.tt3.tmp.vbs virus removal - assistance needed

Advertise at AfterDawn.com

Link to us!

Private messages

Compose a private message

List of all updated threads

Threads without replies

Search messages

Thursday 6.3.2025 / 08:06

Search AfterDawn Forums:

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > .tt3.tmp.vbs virus removal - assistance needed - please help

Browse by topic

Forums

Start a new thread

.tt3.tmp.vbs virus removal - assistance needed - please help

Jump to:

Posted

Message

Page:	1	2	Next >

laynegray

Newbie

24. August 2008 @ 17:31

Link to this message

Hello All-

If anyone can assist me with removing this virus, it would be greatly appreciated. I seem to have the same symptoms as described in this post.

I've copied the basic info from the post here:
It seems i picked up a virus on my PC. AVG alerted me to a trojen and then dealt with it, or so i thought. Now it seems i have lost some of my display properties and screen saver etc. I have run 2 full AVG scan and it says i'm clean, but when i reboot i get the file missing warning .tt3.tmp.vbs My custom wallpaper is missing and it seems they have loaded a screen saver which looks like a fatal error blue screen which appears to be re-booting my PC, but its not, because if i hit the ESC it goes and i get a desktop again.

I've followed the instructions from this post:
(1.) Please download ATF Cleaner by Atribune & save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.

? Under Main "Select Files to Delete" choose: Select All.
? Click the Empty Selected button.

? If you use Firefox browser click Firefox at the top and choose: Select All
? Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

? If you use Opera browser click Opera at the top and choose: Select All
? Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

? Click Exit on the Main menu to close the program.

I use both IE and FireFox. I ran ATF-Cleaner for each.

(2.) Please download Malwarebytes' Anti-Malware to your desktop.

? Double-click mbam-setup.exe and follow the prompts to install the program.
? At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
? If an update is found, it will download and install the latest version.
? Once the program has loaded, select Perform full scan, then click Scan.
? When the scan is complete, click OK, then Show Results to view the results.
? Be sure that everything is checked, and click Remove Selected.
? When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
? Please post contents of that file in your next reply.

I did this. See log below:

Here's my log:
Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 3

2:44:22 PM 8/24/2008
mbam-log-08-24-2008 (14-44-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 172575
Time elapsed: 1 hour(s), 35 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\blphcrw6j0e151.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcrw6j0e151 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-4156857669-923499974-4265891711-1003\Dc4.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000017.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcrw6j0e151.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\lphcrw6j0e151.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\phcrw6j0e151.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\.tt15.tmp (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\.ttF.tmp (Trojan.Downloader) -> Delete on reboot.

Here is my ComboFix Log:

