Re: [HJT Log] Slowdown + Can't go on websites in Security Cleanup http://www.dslreports.com/forum/r20329724 en Fri, 05 Dec 2008 03:15:26 EDT Fri, 05 Dec 2008 03:15:26 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20349889 bcastner : Remember to let one (remember -- only one active AV software program installed) of your antivirus programs do a complete scan of your system. You can let it run overnight.

I think we are done now.

Best wishes,
Bill Castner
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20349889 Thu, 17 Apr 2008 18:56:34 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20349756 halfHAVOC : YES IT worked i got rundll32 from my other PC and it works fine now.

THANKS SOOOOOOOOOOOOOOO MUCH
YOURE THE MANN!]]> http://www.dslreports.com/forum/remark,20349756 Thu, 17 Apr 2008 18:32:43 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20347858 bcastner : If you ran "IEFix" and did the SFC /Scannow option included with the utility, then it would have properly replaced the Windows file "rundll32.exe". As long as you have missing core Windows files, you are going to have issues. Since you have another computer, if it is the same version of the operating system, same service pack level, copy this file and replace the missing file on your system in the appropriate directory shown in your error message.

If you have not done IEFix, please do so, making sure the option box for using SFC is checked.

Open HijackThis, checkmark these entries, and have HijackThis "fix" them. All have been removed previously, and TeaTimer has been restoring them each time:

O2 - BHO: (no name) - {2589247d-e63b-4401-abd8-8f1a8f07a446} - (no file)
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - (no file)
O2 - BHO: (no name) - {584E01C2-E9A9-4FB7-A78E-6BEDDE5C2C58} - (no file)
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - (no file)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - (no file)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - (no file)
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - (no file)
O2 - BHO: (no name) - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [dmxvp.exe] C:\WINDOWS\system32\dmxvp.exe
O4 - HKLM\..\Run: [dmotx.exe] C:\WINDOWS\system32\dmotx.exe
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\rggodyor.dll",b
O4 - HKCU\..\Run: [Rusc] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Gzchx] "C:\Program Files\Common Files\??mantec\??xplore.exe"
O20 - Winlogon Notify: efcccaa - C:\WINDOWS\
O20 - Winlogon Notify: iifefEUl - C:\WINDOWS\
O20 - Winlogon Notify: opnklmk - C:\WINDOWS\
O20 - Winlogon Notify: rqrstqn - C:\WINDOWS\
O20 - Winlogon Notify: ssqrrpo - C:\WINDOWS\
O21 - SSODL: MvpPwwv - {D48E3712-7E24-9DB8-DFA3-50C4B3DD1E5B} - (no file)


Finally, please re-enable at least one of your antivirus programs. Open the program and then manually do an update to its definition files. Configure for as through a scan as the software allows. Then scan the system thoroughly.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20347858 Thu, 17 Apr 2008 07:25:11 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20346622 halfHAVOC : it says windows security alerts becuase it might just be that my virus programs (kaspersky and avast) are both disabled until i can fix this an uninstall one of them. but i think theres a thing where u can just choose "i have my own protection" or something of that nature, but i can't even open it up with that same dos crap. im gonna give the IEfix a try and smithfraud fix.

From 4/17/08
that doesn't show up in the scan

but after the mbam this is the error i get now when i try to right click properties or go to right click my computer prop, or add/remove programs provided in the screeshot.

heres a new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:45 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2589247d-e63b-4401-abd8-8f1a8f07a446} - (no file)
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - (no file)
O2 - BHO: (no name) - {584E01C2-E9A9-4FB7-A78E-6BEDDE5C2C58} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - (no file)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - (no file)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - (no file)
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - (no file)
O2 - BHO: (no name) - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dmxvp.exe] C:\WINDOWS\system32\dmxvp.exe
O4 - HKLM\..\Run: [dmotx.exe] C:\WINDOWS\system32\dmotx.exe
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\rggodyor.dll",b
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rusc] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Gzchx] "C:\Program Files\Common Files\??mantec\??xplore.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: efcccaa - C:\WINDOWS\
O20 - Winlogon Notify: iifefEUl - C:\WINDOWS\
O20 - Winlogon Notify: opnklmk - C:\WINDOWS\
O20 - Winlogon Notify: rqrstqn - C:\WINDOWS\
O20 - Winlogon Notify: ssqrrpo - C:\WINDOWS\
O21 - SSODL: MvpPwwv - {D48E3712-7E24-9DB8-DFA3-50C4B3DD1E5B} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6440 bytes]]> http://www.dslreports.com/forum/remark,20346622 Wed, 16 Apr 2008 22:32:41 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20346011 bcastner : Disable TeaTimer, it is not helping mattters.

1. Go here, download and run IEFix by MS-MVP Ramesh:
»www.mvps.org/sramesh2k/IEFIX.htm

2. Follow the site instruction as to how to run SmitFraudFix: »Security Cleanup FAQ »Zlob/Smitfraud Removal

3. Follow this with a run with MBAM again.

Are you sure the red shield is not from Windows Update? You also do not show a toolbar entry in any of your logs that matches the CLSIDs being shown by Teatimer. So whatever it is was not on your system previously.

4. Your error message is related to trying to install a protocol for IPX/SPX. Why did you enable this under your TCPIP properties page? Are you in a older Novell network?

