Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PLEASE HELP, COMPUTER DYING, NEEDS CPR [RESOLVED]


  • This topic is locked This topic is locked

#16
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Are you sure you using an old version ?

Do this

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Check the box beside Scan All User Accounts at the top
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way
  • 0

Advertisements


#17
drpepper23

drpepper23

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
i am only using the links you are giving me and following your directions.
if i am wrong, i apologize but it seems like we are going around in circles between trying to run combofix and then running this program and posting logs.

but then again, you are the computer expert and your help is appreciated.

p.s. i know C:\WINDOWS\SYSTEM32\JKHFC.DLL is a PROBLEM, anything I can do to delete that?

Attached Files


  • 0

#18
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
I know that file is the one causing trouble, however it is not that simple to remove it.

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> nircmd.cfexe -> %SystemDrive%\ComboFix\nircmd.cfe
[Files/Folders - Created Within 30 days]
YY -> ComboFix -> %SystemDrive%\ComboFix
YY -> ComboFix(2) -> %SystemDrive%\ComboFix(2)
YY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
YY -> _OTMoveIt -> %SystemDrive%\_OTMoveIt
[Files Created - Additional Folder Scans - Non-Microsoft Only]
YY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
[Files/Folders - Modified Within 90 days]
YY -> ComboFix -> %SystemDrive%\ComboFix
YY -> ComboFix(2) -> %SystemDrive%\ComboFix(2)
YY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
YY -> _OTMoveIt -> %SystemDrive%\_OTMoveIt
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
YY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.


Then try run ComboFix.exe again, if it fails do this

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#19
drpepper23

drpepper23

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
combo fix of course did not work.

i ran the online virus scan, it took forever and then windows restarted for some reason and i wasnt able to save a file to my desktop.
i ran it again and just targeted the infected file. i got the following:

Infected: not-a-virus:AdWare.Win32.Virtumonde.gen

ill run the online scan again and try to post the results.

if you think it would help, i can get the full version of this virus scanner from a friend, dl it and run that.
  • 0

#20
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do this instead

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Then reboot and do this

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt
  • 0

#21
drpepper23

drpepper23

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
MAIN

Deckard's System Scanner v20071014.68
Run by Ilya Shor on 2008-03-06 11:48:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 5.04 GiB (less than 15%) free.


-- HijackThis (run as Ilya Shor.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:02 AM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRAM FILES\COMMON FILES\NETWORK ASSOCIATES\TALKBACK\TBMON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\desktop\dss.exe
C:\DOCUME~1\ILYASH~1.ICO\Desktop\ILYASH~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D0AB4ADB-F179-482F-9EDF-E1B0BC075055} - C:\WINDOWS\system32\jkhfc.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BM7b4db051] Rundll32.exe "C:\WINDOWS\system32\uvauokui.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-21-1004336348-1078081533-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1078081533-725345543-1004\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://resnet.verif.../CAT/CNICAT.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://bigflash.mic...ash/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...350/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://i.xanga.com/p...lie/header2.jpg

--
End of file - 7513 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ILYASH~1.ICO\Desktop\backups\) --------

