Jump to content

Free help from tech experts
Welcome to Geeks to Go forums. Create a FREE account now to gain access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing topics, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. Best of all, registration and all assistance is 100% free! This message, and all ads will be removed once you sign in.
Create an Account Login to Account

startup msg says error loading dll specified module could not


  • This topic is locked This topic is locked

#1
conbotjuhn

conbotjuhn

    New Member

  • Member
  • Pip
  • 7 posts
hi, wow this is the first time i have ever posted something like this online. i've tried to fix this problem and have gotten to the hijackthis part. this is where i got too nervous about fixing stuff i have no idea about by myself!

tried, but have failed to fix 2 pop up messages i get when i startup my computer. after deleting like 100 trojan horses and spyware things, these message keep saying:

"Error loading C:\Program Files\cpmbkfaj\ixstcbap.dll
The specified module could not be found"

"Error loading C:\WINDOWS\system32\osqznsmOkZ.dll
The specified module could not be found"


Sincerest thanks to anyone who can help me fix this problem.


here is the hijackthis logfile (sorry it's so long):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:40 AM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\juhn\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddressHook Class - {420F61A2-B3BE-4A80-8A68-A2080770CD4C} - C:\Program Files\PC-Clean\PCCleanHModul.dll (file missing)
O2 - BHO: (no name) - {5127D8CD-9FF8-084F-790B-0526A08C1C2E} - C:\Program Files\Xceweqcy\bmkkdors.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: C:\WINDOWS\system32\J8dj3jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\J8dj3jg.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\Hfkr4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Hfkr4g.dll (file missing)
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [huzkjixc] rundll32.exe "C:\Program Files\cpmbkfaj\ixstcbap.dll",Init
O4 - HKLM\..\Run: [xfxporkw] C:\Program Files\Iyvkqafn\xfxporkw.exe
O4 - HKLM\..\Run: [hshqnwzc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hshqnwzc.dll"
O4 - HKLM\..\Run: [jwzqdevu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jwzqdevu.dll"
O4 - HKLM\..\Run: [ysnfbycz] C:\Program Files\Ssayodeb\ysnfbycz.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\Documents and Settings\All Users\Favorites\AHSQEHFU.exe
O4 - HKLM\..\Policies\Explorer\Run: [fXqIUgYs02] rundll32.exe "C:\WINDOWS\system32\osqznsmOkZ.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A566849C-86CC-41D5-B5CE-E3761F679384}: NameServer = 85.255.116.171,85.255.112.179
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.171 85.255.112.179
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.171 85.255.112.179
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.171 85.255.112.179
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O21 - SSODL: xWfdpaBVuabQk - {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\J8dj3jg.dll (file missing)
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Hfkr4g.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft PS Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)

--
End of file - 7599 bytes
  • 0

Similar Topics: startup msg says error loading dll specified module could not     x


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
conbotjuhn

conbotjuhn

    New Member

  • Member
  • Pip
  • 7 posts
thanks! here's what you asked for:

Deckard's System Scanner v20071014.68
Run by juhn on 2008-02-12 20:06:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
21: 2008-02-13 04:06:14 UTC - RP106 - Deckard's System Scanner Restore Point
20: 2008-02-11 20:14:55 UTC - RP105 - System Checkpoint
19: 2008-02-10 18:27:55 UTC - RP104 - Installed AVG 7.5
18: 2008-02-10 07:16:25 UTC - RP103 - Configured AVG 7.5
17: 2008-02-10 04:16:15 UTC - RP102 - Installed AVG 7.5