5. Many of your complaints have no malware source -- and should be raised in Windows Help as a new Topic.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20346011 Wed, 16 Apr 2008 20:44:43 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20345646 halfHAVOC : igh but i still got that damn error with run dll that quick flash i can't go to add/remove programs and i can't access right clicking on my computer to properties.

oh by the way when i go to dl the new java it says i already have the latest version

im gonna try that malware and spyware program you just posted and see if that helps tho.

so as of right now i can't add/remove programs or set a system restore point. and i still have that little red shield bubble with the X through it in my tray bar.

igh heres the snapshot i took after a few tries of the split second dos pop up

ha look what happend when i used spybot resident/teatimer and turned it back on... btw this screen shot like theres multiple blocks and just keep flashing so i guess its constantly blocking stuff..
Click for full size
 
]]> http://www.dslreports.com/forum/remark,20345646 Wed, 16 Apr 2008 19:35:10 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20344667 bcastner : Your version of Sun Java is not the latest: 1.6.06 Head to the Sun web site and obtain the update.

Clean-up & Prevention:

• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)


• Open OTMOVEIT2 once again. Click the CleanuUp! button. It downloads a small script file. It then asks if you want to begin the cleanup. Answer Yes.

• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead an re-enable them if you wish.

Download and Install Windows Defender by Microsoft (free):

Download and install Comodo BOClean (free):

Download, install, and keep updated Spyware Blaster (free):

Download, install, and keep updated SpyBot S&D (free) if you have not yet done so:
Tutorial:

• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20344667 Wed, 16 Apr 2008 16:35:08 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20343925 halfHAVOC : the "Purity" didn't work. it says file/folder cannot be found or it just does it like in 1 second literally and says process complete but all it says in results is log created ____(though i dont see where it could be located?)

so i guess i should jus run mbam again.

edit: YES MY INTERNET IS WORKING AGAIN ON MY COMPTUER WAHOOOOOOO AND ITS GOING FAST!!!

i still can't get the combofix to work tho with the script but i did mbam again.

heres the results:

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 29092
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nkqtkmpa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\apmktqkn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.]]> http://www.dslreports.com/forum/remark,20343925 Wed, 16 Apr 2008 14:24:39 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20341175 bcastner : Please do not stop at any point.
Just keep going and do as much of the steps as you can.

When you finish, please reinstall the drivers for your Motorola USB Modem if you still use this to connect to the internet.

Post the missing reports back to the Forum.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20341175 Tue, 15 Apr 2008 23:40:20 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20340817 halfHAVOC : man i got up to the registry fix part, but same old problem with combofix.

damn. i feel hopeless right now.

(btw i really appreciate you taking your time to help me and having patience :) )

edit: lemme get the avenger log for you alright here it is, it may help i guess?

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Apr 15 22:17:17 2008

22:17:06: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Rusc"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
22:17:08: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Gzchx"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
22:17:10: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dmotx.exe"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
22:17:12: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{E3-37-71-11-DW}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
22:17:13: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|spa_start"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
22:17:14: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|g]eeV\mWhjlnspB"=-"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
»swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\kjjlm.tmp" deleted successfully.
File "C:\WINDOWS\system32\kjjlm.bak1" deleted successfully.
File "C:\WINDOWS\system32\kjjlm.bak2" deleted successfully.
File "C:\WINDOWS\system32\ogvfofdn.tmp" deleted successfully.
File "C:\WINDOWS\system32\geeba.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" not found!
Deletion of file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\scntokdn.exe" not found!
Deletion of file "C:\WINDOWS\system32\scntokdn.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" not found!
Deletion of file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\rwwnw64d.exe" not found!
Deletion of file "c:\windows\system32\rwwnw64d.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk" not found!
Deletion of file "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk" not found!
Deletion of file "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open file "C:\Program Files\?ymantec\j?vaw.exe"
Deletion of file "C:\Program Files\?ymantec\j?vaw.exe" failed!
Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
--> an object cannot have this name

Error: file "C:\WINDOWS\system32\qjjofwjh.dll" not found!
Deletion of file "C:\WINDOWS\system32\qjjofwjh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\pbvmnemA.exe" not found!
Deletion of file "C:\WINDOWS\pbvmnemA.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\vrcvjnpm.dll" deleted successfully.
File "C:\WINDOWS\system32\giupqxhj.dll" deleted successfully.
File "C:\WINDOWS\system32\jmtmlbgv.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe" not found!
Deletion of file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe" not found!
Deletion of file "C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\orxvmfos.dll" deleted successfully.
File "C:\WINDOWS\system32\ttcbnthi.dll" deleted successfully.
File "C:\WINDOWS\BMd7bd0422.xml" deleted successfully.
File "C:\WINDOWS\system32\wxoghvke.dll" deleted successfully.
File "C:\WINDOWS\system32\dvfskqyd.dll" deleted successfully.
File "C:\WINDOWS\system32\cmeujpiy.dll" deleted successfully.
File "C:\WINDOWS\system32\cbqoqefk.ini" deleted successfully.
File "C:\WINDOWS\system32\oqbmuvua.dll" deleted successfully.
File "C:\WINDOWS\system32\lafonvhy.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" not found!
Deletion of file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\cpukaqck.ini" deleted successfully.
File "C:\WINDOWS\system32\hgwbxirw.ini" deleted successfully.
File "C:\WINDOWS\system32\vjvkpctk.ini" deleted successfully.
File "C:\WINDOWS\system32\hhuoiwga.ini" deleted successfully.
File "C:\WINDOWS\system32\uggjpiei.ini" deleted successfully.
File "C:\WINDOWS\system32\qcbvelel.ini" deleted successfully.
File "C:\WINDOWS\system32\egjaiwsd.ini" deleted successfully.