backup-20080229-150006-942 O2 - BHO: (no name) - {80251448-BB28-45E8-B655-DFB6FB940B08} - C:\WINDOWS\system32\jkhfc.dll
backup-20080229-150032-238 O2 - BHO: (no name) - {80251448-BB28-45E8-B655-DFB6FB940B08} - C:\WINDOWS\system32\jkhfc.dll
backup-20080229-152552-121 O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Local Settings\Temp\thinksnet.exe
backup-20080229-152552-159 O2 - BHO: (no name) - {80251448-BB28-45E8-B655-DFB6FB940B08} - C:\WINDOWS\system32\jkhfc.dll
backup-20080229-152552-174 O2 - BHO: (no name) - {66DEBAF8-3C4D-4944-B5F5-A629709AB9C9} - (no file)
backup-20080229-152552-195 O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll (file missing)
backup-20080229-152552-301 O2 - BHO: (no name) - {EF8EFD1C-0BE3-4D13-957A-738643AFD590} - (no file)
backup-20080229-152552-311 O4 - S-1-5-21-1004336348-1078081533-725345543-1004 Startup: PowerReg Scheduler V3.exe (User '?')
backup-20080229-152552-366 O4 - Startup: PowerReg Scheduler V3.exe
backup-20080229-152552-478 O2 - BHO: (no name) - {E4C33052-78B6-44B2-A8AA-31DC1FE78759} - (no file)
backup-20080229-152552-546 O20 - Winlogon Notify: jkkkhfd - jkkkhfd.dll (file missing)
backup-20080229-152552-630 O4 - HKLM\..\Run: [BM7b4db051] Rundll32.exe "C:\WINDOWS\system32\wrhshuwc.dll",s
backup-20080229-152552-764 O2 - BHO: (no name) - {75FFC9F0-CB82-43C0-8BB3-395A8EECDEB6} - (no file)
backup-20080229-152552-829 O4 - HKLM\..\Run: [787e83cd] rundll32.exe "C:\WINDOWS\system32\wwrnyyng.dll",b
backup-20080229-185449-507 O4 - HKLM\..\Run: [787e83cd] rundll32.exe "C:\WINDOWS\system32\cxssiyvx.dll",b
backup-20080229-185531-144 O2 - BHO: (no name) - {9795DAB4-EAEC-4BC1-A13C-515689B0CDD5} - C:\WINDOWS\system32\jkhfc.dll
backup-20080301-110842-977 O2 - BHO: (no name) - {9795DAB4-EAEC-4BC1-A13C-515689B0CDD5} - C:\WINDOWS\system32\jkhfc.dll
backup-20080301-110917-877 O20 - Winlogon Notify: jkkkhfd - C:\WINDOWS\
backup-20080301-110947-445 O2 - BHO: (no name) - {9795DAB4-EAEC-4BC1-A13C-515689B0CDD5} - C:\WINDOWS\system32\jkhfc.dll
backup-20080302-131437-738 O2 - BHO: (no name) - {9795DAB4-EAEC-4BC1-A13C-515689B0CDD5} - C:\WINDOWS\system32\jkhfc.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 dsNcAdpt (Juniper Network Connect Adapter) - system32\drivers\dsncadpt.sys (file missing)
3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
2 HPFECP13 - c:\windows\system32\drivers\hpfecp13.sys
3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
1 oreans32 - c:\windows\system32\drivers\oreans32.sys
3 PortTalk - system32\drivers\porttalk.sys (file missing)
3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys <Not Verified; RapidSolution Software AG; Tunebite High-Speed Dubbing>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe
2 McTaskManager (Network Associates Task Manager) - c:\program files\network associates\virusscan\vstskmgr.exe
4 NMIndexingService - c:\program files\common files\ahead\lib\nmindexingservice.exe (file missing)
2 Viewpoint Manager Service - c:\program files\viewpoint\common\viewpointservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\SYSTEM32\svchost.exe (pid 896)
2005-01-14 19:00:00 41018 --a------ C:\WINDOWS\SYSTEM32\entapi.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>

C:\WINDOWS\SYSTEM32\svchost.exe (pid 1140)
2005-01-14 19:00:00 41018 --a------ C:\WINDOWS\SYSTEM32\entapi.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>

C:\WINDOWS\SYSTEM32\svchost.exe (pid 1200)
2003-04-09 21:32:50 114688 --a------ C:\WINDOWS\SYSTEM32\mclsp.dll <Not Verified; Networks Associates Technology, Inc; McAfee LSP>
1997-06-06 19:52:10 11264 --a------ C:\WINDOWS\SYSTEM32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2005-01-14 19:00:00 41018 --a------ C:\WINDOWS\SYSTEM32\entapi.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>

C:\WINDOWS\SYSTEM32\svchost.exe (pid 1860)
2005-01-14 19:00:00 41018 --a------ C:\WINDOWS\SYSTEM32\entapi.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>

C:\WINDOWS\explorer.exe (pid 3596)
2008-02-25 14:31:28 321600 -----n--- C:\WINDOWS\SYSTEM32\jkhfc.dll
2005-01-14 19:00:00 41018 --a------ C:\WINDOWS\SYSTEM32\entapi.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
2008-03-01 00:10:49 8704 --a------ C:\Program Files\Unlocker\UnlockerCOM.dll
2006-12-03 13:53:06 126464 --a------ C:\Program Files\WinRAR\RarExt.dll
2004-09-22 19:00:00 13824 --a------ C:\Program Files\Network Associates\VirusScan\shext.dll <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
2004-09-22 19:00:00 4608 --a------ C:\Program Files\Network Associates\VirusScan\Res09\shextres.dll <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
2003-04-09 21:32:50 114688 --a------ C:\WINDOWS\SYSTEM32\mclsp.dll <Not Verified; Networks Associates Technology, Inc; McAfee LSP>
1997-06-06 19:52:10 11264 --a------ C:\WINDOWS\SYSTEM32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-03-06 10:54:17 92736 --a------ C:\WINDOWS\SYSTEM32\uvauokui.dll
2008-03-06 11:03:17 91200 --a------ C:\WINDOWS\SYSTEM32\hhnkudgc.dll