ComboFix 08-08-23.01 - Owner 2008-08-24 11:54:14.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-24 11:45 . 2008-08-24 11:45 61,440 --a------ C:\WINDOWS\system32\drivers\nsgrtj.sys
2008-08-24 11:32 . 2008-08-24 11:32 90,112 --a------ C:\WINDOWS\system32\ajcjsxst.exe
2008-08-24 11:13 . 2008-08-24 11:13 90,112 --a------ C:\WINDOWS\system32\ylmnuvwb.exe
2008-08-24 09:33 . 2008-08-24 09:33 195,584 --a------ C:\WINDOWS\system32\tydwjodg.exe
2008-08-24 09:33 . 2008-08-24 09:33 90,112 --a------ C:\WINDOWS\system32\bgvkdcfo.exe
2008-08-24 08:33 . 2008-08-24 08:33 195,584 --a------ C:\WINDOWS\system32\twzunozg.exe
2008-08-24 08:33 . 2008-08-24 08:33 94,208 --a------ C:\WINDOWS\system32\fcpwvkne.exe
2008-08-24 08:03 . 2008-08-24 08:03 94,208 --a------ C:\WINDOWS\system32\delsrmzy.exe
2008-08-23 21:51 . 2008-08-23 21:51 195,584 --a------ C:\WINDOWS\system32\snodsfwd.exe
2008-08-23 21:51 . 2008-08-23 21:51 86,016 --a------ C:\WINDOWS\system32\gvupcnot.exe
2008-08-23 13:43 . 2008-08-23 13:43 98,304 --a------ C:\WINDOWS\system32\fwxszwvk.exe
2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 13:21 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 13:21 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-21 06:55 . 2008-08-21 06:55 <DIR> d-------- C:\Program Files\vnhzchd
2008-08-21 06:54 . 2008-08-21 06:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yfavwpwb
2008-08-21 06:54 . 2008-08-21 06:54 81,920 --a------ C:\WINDOWS\system32\klqdedqh.exe
2008-08-14 20:44 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 20:40 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-04 09:42 . 2008-08-04 09:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-02 09:02 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-02 09:01 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-08-02 09:01 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-08-02 09:00 . 2008-04-13 19:12 291,328 --------- C:\WINDOWS\system32\qagentrt.dll
2008-08-02 09:00 . 2008-04-13 19:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-08-02 09:00 . 2008-04-13 19:12 150,528 --------- C:\WINDOWS\system32\qagent.dll
2008-08-02 09:00 . 2008-04-13 19:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-08-02 09:00 . 2008-04-13 19:12 76,800 --------- C:\WINDOWS\system32\qutil.dll
2008-08-02 09:00 . 2008-04-13 19:12 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
2008-08-02 09:00 . 2008-04-13 19:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
2008-08-02 09:00 . 2008-04-13 19:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-08-02 09:00 . 2008-04-13 13:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-08-02 08:59 . 2008-04-13 19:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-08-02 08:59 . 2008-04-13 19:12 193,024 --------- C:\WINDOWS\system32\napmontr.dll
2008-08-02 08:59 . 2008-04-13 19:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
2008-08-02 08:59 . 2008-04-13 19:12 155,136 --------- C:\WINDOWS\system32\mssha.dll
2008-08-02 08:59 . 2008-04-13 12:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-08-02 08:59 . 2008-04-13 13:14 76,800 --------- C:\WINDOWS\system32\msshavmsg.dll
2008-08-02 08:59 . 2008-04-13 19:12 30,208 --------- C:\WINDOWS\system32\napipsec.dll
2008-08-02 08:57 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-07-28 16:11 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 13:32 --------- d-----w C:\Program Files\Quicken
2008-08-04 17:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-04 14:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-07-28 21:12 --------- d-----w C:\Program Files\Google
2008-07-28 21:11 --------- d-----w C:\Program Files\Java
2008-07-15 13:04 313,856 ----a-w C:\WINDOWS\system32\nsw25E.dll
2008-07-15 12:53 313,856 ----a-w C:\WINDOWS\system32\nsz341.dll
2008-07-15 12:26 313,856 ----a-w C:\WINDOWS\system32\nso43E.dll
2008-07-15 12:04 313,856 ----a-w C:\WINDOWS\system32\nsfD.dll
2008-07-15 11:34 313,856 ----a-w C:\WINDOWS\system32\nsj1A.dll
2008-07-15 11:21 313,856 ----a-w C:\WINDOWS\system32\nsb18.dll
2008-07-15 11:12 313,856 ----a-w C:\WINDOWS\system32\nsf676.dll
2008-07-12 15:57 --------- d-----w C:\Program Files\Computerbrains
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-04 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2004-10-09 01:17 56 --sha-w C:\WINDOWS\system32\4E131A8EE9.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54d1c7af-ee3e-0c79-e96e-87a1ec3ff4ce}]
2008-07-15 08:04 313856 --a------ C:\WINDOWS\system32\nsw25E.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"WebCfgInfo"="C:\WINDOWS\system32\klqdedqh.exe" [2008-08-21 06:54 81920]
"DbDscApl"="C:\WINDOWS\system32\fwxszwvk.exe" [2008-08-23 13:43 98304]
"SysHlpInfo"="C:\WINDOWS\system32\gvupcnot.exe" [2008-08-23 21:51 86016]
"aplmonsmart"="C:\WINDOWS\system32\delsrmzy.exe" [2008-08-24 08:03 94208]
"endsc"="C:\WINDOWS\system32\fcpwvkne.exe" [2008-08-24 08:33 94208]
"AppUiUtil"="C:\WINDOWS\system32\bgvkdcfo.exe" [2008-08-24 09:33 90112]
"WebAdm"="C:\WINDOWS\system32\ylmnuvwb.exe" [2008-08-24 11:13 90112]
"comgen"="C:\WINDOWS\system32\ajcjsxst.exe" [2008-08-24 11:32 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 06:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 06:15 483328]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-27 04:34 172032]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-09-15 03:52 393216]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-18 11:14 180269]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"EPSON Stylus Photo RX600"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE" [2003-09-09 15:00 99840]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-08-17 15:04 1195640]
"VTTimer"="VTTimer.exe" [2004-01-16 06:33 49152 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"hC25nNZALn"="C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe" [2008-08-21 06:54 57344]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-09-18 15:55:26 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 10:02:38 568176]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-01-30 08:30:18 200704]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 07:15:28 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinGenDsc"= {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll [2008-08-21 06:55 110592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2wSysTray]
--a------ 2004-09-15 03:52 393216 C:\Program Files\2Wire\2PortalMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
--a------ 2003-07-14 14:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 02:31 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 11:42 69632 c:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 17:19 129536 C:\Program Files\Yahoo!\browser\ybrwicon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3150:UDP"= 3150:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"3151:UDP"= 3151:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"3152:UDP"= 3152:UDP:Windows Media Format SDK (IEXPLORE.EXE)