Error: file "C:\WINDOWS\system32\geeba.dll" not found!
Deletion of file "C:\WINDOWS\system32\geeba.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\ZoneAlarmIconUS.ico" deleted successfully.
File "C:\WINDOWS\system32\hcvncvih.ini" deleted successfully.
File "C:\WINDOWS\system32\quiswxto.ini" deleted successfully.

Error: file "C:\WINDOWS\uninstall_nmon.vbs" not found!
Deletion of file "C:\WINDOWS\uninstall_nmon.vbs" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Program Files\Common Files\Yazzle1281OinAdmin.exe" not found!
Deletion of file "C:\Program Files\Common Files\Yazzle1281OinAdmin.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\Administrator\mqdmmdm.sys" deleted successfully.
File "C:\Documents and Settings\Administrator\mqdmmdfl.sys" deleted successfully.
File "C:\Documents and Settings\Administrator\mqdmserd.sys" deleted successfully.
File "C:\Documents and Settings\Administrator\mqdmbus.sys" deleted successfully.
File "C:\Documents and Settings\Administrator\mqdmcmnt.sys" deleted successfully.
File "C:\Documents and Settings\Administrator\mqdmwhnt.sys" deleted successfully.
File "C:\Documents and Settings\Administrator\mqdmcr.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\kjjlm.bak1" not found!
Deletion of file "C:\WINDOWS\system32\kjjlm.bak1" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\kjjlm.bak2" not found!
Deletion of file "C:\WINDOWS\system32\kjjlm.bak2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kjjlm.ini2" deleted successfully.
File "C:\WINDOWS\U2FtaXIgQWhtYWQ\oZIQurK0kq1Qsqk.vbs" deleted successfully.
File "C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe" deleted successfully.
File "C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe" deleted successfully.
File "C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe" deleted successfully.
File "C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe" not found!
Deletion of file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" not found!
Deletion of file "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\axV\retmwav3.exe" deleted successfully.
File "C:\WINDOWS\system32\bharebio01\bharebio011065.exe" deleted successfully.
File "C:\WINDOWS\system32\drivers\NSDriver.sys" deleted successfully.
File "C:\WINDOWS\system32\IDE2\mdllcom2.exe" deleted successfully.
File "C:\WINDOWS\system32\iFi\prodll384.exe" deleted successfully.
File "C:\WINDOWS\system32\pinz1\cegmgr76.exe" deleted successfully.
Folder "C:\WINDOWS\U2FtaXIgQWhtYWQ" deleted successfully.
Folder "C:\WINDOWS\system32\pinz1" deleted successfully.
Folder "C:\WINDOWS\system32\iFi" deleted successfully.
Folder "C:\WINDOWS\system32\IDE2" deleted successfully.
Folder "C:\WINDOWS\system32\ExTmp" deleted successfully.
Folder "C:\WINDOWS\system32\bharebio01" deleted successfully.
Folder "C:\WINDOWS\system32\axV" deleted successfully.
Folder "C:\Temp\wdlw14" deleted successfully.

Error: folder "C:\Documents and Settings\All Users\Application Data\Rabio" not found!
Deletion of folder "C:\Documents and Settings\All Users\Application Data\Rabio" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\WINDOWS\U2FtaXIgQWhtYWQ" not found!
Deletion of folder "C:\WINDOWS\U2FtaXIgQWhtYWQ" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\WINDOWS\system32\axV" not found!
Deletion of folder "C:\WINDOWS\system32\axV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\WINDOWS\system32\bharebio01" not found!
Deletion of folder "C:\WINDOWS\system32\bharebio01" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\WINDOWS\system32\pinz1" not found!
Deletion of folder "C:\WINDOWS\system32\pinz1" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\WINDOWS\system32\iFi" not found!
Deletion of folder "C:\WINDOWS\system32\iFi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\WINDOWS\system32\IDE2" not found!
Deletion of folder "C:\WINDOWS\system32\IDE2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E3BE2B4-9688-443D-BACD-DD267AA674AE}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E3BE2B4-9688-443D-BACD-DD267AA674AE}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27BED0D7-0938-4700-9060-A436B69EB7BC}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27BED0D7-0938-4700-9060-A436B69EB7BC}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C3831AF-F271-4DB6-BB2C-DCD46F9BF462}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C3831AF-F271-4DB6-BB2C-DCD46F9BF462}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A67DA44A-58A5-4161-B77D-848247B6748C}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A67DA44A-58A5-4161-B77D-848247B6748C}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9457564-1FAB-4C4C-818D-417BA5F56D9C}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9457564-1FAB-4C4C-818D-417BA5F56D9C}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBA5775-1351-4F21-881E-A4ADC9BEAB75}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBA5775-1351-4F21-881E-A4ADC9BEAB75}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed76bfd-a0ff-938f-507d-216c8ab86a74}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed76bfd-a0ff-938f-507d-216c8ab86a74}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcccaa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcccaa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefEUl" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefEUl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnklmk" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnklmk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrstqn" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrstqn" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrrpo" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrrpo" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bffeeuso" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbvmnemA" deleted successfully.

