Thread ID: 72723 2006-09-24 00:03:00 Microsoft Update wont install wooda2 (4837) Press F1
Post ID Timestamp Content User
486935 2006-09-29 23:00:00 Hi....here is the combofix log and the hijack log

Mark Robinsons - Sat 30/09/2006 9:43:50.68 Service Pack 4
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Mark Robinsons\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-30 to 2006-09-30 ))))))))))))))))))))))))))))))))))


2006-09-10 17:41 40,973 ---hs---- C:\WINNT\system32\qomjjjk.dll
2006-09-09 22:54 40,973 ---hs---- C:\WINNT\system32\tuvwxya.dll
2006-09-09 20:43 40,973 ---hs---- C:\WINNT\system32\tuvwxus.dll
2006-09-09 20:29 40,973 ---hs---- C:\WINNT\system32\pmnolkj.dll
2006-09-09 20:21 40,973 ---hs---- C:\WINNT\system32\cbxwvvw.dll
2006-09-09 19:53 40,973 ---hs---- C:\WINNT\system32\fccdbcd.dll
2006-09-09 19:13 208,896 --a------ C:\WINNT\system32\lame_enc.dll
2006-09-09 18:06 40,973 ---hs---- C:\WINNT\system32\yayaxvv.dll
2006-09-09 17:51 113 --a------ C:\WINNT\system32\xmlpr0v32a.dll
2006-09-09 16:52 40,973 ---hs---- C:\WINNT\system32\yayawww.dll
2006-09-06 10:14 40,973 ---hs---- C:\WINNT\system32\byxwwuv.dll
2006-09-04 10:52 40,973 ---hs---- C:\WINNT\system32\ssqrqnn.dll
2006-09-03 20:42 40,973 ---hs---- C:\WINNT\system32\urqonnm.dll
2006-09-03 19:24 40,973 ---hs---- C:\WINNT\system32\rqrqopm.dll
2006-09-03 18:44 40,973 ---hs---- C:\WINNT\system32\tuvtsro.dll
2006-09-03 17:42 40,973 ---hs---- C:\WINNT\system32\pmnnlkk.dll
2006-09-03 17:10 40,973 ---hs---- C:\WINNT\system32\vtuspon.dll
2006-09-03 15:21 40,973 ---hs---- C:\WINNT\system32\cbxwusr.dll
2006-09-03 12:39 40,973 ---hs---- C:\WINNT\system32\xxyvuut.dll
2006-09-02 17:30 40,973 ---hs---- C:\WINNT\system32\qomnkii.dll
2006-09-02 15:43 40,973 ---hs---- C:\WINNT\system32\ljjhfgd.dll
2006-09-02 15:08 40,973 ---hs---- C:\WINNT\system32\opnkhed.dll
2006-09-02 08:43 40,973 ---hs---- C:\WINNT\system32\vtuvspn.dll
2006-09-01 20:36 40,973 ---hs---- C:\WINNT\system32\opnoopq.dll
2006-09-01 19:26 40,973 ---hs---- C:\WINNT\system32\ssqollk.dll
2006-09-01 17:36 40,973 ---hs---- C:\WINNT\system32\fccbxyx.dll
2006-09-01 16:15 40,973 ---hs---- C:\WINNT\system32\mljihgd.dll
2006-09-01 14:15 40,973 ---hs---- C:\WINNT\system32\hggffef.dll
2006-09-01 07:11 40,973 ---hs---- C:\WINNT\system32\rqrropp.dll
2006-08-31 19:44 40,973 ---hs---- C:\WINNT\system32\efcbxwu.dll
2006-08-31 19:16 40,973 ---hs---- C:\WINNT\system32\opnnnml.dll
2006-08-31 18:52 40,973 ---hs---- C:\WINNT\system32\iifgeed.dll
2006-08-31 18:40 40,973 ---hs---- C:\WINNT\system32\iifcayy.dll
2006-08-31 18:30 40,973 ---hs---- C:\WINNT\system32\khffdda.dll
2006-08-31 17:25 40,973 ---hs---- C:\WINNT\system32\qomjjgh.dll
2006-08-31 07:44 40,973 ---hs---- C:\WINNT\system32\awttuvv.dll
2006-08-31 07:29 40,973 ---hs---- C:\WINNT\system32\hgghfge.dll
2006-08-30 21:00 40,973 ---hs---- C:\WINNT\system32\cbxyayw.dll
2006-08-30 18:06 40,973 ---hs---- C:\WINNT\system32\xxyxvww.dll
2006-08-30 01:27 40,973 ---hs---- C:\WINNT\system32\mljkjgf.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-30 09:39 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\MailWasher
2006-09-29 18:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-29 18:46 -------- d-------- C:\Program Files\HijackThis
2006-09-29 18:10 -------- d-------- C:\Program Files\Change Folder Icon
2006-09-29 18:09 -------- d-------- C:\Program Files\ImageIconConverter
2006-09-29 16:36 909143 ---hs---- C:\WINNT\system32\xbeeg.bak2
2006-09-29 10:33 2680 --a------ C:\WINNT\AUTOLNCH.REG
2006-09-29 09:52 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\U3
2006-09-26 21:25 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-24 10:40 -------- d-------- C:\Program Files\Opera
2006-09-19 21:45 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-09-17 18:28 -------- d-------- C:\Program Files\LimeWire
2006-09-17 15:01 55016 --a------ C:\Documents and Settings\Mark Robinsons\Application Data\GDIPFONTCACHEV1.DAT
2006-09-10 17:41 175361 --a------ C:\pro3_install.exe
2006-09-10 12:10 -------- d-------- C:\Program Files\IncrediMail
2006-09-09 19:10 -------- d-------- C:\Program Files\GoldWave
2006-09-09 17:21 -------- d-------- C:\Program Files\eMule
2006-09-04 21:39 89600 -r-hs---- C:\WINNT\wdfmgr.exe
2006-08-30 00:27 -------- d-------- C:\Program Files\GetRight
2006-08-29 22:47 40973 ---hs---- C:\WINNT\system32\khfffdd.dll
2006-08-29 21:46 40973 ---hs---- C:\WINNT\system32\ssqnopm.dll
2006-08-29 20:35 -------- d-------- C:\Program Files\CCleaner
2006-08-29 20:20 40973 ---hs---- C:\WINNT\system32\hggdcax.dll
2006-08-29 20:07 40973 ---hs---- C:\WINNT\system32\urqroli.dll
2006-08-29 19:47 40973 ---hs---- C:\WINNT\system32\yayvvuu.dll
2006-08-29 18:27 40973 ---hs---- C:\WINNT\system32\nnnmmmk.dll
2006-08-29 17:48 40973 ---hs---- C:\WINNT\system32\wvusqrs.dll
2006-08-29 07:51 40973 ---hs---- C:\WINNT\system32\khfcaxu.dll
2006-08-28 21:29 40973 ---hs---- C:\WINNT\system32\ljjgdcb.dll
2006-08-28 21:02 40973 ---hs---- C:\WINNT\system32\qomjhgd.dll
2006-08-28 17:22 -------- d-------- C:\Program Files\Digitalmax
2006-08-27 18:59 40973 ---hs---- C:\WINNT\system32\pmnkjgg.dll
2006-08-27 17:59 40973 ---hs---- C:\WINNT\system32\pmnmnll.dll
2006-08-27 17:48 40973 ---hs---- C:\WINNT\system32\iifgdcy.dll
2006-08-27 15:16 40973 ---hs---- C:\WINNT\system32\qomkjgd.dll
2006-08-27 10:55 40973 ---hs---- C:\WINNT\system32\ssqrsqp.dll
2006-08-27 10:01 40973 ---hs---- C:\WINNT\system32\awttqol.dll
2006-08-27 09:42 40973 ---hs---- C:\WINNT\system32\rqrqqpo.dll
2006-08-27 08:44 40973 ---hs---- C:\WINNT\system32\fccddax.dll
2006-08-26 10:56 -------- d-------- C:\Program Files\Alcohol Soft
2006-08-26 10:37 40973 ---hs---- C:\WINNT\system32\qomjiji.dll
2006-08-25 12:14 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-08-25 12:14 -------- d-------- C:\Program Files\Windows Defender
2006-08-25 11:56 40973 ---hs---- C:\WINNT\system32\yayawxy.dll
2006-08-25 11:53 -------- d-------- C:\Program Files\NoAdware4
2006-08-25 11:48 40973 ---hs---- C:\WINNT\system32\gebyxyv.dll
2006-08-23 19:11 -------- d-a------ C:\Program Files\iolo
2006-08-23 18:55 40973 ---hs---- C:\WINNT\system32\nnnkhff.dll
2006-08-23 09:49 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-23 09:49 -------- d-------- C:\Program Files\Google
2006-08-23 09:49 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\Google
2006-08-22 20:42 40973 ---hs---- C:\WINNT\system32\gebxuts.dll
2006-08-22 20:23 40973 ---hs---- C:\WINNT\system32\opnliii.dll
2006-08-22 15:35 40973 ---hs---- C:\WINNT\system32\cbxuust.dll
2006-08-22 14:25 622436 ---hs---- C:\WINNT\system32\xbeeg.bak1
2006-08-22 14:25 573492 ---hs---- C:\WINNT\system32\geebx.dll
2006-08-22 14:25 13844 --a------ C:\WINNT\system32\sogaplkd.exe
2006-08-22 13:56 573492 ---hs---- C:\WINNT\system32\ddabc.dll
2006-08-22 13:31 40973 ---hs---- C:\WINNT\system32\qomnool.dll
2006-08-22 13:31 -------- d-------- C:\Program Files\Zone Labs
2006-08-22 13:13 32226 --a------ C:\WINNT\system32\webhitsd.dll
2006-08-22 12:45 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\Sun
2006-08-20 21:28 -------- d-------- C:\Program Files\Picasa2
2006-08-20 19:16 -------- d---s---- C:\Documents and Settings\Mark Robinsons\Application Data\Microsoft
2006-08-14 20:55 -------- d-------- C:\Program Files\FavOrg
2006-08-13 20:41 -------- d-------- C:\Program Files\DVDFab Decrypter
2006-08-13 19:43 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-13 19:43 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-08-13 19:43 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\CyberLink
2006-08-13 19:33 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\Mozilla
2006-08-13 19:30 -------- d-------- C:\Program Files\MailWasher
2006-08-13 19:17 -------- d-------- C:\Program Files\Microsoft Money
2006-08-13 19:13 -------- d-a------ C:\Program Files\Common Files
2006-08-13 19:13 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-08-13 18:46 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\Ahead
2006-08-13 17:41 -------- d-------- C:\Program Files\DVD Shrink
2006-08-11 23:23 -------- d-------- C:\Program Files\CyberLink
2006-08-11 23:21 -------- d-------- C:\Program Files\Ahead
2006-08-11 23:19 -------- d-------- C:\Program Files\Common Files\Nero
2006-08-11 23:18 -------- d-------- C:\Program Files\Windows Media Player
2006-08-11 23:17 -------- d-------- C:\Program Files\Common Files\Ahead
2006-08-10 22:36 -------- d-------- C:\Program Files\Java
2006-08-10 22:34 -------- d-------- C:\Program Files\Common Files\Java
2006-08-10 22:34 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-10 22:26 -------- d-------- C:\Program Files\Microsoft Office
2006-08-10 22:22 -------- d-------- C:\Program Files\GStat Pro 4.0
2006-08-06 16:51 -------- d-------- C:\Program Files\Trillian
2006-08-06 16:50 -------- d-------- C:\Program Files\Canon
2006-08-06 16:49 -------- d-------- C:\Program Files\a2 free
2006-08-06 16:27 -------- d-------- C:\Program Files\WinZip
2006-07-30 14:56 -------- d-------- C:\Documents and Settings\Mark Robinsons\Application Data\Creative
2006-07-25 17:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
2006-07-22 03:08 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-06 23:45 96528 --a------ C:\WINNT\system32\dnsrslvr.dll
2006-07-06 11:52 613648 --a------ C:\WINNT\system32\mmc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"SiS KHooker"="C:\\WINNT\\System32\\khooker.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"SSS5"="\"C:\\Program Files\\Steganos Security Suite 5\\steganos5.exe\" /booting"
"SSS5SAFE"="\"C:\\Program Files\\Steganos Security Suite 5\\safe.exe\" /booting"
"SSS5SPM"="\"C:\\Program Files\\Steganos Security Suite 5\\spm.exe\" /booting"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"CDRAutoRun"=dword:00000000
"NoStartBanner"=hex:00,00,00,00
"NoRecentDocsMenu"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuust
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrqnn

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\MP Scheduled Scan.job

Completion time: Sat 2006-09-30 9:44:16.10
ComboFix.txt

I don't seem to be able to save a log from hijack this so hopefully the previous one will do
wooda2 (4837)
486936 2006-09-30 02:18:00 Ok. You have a lot of nasty rubbish to dispose of....

Please download The Avenger (swandog46.geekstogo.com) to your Desktop and unzip it.

Copy all the text contained in the code box below (including the words "files to delete") by highlighting it and right clicking and selecting "Copy"




Files to delete:
C:\WINNT\system32\qomjjjk.dll
C:\WINNT\system32\tuvwxya.dll
C:\WINNT\system32\tuvwxus.dll
C:\WINNT\system32\pmnolkj.dll
C:\WINNT\system32\fccdbcd.dll
C:\WINNT\system32\lame_enc.dll
C:\WINNT\system32\yayaxvv.dll
C:\WINNT\system32\xmlpr0v32a.dll
C:\WINNT\system32\yayawww.dll
C:\WINNT\system32\byxwwuv.dll
C:\WINNT\system32\ssqrqnn.dll
C:\WINNT\system32\urqonnm.dll
C:\WINNT\system32\rqrqopm.dll
C:\WINNT\system32\tuvtsro.dll
C:\WINNT\system32\pmnnlkk.dll
C:\WINNT\system32\vtuspon.dll
C:\WINNT\system32\cbxwusr.dll
C:\WINNT\system32\xxyvuut.dll
C:\WINNT\system32\qomnkii.dll
C:\WINNT\system32\ljjhfgd.dll
C:\WINNT\system32\opnkhed.dll
C:\WINNT\system32\vtuvspn.dll
C:\WINNT\system32\opnoopq.dll
C:\WINNT\system32\ssqollk.dll
C:\WINNT\system32\fccbxyx.dll
C:\WINNT\system32\mljihgd.dll
C:\WINNT\system32\hggffef.dll
C:\WINNT\system32\rqrropp.dll
C:\WINNT\system32\efcbxwu.dll
C:\WINNT\system32\xbeeg.bak2
C:\WINNT\system32\khfffdd.dll
C:\WINNT\system32\ssqnopm.dll
C:\WINNT\system32\hggdcax.dll
C:\WINNT\system32\urqroli.dll
C:\WINNT\system32\yayvvuu.dll
C:\WINNT\system32\nnnmmmk.dll
C:\WINNT\system32\wvusqrs.dll
C:\WINNT\system32\khfcaxu.dll
C:\WINNT\system32\ljjgdcb.dll
C:\WINNT\system32\qomjhgd.dll
C:\WINNT\system32\pmnkjgg.dll
C:\WINNT\system32\pmnmnll.dll
C:\WINNT\system32\iifgdcy.dll
C:\WINNT\system32\qomkjgd.dll
C:\WINNT\system32\ssqrsqp.dll
C:\WINNT\system32\awttqol.dll
C:\WINNT\system32\rqrqqpo.dll
C:\WINNT\system32\fccddax.dll
C:\WINNT\system32\opnnnml.dll
C:\WINNT\system32\iifgeed.dll
C:\WINNT\system32\iifcayy.dll
C:\WINNT\system32\khffdda.dll
C:\WINNT\system32\qomjjgh.dll
C:\WINNT\system32\awttuvv.dll
C:\WINNT\system32\hgghfge.dll
C:\WINNT\system32\cbxyayw.dll
C:\WINNT\system32\xxyxvww.dll
C:\WINNT\system32\mljkjgf.dll
C:\WINNT\system32\qomjiji.dll
C:\WINNT\system32\yayawxy.dll
C:\WINNT\system32\gebyxyv.dll
C:\WINNT\system32\nnnkhff.dll
C:\WINNT\system32\gebxuts.dll
C:\WINNT\system32\opnliii.dll
C:\WINNT\system32\cbxuust.dll
C:\WINNT\system32\xbeeg.bak1
C:\WINNT\system32\geebx.dll
C:\WINNT\system32\sogaplkd.exe
C:\WINNT\system32\ddabc.dll
C:\WINNT\system32\qomnool.dll
C:\WINNT\system32\webhitsd.dll
C:\WINNT\system32\mmcndmgr.dll




Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (If the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt and a new Hijack This log.
Pancake (6359)
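An added triage sketch, not part of the original thread and not ComboFix's or The Avenger's own logic: it parses ComboFix-style listing lines like those in the first post and groups hidden+system files by folder, size and extension, since a run of same-size `---hs----` DLLs with random names is the pattern that stands out in that log. The sample lines are copied from the log above; the function names and the `min_count` threshold of 3 are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Listing lines copied from the ComboFix log in this thread. The log writes
# sizes both as "40,973" and "40973", and uses dashes as the size of a folder.
SAMPLE = r"""
2006-09-10 17:41 40,973 ---hs---- C:\WINNT\system32\qomjjjk.dll
2006-09-09 22:54 40,973 ---hs---- C:\WINNT\system32\tuvwxya.dll
2006-09-09 19:13 208,896 --a------ C:\WINNT\system32\lame_enc.dll
2006-09-09 17:51 113 --a------ C:\WINNT\system32\xmlpr0v32a.dll
2006-09-29 18:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-29 16:36 909143 ---hs---- C:\WINNT\system32\xbeeg.bak2
2006-09-04 21:39 89600 -r-hs---- C:\WINNT\wdfmgr.exe
2006-08-29 22:47 40973 ---hs---- C:\WINNT\system32\khfffdd.dll
2006-08-22 14:25 573492 ---hs---- C:\WINNT\system32\geebx.dll
2006-08-22 13:56 573492 ---hs---- C:\WINNT\system32\ddabc.dll
2006-07-25 17:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
"""

# date, time, size (digits with optional commas, or dashes), 9 attribute flags, path
LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def parse_listing(text):
    """Return (size, attrs, path) for every file line; folders are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["attrs"].startswith("d") or m["size"].startswith("-"):
            continue
        size = int(m["size"].replace(",", ""))
        entries.append((size, m["attrs"], m["path"]))
    return entries


def find_clusters(entries, min_count=3):
    """Group hidden+system files by (folder, size, extension).

    Returns only the groups with at least min_count members. ntpath is used
    so Windows paths are split correctly on any platform.
    """
    groups = defaultdict(list)
    for size, attrs, path in entries:
        if "h" in attrs and "s" in attrs:
            folder = ntpath.dirname(path).lower()
            ext = ntpath.splitext(path)[1].lower()
            groups[(folder, size, ext)].append(ntpath.basename(path))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


if __name__ == "__main__":
    for (folder, size, ext), names in find_clusters(parse_listing(SAMPLE)).items():
        print(f"{len(names)} hidden+system {ext} files of {size} bytes in {folder}:")
        for name in names:
            print("   ", name)
```

A cluster is a lead for review, not a deletion list; each file still needs to be checked before it goes into a removal script.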
486937 2006-10-01 08:19:00 Hi... the hijack log

Logfile of HijackThis v1.99.1
Scan saved at 21:12:17, on 1/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLEE401.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\khooker.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Hijakthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {17BAA3BE-BAE6-4324-A34A-D7E5B48991A2} - C:\WINNT\system32\geebx.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\cbxuust.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\nwjuamxx.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://E:\SuperCD\IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2C61C59-22D1-42DD-AA20-573CF4910CC4}: NameServer = 203.96.152.4,203.96.152.12
O20 - Winlogon Notify: cbxuust - cbxuust.dll (file missing)
O20 - Winlogon Notify: geebx - C:\WINNT\system32\geebx.dll (file missing)
O20 - Winlogon Notify: ssqrqnn - ssqrqnn.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - C:\WINNT\system32\SLEE401.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Language Service (Windows Language Service) - Unknown owner - C:\WINNT\alg.exe (file missing)

and the avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cxplyaen

*******************

Script file located at: \??\C:\Program Files\jxuidkxr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\qomjjjk.dll deleted successfully.
File C:\WINNT\system32\tuvwxya.dll deleted successfully.
File C:\WINNT\system32\tuvwxus.dll deleted successfully.
File C:\WINNT\system32\pmnolkj.dll deleted successfully.
File C:\WINNT\system32\fccdbcd.dll deleted successfully.
File C:\WINNT\system32\lame_enc.dll deleted successfully.
File C:\WINNT\system32\yayaxvv.dll deleted successfully.
File C:\WINNT\system32\xmlpr0v32a.dll deleted successfully.
File C:\WINNT\system32\yayawww.dll deleted successfully.
File C:\WINNT\system32\byxwwuv.dll deleted successfully.
File C:\WINNT\system32\ssqrqnn.dll deleted successfully.
File C:\WINNT\system32\urqonnm.dll deleted successfully.
File C:\WINNT\system32\rqrqopm.dll deleted successfully.
File C:\WINNT\system32\tuvtsro.dll deleted successfully.
File C:\WINNT\system32\pmnnlkk.dll deleted successfully.
File C:\WINNT\system32\vtuspon.dll deleted successfully.
File C:\WINNT\system32\cbxwusr.dll deleted successfully.
File C:\WINNT\system32\xxyvuut.dll deleted successfully.
File C:\WINNT\system32\qomnkii.dll deleted successfully.
File C:\WINNT\system32\ljjhfgd.dll deleted successfully.
File C:\WINNT\system32\opnkhed.dll deleted successfully.
File C:\WINNT\system32\vtuvspn.dll deleted successfully.
File C:\WINNT\system32\opnoopq.dll deleted successfully.
File C:\WINNT\system32\ssqollk.dll deleted successfully.
File C:\WINNT\system32\fccbxyx.dll deleted successfully.
File C:\WINNT\system32\mljihgd.dll deleted successfully.
File C:\WINNT\system32\hggffef.dll deleted successfully.
File C:\WINNT\system32\rqrropp.dll deleted successfully.
File C:\WINNT\system32\efcbxwu.dll deleted successfully.
File C:\WINNT\system32\xbeeg.bak2 deleted successfully.
File C:\WINNT\system32\khfffdd.dll deleted successfully.
File C:\WINNT\system32\ssqnopm.dll deleted successfully.
File C:\WINNT\system32\hggdcax.dll deleted successfully.
File C:\WINNT\system32\urqroli.dll deleted successfully.
File C:\WINNT\system32\yayvvuu.dll deleted successfully.
File C:\WINNT\system32\nnnmmmk.dll deleted successfully.
File C:\WINNT\system32\wvusqrs.dll deleted successfully.
File C:\WINNT\system32\khfcaxu.dll deleted successfully.
File C:\WINNT\system32\ljjgdcb.dll deleted successfully.
File C:\WINNT\system32\qomjhgd.dll deleted successfully.
File C:\WINNT\system32\pmnkjgg.dll deleted successfully.
File C:\WINNT\system32\pmnmnll.dll deleted successfully.
File C:\WINNT\system32\iifgdcy.dll deleted successfully.
File C:\WINNT\system32\qomkjgd.dll deleted successfully.
File C:\WINNT\system32\ssqrsqp.dll deleted successfully.
File C:\WINNT\system32\awttqol.dll deleted successfully.
File C:\WINNT\system32\rqrqqpo.dll deleted successfully.
File C:\WINNT\system32\fccddax.dll deleted successfully.
File C:\WINNT\system32\opnnnml.dll deleted successfully.
File C:\WINNT\system32\iifgeed.dll deleted successfully.
File C:\WINNT\system32\iifcayy.dll deleted successfully.
File C:\WINNT\system32\khffdda.dll deleted successfully.
File C:\WINNT\system32\qomjjgh.dll deleted successfully.
File C:\WINNT\system32\awttuvv.dll deleted successfully.
File C:\WINNT\system32\hgghfge.dll deleted successfully.
File C:\WINNT\system32\cbxyayw.dll deleted successfully.
File C:\WINNT\system32\xxyxvww.dll deleted successfully.
File C:\WINNT\system32\mljkjgf.dll deleted successfully.
File C:\WINNT\system32\qomjiji.dll deleted successfully.
File C:\WINNT\system32\yayawxy.dll deleted successfully.
File C:\WINNT\system32\gebyxyv.dll deleted successfully.
File C:\WINNT\system32\nnnkhff.dll deleted successfully.
File C:\WINNT\system32\gebxuts.dll deleted successfully.
File C:\WINNT\system32\opnliii.dll deleted successfully.
File C:\WINNT\system32\cbxuust.dll deleted successfully.
File C:\WINNT\system32\xbeeg.bak1 deleted successfully.
File C:\WINNT\system32\geebx.dll deleted successfully.
File C:\WINNT\system32\sogaplkd.exe deleted successfully.
File C:\WINNT\system32\ddabc.dll deleted successfully.
File C:\WINNT\system32\qomnool.dll deleted successfully.
File C:\WINNT\system32\webhitsd.dll deleted successfully.
File C:\WINNT\system32\mmcndmgr.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Thanks
wooda2 (4837)
486938 2006-10-01 08:29:00 It looks a bit better.

Run HijackThis again, tick these entries and tick Fix checked

O2 - BHO: (no name) - {17BAA3BE-BAE6-4324-A34A-D7E5B48991A2} - C:\WINNT\system32\geebx.dll (file missing)

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\cbxuust.dll (file missing)

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O20 - Winlogon Notify: cbxuust - cbxuust.dll (file missing)

O20 - Winlogon Notify: geebx - C:\WINNT\system32\geebx.dll (file missing)

Close browser/s first, then reboot. Then see if you get on the Windows Update site. Or if you can update.
Speedy Gonzales (78)
486939 2006-10-01 08:49:00 Hi Speedy......updates d/load but don't install

This is the latest hj log

Logfile of HijackThis v1.99.1
Scan saved at 21:40:46, on 1/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLEE401.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\khooker.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Hijakthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://E:\SuperCD\IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2C61C59-22D1-42DD-AA20-573CF4910CC4}: NameServer = 203.96.152.4,203.96.152.12
O20 - Winlogon Notify: ssqrqnn - ssqrqnn.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - C:\WINNT\system32\SLEE401.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Language Service (Windows Language Service) - Unknown owner - C:\WINNT\alg.exe (file missing)

Many thanks
wooda2 (4837)
486940 2006-10-01 08:52:00 Just talked to a mate who's got 2k, and this doesn't belong in Windows 2k either.

O23 - Service: Microsoft Language Service (Windows Language Service) - Unknown owner - C:\WINNT\alg.exe (file missing)

Tick this entry and tick Fix checked (as before) and close browser/s.

Then reboot, then try updating again. What error is it giving you when you try and update?

Any?

I see you've got TweakUI. It's not a setting in this somewhere you've unticked, is it?
Speedy Gonzales (78)
486941 2006-10-01 09:22:00 This can come out of the log as well...........

O20 - Winlogon Notify: ssqrqnn - ssqrqnn.dll (file missing)

Also kill this service...

Go to Start > Run and type

cmd

and OK. Type the below commands and hit "Enter" after each line

sc stop "Windows Language Service"
sc delete "Windows Language Service"

Type Exit to close.
Pancake (6359)
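An added post-cleanup check, not part of the original thread and not a HijackThis feature: it lists every HijackThis entry marked "(file missing)" and says whether the cleanup log shows that file being deleted, which separates autostart entries orphaned by the cleanup from ones that were already dangling. The sample lines are copied from the logs above; the function names are assumptions, and matching is by file name only because the O20 lines carry no folder.

```python
import ntpath
import re

# Lines copied from the HijackThis and Avenger logs posted in this thread.
HIJACKTHIS = r"""
O2 - BHO: (no name) - {17BAA3BE-BAE6-4324-A34A-D7E5B48991A2} - C:\WINNT\system32\geebx.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\nwjuamxx.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: cbxuust - cbxuust.dll (file missing)
O20 - Winlogon Notify: ssqrqnn - ssqrqnn.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Language Service (Windows Language Service) - Unknown owner - C:\WINNT\alg.exe (file missing)
"""
AVENGER = r"""
File C:\WINNT\system32\ssqrqnn.dll deleted successfully.
File C:\WINNT\system32\cbxuust.dll deleted successfully.
File C:\WINNT\system32\geebx.dll deleted successfully.
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
DELETED = re.compile(r"^File (?P<path>.+) deleted successfully\.$")
MISSING = " (file missing)"


def deleted_names(avenger_log):
    """Lower-cased file names that the cleanup log reports as deleted."""
    names = set()
    for line in avenger_log.splitlines():
        m = DELETED.match(line.strip())
        if m:
            names.add(ntpath.basename(m["path"]).lower())
    return names


def orphaned_entries(hjt_log, avenger_log):
    """Return (section, target, explained) for each '(file missing)' entry.

    explained is True when the cleanup log shows a file of that name being
    deleted, False when the entry was dangling for some other reason.
    """
    removed = deleted_names(avenger_log)
    result = []
    for line in hjt_log.splitlines():
        m = ENTRY.match(line.strip())
        if not m or not m["body"].endswith(MISSING):
            continue
        # The target is the last " - " separated field, minus the marker.
        target = m["body"][: -len(MISSING)].rsplit(" - ", 1)[-1]
        explained = ntpath.basename(target).lower() in removed
        result.append((m["section"], target, explained))
    return result


if __name__ == "__main__":
    for section, target, explained in orphaned_entries(HIJACKTHIS, AVENGER):
        note = "removed by cleanup" if explained else "not in cleanup log"
        print(f"{section:<4} {target:<32} {note}")
```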
486942 2006-10-01 09:38:00 sc stop Windows Language Service

do I type it in like this?
it says no such batch file exists or something like that
wooda2 (4837)
486943 2006-10-01 10:01:00 Yes. Copy and paste each line as is and hit Enter after each one.
Pancake (6359)
486944 2006-10-01 23:39:00 When I type in this command I get

c:\docs and settings\.......>sc stop Windows Language Service
'sc' is not recognised as an internal or external command,operable program or batch file.

The command window c:\winnt\system32\cmd.exe is a black background. I can't cut, paste etc. in it
wooda2 (4837)