R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 17:21]
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 21:20]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 21:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-16 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2008-04-13 19:12]

2008-08-24 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vtpphjho.Default User2\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 11:58:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
"ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
"ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-08-24 12:01:11
ComboFix-quarantined-files.txt 2008-08-24 17:00:54
ComboFix2.txt 2008-08-24 13:08:12

Pre-Run: 124,807,090,176 bytes free
Post-Run: 124,787,707,904 bytes free

218 --- E O F --- 2008-08-15 22:58:57

Here is my HiJackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:24:59 PM, on 8/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\klqdedqh.exe
C:\WINDOWS\system32\mnavclaz.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: dcads - {54d1c7af-ee3e-0c79-e96e-87a1ec3ff4ce} - C:\WINDOWS\system32\nsw25E.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [lphcrw6j0e151] C:\WINDOWS\system32\lphcrw6j0e151.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebCfgInfo] C:\WINDOWS\system32\klqdedqh.exe
O4 - HKCU\..\Run: [DbDscApl] C:\WINDOWS\system32\fwxszwvk.exe
O4 - HKCU\..\Run: [SysHlpInfo] C:\WINDOWS\system32\gvupcnot.exe
O4 - HKCU\..\Run: [aplmonsmart] C:\WINDOWS\system32\delsrmzy.exe
O4 - HKCU\..\Run: [endsc] C:\WINDOWS\system32\fcpwvkne.exe
O4 - HKCU\..\Run: [AppUiUtil] C:\WINDOWS\system32\bgvkdcfo.exe
O4 - HKCU\..\Run: [WebAdm] C:\WINDOWS\system32\ylmnuvwb.exe
O4 - HKCU\..\Run: [comgen] C:\WINDOWS\system32\ajcjsxst.exe
O4 - HKCU\..\Run: [ChkWebCmd] C:\WINDOWS\system32\efybqvkz.exe
O4 - HKCU\..\Run: [DbSet] C:\WINDOWS\system32\pgdctkfw.exe
O4 - HKCU\..\Run: [SmartDscProc] C:\WINDOWS\system32\ylydypmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [hC25nNZALn] C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1173294070000
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O21 - SSODL: WinGenDsc - {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe

--
End of file - 10074 bytes


		User name	Password

		Not registered yet? Register here. Lost your password? Click here.