C:\WINDOWS\SYSTEM32\rundll32.exe (pid 2436)
2008-03-06 10:54:17 92736 --a------ C:\WINDOWS\SYSTEM32\uvauokui.dll

C:\WINDOWS\SYSTEM32\rundll32.exe (pid 444)
2008-03-06 11:03:17 91200 --a------ C:\WINDOWS\SYSTEM32\hhnkudgc.dll
2008-03-06 10:54:17 92736 --a------ C:\WINDOWS\SYSTEM32\uvauokui.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-03-06 03:20:21 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-01-19 21:31:21 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2005-05-15 01:07:00 420 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-02-06 and 2008-03-06 -----------------------------

2008-03-06 11:03:16 91200 --a------ C:\WINDOWS\system32\hhnkudgc.dll
2008-03-06 11:00:16 96320 --a------ C:\WINDOWS\system32\jxclnunb.dll
2008-03-06 10:54:16 92736 --a------ C:\WINDOWS\system32\uvauokui.dll
2008-03-06 03:19:47 0 d-------- C:\WINDOWS\LastGood
2008-03-05 12:22:45 0 d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\DoctorWeb
2008-03-05 12:14:12 66048 --a------ C:\WINDOWS\ieResetIcons.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-05 10:55:42 94784 --a------ C:\WINDOWS\system32\bplwprcx.dll
2008-03-05 10:55:38 89664 --a------ C:\WINDOWS\system32\joysfmcy.dll
2008-03-04 23:52:33 0 d-------- C:\Combo-Fix
2008-03-04 10:58:23 97344 --a------ C:\WINDOWS\system32\ujkvbssl.dll
2008-03-03 10:55:07 90176 --a------ C:\WINDOWS\system32\cixssuev.dll
2008-03-03 10:55:04 86080 --a------ C:\WINDOWS\system32\wxurleij.dll
2008-03-02 11:00:37 89664 --a------ C:\WINDOWS\system32\mklooqme.dll
2008-03-02 10:57:32 84544 --a------ C:\WINDOWS\system32\bjvovggl.dll
2008-03-01 11:21:31 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-03-01 11:21:27 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-01 10:55:20 89664 --a------ C:\WINDOWS\system32\ufvnutro.dll
2008-02-29 23:45:01 0 d-------- C:\Media
2008-02-29 15:36:36 235210 --ahs---- C:\WINDOWS\system32\cfhkj.ini2
2008-02-27 15:16:38 0 d-------- C:\Program Files\VideoLAN
2008-02-27 15:08:20 116224 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
2008-02-27 15:08:18 23552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL <Not Verified; Microsoft Corporation; MSMAPI-Steuerelementbibliothek>
2008-02-27 15:08:17 0 d-------- C:\Program Files\PDFCreator
2008-02-27 14:28:54 0 dr-h----- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Recent
2008-02-27 01:01:14 32 --a------ C:\WINDOWS\go
2008-02-26 01:10:42 0 d-------- C:\Program Files\USBDLM
2008-02-25 14:31:16 321600 -----n--- C:\WINDOWS\system32\jkhfc.dll
2008-02-24 16:02:14 0 d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\Juniper Networks
2008-02-24 13:53:05 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-22 02:40:25 0 d-------- C:\Program Files\Western Digital Technologies
2008-02-22 02:39:15 364544 --a------ C:\WINDOWS\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>
2008-02-22 02:20:09 0 d-------- C:\New Folder
2008-02-22 01:51:46 0 d-------- C:\WINDOWS\system32\NtmsData
2008-02-21 08:05:08 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-03-06 11:43:07 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-06 11:42:00 0 d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\Skype
2008-03-05 13:54:06 0 d-------- C:\Program Files\DC++
2008-02-29 15:29:23 0 d-a------ C:\Program Files\Common Files
2008-02-27 16:58:30 0 d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\vlc
2008-02-27 14:23:22 0 d-------- C:\Program Files\Ares Lite Edition
2008-02-27 01:59:04 120 --a------ C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\AVSDVDPlayer.m3u
2008-02-23 01:39:33 0 d-------- C:\Program Files\Microsoft Silverlight
2008-02-21 08:01:16 0 d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\AdobeUM
2008-01-30 17:40:29 0 d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\Adobe
2008-01-21 23:27:54 0 d-------- C:\Program Files\Camfrog