-- First Restore Point --
1: 2007-11-20 03:31:14 UTC - RP86 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as juhn.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:42 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\juhn\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\juhn\Desktop\juhn.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddressHook Class - {420F61A2-B3BE-4A80-8A68-A2080770CD4C} - C:\Program Files\PC-Clean\PCCleanHModul.dll (file missing)
O2 - BHO: (no name) - {5127D8CD-9FF8-084F-790B-0526A08C1C2E} - C:\Program Files\Xceweqcy\bmkkdors.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [huzkjixc] rundll32.exe "C:\Program Files\cpmbkfaj\ixstcbap.dll",Init
O4 - HKLM\..\Run: [xfxporkw] C:\Program Files\Iyvkqafn\xfxporkw.exe
O4 - HKLM\..\Run: [hshqnwzc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hshqnwzc.dll"
O4 - HKLM\..\Run: [jwzqdevu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jwzqdevu.dll"
O4 - HKLM\..\Run: [ysnfbycz] C:\Program Files\Ssayodeb\ysnfbycz.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\Documents and Settings\All Users\Favorites\AHSQEHFU.exe
O4 - HKLM\..\Policies\Explorer\Run: [fXqIUgYs02] rundll32.exe "C:\WINDOWS\system32\osqznsmOkZ.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A566849C-86CC-41D5-B5CE-E3761F679384}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: xWfdpaBVuabQk - {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft PS Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)

--
End of file - 7377 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 sysrest.sys - c:\windows\system32\sysrest.sys

S2 burito518e-5335 - c:\windows\system32\burito518e-5335.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Microsoft PS Service - c:\windows\system32\_svchost.exe -a (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-01-12 and 2008-02-12 -----------------------------

2008-02-12 12:55:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 10:06:14 0 dr-h----- C:\Documents and Settings\juhn\Recent
2008-02-12 09:40:18 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-10 10:28:29 0 d-------- C:\Documents and Settings\juhn\Application Data\AVG7
2008-02-10 10:28:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 00:13:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-09 23:41:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-09 23:41:38 0 d-------- C:\Documents and Settings\juhn\Application Data\Mozilla
2008-02-09 23:30:22 0 d-------- C:\Documents and Settings\juhn\Application Data\Grisoft
2008-02-09 20:16:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 18:36:11 0 d-------- C:\Documents and Settings\juhn\Application Data\InfeStop.com
2008-02-09 18:28:09 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-09 18:27:02 0 d-------- C:\WINDOWS\system32\appmgmt
2008-02-09 18:15:45 0 d-------- C:\Documents and Settings\juhn\Application Data\spy-rid.com
2008-02-09 18:15:17 0 d-------- C:\WINDOWS\phvdvvtm
2008-02-09 18:14:45 0 d-------- C:\Documents and Settings\juhn\Application Data\EasySpywareCleaner.com
2008-02-09 18:06:09 18991 --a------ C:\WINDOWS\system32\k.dat
2008-02-09 18:05:59 0 d-------- C:\WINDOWS\PerfInfo
2008-02-09 18:05:28 0 d-------- C:\Documents and Settings\LocalService\Application Data\EasySpywareCleaner.com
2008-02-09 18:04:56 153 --a------ C:\WINDOWS\system32\delFSF.bat
2008-02-09 18:04:30 8 --a------ C:\WINDOWS\system32\1548230851
2008-02-09 18:04:28 0 d-------- C:\WINDOWS\system32\LogFiles
2008-02-09 15:08:54 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-02-09 15:08:44 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-02-09 15:06:23 36864 --a------ C:\WINDOWS\system32\herjt372.exe


-- Find3M Report ---------------------------------------------------------------

2008-02-09 18:33:39 0 d-------- C:\Program Files\Common Files
2008-02-09 18:33:39 0 d-------- C:\Program Files\Ahead
2008-02-07 13:36:11 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-07 20:37:42 0 d-------- C:\Documents and Settings\juhn\Application Data\MSNInstaller
2008-01-06 22:53:04 0 d-------- C:\Documents and Settings\juhn\Application Data\U3
2008-01-06 19:24:51 0 d-------- C:\Program Files\MSECache


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5127D8CD-9FF8-084F-790B-0526A08C1C2E}]
C:\Program Files\Xceweqcy\bmkkdors.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]
C:\WINDOWS\system32\pgd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 05:07 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/03/2004 05:07 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 05:07 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 05:07 PM]
"PC-Clean"="C:\Program Files\PC-Clean\PC-Clean.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 07:24 PM]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [06/24/2002 06:11 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 10:46 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"huzkjixc"="C:\Program Files\cpmbkfaj\ixstcbap.dll" []
"xfxporkw"="C:\Program Files\Iyvkqafn\xfxporkw.exe" []
"hshqnwzc"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\hshqnwzc.dll" []
"jwzqdevu"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\jwzqdevu.dll" []
"ysnfbycz"="C:\Program Files\Ssayodeb\ysnfbycz.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/10/2008 10:30 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/10/2008 10:30 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 05:07 PM]
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"jkdfj94kgdftdf"=C:\WINDOWS\TEMP\winlogan.exe

C:\Documents and Settings\juhn\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 6:16:50 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"DF"=C:\Documents and Settings\All Users\Favorites\AHSQEHFU.exe
"fXqIUgYs02"=rundll32.exe "C:\WINDOWS\system32\osqznsmOkZ.dll",DllCleanServer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xWfdpaBVuabQk"= {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdupt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{068de23e-05c0-11dc-9f3a-000c6e20cb59}]
AutoRun\command- G:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7902 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-12 20:08:30 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 255.53 MiB / 79.37 MiB
Pagefile Memory (total/avail): 618.09 MiB / 318.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.59 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 34.18 GiB total, 28.19 GiB free.
D: is Fixed (NTFS) - 3.08 GiB total, 3.06 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC35L060AVV207-0 - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 34.18 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 3.08 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\herjt376.exe"="C:\\WINDOWS\\system32\\herjt376.exe:*:Enabled:Enabled"
"C:\\Documents and Settings\\juhn\\Local Settings\\Temp\\.ttA.tmp"="C:\\Documents and Settings\\juhn\\Local Settings\\Temp\\.ttA.tmp:*:Enabled:enable"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\WINDOWS\\system32\\wmedia32.exe"="C:\\WINDOWS\\system32\\wmedia32.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\juhn\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JUHNCOM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\juhn
LOGONSERVER=\\JUHNCOM
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\juhn\LOCALS~1\Temp
TMP=C:\DOCUME~1\juhn\LOCALS~1\Temp
USERDOMAIN=JUHNCOM
USERNAME=juhn
USERPROFILE=C:\Documents and Settings\juhn
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

juhn (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe?Photoshop?Album Starter Edition 3.0.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\juhn\Desktop\HijackThis.exe" /uninstall
Korean Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5670-0000-800000000003}
Lexmark X74-X75 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBBUN5C.EXE -dLexmark X74-X75
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Peachtree Complete Accounting 2006 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4712DD15-D681-4BDF-B623-9D4F33550F44}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1802 / Error
Event Submitted/Written: 02/12/2008 01:56:35 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1768 / Error
Event Submitted/Written: 02/10/2008 09:21:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1767 / Error
Event Submitted/Written: 02/10/2008 09:21:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1748 / Error
Event Submitted/Written: 02/09/2008 11:38:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1747 / Error
Event Submitted/Written: 02/09/2008 11:38:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9483 / Error
Event Submitted/Written: 02/12/2008 07:59:29 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
sisagp

Event Record #/Type9482 / Error
Event Submitted/Written: 02/12/2008 07:59:29 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The burito518e-5335 service failed to start due to the following error:
%%2

Event Record #/Type9460 / Error
Event Submitted/Written: 02/12/2008 06:56:45 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
sisagp

Event Record #/Type9459 / Error
Event Submitted/Written: 02/12/2008 06:56:45 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The burito518e-5335 service failed to start due to the following error:
%%2

Event Record #/Type9455 / Error
Event Submitted/Written: 02/12/2008 06:54:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-02-12 20:08:30 ------------
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

* I notice that you have no firewall on your PC, this is extremely dangerous and leaves your PC open to vulnerabilities, so please download and install one of the following programs : ZoneAlarm, Comodo, or
Outpost
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.



Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
conbotjuhn

conbotjuhn

    New Member

  • Member
  • Pip
  • 7 posts
hi there. thanks for that! the link explaining firewalls was really helpful. i've installed zonealarm now.

here are the logfiles you asked for:

ComboFix 08-02-13.2 - juhn 2008-02-13 10:59:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.79 [GMT -8:00]
Running from: C:\Documents and Settings\juhn\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\symavc32.sys
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\fXqIUgYs02sc.exe
C:\WINDOWS\PerfInfo\X1vV8gYs02.exe.bak
C:\WINDOWS\system32\burito.ini
C:\WINDOWS\system32\drivers\GJIJ52.sys
C:\WINDOWS\system32\k.dat
C:\WINDOWS\system32\kdupt.exe
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\n2.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GJIJ52
-------\LEGACY_MSUPDATE
-------\LEGACY_NDISWON
-------\LEGACY_SYMAVC32


((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-13 10:46 . 2008-02-13 11:09 120,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-13 10:46 . 2008-02-13 11:07 3,512 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-13 10:44 . 2008-02-13 10:44 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-13 10:42 . 2008-02-13 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-13 10:42 . 2008-02-13 10:44 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-13 10:41 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-13 10:41 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-13 10:40 . 2008-02-13 10:42 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-13 10:40 . 2008-02-13 10:40 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-13 10:40 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-13 10:40 . 2008-02-13 11:10 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-13 10:36 . 2008-02-13 11:10 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-12 18:55 . 2008-02-12 18:55 29 --a------ C:\WINDOWS\system32\awtuqsgd.tmp
2008-02-12 13:54 . 2008-02-12 14:42 310 --a------ C:\WINDOWS\wininit.ini
2008-02-12 12:55 . 2008-02-12 12:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 12:55 . 2008-02-12 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 11:42 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-12 11:42 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-02-12 09:40 . 2008-02-12 09:40 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-10 10:28 . 2008-02-10 10:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 10:28 . 2008-02-13 10:01 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\AVG7
2008-02-10 00:13 . 2008-02-10 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-09 23:41 . 2008-02-09 23:41 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-09 23:30 . 2008-02-09 23:30 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\Grisoft
2008-02-09 23:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-09 23:29 . 2008-02-09 23:29 14,113,576 --a------ C:\Program Files\avgas-setup-7.5.1.43-3339.exe
2008-02-09 20:16 . 2008-02-10 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 20:08 . 2008-02-09 20:08 31,768,752 --a------ C:\Program Files\avg75free_516a1225.exe
2008-02-09 18:52 . 2008-02-09 18:52 29,184 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-02-09 18:52 . 2008-02-13 10:48 15,328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-02-09 18:36 . 2008-02-09 18:36 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\InfeStop.com
2008-02-09 18:28 . 2008-02-09 18:28 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-09 18:15 . 2008-02-09 18:15 <DIR> d-------- C:\WINDOWS\phvdvvtm
2008-02-09 18:15 . 2008-02-09 18:15 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\spy-rid.com
2008-02-09 18:14 . 2008-02-09 18:14 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\EasySpywareCleaner.com
2008-02-09 18:05 . 2008-02-09 18:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\EasySpywareCleaner.com
2008-02-09 18:04 . 2008-02-09 18:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-09 18:04 . 2008-02-09 18:04 153 --a------ C:\WINDOWS\system32\delFSF.bat
2008-02-09 18:04 . 2008-02-09 18:04 8 --a------ C:\WINDOWS\system32\1548230851
2008-02-09 15:06 . 2008-02-09 15:06 36,864 --a------ C:\WINDOWS\system32\herjt372.exe
2008-02-09 15:05 . 2008-02-09 18:04 44 --a------ C:\WINDOWS\system32\svchost.t__
2008-02-09 15:03 . 2008-02-09 22:10 486 --a------ C:\WINDOWS\system32\svchost.tmp
2008-01-22 21:15 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-01-22 21:15 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-01-22 21:15 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 02:33 --------- d-----w C:\Program Files\Ahead
2008-02-07 21:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 04:37 --------- d-----w C:\Documents and Settings\juhn\Application Data\MSNInstaller
2008-01-07 06:53 --------- d-----w C:\Documents and Settings\juhn\Application Data\U3
2008-01-07 03:24 --------- d-----w C:\Program Files\MSECache
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5127D8CD-9FF8-084F-790B-0526A08C1C2E}]
C:\Program Files\Xceweqcy\bmkkdors.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-13 10:44 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 17:07 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 17:07 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:07 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:07 455168]
"PC-Clean"="C:\Program Files\PC-Clean\PC-Clean.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 32768]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 18:11 57344]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"xfxporkw"="C:\Program Files\Iyvkqafn\xfxporkw.exe" [ ]
"ysnfbycz"="C:\Program Files\Ssayodeb\ysnfbycz.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 10:30 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 10:28 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DF"= C:\Documents and Settings\All Users\Favorites\AHSQEHFU.exe
"fXqIUgYs02"= rundll32.exe "C:\WINDOWS\system32\osqznsmOkZ.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xWfdpaBVuabQk"= {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll [ ]

S2 burito518e-5335;burito518e-5335;C:\WINDOWS\system32\burito518e-5335.sys []
S2 Microsoft PS Service;Microsoft PS Service;C:\WINDOWS\system32\_svchost.exe []
S3 sysrest.sys;sysrest.sys;C:\WINDOWS\system32\sysrest.sys [2008-02-13 10:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{068de23e-05c0-11dc-9f3a-000c6e20cb59}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 11:09:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-13 11:14:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 19:14:42





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:53 AM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\juhn\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddressHook Class - {420F61A2-B3BE-4A80-8A68-A2080770CD4C} - C:\Program Files\PC-Clean\PCCleanHModul.dll (file missing)
O2 - BHO: (no name) - {5127D8CD-9FF8-084F-790B-0526A08C1C2E} - C:\Program Files\Xceweqcy\bmkkdors.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [xfxporkw] C:\Program Files\Iyvkqafn\xfxporkw.exe
O4 - HKLM\..\Run: [ysnfbycz] C:\Program Files\Ssayodeb\ysnfbycz.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\Documents and Settings\All Users\Favorites\AHSQEHFU.exe
O4 - HKLM\..\Policies\Explorer\Run: [fXqIUgYs02] rundll32.exe "C:\WINDOWS\system32\osqznsmOkZ.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A566849C-86CC-41D5-B5CE-E3761F679384}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: xWfdpaBVuabQk - {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft PS Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7138 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\awtuqsgd.tmp
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\delFSF.bat
C:\WINDOWS\system32\1548230851
C:\WINDOWS\system32\herjt372.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\Documents and Settings\All Users\Favorites\AHSQEHFU.exe
C:\WINDOWS\system32\osqznsmOkZ.dll

Folder::
C:\WINDOWS\phvdvvtm
C:\Program Files\Xceweqcy
C:\Program Files\Iyvkqafn
C:\Program Files\Ssayodeb

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{068de23e-05c0-11dc-9f3a-000c6e20cb59}]

Driver::
burito518e-5335
Microsoft PS Service
sysrest.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
  • 0

#7
conbotjuhn

conbotjuhn

    New Member

  • Member
  • Pip
  • 7 posts
hi rorschach. thanks SO much. i feel like my computer is slowing healing thanks to your help.


SDFix report.txt


SDFix: Version 1.142

Run by juhn on 02/13/2008 Wed at 09:06 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft PS Service

Path:
C:\WINDOWS\system32\_svchost.exe -A

Microsoft PS Service - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\AWTUQSGD.TMP - Deleted
C:\WINDOWS\system32\herjt372.exe - Deleted
C:\WINDOWS\system32\delFSF.bat - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\svchost.tmp - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 21:22:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000a1
"TracesSuccessful"=dword:00000003

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\juhn\Application Data\U3\temp\Launchpad Removal.exe"

Finished!



ComboFix.txt

ComboFix 08-02-13.2 - juhn 2008-02-13 21:44:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.84 [GMT -8:00]
Running from: C:\Documents and Settings\juhn\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\juhn\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\All Users\Favorites\AHSQEHFU.exe
C:\WINDOWS\system32\1548230851
C:\WINDOWS\system32\awtuqsgd.tmp
C:\WINDOWS\system32\delFSF.bat
C:\WINDOWS\system32\herjt372.exe
C:\WINDOWS\system32\osqznsmOkZ.dll
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\phvdvvtm
C:\WINDOWS\phvdvvtm\1.png
C:\WINDOWS\phvdvvtm\2.png
C:\WINDOWS\phvdvvtm\3.png
C:\WINDOWS\phvdvvtm\4.png
C:\WINDOWS\phvdvvtm\5.png
C:\WINDOWS\phvdvvtm\6.png
C:\WINDOWS\phvdvvtm\bottom-rc.gif
C:\WINDOWS\phvdvvtm\content.png
C:\WINDOWS\phvdvvtm\download.gif
C:\WINDOWS\phvdvvtm\frame-bottom-left.gif
C:\WINDOWS\phvdvvtm\frame-h1bg.gif
C:\WINDOWS\phvdvvtm\head.png
C:\WINDOWS\phvdvvtm\indexsc.html
C:\WINDOWS\phvdvvtm\indexsd.html
C:\WINDOWS\phvdvvtm\main.css
C:\WINDOWS\phvdvvtm\net.png
C:\WINDOWS\phvdvvtm\pc-mag.gif
C:\WINDOWS\phvdvvtm\pc.gif
C:\WINDOWS\phvdvvtm\poloska1.png
C:\WINDOWS\phvdvvtm\poloska2.png
C:\WINDOWS\phvdvvtm\poloska3.png
C:\WINDOWS\phvdvvtm\promosc1.html
C:\WINDOWS\phvdvvtm\promosc2.html
C:\WINDOWS\phvdvvtm\promosc3.html
C:\WINDOWS\phvdvvtm\promosc4.html
C:\WINDOWS\phvdvvtm\promosc5.html
C:\WINDOWS\phvdvvtm\promosd1.html
C:\WINDOWS\phvdvvtm\promosd2.html
C:\WINDOWS\phvdvvtm\promosd3.html
C:\WINDOWS\phvdvvtm\promosd4.html
C:\WINDOWS\phvdvvtm\promosd5.html
C:\WINDOWS\phvdvvtm\reg.png
C:\WINDOWS\phvdvvtm\repair.png
C:\WINDOWS\phvdvvtm\scr-1.png
C:\WINDOWS\phvdvvtm\scr-2.png
C:\WINDOWS\phvdvvtm\scr-3.png
C:\WINDOWS\phvdvvtm\scr-4.png
C:\WINDOWS\phvdvvtm\styles.css
C:\WINDOWS\phvdvvtm\top-rc.gif
C:\WINDOWS\phvdvvtm\vline.gif
C:\WINDOWS\system32\1548230851
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BURITO518E-5335
-------\LEGACY_SYSREST.SYS
-------\burito518e-5335
-------\sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-13 21:04 . 2008-02-13 21:04 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-13 17:29 . 2008-02-13 21:23 <DIR> d-------- C:\SDFix
2008-02-13 10:46 . 2008-02-13 21:52 200,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-13 10:46 . 2008-02-13 21:49 4,424 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-13 10:44 . 2008-02-13 10:44 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-13 10:42 . 2008-02-13 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-13 10:42 . 2008-02-13 10:44 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-13 10:41 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-13 10:41 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-13 10:40 . 2008-02-13 10:42 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-13 10:40 . 2008-02-13 10:40 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-13 10:40 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-13 10:40 . 2008-02-13 21:50 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-13 10:36 . 2008-02-13 21:37 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-12 13:54 . 2008-02-12 14:42 310 --a------ C:\WINDOWS\wininit.ini
2008-02-12 12:55 . 2008-02-12 12:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 12:55 . 2008-02-12 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 11:42 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-12 11:42 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-02-12 09:40 . 2008-02-12 09:40 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-10 10:28 . 2008-02-10 10:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 10:28 . 2008-02-13 10:01 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\AVG7
2008-02-10 00:13 . 2008-02-10 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-09 23:41 . 2008-02-09 23:41 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-09 23:30 . 2008-02-09 23:30 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\Grisoft
2008-02-09 23:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-09 23:29 . 2008-02-09 23:29 14,113,576 --a------ C:\Program Files\avgas-setup-7.5.1.43-3339.exe
2008-02-09 20:16 . 2008-02-10 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 20:08 . 2008-02-09 20:08 31,768,752 --a------ C:\Program Files\avg75free_516a1225.exe
2008-02-09 18:36 . 2008-02-09 18:36 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\InfeStop.com
2008-02-09 18:28 . 2008-02-09 18:28 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-09 18:15 . 2008-02-09 18:15 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\spy-rid.com
2008-02-09 18:14 . 2008-02-09 18:14 <DIR> d-------- C:\Documents and Settings\juhn\Application Data\EasySpywareCleaner.com
2008-02-09 18:05 . 2008-02-09 18:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\EasySpywareCleaner.com
2008-02-09 18:04 . 2008-02-09 18:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-22 21:15 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-01-22 21:15 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-01-22 21:15 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-01-22 21:15 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 02:33 --------- d-----w C:\Program Files\Ahead
2008-02-07 21:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 04:37 --------- d-----w C:\Documents and Settings\juhn\Application Data\MSNInstaller
2008-01-07 06:53 --------- d-----w C:\Documents and Settings\juhn\Application Data\U3
2008-01-07 03:24 --------- d-----w C:\Program Files\MSECache
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5127D8CD-9FF8-084F-790B-0526A08C1C2E}]
C:\Program Files\Xceweqcy\bmkkdors.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-13 10:44 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 17:07 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 17:07 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:07 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:07 455168]
"PC-Clean"="C:\Program Files\PC-Clean\PC-Clean.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 32768]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 18:11 57344]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"xfxporkw"="C:\Program Files\Iyvkqafn\xfxporkw.exe" [ ]
"ysnfbycz"="C:\Program Files\Ssayodeb\ysnfbycz.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 10:30 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 10:28 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xWfdpaBVuabQk"= {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll [ ]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 21:53:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
.
**************************************************************************
.
Completion time: 2008-02-13 21:56:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 05:56:41
ComboFix2.txt 2008-02-13 19:14:55



hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:03 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\juhn\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddressHook Class - {420F61A2-B3BE-4A80-8A68-A2080770CD4C} - C:\Program Files\PC-Clean\PCCleanHModul.dll (file missing)
O2 - BHO: (no name) - {5127D8CD-9FF8-084F-790B-0526A08C1C2E} - C:\Program Files\Xceweqcy\bmkkdors.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [xfxporkw] C:\Program Files\Iyvkqafn\xfxporkw.exe
O4 - HKLM\..\Run: [ysnfbycz] C:\Program Files\Ssayodeb\ysnfbycz.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A566849C-86CC-41D5-B5CE-E3761F679384}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: xWfdpaBVuabQk - {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6852 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yep making progress :)

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: AddressHook Class - {420F61A2-B3BE-4A80-8A68-A2080770CD4C} - C:\Program Files\PC-Clean\PCCleanHModul.dll (file missing)
O2 - BHO: (no name) - {5127D8CD-9FF8-084F-790B-0526A08C1C2E} - C:\Program Files\Xceweqcy\bmkkdors.dll (file missing)
O4 - HKLM\..\Run: [xfxporkw] C:\Program Files\Iyvkqafn\xfxporkw.exe
O4 - HKLM\..\Run: [ysnfbycz] C:\Program Files\Ssayodeb\ysnfbycz.exe
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O21 - SSODL: xWfdpaBVuabQk - {5C4820C4-F6E2-8A6E-5A44-68C877BA1334} - C:\WINDOWS\system32\agkz.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Reboot and post a new HijackThis log
  • 0

#9
conbotjuhn

conbotjuhn

    New Member

  • Member
  • Pip
  • 7 posts
Hi, I fixed the items you outlined in hijackthis. However, I encountered a problem with the second step of your instructions. I successfully downloaded Malwarebytes but during the installation process I received an error message saying: "An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error code: 701(0)."

Sorry, I tried downloading the Malwarebytes from both sites you recommended and I received the same message. :)
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you delete MBAM.exe and it's folder if present, then download it again and install it. Update it and that should fix the problem.