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dmxvp.exe"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dmxvp.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.]]> http://www.dslreports.com/forum/remark,20340817 Tue, 15 Apr 2008 22:29:24 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20340122 bcastner : Download The Avenger by Swandog46 from:

• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox by clicking where it says "Copy to clibpboard".

• In the avenger window, click the Paste Script from Clipboard icon, button.
Click the Execute button.
• You will be asked "Are you sure you want to execute the current script?" Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now? Click Yes.
• Your PC will now be rebooted.

• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at C:\avenger.txt.
• Please save this.

2. Using your mouse, left click once below where it says: "Copy to clipboard":

Open a new Notepad document. (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "RegistryFix.REG". Exit Notepad.

Double click your new file and agree to the registry merge when asked. You can then delete this new file.

3. Try Combofix again, with the same script as before.

4. Do the OTMOVEIT2 as instructed. If you would prefer to type the single word "Purity" you are welcome to do so. It is case sensitive.

5. Run MBAM again as instructed.

6. Run HijackThis again as instructed.

Return all the logs requested, as well as the contents of C:\Avenger.txt.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20340122 Tue, 15 Apr 2008 20:14:08 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20339760 halfHAVOC : it gives me that same error garbage when i try to put the script into combofix...some rundll32 dos pops up...arghh ( dont think its gonna work in safemode either because i tried to use add/remove in safemode and the same thing happened)!!
btw all the code says in that code box is purity.]]> http://www.dslreports.com/forum/remark,20339760 Tue, 15 Apr 2008 18:59:54 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20339591 bcastner : Do it last rather than first, then.
Please run the tasks requested and submit the log results.]]> http://www.dslreports.com/forum/remark,20339591 Tue, 15 Apr 2008 18:23:56 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20339498 halfHAVOC : so apparently i get some run dll dos pop up or something and quickly exits itself and it wont load add/remove programs nor can i find the uninstall icon for either of the two programs, is there any other shortcut or way to uninstall one of them?]]> http://www.dslreports.com/forum/remark,20339498 Tue, 15 Apr 2008 18:08:19 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20338651 bcastner : You now have Kaspersky Antivirus installed. You cannot have two, active, antivirus programs installed. Doing so makes you less, not more protected. Please uninstall either AVAST or Kaspersky. Reboot.

This is one of the most seriously compromised computers I have ever seen, and running or adding antivirus and antimalware programs at this point will effectively prevent this computer from ever becoming clean.

1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: {539d0426-5fb5-aa88-b654-46c17524fb1e} - {e1bf4257-1c64-456b-88aa-5bf56240d935} - C:\WINDOWS\system32\xcldfjbb.dll
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll (file missing)
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\nkqtkmpa.dll",b
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)

Click "Fix checked" and when the log panel clears exit HijackThis.

2. Click Start, click Run, and enter into the command box that opens the single word: CMD.
In the black box that opens, type carefully:

netsh int ip reset resetlog.txt
netsh winsock reset

After a moment, a notice should appear telling you that a restart of your computer is requred.
Reboot to the operating system fully loaded -- twice..

3. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

4. Please download to your Desktop OT_MOVEIT2:

Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


Return to OTMoveIt2, right click in the Left panel and choose Paste.

Click the red Moveit button.
This will not be quick. I am asking it to scan your entire Drive C twice.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

5. Open MBAM. Do an update of its defitinition files if possible. Run the scan again exactly as you did earlier.

6. Run HijackThis again, and save the log file.

Submit to the Forum:
• The contents of C:\Combofix.txt;
• The new MBAM log;
• The new HijackThis log.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20338651 Tue, 15 Apr 2008 15:30:49 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20336159 halfHAVOC : errr sorry about this double post but i needed to seperate the last hjt log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:22 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: {539d0426-5fb5-aa88-b654-46c17524fb1e} - {e1bf4257-1c64-456b-88aa-5bf56240d935} - C:\WINDOWS\system32\xcldfjbb.dll
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll (file missing)
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\nkqtkmpa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6450 bytes

oddly the Q2's show up now.]]> http://www.dslreports.com/forum/remark,20336159 Tue, 15 Apr 2008 06:55:41 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20334039 halfHAVOC : ok weird. i have like 3 combofix logs from before, so i dont know where the latest one is from yesterday....im pretty sure it saved? but ill post this i guess unless it posted the date wrong idk.

combofix: idk it might be from before i posted cuz i can't find the latest one, where is it located?
ComboFix 08-04-12.7 - Administrator 2008-04-13 17:33:53.7 - NTFSx86
Running from: C:\Documents and Settings\Administrator\desktop\cf.exe
Command switches used :: /killall

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\MANTEC~1
C:\Documents and Settings\Administrator\My Documents\MANTEC~1\??mantec\
C:\Documents and Settings\Administrator\My Documents\MANTEC~1\msiexec.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mantec~1\??xplore.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\awucbnde.dll
C:\WINDOWS\system32\bqgpbbrf.ini
C:\WINDOWS\system32\eobxrmdf.dll
C:\WINDOWS\system32\frbbpgqb.dll
C:\WINDOWS\system32\geBtSIBs.dll
C:\WINDOWS\system32\gynokvko.dll
C:\WINDOWS\system32\hglshnkk.dll
C:\WINDOWS\system32\hkuvonkf.dll
C:\WINDOWS\system32\ibflwwyk.dll
C:\WINDOWS\system32\ieqstsip.dll
C:\WINDOWS\system32\iifefEUl.dll
C:\WINDOWS\system32\kywwlfbi.ini
C:\WINDOWS\system32\llogagvo.ini
C:\WINDOWS\system32\lsqxslns.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\ovgagoll.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqRIaaXr.dll
C:\WINDOWS\system32\wjhpojwc.dll
C:\WINDOWS\system32\wli.dll
C:\WINDOWS\system32\wuenfygh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-13 17:28 . 2008-04-13 17:28 3,648 --a------ C:\WINDOWS\system32\vrcvjnpm.dll
2008-04-13 17:26 . 2008-04-13 17:26 3,648 --a------ C:\WINDOWS\system32\giupqxhj.dll
2008-04-13 13:37 . 2008-04-13 13:37 3,648 --a------ C:\WINDOWS\system32\jmtmlbgv.dll
2008-04-13 13:23 . 2008-04-13 13:23 d--hs---- C:\WINDOWS\U2FtaXIgQWhtYWQ
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\pinz1
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\iFi
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\IDE2
2008-04-13 13:23 . 2008-04-13 17:15 d-------- C:\WINDOWS\system32\ExTmp
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\bharebio01
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\axV
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\Temp\wdlw14
2008-04-13 13:23 . 2008-04-13 13:23 63,839 --a------ C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe
2008-04-13 13:23 . 2008-04-13 13:23 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-13 10:48 . 2008-04-13 10:48 d-------- C:\Program Files\Lavasoft
2008-04-13 10:29 . 2008-04-13 10:29 3,648 --a------ C:\WINDOWS\system32\orxvmfos.dll
2008-04-13 09:55 . 2008-04-13 09:55 3,648 --a------ C:\WINDOWS\system32\ttcbnthi.dll
2008-04-13 00:15 . 2008-04-13 00:15 3,648 --a------ C:\WINDOWS\system32\rlllduoj.dll
2008-04-11 20:26 . 2008-04-13 12:04 101,110 --a------ C:\WINDOWS\BMd7bd0422.xml
2008-04-11 20:26 . 2008-04-11 20:26 3,648 --a------ C:\WINDOWS\system32\wxoghvke.dll
2008-04-11 19:45 . 2008-04-11 19:45 3,648 --a------ C:\WINDOWS\system32\dvfskqyd.dll
2008-04-10 18:53 . 2008-03-29 13:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-10 18:53 . 2008-03-29 13:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-10 11:13 . 2008-04-10 11:13 3,648 --a------ C:\WINDOWS\system32\cmeujpiy.dll
2008-04-09 11:18 . 2008-04-09 16:13 878 --ahs---- C:\WINDOWS\system32\cbqoqefk.ini
2008-04-09 11:12 . 2008-04-09 11:12 3,648 --a------ C:\WINDOWS\system32\oqbmuvua.dll
2008-04-08 11:08 . 2008-04-08 11:08 3,648 --a------ C:\WINDOWS\system32\lafonvhy.dll
2008-04-05 14:56 . 2008-04-05 14:56 d-------- C:\Program Files\ATI Technologies
2008-04-04 14:55 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-04 07:35 . 2008-04-04 07:35 329,728 --a------ C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
2008-04-01 14:26 . 2008-04-01 14:27 1,597,294 --ahs---- C:\WINDOWS\system32\cpukaqck.ini
2008-03-31 09:04 . 2008-03-31 22:30 1,597,234 --ahs---- C:\WINDOWS\system32\hgwbxirw.ini
2008-03-30 09:01 . 2008-03-30 09:21 1,583,982 --ahs---- C:\WINDOWS\system32\vjvkpctk.ini
2008-03-29 13:21 . 2008-03-30 08:58 1,583,757 --ahs---- C:\WINDOWS\system32\hhuoiwga.ini
2008-03-28 13:25 . 2008-03-28 13:25 1,583,959 --ahs---- C:\WINDOWS\system32\uggjpiei.ini
2008-03-28 12:10 . 2008-03-28 12:51 1,584,259 --ahs---- C:\WINDOWS\system32\qcbvelel.ini
2008-03-27 12:07 . 2008-03-28 12:07 1,584,079 --ahs---- C:\WINDOWS\system32\egjaiwsd.ini
2008-03-16 10:27 . 2008-03-16 10:27 315,472 --a------ C:\WINDOWS\system32\geeba.dll
2008-03-16 00:23 . 2008-03-16 00:23 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-15 18:56 . 2008-03-15 18:57 1,366,923 --ahs---- C:\WINDOWS\system32\hcvncvih.ini
2008-03-14 23:34 . 2008-03-14 23:34 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-14 18:57 . 2008-03-14 18:57 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-14 18:55 . 2008-03-15 18:55 1,366,863 --ahs---- C:\WINDOWS\system32\quiswxto.ini
2008-03-14 18:44 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-03-13 18:30 . 2008-03-29 13:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-13 18:30 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-13 18:30 . 2008-03-29 13:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-13 18:30 . 2008-03-29 13:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-13 18:30 . 2008-01-17 11:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-13 18:30 . 2008-03-29 13:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-13 18:30 . 2008-03-29 13:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-13 18:30 . 2008-03-29 13:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-13 18:29 . 2008-03-13 18:29 d-------- C:\Documents and Settings\All Users\Application Data\Avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:51 1,201,184 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-13 22:44 699,044 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-13 22:44 56,039,456 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 22:44 113,636 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-13 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-13 15:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 19:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 19:55 --------- d-----w C:\Program Files\Java
2008-03-13 23:29 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-13 23:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-13 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-02 18:16 --------- d-----w C:\Program Files\The KMPlayer
2008-02-27 03:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-02-25 23:32 --------- d-----w C:\Program Files\ffdshow
2008-02-25 03:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-02-25 03:03 --------- d-----w C:\Program Files\SopCast
2008-02-25 02:54 --------- d-----w C:\Program Files\NBA Live Player
2008-02-24 22:15 --------- d-----w C:\Program Files\Winamp
2008-02-14 18:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-15 21:52 140,800 --sha-w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2007-08-11 02:24 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-08-11 02:24 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-08-11 02:24 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-08-11 02:24 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-08-11 02:24 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-08-11 02:24 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-08-11 02:24 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-08-11 02:24 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-08-11 02:24 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2007-07-24 14:21 6,471 --sha-w C:\WINDOWS\system32\kjjlm.bak1
2007-07-24 14:36 1,807,725 --sha-w C:\WINDOWS\system32\kjjlm.bak2
2007-07-24 21:37 1,846,866 --sha-w C:\WINDOWS\system32\kjjlm.ini2
2005-07-29 21:24 472 --sha-r C:\WINDOWS\U2FtaXIgQWhtYWQ\oZIQurK0kq1Qsqk.vbs
.

((((((((((((((((((((((((((((( snapshot_2008-04-13_ 9.46.01.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 14:39:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-13 22:51:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-13 15:49:43 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-04-13 15:49:43 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-04-13 15:49:43 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-04-13 15:49:43 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-04-13 18:23:33 63,839 ----a-w C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe
+ 2008-04-04 12:35:02 329,728 ----a-w C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
+ 2008-04-09 15:35:36 8,278 ----a-w C:\WINDOWS\system32\axV\retmwav3.exe
+ 2008-04-02 12:32:16 32,768 ----a-w C:\WINDOWS\system32\bharebio01\bharebio011065.exe
+ 2007-07-11 19:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 18:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 18:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-04-04 21:31:58 126,976 ----a-w C:\WINDOWS\system32\IDE2\mdllcom2.exe
+ 2008-04-11 22:34:16 400,987 ----a-w C:\WINDOWS\system32\iFi\prodll384.exe
+ 2007-12-14 17:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2008-02-14 14:42:16 49,152 ----a-w C:\WINDOWS\system32\pinz1\cegmgr76.exe
+ 2008-04-13 22:51:26 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_674.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E3BE2B4-9688-443D-BACD-DD267AA674AE}]
2008-03-16 10:27 315472 --a------ C:\WINDOWS\system32\geeba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27BED0D7-0938-4700-9060-A436B69EB7BC}]
C:\Program Files\Common Files\horev4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C3831AF-F271-4DB6-BB2C-DCD46F9BF462}]
C:\Program Files\MSN\comeqoc89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A67DA44A-58A5-4161-B77D-848247B6748C}]
C:\Program Files\Common Files\horev7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9457564-1FAB-4C4C-818D-417BA5F56D9C}]
C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBA5775-1351-4F21-881E-A4ADC9BEAB75}]
C:\Program Files\Common Files\horev83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed76bfd-a0ff-938f-507d-216c8ab86a74}]
2008-04-04 07:35 329728 --a------ C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 07:00 15360]
"Rusc"="C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" [ ]
"Gzchx"="C:\Program Files\Common Files\??mantec\??xplore.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-07-07 05:09 954368]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 08:33 892928]
"dmxvp.exe"="C:\WINDOWS\system32\dmxvp.exe" [ ]
"dmotx.exe"="C:\WINDOWS\system32\dmotx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"{E3-37-71-11-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-13 17:52 49173]
"spa_start"="C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" [2008-04-04 07:35 329728]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\scntokdn.exe" [2008-04-13 17:53 196674]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\scntokdn.exe [2008-04-13 17:53:11 196674]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-13 17:52:58 49173]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcccaa]
efcccaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefEUl]
iifefEUl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnklmk]
opnklmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrstqn]
rqrstqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrrpo]
ssqrrpo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geeba.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bffeeuso]
C:\Program Files\?ymantec\j?vaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
C:\WINDOWS\system32\qjjofwjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbvmnemA]
C:\WINDOWS\pbvmnemA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.0\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
"zBrowser Launcher"=C:\Program Files\Logitech\iTouch\iTouch.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"nwiz"=nwiz.exe /install
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2002-12-31 07:00]
S2 ATIBTCAP;ATI TV Wonder Video Capture;C:\WINDOWS\system32\drivers\atibtcap.sys [2002-11-05 00:00]
S2 ATIBTXBAR;ATI TV Wonder Video Crossbar;C:\WINDOWS\system32\drivers\atibtxbr.sys [2002-11-05 00:00]
S2 ATIVTUTW;ATI TV Wonder TV Tuner;C:\WINDOWS\system32\drivers\ativtutw.sys [2002-11-05 00:00]
S2 ATIVXSTW;ATI TV Wonder Audio Crossbar;C:\WINDOWS\system32\drivers\ativxstw.sys [2002-11-05 00:00]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS\system32\UnlockerDriver4.sys [2005-04-24 04:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-10 03:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-13 17:51:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\scntokdn.exe 196674 bytes executable
C:\WINDOWS\system32\winpfz33.sys 936 bytes
C:\WINDOWS\system32\msnav32.ax 148 bytes
C:\WINDOWS\system32\rwwnw64d.exe 49173 bytes executable
C:\WINDOWS\system32\g46.exe 400547 bytes executable
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\scntokdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-13 17:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 22:58:03
ComboFix2.txt 2008-04-13 15:21:30
ComboFix3.txt 2008-04-13 14:46:44
ComboFix4.txt 2008-04-12 03:35:17
ComboFix5.txt 2008-04-12 01:08:10
Pre-Run: 49,116,758,016 bytes free
Post-Run: 49,101,164,544 bytes free

---------------------
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:06 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" DllInit
O4 - HKLM\..\Run: [BMd7bd0422] Rundll32.exe "C:\WINDOWS\system32\mtyicqmn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5356 bytes
-------------------
sdfix

SDFix: Version 1.170
Run by Administrator on Sun 04/13/2008 at 11:02 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting

Checking Files :

Trojan Files Found:

C:\PROGRA~1\COMPLU~1\LADUPAJ - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\system32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted

Removing Temp Files

ADS Check :


Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-13 23:11:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 31 Dec 2002 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 31 Dec 2002 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 24 Jul 2007 1,845,858 A.SH. --- "C:\WINDOWS\system32\kjjlm.tmp"
Tue 24 Jul 2007 6,471 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak1"
Tue 24 Jul 2007 1,807,725 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak2"
Fri 9 Nov 2007 923,066 A.SH. --- "C:\WINDOWS\system32\ogvfofdn.tmp"
Wed 28 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Nov 2004 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL0001.tmp"
Sat 25 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL0005.tmp"
Sat 25 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL2653.tmp"
Thu 16 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sun 1 Sep 2002 45,056 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\Desktop\minibrowser_v1.0.dll"
Sun 10 Apr 2005 22,528 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\My Documents\Farhan's Documents\~WRL1675.tmp"
Thu 7 Apr 2005 21,504 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\My Documents\school\English\Research Paper\~WRL0291.tmp"

Finished!

----
wareout:
Username "Administrator" - 04/14/2008 14:24:06 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3E5BEC1F-998E-4766-A5ED-5CB6CFEF3B26}
"DhcpNameServer"="85.255.113.114,85.255.112.8" Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D8951C65-92EC-4161-9459-B755EB19927C}
"DhcpNameServer"="85.255.113.114,85.255.112.8" Value cleared.

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FCF0F8737177-CBCB-56F4-4256-0D409B28{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A81021EEEA11-B2AA-0584-EF34-AA942AD1{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "elfmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FDE62E469FBB-A1AB-5D44-A456-6E9D93DE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}11576FF2B5C3-3FDB-2734-E2BD-4F584BE8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}71BDEC5CBBF9-7EE8-F6D4-F690-0F38C327{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C17FA5D49981-A7F9-4974-34E8-4BDDF0EE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}461231CCCB50-2968-7954-02BB-035410ED{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "djxmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}996423FA06AA-11AA-2EC4-DD37-8FAA33CB{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EAAADD02793F-E6AA-43B4-0DEE-2D67489B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "fpcmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8CBA0B891534-8AC8-A814-E12F-FA0FED00{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EBC911BEBB5A-09DB-1BD4-5530-490DCDCF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3F1E1AA224F1-2308-3864-B546-23D505B2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0E0D4AD0CD77-059A-A084-4269-E0A2A644{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "pvxmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ugcmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xtomd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ztvmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "zfimd" Deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmfle.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmcpf.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmcgu.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmvtz.exe" Value deleted
....
~~~~~ Misc files.
C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe Deleted
C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Athan"="C:\\Program Files\\Athan\\Athan.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"spa_start"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\{12fdb189-6534-5715-5717-a9c2868b4931}.dll\" DllInit"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

should i send mbam to my computer and try using it now or what?i really need my computer back up and running like tommrow or so, please if you can work with me to figure this out as quickly as possible, i will appreciate it moreeee than ever.
edit: im going to go now use mbam and then post the log.

/////////////////////////////////
MBAM ADDED

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 29306
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geeba.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\nkqtkmpa.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58448347-2553-452e-8e97-e8e4b5120e01} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{58448347-2553-452e-8e97-e8e4b5120e01} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMd7bd0422 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geeba.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geeba.dll -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\geeba.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\abeeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abeeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nkqtkmpa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\apmktqkn.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rggodyor.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roydoggr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rundll32.exe (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mtyicqmn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iefpmod.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qshl.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ierql.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehrdata.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ielog.dll (Malware.Trace) -> Quarantined and deleted successfully.]]> http://www.dslreports.com/forum/remark,20334039 Mon, 14 Apr 2008 19:30:30 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20333983 halfHAVOC : i didn't get to mbam yet

but lemme go do the rest the logs]]> http://www.dslreports.com/forum/remark,20333983 Mon, 14 Apr 2008 19:20:13 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20333421 bcastner : If you completed the scan asked, please submit the logs requested: from FixWareout, Combofix, and MBAM, as well as a new HijackThis.]]> http://www.dslreports.com/forum/remark,20333421 Mon, 14 Apr 2008 17:36:24 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20332430 halfHAVOC : hm well i sent it through my network on a shared folder(couln't find floppy/pin) and it worked

but

my internet is still not working. also that red security balloon in the tray area is still there.

i really needdd to get this fixed asap!]]> http://www.dslreports.com/forum/remark,20332430 Mon, 14 Apr 2008 14:32:26 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20331175 bcastner : Your internet issues are related to the Wareout infection. Download the following and bring it by floppy or USB pen drive to the problem computer:

1. Wareout Removal
Please download FixWareout from one of these sites:

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.
Notepad will open with the results of your FixWareout scan. Please save this file (C:\Report.txt) and exit Notepad.

Then continue where you left off in my original instructions.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20331175 Mon, 14 Apr 2008 10:44:29 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20329724 halfHAVOC : dude ahhh after the sdfix step

my internet isn't working so i can't download combofix and move on!!!!!!!

what do i do!?? im posting from another pc in my house right now.

should i download it on here and send it thru the network or somethin?

oh also, i get this red balloon in the traybar saying your computer may be at risk. and when i did the hijackthis , some of the stuff u posted was not there like all the O2's and few one or two other ones were just not there..... please help ASAP!!]]> http://www.dslreports.com/forum/remark,20329724 Sun, 13 Apr 2008 23:27:29 EDT Re: [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20329079 bcastner : You have a ton of problems. One is a Wareout infection we will deal with in the next session. Lets get the rest of the junk pretty much out of the way first.

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

First Steps
:!: The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please download ATF Cleaner
It does not require any installation.. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.

First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button. :!: Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.

Malware Removal Steps

1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: {644a70f8-a1f8-8dba-1044-b36ed7429852} - {2589247d-e63b-4401-abd8-8f1a8f07a446} - C:\WINDOWS\system32\vhkdgtkp.dll
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {D4FF871C-5791-47D0-B8CC-20AE3D0801FA} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [dmxvp.exe] C:\WINDOWS\system32\dmxvp.exe
O4 - HKLM\..\Run: [dmotx.exe] C:\WINDOWS\system32\dmotx.exe
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\rggodyor.dll",b
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" DllInit
O4 - HKLM\..\Run: [BMd7bd0422] Rundll32.exe "C:\WINDOWS\system32\fmxmufxp.dll",s
O4 - HKCU\..\Run: [Rusc] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Gzchx] "C:\Program Files\Common Files\??mantec\??xplore.exe"
O8 - Extra context menu item: Add to Windows &Live Favorites - »favorites.live.com/quickadd.aspx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8951C65-92EC-4161-9459-B755EB19927C}: NameServer = 85.255.113.114,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED2FEFA9-FFF5-4140-B90D-060BC9431E7E}: NameServer = 85.255.113.114,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)
O21 - SSODL: MvpPwwv - {D48E3712-7E24-9DB8-DFA3-50C4B3DD1E5B} - (no file)

Click "Fix checked" and when the log panel clears exit HijackThis.

2. Download SDFix and save it to your Desktop.

Double clickSDFix.exe and it will extract the files to the Windows Directory, C:\SDFix.

Please then reboot your computer in Safe Mode by doing the following :
• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press [Enter].
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.ba to start the script.
• Type Y[ to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display ]Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
• For now, simply close Notepad.

3. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:

• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

4. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

5. Run HijackThis again, and save the log file.

Submit to the Forum:
• The contents of C:\SDFix\Report.txt;
• The MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20329079 Sun, 13 Apr 2008 21:15:10 EDT [HJT Log] Slowdown + Can't go on websites http://www.dslreports.com/forum/remark,20328922 halfHAVOC : alright so lemme explain the problem. just started happening and what happens is the computer slows down a lil bit, i ran all those programs and its moreso back to normal with that, but my Taskbar keeps crashing. Ok main problem is when i go on Firefox and it goes to my homepage (google) i can't go on anything, i type in anywebsite and it jus gets stuck loading halfway but the screen stays white. so thats not working, so im using internet explorer right now and the problem is i can't type in anything in the address bar to get to a website, the only way it works is by typing it in google and clicking on the website (like i typed dslreports in google to get here). oh btw i get some popups occasionaly in IE as well.

ive tried using combofix(helped alot like i would use it restart my pc and then firefox and all would work and then suddenly i type any site and it just stops), vundofix(nothing), spybot (vario off the top of my head), ad-aware(which picked up 63 spyware/malwares and tracking stuff) i used avast as well but didn't get much help cept like two deletions.

Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:14