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0AB4ADB-F179-482F-9EDF-E1B0BC075055}]
02/25/2008 02:31 PM 321600 --------- C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 07:00 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 02:50 AM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/27/2008 12:38 AM]
"BM7b4db051"="C:\WINDOWS\system32\uvauokui.dll" [03/06/2008 10:54 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 02:35 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ED120D76-BF31-412C-A99B-783C6676E128}"= C:\WINDOWS\system32\jkkkhfd.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares Lite Edition\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"McAfeeFramework"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-03-06 11:54:37 ------------

EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 69%
Physical Memory (total/avail): 510.98 MiB / 154.11 MiB
Pagefile Memory (total/avail): 1247.53 MiB / 744.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1906.53 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.46 GiB total, 5.04 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
AUState says computer is ready and waiting.
Windows Internal Firewall is disabled.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ICOMPUTETHINGS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ilya Shor.ICOMPUTETHINGS
LOGONSERVER=\\ICOMPUTETHINGS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ILYASH~1.ICO\LOCALS~1\Temp
TMP=C:\DOCUME~1\ILYASH~1.ICO\LOCALS~1\Temp
USERDOMAIN=ICOMPUTETHINGS
USERNAME=Ilya Shor
USERPROFILE=C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ilya Shor.ICOMPUTETHINGS (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA9EC1C6-3B51-11D6-B1A9-BCD2747AA951}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D43F13A1-1E39-4BD4-9682-DF889FE75421}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 4.0, 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
AIM Toolbar --> C:\Program Files\AIM Toolbar\uninstall.exe
AIM+ (remove only) --> "C:\Program Files\AIM+\uninst.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
Ares 2.0.2 --> "C:\Program Files\Ares\uninstall.exe"
Ares Lite Edition 1.8.1 --> "C:\Program Files\Ares Lite Edition\uninstall.exe"
AudioShell 1.3.5 --> "C:\Program Files\AudioShell\unins000.exe"
AVS DVD Player version 2.3 --> "C:\Program Files\AVSMedia\DVDPlayer\unins000.exe"
B.U.I.C.K. 95 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BUICK95\Uninst.isu"
Broadcom Advanced Control Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{468190DA-FB4C-45BA-8E40-4B165FF1A939} /l1033
Camfrog Video Chat 4.0 (remove only) --> "C:\Program Files\Camfrog\Camfrog Video Chat\uninstall.exe"
Canon MP160 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009
Canon MP160 User Registration --> C:\Program Files\Canon\IJEREG\MP160\UNINST.EXE
CBL/CBR Programs and Activities for TI-89 --> C:\PROGRA~1\TIEDUC~1\TI-GRA~1\CBL_CBR\UNWISE.EXE C:\PROGRA~1\TIEDUC~1\TI-GRA~1\CBL_CBR\Install.log
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Creative PC-CAM Center Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D43F13A1-1E39-4BD4-9682-DF889FE75421}\setup.exe" -l0x9 /remove
Creative WebCam Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA9EC1C6-3B51-11D6-B1A9-BCD2747AA951}\setup.exe" -l0x9 /remove
Creative WebCam NX Driver (1.02.01.0827) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script P1110.uns -unsext NT -plugin p1110pin.dll -pluginres p1110pin.crl
Creative WebCam NX User's Guide (English) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative WebCam NX\Creative WebCam NX User's Guide\English\CTManual.isu"
DC++ 0.698 --> "C:\Program Files\DC++\uninstall.exe"
Dell AIO Printer A920 --> C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Download Accelerator Plus --> C:\PROGRA~1\DAP\UNWISE.EXE C:\PROGRA~1\DAP\INSTALL.LOG
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Gaim (remove only) --> C:\Program Files\Gaim\gaim-uninst.exe
GameTime+ --> MsiExec.exe /I{8DFB3904-FBDB-4C2B-AC98-20EFDD37C83D}
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
GTK+ Runtime 2.6.9 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP DeskJet 710C Series (Remove only) --> C:\Program Files\HP DeskJet 710C Series\hpfiui.exe -c -vdivid=HPF -vpnum=13 -vproduct=710C -huninstall
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
IrfanView (remove only) --> C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Desktop\iv_uninstall.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
JobTabs 2006 --> C:\Program Files\JobTabs\uninst.exe
JukeBox Database v2.01 (32-bit) --> C:\WINDOWS\ST4UNST.EXE -n "C:\Program Files\Jukebox32\ST4UNST.LOG"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Micrografx Windows Draw 6 LE --> C:\WINDOWS\MGXCLEAN.EXE DRAWOEM.APP FONTS.APP
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Converter Pack --> MsiExec.exe /X{6EECB283-E65F-40EF-86D3-D51BF02A8D43}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
Outerinfo --> "C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PDFCreator --> C:\Program Files\PDFCreator\unins000.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Real Alternative 1.46 --> "C:\Program Files\Real Alternative\unins000.exe"
Security Task Manager 1.6e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Security Task Manager"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TBS WMP Plug-in --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{DB5F474C-B584-417F-810B-DEBBC1893C2A}
Unlocker 1.8.6 --> C:\Program Files\Unlocker\uninst.exe
Unreal Tournament Demo --> C:\TournamentDemo\System\Setup.exe uninstall "Unreal Tournament Demo"
Veoh Player --> C:\Program Files\InstallShield Installation Information\{3D5A72E1-1467-4199-8CF6-12DA8D502A6B}\setup.exe -runfromtemp -l0x0409
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Related --> Rundll32.exe C:\WINDOWS\lbbho.dll,Uninst
WinPatrol 2007 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type51044 / Warning
Event Submitted/Written: 03/06/2008 11:52:41 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from ICOMPUTETHINGS IP 128.226.200.31 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type51043 / Warning
Event Submitted/Written: 03/06/2008 11:52:38 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from ICOMPUTETHINGS IP 128.226.200.31 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type51042 / Warning
Event Submitted/Written: 03/06/2008 11:52:21 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from ICOMPUTETHINGS IP 128.226.200.31 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type51041 / Error
Event Submitted/Written: 03/06/2008 10:57:30 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Local Settings\Temp\msvmcqlk.dll is infected with Vundo Trojan. The file was successfully deleted.(from ICOMPUTETHINGS IP 128.226.200.31 user ICOMPUTETHINGS running VirusScan Enter 8.0 OAS)

Event Record #/Type51040 / Error
Event Submitted/Written: 03/06/2008 10:57:29 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Local Settings\Temporary Internet Files\Content.IE5\NMNH92KO\tr[1] is infected with the Vundo Trojan. Undetermined clean error, quarantine failed. Detected using Scan engine version 5200 DAT version 5245.(from ICOMPUTETHINGS IP 128.226.200.31 user ICOMPUTETHINGS running VirusScan Enter 8.0 OAS)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type84217 / Error
Event Submitted/Written: 03/06/2008 11:53:38 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type84216 / Error
Event Submitted/Written: 03/06/2008 11:53:36 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type84215 / Error
Event Submitted/Written: 03/06/2008 11:50:00 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type84214 / Error
Event Submitted/Written: 03/06/2008 11:49:26 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type84213 / Error
Event Submitted/Written: 03/06/2008 11:49:22 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}



-- End of Deckard's System Scanner: finished at 2008-03-06 11:54:37 ------------

The Dr.Web program found some viruses, deleted them, oddly enough there were some from combofix related.

p.s. any ideas why comobo fix wont run?
  • 0

#22
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No idea why ComboFix won't run, that is very strange. It is very helpful in dealing with the infection you have

Try ComboFix in Safe Mode if you still have it

Do this as well

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {D0AB4ADB-F179-482F-9EDF-E1B0BC075055} - C:\WINDOWS\system32\jkhfc.dll
O4 - HKLM\..\Run: [BM7b4db051] Rundll32.exe "C:\WINDOWS\system32\uvauokui.dll",s


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\hhnkudgc.dll
    C:\WINDOWS\system32\jxclnunb.dll
    C:\WINDOWS\system32\uvauokui.dll
    C:\WINDOWS\system32\bplwprcx.dll
    C:\WINDOWS\system32\joysfmcy.dll
    C:\WINDOWS\system32\ujkvbssl.dll
    C:\WINDOWS\system32\cixssuev.dll
    C:\WINDOWS\system32\wxurleij.dll
    C:\WINDOWS\system32\mklooqme.dll
    C:\WINDOWS\system32\bjvovggl.dll
    C:\WINDOWS\system32\ufvnutro.dll
    C:\WINDOWS\system32\cfhkj.ini2
    C:\WINDOWS\system32\jkhfc.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
  • 0

#23
drpepper23

drpepper23

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
even before you replied to my post i thought to run combo fix in safe mode...it worked.

ComboFix 08-03-07.3 - Ilya Shor 2008-03-07 18:13:29.1 - NTFSx86 MINIMAL

Running from: C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\macromedia\Flash Player\#SharedObjects\NR7GGTN9\www.broadcaster.com
C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Temp\fse
C:\Temp\sanR24
C:\WINDOWS\BM7b4db051.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bjvovggl.dll
C:\WINDOWS\system32\bplwprcx.dll
C:\WINDOWS\SYSTEM32\cfhkj.ini
C:\WINDOWS\SYSTEM32\cfhkj.ini2
C:\WINDOWS\SYSTEM32\cgduknhh.ini
C:\WINDOWS\system32\cixssuev.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\febjners.dll
C:\WINDOWS\SYSTEM32\gnyynrww.ini
C:\WINDOWS\system32\hhnkudgc.dll
C:\WINDOWS\SYSTEM32\jielruxw.ini
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\joysfmcy.dll
C:\WINDOWS\system32\jxclnunb.dll
C:\WINDOWS\SYSTEM32\lggvovjb.ini
C:\WINDOWS\SYSTEM32\lxkeeegp.ini
C:\WINDOWS\system32\mklooqme.dll
C:\WINDOWS\SYSTEM32\myymwoil.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\oyonwpxw.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\pwcwegdd.ini
C:\WINDOWS\SYSTEM32\qrrqfkhb.ini
C:\WINDOWS\system32\rljxdnmo.dll
C:\WINDOWS\SYSTEM32\srenjbef.ini
C:\WINDOWS\system32\ufvnutro.dll
C:\WINDOWS\system32\ujkvbssl.dll
C:\WINDOWS\system32\uvauokui.dll
C:\WINDOWS\system32\wxurleij.dll
C:\WINDOWS\SYSTEM32\xvyissxc.ini
C:\WINDOWS\SYSTEM32\ycmfsyoj.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 17:26 . 2008-03-07 17:26 <DIR> d-------- C:\Program Files\Opera
2008-03-05 12:22 . 2008-03-05 12:22 <DIR> d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\DoctorWeb
2008-03-05 12:16 . 2008-03-05 12:16 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-03-05 12:14 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-03-04 11:01 . 2008-03-05 01:49 1,303,040 ---hs---- C:\WINDOWS\SYSTEM32\exwohthp.ini
2008-03-01 11:21 . 2008-03-01 11:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-03-01 11:21 . 2008-03-01 11:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-02-29 23:45 . 2008-02-29 23:45 <DIR> d-------- C:\Media
2008-02-29 14:50 . 2008-02-29 14:50 <DIR> d-------- C:\Deckard
2008-02-27 15:16 . 2008-02-27 15:16 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-27 15:08 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\PDFCreator
2008-02-27 15:08 . 2001-10-28 17:42 116,224 --a------ C:\WINDOWS\SYSTEM32\pdfcmnnt.dll
2008-02-27 15:08 . 1998-07-06 01:00 23,552 --a------ C:\WINDOWS\SYSTEM32\MSMPIDE.DLL
2008-02-27 01:01 . 2008-02-27 01:01 32 --a------ C:\WINDOWS\go
2008-02-26 01:10 . 2007-06-19 17:33 <DIR> d-------- C:\Program Files\USBDLM
2008-02-24 16:02 . 2008-02-24 16:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Juniper Networks
2008-02-24 16:02 . 2008-02-24 16:02 <DIR> d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\Juniper Networks
2008-02-24 13:53 . 2008-02-24 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-24 13:53 . 2008-02-24 15:13 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-22 02:40 . 2008-02-22 02:40 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-02-22 02:39 . 2008-02-22 02:39 364,544 --a------ C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
2008-02-22 02:20 . 2008-02-24 13:33 <DIR> d-------- C:\New Folder
2008-02-22 01:51 . 2008-02-26 01:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2008-02-13 03:02 . 2007-12-18 04:51 179,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mrxdav.sys
2008-02-13 03:01 . 2007-12-04 13:38 550,912 --a------ C:\WINDOWS\SYSTEM32\oleaut32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 22:59 --------- d-----w C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\Skype
2008-03-07 22:05 --------- d-----w C:\Program Files\DC++
2008-03-03 01:02 --------- d-----w C:\Program Files\Unlocker
2008-02-27 21:58 --------- d-----w C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\vlc
2008-02-27 19:23 --------- d-----w C:\Program Files\Ares Lite Edition
2008-02-23 06:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-22 20:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\River Past G5
2008-02-21 13:01 --------- d-----w C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\AdobeUM
2008-01-22 04:27 --------- d-----w C:\Program Files\Camfrog
2003-11-18 18:37 241,664 ----a-w C:\Program Files\npmusicn.dll
2005-10-28 05:29 163,943 --sha-w C:\WINDOWS\SYSTEM32\dfhkj.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 00:38 316728]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 14:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\America Online 9.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares Lite Edition\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-06-26 05:02 184320 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-03 09:40 53248 C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"McAfeeFramework"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Ares Lite Edition\\AresLite.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-03-02 14:15]
S2 HPFECP13;HPFECP13;C:\WINDOWS\system32\drivers\HPFECP13.SYS [1998-07-30 16:40]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys []
S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-01-20 02:31:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-07 23:26:34 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-05-15 06:07:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 18:39:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
.
**************************************************************************
.
Completion time: 2008-03-07 18:45:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 23:45:17
.
2008-03-07 06:09:02 --- E O F ---


seems like alot of bad things were deleted...should i still follow the remainder of your post, or is there a new set of directions to following in light of combofix actually working?
  • 0

