp

2007-12-19 22:47 . 2004-08-03 23:56 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe

2007-12-19 22:47 . 2004-08-03 23:56 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe