halfHAVOC
14

join:2002-05-30
New Jersey


edit:
April 13th, @08:45PM

[HJT Log] Slowdown + Can't go on websites

Alright, so let me explain the problem. It just started happening, and what happens is the computer slows down a little bit. I ran all those programs and it's more so back to normal with that, but my Taskbar keeps crashing. OK, the main problem is when I go on Firefox and it goes to my homepage (Google) I can't go on anything; I type in any website and it just gets stuck loading halfway, but the screen stays white. So that's not working, so I'm using Internet Explorer right now, and the problem is I can't type in anything in the address bar to get to a website; the only way it works is by typing it in Google and clicking on the website (like I typed dslreports in Google to get here). Oh, btw, I get some popups occasionally in IE as well.

I've tried using ComboFix (helped a lot, like I would use it, restart my PC, and then Firefox and all would work, and then suddenly I type any site and it just stops), VundoFix (nothing), Spybot (vario, off the top of my head), Ad-Aware (which picked up 63 spyware/malware and tracking things). I used Avast as well but didn't get much help except like two deletions.

Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:14 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: {644a70f8-a1f8-8dba-1044-b36ed7429852} - {2589247d-e63b-4401-abd8-8f1a8f07a446} - C:\WINDOWS\system32\vhkdgtkp.dll
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {D4FF871C-5791-47D0-B8CC-20AE3D0801FA} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [dmxvp.exe] C:\WINDOWS\system32\dmxvp.exe
O4 - HKLM\..\Run: [dmotx.exe] C:\WINDOWS\system32\dmotx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\rggodyor.dll",b
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" DllInit
O4 - HKLM\..\Run: [BMd7bd0422] Rundll32.exe "C:\WINDOWS\system32\fmxmufxp.dll",s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rusc] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Gzchx] "C:\Program Files\Common Files\??mantec\??xplore.exe"
O8 - Extra context menu item: Add to Windows &Live Favorites - »favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8951C65-92EC-4161-9459-B755EB19927C}: NameServer = 85.255.113.114,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED2FEFA9-FFF5-4140-B90D-060BC9431E7E}: NameServer = 85.255.113.114,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)
O21 - SSODL: MvpPwwv - {D48E3712-7E24-9DB8-DFA3-50C4B3DD1E5B} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7986 bytes


bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD


edit:
April 13th, @09:17PM

You have a ton of problems. One is a Wareout infection we will deal with in the next session. Let's get the rest of the junk pretty much out of the way first.

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident "TeaTimer" (Protection of overall system settings) active box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

First Steps
The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please download ATF Cleaner
It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, Firefox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.

First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.

Malware Removal Steps

1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: {644a70f8-a1f8-8dba-1044-b36ed7429852} - {2589247d-e63b-4401-abd8-8f1a8f07a446} - C:\WINDOWS\system32\vhkdgtkp.dll
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {D4FF871C-5791-47D0-B8CC-20AE3D0801FA} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [dmxvp.exe] C:\WINDOWS\system32\dmxvp.exe
O4 - HKLM\..\Run: [dmotx.exe] C:\WINDOWS\system32\dmotx.exe
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\rggodyor.dll",b
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" DllInit
O4 - HKLM\..\Run: [BMd7bd0422] Rundll32.exe "C:\WINDOWS\system32\fmxmufxp.dll",s
O4 - HKCU\..\Run: [Rusc] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Gzchx] "C:\Program Files\Common Files\??mantec\??xplore.exe"
O8 - Extra context menu item: Add to Windows &Live Favorites - »favorites.live.com/quickadd.aspx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8951C65-92EC-4161-9459-B755EB19927C}: NameServer = 85.255.113.114,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED2FEFA9-FFF5-4140-B90D-060BC9431E7E}: NameServer = 85.255.113.114,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)
O21 - SSODL: MvpPwwv - {D48E3712-7E24-9DB8-DFA3-50C4B3DD1E5B} - (no file)


Click "Fix checked" and when the log panel clears exit HijackThis.

2. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to the Windows Directory, C:\SDFix.

Please then reboot your computer in Safe Mode by doing the following :
• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press [Enter].
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
• Press any key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
• For now, simply close Notepad.

3. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:

• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

4. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

5. Run HijackThis again, and save the log file.

Submit to the Forum:
• The contents of C:\SDFix\Report.txt;
• The MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users



halfHAVOC
14

join:2002-05-30
New Jersey


edit:
April 13th, @11:35PM

Dude, ahhh, after the SDFix step

my internet isn't working, so I can't download ComboFix and move on!!!!!!!

What do I do!?? I'm posting from another PC in my house right now.

Should I download it on here and send it through the network or something?

Oh also, I get this red balloon in the tray bar saying your computer may be at risk. And when I did the HijackThis, some of the stuff you posted was not there, like all the O2's, and a few (one or two) other ones were just not there..... please help ASAP!!


bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD

reply to halfHAVOC
Your internet issues are related to the Wareout infection. Download the following and bring it by floppy or USB pen drive to the problem computer:

1. Wareout Removal
Please download FixWareout from one of these sites:

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.
Notepad will open with the results of your FixWareout scan. Please save this file (C:\Report.txt) and exit Notepad.

Then continue where you left off in my original instructions.

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users
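As an added example (not from this thread, HijackThis, or any of the tools bcastner names), the script below triages HJT log lines for the categories fixed above: the IE ProxyServer entry, O17 NameServer values pointing at resolvers the owner never configured (the Wareout DNS hijack behind the "can't reach websites" symptom), autostarts launched from a user profile folder or with unprintable characters in their path, and orphaned entries whose file is missing. The sample log is a constructed subset of the poster's HJT log, and `expected_dns` is an allowlist the reader supplies (the `192.168.1.1` router address in `main` is a hypothetical value).

```python
"""Triage a HijackThis (HJT) log for the hijack indicators discussed in this thread.

The checks are deterministic: a line is flagged only for a concrete property
(proxy set, resolver not on the allowlist, profile-folder autostart, missing file),
never for a "random-looking" file name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Rusc] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Gzchx] "C:\Program Files\Common Files\??mantec\??xplore.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.114 85.255.112.8
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry starts with a section tag (R0..R3, O1..O24) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Autostart paths under a user profile, long form or 8.3 short form.
PROFILE_RE = re.compile(r"\\(docume~1|documents and settings)\\", re.I)
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _name_servers(body: str) -> list[str]:
    """Return the resolver list from an O17 entry (HJT separates them with ',' or ' ')."""
    _, _, tail = body.partition("NameServer =")
    return [s for s in re.split(r"[ ,]+", tail.strip()) if s]


def triage(log_text: str, expected_dns: frozenset[str] = frozenset()) -> list[Finding]:
    """Walk an HJT log and return one Finding per suspicious entry, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank, or "Running processes" lines
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec == "R1" and "ProxyServer =" in body:
            reason = "IE proxy configured; browser traffic is being redirected"
        elif sec == "O17":
            rogue = [s for s in _name_servers(body) if s not in expected_dns]
            if rogue:
                reason = "NameServer points at unexpected resolver(s): " + ", ".join(rogue)
        elif sec == "O4":
            if PROFILE_RE.search(body):
                reason = "autostart launched from a user profile folder"
            elif "?" in body:
                reason = "autostart path contains non-printable characters"
        elif any(marker in body for marker in ORPHAN_MARKERS):
            reason = "orphaned entry: referenced file is absent"
        if reason:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HJT section, e.g. {'O17': 1, 'O4': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    # Hypothetical allowlist: the owner's own router as the only legitimate resolver.
    for f in triage(SAMPLE_LOG, expected_dns=frozenset({"192.168.1.1"})):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```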



halfHAVOC
14

join:2002-05-30
New Jersey


edit:
April 14th, @03:14PM

Hm, well I sent it through my network on a shared folder (couldn't find floppy/pen) and it worked

but

my internet is still not working. Also that red security balloon in the tray area is still there.

I really need to get this fixed ASAP!


bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD
reply to halfHAVOC
If you completed the scan asked, please submit the logs requested: from FixWareout, Combofix, and MBAM, as well as a new HijackThis.


halfHAVOC
14

join:2002-05-30
New Jersey

edit:
April 14th, @07:20PM

I didn't get to MBAM yet,

but let me go do the rest of the logs.


halfHAVOC
14

join:2002-05-30
New Jersey


edit:
April 15th, @06:52AM

OK, weird. I have like 3 ComboFix logs from before, so I don't know where the latest one is from yesterday.... I'm pretty sure it saved? But I'll post this I guess, unless it posted the date wrong, I don't know.

ComboFix: I don't know, it might be from before I posted because I can't find the latest one. Where is it located?
ComboFix 08-04-12.7 - Administrator 2008-04-13 17:33:53.7 - NTFSx86
Running from: C:\Documents and Settings\Administrator\desktop\cf.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBA5775-1351-4F21-881E-A4ADC9BEAB75}]
C:\Program Files\Common Files\horev83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed76bfd-a0ff-938f-507d-216c8ab86a74}]
2008-04-04 07:35 329728 --a------ C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 07:00 15360]
"Rusc"="C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" [ ]
"Gzchx"="C:\Program Files\Common Files\??mantec\??xplore.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-07-07 05:09 954368]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 08:33 892928]
"dmxvp.exe"="C:\WINDOWS\system32\dmxvp.exe" [ ]
"dmotx.exe"="C:\WINDOWS\system32\dmotx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"{E3-37-71-11-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-13 17:52 49173]
"spa_start"="C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" [2008-04-04 07:35 329728]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\scntokdn.exe" [2008-04-13 17:53 196674]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\scntokdn.exe [2008-04-13 17:53:11 196674]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-13 17:52:58 49173]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcccaa]
efcccaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefEUl]
iifefEUl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnklmk]
opnklmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrstqn]
rqrstqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrrpo]
ssqrrpo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geeba.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bffeeuso]
C:\Program Files\?ymantec\j?vaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
C:\WINDOWS\system32\qjjofwjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbvmnemA]
C:\WINDOWS\pbvmnemA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.0\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
"zBrowser Launcher"=C:\Program Files\Logitech\iTouch\iTouch.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"nwiz"=nwiz.exe /install
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2002-12-31 07:00]
S2 ATIBTCAP;ATI TV Wonder Video Capture;C:\WINDOWS\system32\drivers\atibtcap.sys [2002-11-05 00:00]
S2 ATIBTXBAR;ATI TV Wonder Video Crossbar;C:\WINDOWS\system32\drivers\atibtxbr.sys [2002-11-05 00:00]
S2 ATIVTUTW;ATI TV Wonder TV Tuner;C:\WINDOWS\system32\drivers\ativtutw.sys [2002-11-05 00:00]
S2 ATIVXSTW;ATI TV Wonder Audio Crossbar;C:\WINDOWS\system32\drivers\ativxstw.sys [2002-11-05 00:00]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS\system32\UnlockerDriver4.sys [2005-04-24 04:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-10 03:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-13 17:51:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\scntokdn.exe 196674 bytes executable
C:\WINDOWS\system32\winpfz33.sys 936 bytes
C:\WINDOWS\system32\msnav32.ax 148 bytes
C:\WINDOWS\system32\rwwnw64d.exe 49173 bytes executable
C:\WINDOWS\system32\g46.exe 400547 bytes executable
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\scntokdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-13 17:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 22:58:03
ComboFix2.txt 2008-04-13 15:21:30
ComboFix3.txt 2008-04-13 14:46:44
ComboFix4.txt 2008-04-12 03:35:17
ComboFix5.txt 2008-04-12 01:08:10
Pre-Run: 49,116,758,016 bytes free
Post-Run: 49,101,164,544 bytes free

---------------------
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:06 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" DllInit
O4 - HKLM\..\Run: [BMd7bd0422] Rundll32.exe "C:\WINDOWS\system32\mtyicqmn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5356 bytes
-------------------
sdfix

SDFix: Version 1.170
Run by Administrator on Sun 04/13/2008 at 11:02 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting

Checking Files :

Trojan Files Found:

C:\PROGRA~1\COMPLU~1\LADUPAJ - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\system32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-13 23:11:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 31 Dec 2002 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 31 Dec 2002 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 24 Jul 2007 1,845,858 A.SH. --- "C:\WINDOWS\system32\kjjlm.tmp"
Tue 24 Jul 2007 6,471 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak1"
Tue 24 Jul 2007 1,807,725 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak2"
Fri 9 Nov 2007 923,066 A.SH. --- "C:\WINDOWS\system32\ogvfofdn.tmp"
Wed 28 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Nov 2004 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL0001.tmp"
Sat 25 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL0005.tmp"
Sat 25 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL2653.tmp"
Thu 16 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sun 1 Sep 2002 45,056 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\Desktop\minibrowser_v1.0.dll"
Sun 10 Apr 2005 22,528 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\My Documents\Farhan's Documents\~WRL1675.tmp"
Thu 7 Apr 2005 21,504 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\My Documents\school\English\Research Paper\~WRL0291.tmp"

Finished!

----
wareout:
Username "Administrator" - 04/14/2008 14:24:06 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3E5BEC1F-998E-4766-A5ED-5CB6CFEF3B26}
"DhcpNameServer"="85.255.113.114,85.255.112.8" Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D8951C65-92EC-4161-9459-B755EB19927C}
"DhcpNameServer"="85.255.113.114,85.255.112.8" Value cleared.

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FCF0F8737177-CBCB-56F4-4256-0D409B28{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A81021EEEA11-B2AA-0584-EF34-AA942AD1{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "elfmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FDE62E469FBB-A1AB-5D44-A456-6E9D93DE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}11576FF2B5C3-3FDB-2734-E2BD-4F584BE8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}71BDEC5CBBF9-7EE8-F6D4-F690-0F38C327{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C17FA5D49981-A7F9-4974-34E8-4BDDF0EE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}461231CCCB50-2968-7954-02BB-035410ED{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "djxmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}996423FA06AA-11AA-2EC4-DD37-8FAA33CB{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EAAADD02793F-E6AA-43B4-0DEE-2D67489B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "fpcmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8CBA0B891534-8AC8-A814-E12F-FA0FED00{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EBC911BEBB5A-09DB-1BD4-5530-490DCDCF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3F1E1AA224F1-2308-3864-B546-23D505B2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0E0D4AD0CD77-059A-A084-4269-E0A2A644{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "pvxmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ugcmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xtomd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ztvmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "zfimd" Deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmfle.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmcpf.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmcgu.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmvtz.exe" Value deleted
....
~~~~~ Misc files.
C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe Deleted
C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Athan"="C:\\Program Files\\Athan\\Athan.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"spa_start"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\{12fdb189-6534-5715-5717-a9c2868b4931}.dll\" DllInit"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Should I send MBAM to my computer and try using it now, or what? I really need my computer back up and running by tomorrow or so. Please, if you can work with me to figure this out as quickly as possible, I will appreciate it more than ever.
edit: I'm going to go use MBAM now and then post the log.

/////////////////////////////////
MBAM ADDED

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 29306
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geeba.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\nkqtkmpa.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58448347-2553-452e-8e97-e8e4b5120e01} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{58448347-2553-452e-8e97-e8e4b5120e01} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMd7bd0422 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geeba.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geeba.dll -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\geeba.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\abeeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abeeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nkqtkmpa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\apmktqkn.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rggodyor.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roydoggr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rundll32.exe (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mtyicqmn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iefpmod.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qshl.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ierql.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehrdata.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ielog.dll (Malware.Trace) -> Quarantined and deleted successfully.

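The logs above are read by eye for a handful of tells: a per-user ProxyServer that the owner never set, BHO entries whose DLL is already gone, Winlogon Notify DLLs, rundll32 autostarts that load a DLL with a random or GUID name, and DHCP resolver addresses that Fixwareout recognises as rogue. The script below is an added example for this thread (not code from the original post or from HijackThis, ComboFix, SDFix, Fixwareout or MBAM) that applies those same checks to HJT-style lines and to a NameServer value. The sample lines are constructed to mirror the indicators in the logs above. The 85.255.112.0/20 range is the block containing the two resolvers Fixwareout cleared; the other ranges are taken from the public DNSChanger takedown notices and are an assumption beyond what this page shows, and the file-name rules are heuristics of this example, not tool signatures.

```python
"""Triage of HijackThis / Fixwareout lines such as the ones posted above.

Added example for this thread; not code from the original post or from any of
the tools named in it.  Sample lines are constructed to mirror the logs above.
"""
import ipaddress
import re

# Rogue-resolver ranges used by the DNSChanger family.  85.255.112.0/20 is the
# block containing the 85.255.113.114 / 85.255.112.8 resolvers Fixwareout
# cleared above; the remaining ranges come from the public DNSChanger takedown
# notices and are an assumption beyond what this page shows.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Heuristics of this example, not signatures: Vundo-style droppers use short
# all-lowercase random names (geeba.dll, nkqtkmpa.dll) or a GUID as file name.
RANDOM_NAME = re.compile(r"^[a-z]{5,10}\.(?:dll|exe)$")
GUID_NAME = re.compile(r"^\{[0-9a-fA-F-]{36}\}\.dll$")
FILE_NAME = re.compile(r"[^\\\"\s,]+\.(?:dll|exe)", re.IGNORECASE)
HJT_LINE = re.compile(r"^(R1|O2|O4|O20)\s+-\s+(.*)$")


def rogue_dns(value):
    """Resolver addresses in a NameServer/DhcpNameServer value that fall in a rogue range."""
    hits = []
    for token in re.split(r"[ ,]+", value.strip()):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        if any(ip in net for net in ROGUE_DNS_RANGES):
            hits.append(token)
    return hits


def triage_hjt_line(line):
    """Reason a HijackThis line deserves a look, or None if nothing matched."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "R1" and "ProxyServer" in body:
        return "per-user HTTP proxy set: " + body.split("=", 1)[1].strip()
    if kind == "O20":
        return "Winlogon Notify DLL (loaded by winlogon.exe at every logon)"
    if kind == "O2" and "(file missing)" in body:
        return "BHO registration whose DLL is gone (dead entry, clean it up)"
    names = FILE_NAME.findall(body)       # last file name on the line is the payload
    name = names[-1] if names else ""
    if GUID_NAME.match(name):
        return "GUID-named DLL: " + name
    if kind == "O4" and "rundll32" in body.lower() and RANDOM_NAME.match(name):
        return "rundll32 autostart loading a random-named DLL: " + name
    if kind == "O2" and RANDOM_NAME.match(name):
        return "BHO backed by a random-named DLL: " + name
    return None


def triage(lines):
    """Return [(line, reason)] for every suspicious line of an HJT log."""
    out = []
    for line in lines:
        reason = triage_hjt_line(line)
        if reason:
            out.append((line.strip(), reason))
    return out


# Constructed sample mirroring the logs above (not a verbatim copy).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {539d0426-5fb5-aa88-b654-46c17524fb1e} - {e1bf4257-1c64-456b-88aa-5bf56240d935} - C:\WINDOWS\system32\xcldfjbb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" DllInit
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\nkqtkmpa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
    print("rogue resolvers:", rogue_dns("85.255.113.114,85.255.112.8"))
```

The random-name rule is deliberately narrow (only rundll32 autostarts and BHOs) because plenty of legitimate binaries have short lowercase names; anything it flags still needs a look at the file's signer, date and location before it is removed.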

halfHAVOC · 14 · join:2002-05-30 · New Jersey

Err, sorry about this double post, but I needed to separate the last HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:22 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: {539d0426-5fb5-aa88-b654-46c17524fb1e} - {e1bf4257-1c64-456b-88aa-5bf56240d935} - C:\WINDOWS\system32\xcldfjbb.dll
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll (file missing)
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\nkqtkmpa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6450 bytes

oddly the O2's show up now.


bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD
edit: April 15th, @03:40PM

reply to halfHAVOC
You now have Kaspersky Antivirus installed. You cannot have two active antivirus programs installed. Doing so makes you less, not more, protected. Please uninstall either AVAST or Kaspersky. Reboot.

This is one of the most seriously compromised computers I have ever seen, and running or adding antivirus and antimalware programs at this point will effectively prevent this computer from ever becoming clean.

1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: {539d0426-5fb5-aa88-b654-46c17524fb1e} - {e1bf4257-1c64-456b-88aa-5bf56240d935} - C:\WINDOWS\system32\xcldfjbb.dll
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll (file missing)
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\nkqtkmpa.dll",b
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)


Click "Fix checked" and when the log panel clears exit HijackThis.

2. Click Start, click Run, and enter into the command box that opens the single word: CMD.
In the black box that opens, type carefully:

netsh int ip reset resetlog.txt
netsh winsock reset


After a moment, a notice should appear telling you that a restart of your computer is required.
Reboot until the operating system is fully loaded -- twice.

3. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

4. Please download to your Desktop OT_MOVEIT2:

Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


Return to OTMoveIt2, right click in the Left panel and choose Paste.

Click the red Moveit button.
This will not be quick. I am asking it to scan your entire Drive C twice.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

5. Open MBAM. Do an update of its definition files if possible. Run the scan again exactly as you did earlier.

6. Run HijackThis again, and save the log file.

Submit to the Forum:
• The contents of C:\Combofix.txt;
• The new MBAM log;
• The new HijackThis log.

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users
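As an added triage example (not code from this thread, from bcastner, or from HijackThis itself): a small Python script that reads HijackThis log lines and flags the same kinds of entries the step 1 checklist above targets, namely O2/O20 entries whose file is missing, unnamed BHOs and a rundll32 autorun with a random-looking name, plus the R1 ProxyServer line pointing at an outside address. The sample lines are copied from the log posted in this thread; the "local host" address ranges and the heuristics themselves are my own assumptions, not rules from the tool.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\nkqtkmpa.dll",b
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Assumption: a proxy on loopback or an RFC 1918 address is "local"; anything else is flagged.
LOCAL_HOST_RE = re.compile(r"^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
RANDOM_RUN_NAME_RE = re.compile(r"\[[0-9a-f]{8}\]")  # e.g. [d48e37be]


def triage(log_text):
    """Return (section, reason, line) tuples for entries a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyServer" in body:
            # Value may be "host:port" or "http=host:port;https=host:port".
            for part in body.split("=", 1)[1].split(";"):
                host = part.strip().split("=")[-1].split(":")[0]
                if host and not LOCAL_HOST_RE.match(host):
                    findings.append((sec, f"proxy points at non-local host {host}", line))
        elif sec in ("O2", "O20") and body.endswith("(file missing)"):
            findings.append((sec, "registry entry references a missing file", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "unnamed BHO", line))
        elif sec == "O4" and "rundll32" in body.lower() and RANDOM_RUN_NAME_RE.search(body):
            findings.append((sec, "rundll32 autorun with random-looking name", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {line}")
```

Run it against a full saved log to get a short list to compare with the checkmarked items; a clean entry such as the Java or iTunes lines produces no finding.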



halfHAVOC
14

join:2002-05-30
New Jersey
so apparently i get some run dll dos pop up or something and quickly exits itself and it wont load add/remove programs nor can i find the uninstall icon for either of the two programs, is there any other shortcut or way to uninstall one of them?


bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD
reply to halfHAVOC
Do it last rather than first, then.
Please run the tasks requested and submit the log results.


halfHAVOC
14

join:2002-05-30
New Jersey


edit:
April 15th, @07:04PM

it gives me that same error garbage when i try to put the script into combofix...some rundll32 dos pops up...arghh ( dont think its gonna work in safemode either because i tried to use add/remove in safemode and the same thing happened)!!
btw all the code says in that code box is purity.


bcastner
Premium,MVM
join:2002-09-25
Chevy Chase, MD
edit: April 15th, @08:35PM

reply to halfHAVOC
Download The Avenger by Swandog46 from:

• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox by clicking where it says "Copy to clipboard".

• In the Avenger window, click the Paste Script from Clipboard button.
• Click the Execute button.
• You will be asked "Are you sure you want to execute the current script?" Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now? Click Yes.
• Your PC will now be rebooted.

• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at C:\avenger.txt.
• Please save this.

2. Using your mouse, left click once below where it says: "Copy to