#24
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Perfect

Follow my previous steps then do this


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\exwohthp.ini
C:\WINDOWS\SYSTEM32\dfhkj.bak2


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log
  • 0

#25
drpepper23

drpepper23

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:51 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {104AA49D-DC59-4017-AF1F-AB230CE25E8B} - (no file)
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {66DEBAF8-3C4D-4944-B5F5-A629709AB9C9} - (no file)
O2 - BHO: (no name) - {75FFC9F0-CB82-43C0-8BB3-395A8EECDEB6} - (no file)
O2 - BHO: (no name) - {80251448-BB28-45E8-B655-DFB6FB940B08} - (no file)
O2 - BHO: (no name) - {9795DAB4-EAEC-4BC1-A13C-515689B0CDD5} - (no file)
O2 - BHO: (no name) - {E4C33052-78B6-44B2-A8AA-31DC1FE78759} - (no file)
O2 - BHO: (no name) - {EF8EFD1C-0BE3-4D13-957A-738643AFD590} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://resnet.verif.../CAT/CNICAT.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://bigflash.mic...ash/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...350/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: jkkkhfd - C:\WINDOWS\
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://i.xanga.com/p...lie/header2.jpg

--
End of file - 6988 bytes

guessing i should go into hijack and tell it to delete all the 02-no file entries.
  • 0

Advertisements


#26
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yes and fix this

O20 - Winlogon Notify: jkkkhfd - C:\WINDOWS\


Also do the ComboFix step and post that log
  • 0

#27
drpepper23

drpepper23

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
ComboFix 08-03-07.3 - Ilya Shor 2008-03-07 20:40:07.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.366 [GMT -5:00]
Running from: C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Desktop\CFSCRIPT.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\dfhkj.bak2
C:\WINDOWS\SYSTEM32\exwohthp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\NDNuninstall6_38-1.exe
C:\WINDOWS\SYSTEM32\dfhkj.bak2
C:\WINDOWS\SYSTEM32\exwohthp.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-07 19:09 . 2008-03-07 19:09 <DIR> d-------- C:\_OTMoveIt
2008-03-07 17:26 . 2008-03-07 19:24 <DIR> d-------- C:\Program Files\Opera
2008-03-05 12:22 . 2008-03-05 12:22 <DIR> d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\DoctorWeb
2008-03-05 12:16 . 2008-03-05 12:16 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-03-05 12:14 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-02-29 23:45 . 2008-02-29 23:45 <DIR> d-------- C:\Media
2008-02-29 14:50 . 2008-02-29 14:50 <DIR> d-------- C:\Deckard
2008-02-27 15:16 . 2008-02-27 15:16 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-27 15:08 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\PDFCreator
2008-02-27 15:08 . 2001-10-28 17:42 116,224 --a------ C:\WINDOWS\SYSTEM32\pdfcmnnt.dll
2008-02-27 15:08 . 1998-07-06 01:00 23,552 --a------ C:\WINDOWS\SYSTEM32\MSMPIDE.DLL
2008-02-27 01:01 . 2008-02-27 01:01 32 --a------ C:\WINDOWS\go
2008-02-26 01:10 . 2007-06-19 17:33 <DIR> d-------- C:\Program Files\USBDLM
2008-02-24 16:02 . 2008-02-24 16:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Juniper Networks
2008-02-24 16:02 . 2008-02-24 16:02 <DIR> d-------- C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\Juniper Networks
2008-02-24 13:53 . 2008-02-24 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-24 13:53 . 2008-02-24 15:13 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-22 02:40 . 2008-02-22 02:40 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-02-22 02:39 . 2008-02-22 02:39 364,544 --a------ C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
2008-02-22 02:20 . 2008-02-24 13:33 <DIR> d-------- C:\New Folder
2008-02-22 01:51 . 2008-02-26 01:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2008-02-13 03:02 . 2007-12-18 04:51 179,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mrxdav.sys
2008-02-13 03:01 . 2007-12-04 13:38 550,912 --a------ C:\WINDOWS\SYSTEM32\oleaut32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 00:27 --------- d-----w C:\Program Files\DC++
2008-03-08 00:25 --------- d-----w C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\AdobeUM
2008-03-08 00:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 00:15 --------- d-----w C:\Program Files\Google
2008-03-07 22:59 --------- d-----w C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\Skype
2008-03-03 01:02 --------- d-----w C:\Program Files\Unlocker
2008-02-27 21:58 --------- d-----w C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Application Data\vlc
2008-02-27 19:23 --------- d-----w C:\Program Files\Ares Lite Edition
2008-02-23 06:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-22 20:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\River Past G5
2008-01-22 04:27 --------- d-----w C:\Program Files\Camfrog
2003-11-18 18:37 241,664 ----a-w C:\Program Files\npmusicn.dll
.

((((((((((((((((((((((((((((( [email protected]_18.45.00.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-21 13:05:56 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\SC_Reader.exe
+ 2008-03-08 00:27:27 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\SC_Reader.exe
- 2008-03-07 23:27:35 40,836 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
+ 2008-03-07 23:51:54 40,836 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
- 2008-03-07 23:27:35 314,508 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
+ 2008-03-07 23:51:54 314,508 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{104AA49D-DC59-4017-AF1F-AB230CE25E8B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66DEBAF8-3C4D-4944-B5F5-A629709AB9C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75FFC9F0-CB82-43C0-8BB3-395A8EECDEB6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80251448-BB28-45E8-B655-DFB6FB940B08}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9795DAB4-EAEC-4BC1-A13C-515689B0CDD5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4C33052-78B6-44B2-A8AA-31DC1FE78759}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF8EFD1C-0BE3-4D13-957A-738643AFD590}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 00:38 316728]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 02:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkhfd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 14:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\America Online 9.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares Lite Edition\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-06-26 05:02 184320 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-03 09:40 53248 C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"McAfeeFramework"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Ares Lite Edition\\AresLite.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-03-02 14:15]
S2 HPFECP13;HPFECP13;C:\WINDOWS\system32\drivers\HPFECP13.SYS [1998-07-30 16:40]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys []
S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-01-20 02:31:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-08 01:41:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-05-15 06:07:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 20:44:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-07 20:47:56
ComboFix-quarantined-files.txt 2008-03-08 01:47:23
ComboFix2.txt 2008-03-07 23:45:23
.
2008-03-07 06:09:02 --- E O F ---
  • 0

#28
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also post a new HijackThis log and tell me how your PC is running
  • 0

#29
drpepper23

drpepper23

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
Malwarebytes' Anti-Malware 1.07
Database version: 468

Scan type: Full Scan (C:\|)
Objects scanned: 147720
Time elapsed: 1 hour(s), 29 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\chilkat.email2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4643a87-99a0-4404-9bc5-2322bdd61637} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a46e5261-9956-4767-88ca-dfced050d09e} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7ec2cd3-9941-4fd4-9d01-105dc16a4313} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.email2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.mailman2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.mailman2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.emailbundle2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.emailbundle2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{51a0888c-9970-44de-8c2c-835ba870d06f} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5acae4b8-62d9-4124-a58a-9b1258b77e99} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7d37ded8-1945-4e42-a3fd-b9620e0ad8e3} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ccb7fb40-99ec-4678-9202-52798da78aba} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d56c1af1-3fde-471c-9bc2-c52515f260c1} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-992c-4462-a27d-ebe604ec3a48} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1df3afed-99e0-4474-9900-954b8fd24e86} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d12fb216-99da-4eb3-9cc0-c0f760b174a0} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-aa2c-4462-a27d-ebe604ec3a48} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\ChilkatMail2.dll (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\20080229154003\backup\DOCUME~1\ILYASH~1.ICO\LOCALS~1\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Ares\tcpip_patcher.sys (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1004336348-1078081533-725345543-1004\Dc6\MovedFiles\03042008_232821\_OTMoveIt\MovedFiles\02292008_152919\Program Files\Common Files\Yazzle1281OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:58 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRAM FILES\COMMON FILES\NETWORK ASSOCIATES\TALKBACK\TBMON.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ilya Shor.ICOMPUTETHINGS\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://resnet.verif.../CAT/CNICAT.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://bigflash.mic...ash/FlashAX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...350/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://i.xanga.com/p...lie/header2.jpg

--
End of file - 6477 bytes

the pc appears to be running better.
  • 0

#30
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

  • Make sure you have an Internet Connection.
  • Double-click WinPFind3U.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP