New Problem


Whome

Computer won't allow programs to be installed unless in safe mode - can't install Avira due to no network in safe mode. Installed Malwarebytes, but it will not load. Installed Spybot-S&D but it only partly loads. Can run HijackThis and here is the log.

Logfile of HijackThis v1.99.1

Scan saved at 11:57:15 PM, on 09/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Multimedia\main\ATISched.EXE

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Killer Stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.mdg.ca

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b

O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE

O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.cogeco.ca/en/OLS3.3/fscax.cab

O20 - AppInit_DLLs: yvmlrx.dll frjicl.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - Unknown owner - C:\Program Files\COGECO Security Services\FSAUA\program\fsaua.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Hello Whome

Welcome to Malwarebytes

==================

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt.

============

Download GMER from Here :

Unzip it to the desktop.

Open the program and click on the Rootkit tab.

Make sure all the boxes on the right of the screen are checked, EXCEPT for

Hello Kahdah

I've done as you have instructed. DDS worked and the logs are below. However, GMER would not run.

DDS (Ver_09-01-07.01) - NTFSx86

Run by Laycocks at 23:34:33.93 on 10/01/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1051 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Multimedia\main\ATISched.EXE

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Documents and Settings\Laycocks\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

mDefault_Page_URL = hxxp:\\www.mdg.ca

uInternet Connection Wizard,ShellNext = iexplore

BHO: {42a409b5-57bb-49cf-a348-b32a2162f834} - c:\windows\system32\jkkJCsrR.dll

BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jKaYsPgG.dll

BHO: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll

TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll

TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File

uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE

uRun: [ATI Launchpad]

uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE

uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide

uRun: [<NO NAME>]

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [uSRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA

mRun: [soundMan] SOUNDMAN.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [F-Secure Manager] "c:\program files\cogeco security services\common\FSM32.EXE" /splash

mRun: [F-Secure TNB] "c:\program files\cogeco security services\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW

mRun: [380a59d7] rundll32.exe "c:\windows\system32\joterqaj.dll",b

uPolicies-explorer: NoFolderOptions = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL

IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: jKaYsPgG - jKaYsPgG.dll

AppInit_DLLs: yvmlrx.dll frjicl.dll

STS: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll

SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jKaYsPgG.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkJCsrR

LSA: Notification Packages = :\WINDOW

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laycocks\applic~1\mozilla\firefox\profiles\igth902o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\documents and settings\laycocks\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]

R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]

R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys --> c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys [?]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-1-12 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-1-12 85696]

S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\cogeco security services\anti-virus\win2k\fsfilter.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSfilter.sys [?]

S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\cogeco security services\anti-virus\win2k\fsrec.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2009-01-09 22:55 133,120 a------- c:\windows\system32\frjicl.dll

2009-01-09 22:55 133,120 a------- c:\windows\system32\hyiyuqar.dll

2009-01-09 22:52 1,367,332 ---sh--- c:\windows\system32\eqobtoeb.ini

2009-01-09 22:52 90,624 a------- c:\windows\system32\beotboqe.dll

2009-01-09 21:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-01-09 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-01-09 21:34 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-09 21:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-09 21:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-01-09 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-07 18:55 129,536 a------- c:\windows\system32\yvmlrx.dll

2009-01-07 18:55 129,536 a------- c:\windows\system32\anwlpynk.dll

2009-01-07 18:52 1,353,973 ---sh--- c:\windows\system32\jaqretoj.ini

2009-01-07 17:19 <DIR> --d----- C:\Killer Stuff

2009-01-07 17:18 <DIR> --d----- C:\!KillBox

2009-01-06 22:41 <DIR> --d----- c:\docume~1\laycocks\applic~1\F-Secure

2009-01-06 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure

2009-01-06 19:46 1,353,973 ---sh--- c:\windows\system32\slngntlt.ini

2009-01-06 19:46 86,528 a------- c:\windows\system32\tltngnls.dll

2009-01-06 18:53 137,728 a------- c:\windows\system32\ritjkftq.dll

2009-01-06 18:53 137,728 a------- c:\windows\system32\dwwjai.dll

2009-01-06 18:50 1,353,973 ---sh--- c:\windows\system32\oxhunnse.ini

2008-12-29 02:31 45,056 a------- c:\windows\system32\mlJAsQih.dll

2008-12-29 00:39 139,264 a------- c:\windows\system32\uownem.dll

2008-12-29 00:39 139,264 a------- c:\windows\system32\jdiowumj.dll

2008-12-29 00:39 1,762,028 ---sh--- c:\windows\system32\lfnooslc.ini

2008-12-26 02:49 135,680 a------- c:\windows\system32\ahvoih.dll

2008-12-26 02:49 135,680 a------- c:\windows\system32\xlqbbiid.dll

2008-12-26 02:49 1,762,028 ---sh--- c:\windows\system32\jqhqfuok.ini

2008-12-21 10:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg

2008-12-20 19:46 <DIR> --d----- C:\fsaua.data

2008-12-20 16:50 <DIR> --d----- c:\temp\REX81

2008-12-20 16:50 <DIR> --d----- c:\windows\system32\foi

2008-12-20 16:50 <DIR> --d----- c:\temp\1cb

2008-12-20 16:49 15,000 a------- c:\windows\system32\tyshb36rfjdf.dll

2008-12-20 16:49 57,856 a------- c:\windows\system32\bYOgHWNd.dll

2008-12-20 16:43 57,856 a------- c:\windows\system32\aWOHwVOe.dll

2008-12-20 16:43 135,168 a------- c:\windows\system32\crkiaq.dll

2008-12-20 16:42 135,168 a------- c:\windows\system32\nmjgydwi.dll

2008-12-20 16:41 1,668,120 ---sh--- c:\windows\system32\fyecmtfi.ini

2008-12-20 16:39 423,304 a--sh--- c:\windows\system32\RrsCJkkj.ini

2008-12-20 16:39 423,197 a--sh--- c:\windows\system32\RrsCJkkj.ini2

2008-12-20 16:39 286,208 a------- c:\windows\system32\jkkJCsrR.dll

2008-12-20 16:34 57,856 a------- c:\windows\system32\jKaYsPgG.dll

2008-12-20 16:34 70,656 a------- c:\windows\system32\prunnet.exe

==================== Find3M ====================

2008-12-29 01:08 10,740 a------- c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-29 01:08 805 a------- c:\windows\system32\drivers\SYMEVENT.INF

2008-11-26 04:04 14,154 a------- c:\docume~1\laycocks\applic~1\wklnhst.dat

2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll

2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll

2008-10-16 05:20 667,648 a------- c:\windows\system32\wininet.dll

2008-05-21 17:31 133,160 ac------ c:\docume~1\laycocks\applic~1\GDIPFONTCACHEV1.DAT

2006-09-19 00:24 81,920 ac------ c:\docume~1\laycocks\applic~1\ezpinst.exe

2006-09-19 00:24 47,360 ac------ c:\docume~1\laycocks\applic~1\pcouffin.sys

2006-09-13 00:18 774,144 ac------ c:\program files\RngInterstitial.dll

============= FINISH: 23:37:37.67 ===============

Please download OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :processes
    explorer.exe
    :files
    c:\windows\system32\frjicl.dll
    c:\windows\system32\hyiyuqar.dll
    c:\windows\system32\eqobtoeb.ini
    c:\windows\system32\beotboqe.dll
    c:\windows\system32\yvmlrx.dll
    c:\windows\system32\anwlpynk.dll
    c:\windows\system32\jaqretoj.ini
    c:\windows\system32\slngntlt.ini
    c:\windows\system32\tltngnls.dll
    c:\windows\system32\ritjkftq.dll
    c:\windows\system32\dwwjai.dll
    c:\windows\system32\oxhunnse.ini
    c:\windows\system32\mlJAsQih.dll
    c:\windows\system32\uownem.dll
    c:\windows\system32\jdiowumj.dll
    c:\windows\system32\lfnooslc.ini
    c:\windows\system32\ahvoih.dll
    c:\windows\system32\xlqbbiid.dll
    c:\windows\system32\jqhqfuok.ini
    c:\temp\REX81
    c:\windows\system32\foi
    c:\temp\1cb
    c:\windows\system32\tyshb36rfjdf.dll
    c:\windows\system32\bYOgHWNd.dll
    c:\windows\system32\aWOHwVOe.dll
    c:\windows\system32\crkiaq.dll
    c:\windows\system32\nmjgydwi.dll
    c:\windows\system32\fyecmtfi.ini
    c:\windows\system32\RrsCJkkj.ini
    c:\windows\system32\RrsCJkkj.ini2
    c:\windows\system32\jkkJCsrR.dll
    c:\windows\system32\jKaYsPgG.dll
    c:\windows\system32\prunnet.exe
    :commands
    [emptytemp]
    [start explorer]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===================================

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a dds log so we can continue cleaning the system.

========================

Please post these logs in your next reply:
  1. OTMoveIt log
  2. Combofix log
Ok I ran OTMoveIt and it came up with an "Access violation at address 77124BA7. Read of address 77124BA7."

I copied the log it did create to the clipboard, but when I closed the program it crashed my computer. I tried to find a log in the folder specified but there were none. What I did find were 2 .dll files, frjicl and hyiyuqar. I tried running it a second time but again it came up with the same error. The log it did create was all "did not find" type errors and only had about 6 or so. If needed I can run it again to get the exact log. I will save the log before closing the app.

Here is the log from Combo-fix. There was no dds log that I could find.

ComboFix 09-01-10.02 - Laycocks 2009-01-11 0:46:12.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1126 [GMT -5:00]

Running from: c:\documents and settings\Laycocks\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Laycocks\Local Settings\Temporary Internet Files\fbk.sts

c:\temp\1cb

c:\temp\1cb\syscheck.log

c:\windows\system32\ahvoih.dll

c:\windows\system32\anwlpynk.dll

c:\windows\system32\aWOHwVOe.dll

c:\windows\system32\beotboqe.dll

c:\windows\system32\bYOgHWNd.dll

c:\windows\system32\crkiaq.dll

c:\windows\system32\drivers\TDSSmqlt.sys

c:\windows\system32\dwwjai.dll

c:\windows\system32\jdiowumj.dll

c:\windows\system32\jKaYsPgG.dll

c:\windows\system32\jkkJCsrR.dll

c:\windows\system32\mfcans32.DLL

c:\windows\system32\msexcl35.dll

c:\windows\system32\msltus35.dll

c:\windows\system32\mspdox35.dll

c:\windows\system32\msrdo20.dll

c:\windows\system32\mstext35.dll

c:\windows\system32\msxbse35.dll

c:\windows\system32\nmjgydwi.dll

c:\windows\system32\prunnet.exe

c:\windows\system32\rdocurs.dll

c:\windows\system32\ritjkftq.dll

c:\windows\system32\RrsCJkkj.ini

c:\windows\system32\RrsCJkkj.ini2

c:\windows\system32\TDSShrxm.dll

c:\windows\system32\TDSSkhyp.log

c:\windows\system32\TDSSkkai.log

c:\windows\system32\TDSSlxwp.dll

c:\windows\system32\TDSSmtvd.dat

c:\windows\system32\TDSSoiqt.dll

c:\windows\system32\TDSSsahc.dll

c:\windows\system32\TDSSvkql.dll

c:\windows\system32\TDSSxfum.dll

c:\windows\system32\TDSSxmxh.log

c:\windows\system32\tltngnls.dll

c:\windows\system32\tyshb36rfjdf.dll

c:\windows\system32\uownem.dll

c:\windows\system32\xlqbbiid.dll

c:\windows\system32\yvmlrx.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSSERV.SYS

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))

.

2009-01-11 00:18 . 2009-01-11 00:18 <DIR> d-------- C:\_OTMoveIt

2009-01-09 21:57 . 2009-01-09 21:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-09 21:57 . 2009-01-09 22:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-09 21:34 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-09 21:34 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-07 18:52 . 2009-01-07 18:53 1,353,973 --ahs---- c:\windows\system32\jaqretoj.ini

2009-01-07 17:19 . 2009-01-09 23:57 <DIR> d-------- C:\Killer Stuff

2009-01-07 17:18 . 2009-01-07 17:18 <DIR> d-------- C:\!KillBox

2009-01-06 22:41 . 2009-01-06 22:41 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\F-Secure

2009-01-06 22:30 . 2009-01-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\F-Secure

2009-01-06 19:46 . 2009-01-06 19:47 1,353,973 --ahs---- c:\windows\system32\slngntlt.ini

2009-01-06 18:50 . 2009-01-06 18:50 1,353,973 --ahs---- c:\windows\system32\oxhunnse.ini

2008-12-29 02:31 . 2008-12-29 02:31 45,056 --a------ c:\windows\system32\mlJAsQih.dll

2008-12-29 00:39 . 2008-12-29 00:39 1,762,028 --ahs---- c:\windows\system32\lfnooslc.ini

2008-12-26 02:49 . 2008-12-29 00:38 1,762,028 --ahs---- c:\windows\system32\jqhqfuok.ini

2008-12-21 10:46 . 2008-12-26 02:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg

2008-12-20 19:46 . 2008-12-20 19:46 <DIR> d-------- C:\fsaua.data

2008-12-20 16:50 . 2008-12-20 16:50 <DIR> d-------- c:\windows\system32\foi

2008-12-20 16:50 . 2008-12-20 16:50 <DIR> d-------- c:\temp\REX81

2008-12-20 16:41 . 2008-12-20 16:41 1,668,120 --ahs---- c:\windows\system32\fyecmtfi.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-11 04:41 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-07 01:48 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-07 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-29 06:08 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2008-12-29 06:08 10,740 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-21 00:42 --------- d-----w c:\program files\SopCast

2008-11-28 05:16 --------- d-----w c:\program files\QuickTime

2008-11-27 17:39 --------- d-----w c:\program files\iTunes

2008-11-27 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-11-27 17:35 --------- d-----w c:\program files\iPod

2008-11-27 17:35 --------- d-----w c:\program files\Common Files\Apple

2008-11-27 17:21 --------- d-----w c:\program files\Safari

2008-11-26 09:04 14,154 ----a-w c:\documents and settings\Laycocks\Application Data\wklnhst.dat

2008-11-24 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC

2008-11-15 03:00 --------- d-----w c:\program files\Morpheus

2008-05-21 22:31 133,160 -c--a-w c:\documents and settings\Laycocks\Application Data\GDIPFONTCACHEV1.DAT

2006-09-19 05:24 81,920 -c--a-w c:\documents and settings\Laycocks\Application Data\ezpinst.exe

2006-09-19 05:24 47,360 -c--a-w c:\documents and settings\Laycocks\Application Data\pcouffin.sys

2006-09-13 05:18 774,144 -c--a-w c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-05-04 36864]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-05-04 53248]

"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-10 77891]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]

"Alcmtr"="ALCMTR.EXE" [2004-07-02 c:\windows\ALCMTR.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=yvmlrx.dll frjicl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.UYVY"= c:\windows\system32\msyuv.dll

"VIDC.YUY2"= ATIVYUY.DLL

"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\jkkJCsrR

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance Trial\\MW4.exe"=

"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-03-30 173824]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-03-30 29184]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys --> c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys [?]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-01-12 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-01-12 85696]

S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys [?]

S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{019f7bfa-dd09-11dd-a766-00132057a270}]

\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2acb4399-dc4c-11dd-a75e-00132057a270}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654267062666774

.

Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-10 c:\windows\Tasks\uhbjlxmv.job

- c:\windows\system32\rundll32.exe [2004-08-10 07:00]

.

- - - - ORPHANS REMOVED - - - -

BHO-{51368521-EAF6-421F-8BAB-88CC588D02DB} - (no file)

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\jKaYsPgG.dll

BHO-{D23C72B9-0F38-4762-85D5-D38A413A399D} - c:\windows\system32\jkkJCsrR.dll

BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)

HKCU-Run-ATI Launchpad - (no file)

HKLM-Run-F-Secure Manager - c:\program files\COGECO Security Services\Common\FSM32.EXE

HKLM-Run-F-Secure TNB - c:\program files\COGECO Security Services\FSGUI\TNBUtil.exe

HKLM-Run-380a59d7 - c:\windows\system32\joterqaj.dll

SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll

ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\jKaYsPgG.dll

Notify-dimsntfy - (no file)

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\Laycocks\Application Data\Mozilla\Firefox\Profiles\igth902o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\documents and settings\Laycocks\Application Data\Mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-11 00:53:40

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-262542382-820493166-2832226997-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\windows\system32\HPZipm12.exe

c:\windows\ehome\RMSvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\ehome\McrdSvc.exe

c:\windows\system32\dllhost.exe

c:\windows\ehome\ehmsas.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-01-11 0:59:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-11 05:58:04

Pre-Run: 47,490,891,776 bytes free

Post-Run: 48,073,273,344 bytes free

256 --- E O F --- 2008-12-19 00:22:05


As an update. I can now run Spybot S&D and Malwarebytes. I did not do any scans of them yet and at the first opportunity closed them. Reading your post again, you want me to run dds.scr again... here is its log.

DDS (Ver_09-01-07.01) - NTFSx86

Run by Laycocks at 1:07:54.56 on 11/01/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1045 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\ehome\RMSvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Multimedia\main\ATISched.EXE

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Laycocks\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll

TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File

uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE

uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE

uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ATI Launchpad]

mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA

mRun: [SoundMan] SOUNDMAN.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Alcmtr] ALCMTR.EXE

mRun: [F-Secure Manager] "c:\program files\cogeco security services\common\FSM32.EXE" /splash

mRun: [F-Secure TNB] "c:\program files\cogeco security services\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW

mRun: [380a59d7] rundll32.exe "c:\windows\system32\joterqaj.dll",b

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL

IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: yvmlrx.dll frjicl.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkJCsrR

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laycocks\applic~1\mozilla\firefox\profiles\igth902o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\documents and settings\laycocks\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]

R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]

R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys --> c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys [?]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-1-12 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-1-12 85696]

S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\cogeco security services\anti-virus\win2k\fsfilter.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSfilter.sys [?]

S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\cogeco security services\anti-virus\win2k\fsrec.sys --> c:\program files\cogeco security services\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2009-01-11 01:05 <DIR> --d----- c:\docume~1\laycocks\applic~1\Malwarebytes

2009-01-11 00:36 161,792 a------- c:\windows\SWREG.exe

2009-01-11 00:36 98,816 a------- c:\windows\sed.exe

2009-01-11 00:18 <DIR> --d----- C:\_OTMoveIt

2009-01-09 21:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-01-09 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-01-09 21:34 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-09 21:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-09 21:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-01-09 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-07 18:52 1,353,973 a--sh--- c:\windows\system32\jaqretoj.ini

2009-01-07 17:19 <DIR> --d----- C:\Killer Stuff

2009-01-07 17:18 <DIR> --d----- C:\!KillBox

2009-01-06 22:41 <DIR> --d----- c:\docume~1\laycocks\applic~1\F-Secure

2009-01-06 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure

2009-01-06 19:46 1,353,973 a--sh--- c:\windows\system32\slngntlt.ini

2009-01-06 18:50 1,353,973 a--sh--- c:\windows\system32\oxhunnse.ini

2008-12-29 02:31 45,056 a------- c:\windows\system32\mlJAsQih.dll

2008-12-29 00:39 1,762,028 a--sh--- c:\windows\system32\lfnooslc.ini

2008-12-26 02:49 1,762,028 a--sh--- c:\windows\system32\jqhqfuok.ini

2008-12-21 10:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg

2008-12-20 19:46 <DIR> --d----- C:\fsaua.data

2008-12-20 16:50 <DIR> --d----- c:\temp\REX81

2008-12-20 16:50 <DIR> --d----- c:\windows\system32\foi

2008-12-20 16:41 1,668,120 a--sh--- c:\windows\system32\fyecmtfi.ini

==================== Find3M ====================

2008-12-29 01:08 10,740 a------- c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-29 01:08 805 a------- c:\windows\system32\drivers\SYMEVENT.INF

2008-11-26 04:04 14,154 a------- c:\docume~1\laycocks\applic~1\wklnhst.dat

2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll

2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll

2008-10-16 05:20 667,648 a------- c:\windows\system32\wininet.dll

2008-05-21 17:31 133,160 ac------ c:\docume~1\laycocks\applic~1\GDIPFONTCACHEV1.DAT

2006-09-19 00:24 81,920 ac------ c:\docume~1\laycocks\applic~1\ezpinst.exe

2006-09-19 00:24 47,360 ac------ c:\docume~1\laycocks\applic~1\pcouffin.sys

2006-09-13 00:18 774,144 ac------ c:\program files\RngInterstitial.dll

============= FINISH: 1:08:20.50 ===============

Attach.txt



1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\jaqretoj.ini
c:\windows\system32\slngntlt.ini
c:\windows\system32\oxhunnse.ini
c:\windows\system32\mlJAsQih.dll
c:\windows\system32\lfnooslc.ini
c:\windows\system32\jqhqfuok.ini
c:\windows\system32\fyecmtfi.ini

Folder::
c:\windows\system32\foi
c:\temp\REX81

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScriptB-4.gif)

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt

=========

Then update Malwarebytes and run a quick scan on the system, then quarantine what it finds and post the resulting log here please.

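As an added worked example (it is not part of the helper's post, nor ComboFix's or Malwarebytes' own code): the CFScript above clears AppInit_DLLs and resets the LSA Authentication Packages list to just msv1_0, and the ComboFix "Reg Loading Points" sections earlier in the thread are where those indicators, plus the Security Center and NoAutoUpdate tampering and the rundll32-loaded Run entry, are visible. The Python script below parses that section format as it appears in these logs, flags each of those indicators, and decodes the REG_MULTI_SZ `hex(7):` value the CFScript writes so the reader can see it is exactly `msv1_0`. SAMPLE_LOG is a constructed, condensed copy of the entries posted above; the line formats are assumed from the logs in this thread, not from any ComboFix specification.

```python
"""Added example: flag the persistence and defense-evasion indicators that a
ComboFix 'Reg Loading Points' section exposes, and show what the CFScript's
REG_MULTI_SZ line restores.  Line formats mirror the logs in this thread;
SAMPLE_LOG is a constructed, condensed copy of entries seen above."""
import re

# Constructed sample, condensed from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"380a59d7"="c:\windows\system32\joterqaj.dll" [BU]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yvmlrx.dll frjicl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\jkkJCsrR

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix prints the LSA value in its own format rather than .reg syntax.
LSA_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")

# Security Center values that, when set to 1, silence or disable protection warnings.
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify",
                         "updatesdisablenotify", "disablemonitoring"}


def parse_reg_points(text):
    """Yield (key, value name, raw data) for each value line under its [key]."""
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = LSA_RE.match(line)
        if m:
            yield key, "Authentication Packages", m.group("pkgs").strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("data").strip()


def audit(text):
    """Return human-readable findings for the indicators this thread's logs show."""
    findings = []
    for key, name, data in parse_reg_points(text):
        lname = name.lower()
        if key.endswith(r"\currentversion\windows") and lname == "appinit_dlls":
            # Any DLL listed here is mapped into every process that loads user32.
            if data and data != '""':
                findings.append(f"AppInit_DLLs is populated: {data}")
        elif key.endswith(r"\control\lsa") and lname == "authentication packages":
            # Only msv1_0 belongs here on XP; anything extra runs inside lsass.
            extra = [p for p in data.split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(f"Extra LSA authentication package: {' '.join(extra)}")
        elif "security center" in key and lname in SECURITY_CENTER_FLAGS:
            if data.lower().startswith("dword:") and int(data[6:], 16) == 1:
                findings.append(f"Security Center {name}=1 under [{key}]")
        elif key.endswith(r"\policies\explorer") and lname == "noautoupdate":
            if data.startswith("1"):
                findings.append("NoAutoUpdate policy is set (Windows Update blocked)")
        elif key.endswith(r"\currentversion\run"):
            # A Run value naming a bare DLL gets loaded through rundll32 at logon.
            target = data.split('"')[1] if data.startswith('"') else data
            if target.lower().endswith(".dll"):
                findings.append(f"Run value {name!r} points at a DLL: {target}")
    return findings


def decode_multi_sz(hex7):
    """Decode a REGEDIT4 'hex(7):..' REG_MULTI_SZ (one byte per character)."""
    body = hex7.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    # REG_MULTI_SZ is a run of NUL-terminated strings closed by an extra NUL.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz: build the hex(7) text a CFScript would use."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("FLAG:", finding)
    # The CFScript line in the post above resets the LSA list to just msv1_0.
    print(decode_multi_sz("hex(7):6d,73,76,31,5f,30,00,00"))
```

Running it against the sample prints one line per indicator and then `['msv1_0']`, which is why the Registry:: section of the CFScript writes `6d,73,76,31,5f,30,00,00`: the six bytes of `msv1_0`, its terminating NUL, and the NUL that closes the list. The same audit run over the "Reg Loading Points" section of a post-fix log should report nothing for the LSA and AppInit_DLLs keys.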

Here is the log.

ComboFix 09-01-10.02 - Laycocks 2009-01-11 10:23:49.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.1071 [GMT -5:00]

Running from: c:\documents and settings\Laycocks\Desktop\Combo-Fix.exe

Command switches used :: E:\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\windows\system32\fyecmtfi.ini

c:\windows\system32\jaqretoj.ini

c:\windows\system32\jqhqfuok.ini

c:\windows\system32\lfnooslc.ini

c:\windows\system32\mlJAsQih.dll

c:\windows\system32\oxhunnse.ini

c:\windows\system32\slngntlt.ini

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\temp\REX81

c:\temp\REX81\BDF.log

c:\windows\system32\foi

c:\windows\system32\fyecmtfi.ini

c:\windows\system32\jaqretoj.ini

c:\windows\system32\jqhqfuok.ini

c:\windows\system32\lfnooslc.ini

c:\windows\system32\mlJAsQih.dll

c:\windows\system32\oxhunnse.ini

c:\windows\system32\slngntlt.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com

.

((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))

.

2009-01-11 01:05 . 2009-01-11 01:05 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\Malwarebytes

2009-01-11 00:18 . 2009-01-11 00:18 <DIR> d-------- C:\_OTMoveIt

2009-01-09 21:57 . 2009-01-09 21:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-09 21:57 . 2009-01-11 01:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-09 21:34 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-09 21:34 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-07 17:19 . 2009-01-09 23:57 <DIR> d-------- C:\Killer Stuff

2009-01-07 17:18 . 2009-01-07 17:18 <DIR> d-------- C:\!KillBox

2009-01-06 22:41 . 2009-01-06 22:41 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\F-Secure

2009-01-06 22:30 . 2009-01-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\F-Secure

2008-12-21 10:46 . 2008-12-26 02:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg

2008-12-20 19:46 . 2008-12-20 19:46 <DIR> d-------- C:\fsaua.data

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-11 04:41 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-07 01:48 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-07 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-29 06:08 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2008-12-29 06:08 10,740 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-21 00:42 --------- d-----w c:\program files\SopCast

2008-11-28 05:16 --------- d-----w c:\program files\QuickTime

2008-11-27 17:39 --------- d-----w c:\program files\iTunes

2008-11-27 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-11-27 17:35 --------- d-----w c:\program files\iPod

2008-11-27 17:35 --------- d-----w c:\program files\Common Files\Apple

2008-11-27 17:21 --------- d-----w c:\program files\Safari

2008-11-26 09:04 14,154 ----a-w c:\documents and settings\Laycocks\Application Data\wklnhst.dat

2008-11-24 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC

2008-11-15 03:00 --------- d-----w c:\program files\Morpheus

2008-05-21 22:31 133,160 -c--a-w c:\documents and settings\Laycocks\Application Data\GDIPFONTCACHEV1.DAT

2006-09-19 05:24 81,920 -c--a-w c:\documents and settings\Laycocks\Application Data\ezpinst.exe

2006-09-19 05:24 47,360 -c--a-w c:\documents and settings\Laycocks\Application Data\pcouffin.sys

2006-09-13 05:18 774,144 -c--a-w c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((( snapshot@2009-01-11_ 0.57.10.10 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-11 05:28:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-01-11 06:00:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-01-11 05:28:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-01-11 06:00:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-11 05:28:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-11 06:00:00 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-11 15:27:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-05-04 36864]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-05-04 53248]

"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

"ATI Launchpad"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-10 77891]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"F-Secure Manager"="c:\program files\COGECO Security Services\Common\FSM32.EXE" [BU]

"F-Secure TNB"="c:\program files\COGECO Security Services\FSGUI\TNBUtil.exe" [BU]

"380a59d7"="c:\windows\system32\joterqaj.dll" [BU]

"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]

"Alcmtr"="ALCMTR.EXE" [2004-07-02 c:\windows\ALCMTR.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.UYVY"= c:\windows\system32\msyuv.dll

"VIDC.YUY2"= ATIVYUY.DLL

"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance Trial\\MW4.exe"=

"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-03-30 173824]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-03-30 29184]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys --> c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys [?]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-01-12 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-01-12 85696]

S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys [?]

S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{019f7bfa-dd09-11dd-a766-00132057a270}]

\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2acb4399-dc4c-11dd-a75e-00132057a270}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654267062666774

.

Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-11 c:\windows\Tasks\uhbjlxmv.job

- c:\windows\system32\rundll32.exe [2004-08-10 07:00]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\Laycocks\Application Data\Mozilla\Firefox\Profiles\igth902o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\documents and settings\Laycocks\Application Data\Mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-11 10:27:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-262542382-820493166-2832226997-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\windows\system32\HPZipm12.exe

c:\windows\ehome\RMSvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\ehome\McrdSvc.exe

c:\windows\system32\dllhost.exe

c:\windows\ehome\ehmsas.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-01-11 10:32:41 - machine was rebooted [Laycocks]

ComboFix-quarantined-files.txt 2009-01-11 15:31:43

ComboFix2.txt 2009-01-11 05:59:08

Pre-Run: 48,051,662,848 bytes free

Post-Run: 48,030,658,560 bytes free

222 --- E O F --- 2008-12-19 00:22:05


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Kahdah, I currently do not have an anti-virus program installed (uninstalled after infection). The machine has not been hooked up to the net and I have been working with a different comp. for downloads and just transferring files. Would it be OK to load an anti-virus software before proceeding to the next step and allowing Malwarebytes to search for an upgrade?


Ran Malwarebytes but was unable to update; the computer did not want to acquire an IP address (I will work on this). Ran it anyways (v1.32) and here is the log.

Malwarebytes' Anti-Malware 1.32

Database version: 1616

Windows 5.1.2600 Service Pack 2

13/01/2009 4:08:38 PM

mbam-log-2009-01-13 (16-08-38).txt

Scan type: Quick Scan

Objects scanned: 63923

Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\380a59d7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\reset.cmd (Trojan.Agent) -> Quarantined and deleted successfully.

When I finished running the scan, Spy-Bot came up with a choice to allow or deny a change of a System Startup global entry. The change was: Value deleted, Entry: 380a59d7, old data: rundll32.exe "c:\windows\system32\joterqaj.dll".b

I ran Malwarebytes again; it found one infected object and here is the log.

Malwarebytes' Anti-Malware 1.32

Database version: 1616

Windows 5.1.2600 Service Pack 2

13/01/2009 4:20:56 PM

mbam-log-2009-01-13 (16-20-56).txt

Scan type: Quick Scan

Objects scanned: 63967

Time elapsed: 1 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\380a59d7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please uninstall Spybot for now; it interferes with the removal.

It blocked a registry deletion from happening. That is why that error was present on startup, and that is why MalwareBytes found the same item twice.

Click here to download HJTInstall.exe

  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Here is the HJT log

Logfile of HijackThis v1.99.1

Scan saved at 4:53:05 PM, on 14/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Multimedia\main\ATISched.EXE

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Killer Stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b

O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE

O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.cogeco.ca/en/OLS3.3/fscax.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - Unknown owner - C:\Program Files\COGECO Security Services\FSAUA\program\fsaua.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Please re-open Hijackthis and click on "Do a system scan only"

Then place a check mark next to the entry below:

O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b

Now click on Fix Checked and then close Hijackthis.

========================================================

Cleanup:

Please download OTCleanIt from Here and save it to your desktop.

Double click on OTCleanIt to run it.

Then click on Clean up.

Restart your computer when prompted.

This will remove what tools we used.

===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

======================

Delete/uninstall anything else that we have used.

System Restore

Then I will need you to reset your System Restore points.

The link below shows how to create a clean restore point.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual

=====================================

After that your log is clean.

The following is a list of tools and utilities that I like to suggest to people.

You do not have to have all or any of them they are only suggestions.

This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.
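The two helper posts above both turn on the same autostart entry: the `[380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b` Run value that Malwarebytes removed, TeaTimer restored, and HijackThis was finally asked to fix. As an added example (not code from this thread or from any of the tools it mentions), the Python script below triages the O4 lines of a HijackThis log and flags rundll32-based DLL loaders, listing the traits that make such an entry stand out in this log: a DLL dropped in system32, a value name that is a bare hex string, and a single-letter export. The sample lines are copied from the HJT log posted earlier in the thread; the hex-name and single-letter-export rules are heuristics of my own, not HijackThis or Malwarebytes logic.

```python
import re

# HijackThis "O4" autostart line: hive, Run-type key, value name in [brackets], then the command.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\] (?P<command>.*)$'
)

# rundll32 asked to load a DLL and call one of its exports:  rundll32.exe "path\x.dll",export
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Heuristic (my assumption, not a HijackThis rule): a value name made only of hex digits
# is typical of generated names such as the 380a59d7 entry in the log above.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)

# Sample input copied from the HijackThis log posted earlier in this thread.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [380a59d7] rundll32.exe "C:\WINDOWS\system32\joterqaj.dll",b',
    r'O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide',
    r'O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe',
]


def parse_o4(line):
    """Return the fields of an O4 Run entry as a dict, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Score one O4 entry. Returns a finding dict for rundll32 DLL loaders, else None.

    Only commands that load a DLL through rundll32 are scored at all; the remaining
    traits just add reasons to such an entry so the reader can see why it stands out.
    """
    m = RUNDLL_RE.match(entry['command'])
    if not m:
        return None
    dll, export = m.group('dll'), m.group('export')
    reasons = ['rundll32 loads "%s" and calls export "%s"' % (dll, export)]
    if HEX_NAME_RE.match(entry['name']):
        reasons.append('value name "%s" is a bare hex string' % entry['name'])
    if '\\system32\\' in dll.lower():
        reasons.append('DLL was placed in system32, next to legitimate OS files')
    if len(export) == 1:
        reasons.append('single-letter export name "%s"' % export)
    return dict(entry, dll=dll, export=export, reasons=reasons)


def triage(lines):
    """Run every line of a HijackThis log through parse_o4/classify; return the findings."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def format_report(findings):
    """Render findings as the lines a helper would paste back into a thread."""
    out = []
    for f in findings:
        out.append('%s\\..\\%s [%s] -> %s' % (f['hive'], f['key'], f['name'], f['command']))
        for r in f['reasons']:
            out.append('    - ' + r)
    return '\n'.join(out) if out else 'no rundll32 DLL loaders among the O4 entries'


if __name__ == '__main__':
    print(format_report(triage(SAMPLE_HJT_LINES)))
```

Run as-is it reports exactly one entry, the 380a59d7 value, with all four reasons. A clean line such as `[igfxTray] C:\WINDOWS\system32\igfxtray.exe` also lives in system32 but is not reported, because only rundll32 loaders enter the scoring at all; the extra traits only explain an entry that already loads a DLL by export. Feeding a whole saved HJT log through `triage(open(path).read().splitlines())` gives the same list for a real machine.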