If it fails do this


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#11
conbotjuhn

conbotjuhn

    New Member

  • Member
  • Pip
  • 7 posts
hi rorschach! hope u had a good weekend. here's the txt file from the kaspersky scan. still couldn't get the malwarebytes to work and retried it 4 times. :) not sure what i'm doing wrong!


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 18, 2008 9:48:05 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 570665
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 35906
Number of viruses found: 6
Number of infected objects: 46
Number of suspicious objects: 0
Duration of the scan process: 01:15:00

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\juhn\LOCALS~1\Temp\.tt4.tmp/stream/data0012 Infected: not-a-virus:FraudTool.Win32.AntiVirPro.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\juhn\LOCALS~1\Temp\.tt4.tmp/stream Infected: not-a-virus:FraudTool.Win32.AntiVirPro.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\juhn\LOCALS~1\Temp\.tt4.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\juhn\LOCALS~1\Temp\.tt6.tmp/stream/data0012 Infected: not-a-virus:FraudTool.Win32.AntiVirPro.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\juhn\LOCALS~1\Temp\.tt6.tmp/stream Infected: not-a-virus:FraudTool.Win32.AntiVirPro.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\juhn\LOCALS~1\Temp\.tt6.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\.ttA.tmp/stream/data0010 Infected: not-a-virus:FraudTool.Win32.EasySpywareCleaner.a skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\.ttA.tmp/stream/data0012 Infected: not-a-virus:FraudTool.Win32.AntiVirPro.c skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\.ttA.tmp/stream Infected: not-a-virus:FraudTool.Win32.AntiVirPro.c skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\.ttA.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\juhn\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\juhn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\juhn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\juhn\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\juhn\Local Settings\History\History.IE5\MSHist012008021820080219\index.dat Object is locked skipped
C:\Documents and Settings\juhn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\juhn\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\juhn\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\PerfInfo\fXqIUgYs02sc.exe.vir Infected: not-a-virus:AdWare.Win32.WebSearch.bq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kdupt.exe.vir Infected: Trojan.Win32.DNSChanger.aum skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sysrest.sys.vir Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\SDFix\backups\backups.zip/backups/herjt372.exe Infected: Trojan-Proxy.Win32.Agent.zg skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP101\A0010206.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP101\A0011206.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP101\A0011221.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP101\A0012225.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP101\A0013224.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP102\A0014232.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP102\A0014281.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP102\A0015313.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP102\A0015329.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP103\A0015491.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP104\A0015534.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP104\A0015544.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP104\A0015552.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP104\A0015560.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP105\A0016560.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP105\A0016568.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP105\A0016578.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP105\A0016587.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP105\A0016753.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP105\A0017763.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP105\A0017772.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP106\A0017788.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP106\A0017797.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP106\A0017817.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP107\A0017827.exe Infected: not-a-virus:AdWare.Win32.WebSearch.bq skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP107\A0017845.exe Infected: Trojan.Win32.DNSChanger.aum skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP107\A0017924.exe Infected: Trojan-Proxy.Win32.Agent.zg skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP107\A0017932.exe Infected: Trojan-Proxy.Win32.Agent.zg skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP108\A0017980.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP113\change.log Object is locked skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP99\A0008912.exe Infected: not-a-virus:FraudTool.Win32.EasySpywareCleaner.a skipped
C:\System Volume Information\_restore{1A5EC603-B93A-4D17-AF25-E21CA80442C7}\RP99\A0008913.dll Infected: not-a-virus:FraudTool.Win32.AntiVirPro.c skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\JUHNCOM.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BAD4EEF9-DE39-4E20-8215-9738E25CA26F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT02f63.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06ba7.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post a new HijackThis log and tell me how your PC is running
  • 0

#13
conbotjuhn

conbotjuhn

    New Member

  • Member
  • Pip
  • 7 posts
it's running really slow for some reason?? i've been using firefox as a browser instead and thought i had all the right antivirus and antispyware installed.... how depressing!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:32 AM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\juhn\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A566849C-86CC-41D5-B5CE-E3761F679384}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6974 bytes
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Now lets uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

Edited by Rorschach112, 18 February 2008 - 01:40 PM.

  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured