Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HJT Log + AVAST! Win32: TratBHO indication [RESOLVED]

Started by NanasComputer , Apr 06 2008 06:53 PM

  • This topic is locked This topic is locked

#1
NanasComputer
Posted 06 April 2008 - 06:53 PM

NanasComputer

    New Member

  • Member
  • Pip
  • 7 posts
Thank you so much for your consideration. I will be running ATF Cleaner, as per site instructions, and await your advice as to the next step! =)

Symptoms:

Recently added more (new) RAM, sped up computer, now computer is running slower and slower and SLOWER. AVAST! finally detected the virus/trojan below. And indicated there may be more problems. AVAST! cannot fix this issue, and key symptom is extreme slowing of computer.


AVAST! Found:

Win32:TratBHO [Trj]

C:\WINDOWS\system32\ssqpo.dll

UNRESOLVED: "cannot access the file because it is being used by another process"

========================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:55 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\V0230Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Work Only\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A314FD6-BF75-407F-9778-00F2820B2CAF} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: (no name) - {2A934DE4-92DA-4BC7-BD1E-D8B865704C4A} - C:\WINDOWS\system32\ssqpo.dll
O2 - BHO: {1b49539c-d55c-d589-e594-5e6f3b9b750a} - {a057b9b3-f6e5-495e-985d-c55dc93594b1} - C:\WINDOWS\system32\cctyujrq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\awtqnlk.dll
O2 - BHO: (no name) - {F5E3100D-A5C8-4715-B64D-9F20A881502A} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [sountskmanager] sountaskmgr
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM37c27931] Rundll32.exe "C:\WINDOWS\system32\mvmqfelc.dll",s
O4 - HKLM\..\Run: [34f14aad] rundll32.exe "C:\WINDOWS\system32\oatgpsqv.dll",b
O4 - HKLM\..\RunServices: [sountskmanager] sountaskmgr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E15C89D4-CEEF-4799-BD08-1B5BC30B4A3F}: NameServer = 151.164.1.8,206.13.28.12
O20 - Winlogon Notify: awtqnlk - C:\WINDOWS\SYSTEM32\awtqnlk.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6950 bytes


====================


[Nana's Computer]
  • 0

Advertisements

#2
kahdah
Posted 06 April 2008 - 07:02 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello NanasComputer

Welcome to G2Go. :)
=====================
I will need to you show hidden files\folders so we can upload a new variant of Vundo to have someone check it out.
To Show Hidden Files\Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
=====================

Then please go here:
The Spy Killer Forum
Click on "Uploads"
Click on "New Topic"
Put your name, e-mail address, and this as the title: "New Vundo's for nosirrah"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to these files:

C:\WINDOWS\system32\mvmqfelc.dll
C:\WINDOWS\system32\oatgpsqv.dll


Click Open.
Click Post.

Thank you!
==========
Let me know when you have done so and we will continue with the cleaning.
  • 0

#3
NanasComputer
Posted 06 April 2008 - 07:58 PM

NanasComputer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
As per your request, the Files have been Uploaded here:

http://thespykiller....pic,6335.0.html


I would like to note that i have looked at MSCONFIG and additionally found that these startup programs were turned off (unchecked, rather):

avserve -- windows\avserve.exe
avserve2 -- \avserve2.exe

CFD -- Program Files\BroadJump\Client Foundation\CFD.exe

McUpdate -- PROGRA~1\mcafee.com\agent\McUpdate.exe

NEWDOT~2 rundll32 C:\\Progra~1\NEWDOT~1\NEWDOT~2.DLL, NewDotNetStartup

Weather -- C:\Program Files\WeatherCast\Weather.exe /q

Save C:\Program Files\Save\Save.exe

uu -- uu.exe



What they are and if they being unchecked will affect the HJT Log is beyond me, but i wanted to share what the above, just in case.


Please let me know if there is a solution to my problem, as a virus warning appears each time i do as little as open up "My Computer"! =(


Looking toward your reply!

[Nana's Computer =]
  • 0

#4
kahdah
Posted 06 April 2008 - 08:49 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes they do affect what is show thank you .
You can leave the Mcafee unchecked as you already have Avast.
Uninstall Mcafee from your Add\Remove programs.
================================
Then:
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
NanasComputer
Posted 06 April 2008 - 11:05 PM

NanasComputer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Kahdah,

Thus far there has been noticable improvement. Please review my LOGs, below, as you have required.
Your assistance is being appreciated very much!

In MSCONFIG, i re-CHECKED the catagories which had been un-checked.

At startup, "AVSERVE.EXE" and "AVSERVE2.EXE" open (to empty folders).

Also "NEWDOT~2" sends up a warning window that states "Error Loading Module Could Not Be Found".


Your interpretation is appreciated! =)


[Nana's Computer]



===========================================================





HIJACKTHIS LOG 2:





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:00 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\V0230Mon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Documents and Settings\Work Only\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {F5E3100D-A5C8-4715-B64D-9F20A881502A} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [sountskmanager] sountaskmgr
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [yx] uu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124297695\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [avserve.exe] C:\WINDOWS\avserve.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\RunServices: [sountskmanager] sountaskmgr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E15C89D4-CEEF-4799-BD08-1B5BC30B4A3F}: NameServer = 151.164.1.8,206.13.28.12
O20 - Winlogon Notify: awtqnlk - awtqnlk.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8580 bytes







========================================================================




COMBO LOG:







ComboFix 08-04-06.1 - Work Only 2008-04-06 20:05:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.400 [GMT -8:00]
Running from: C:\Documents and Settings\Work Only\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM37c27931.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\bqfofhjx.ini
C:\WINDOWS\system32\bsiklgyl.dll
C:\WINDOWS\SYSTEM32\btbgvwxo.ini
C:\WINDOWS\system32\cctyujrq.dll
C:\WINDOWS\SYSTEM32\crsmisso.ini
C:\WINDOWS\system32\ctxixgvx.dll
C:\WINDOWS\system32\dmnsbipf.dll
C:\WINDOWS\system32\drhrutau.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drpyajke.dll
C:\WINDOWS\SYSTEM32\dyvwphdh.ini
C:\WINDOWS\system32\emmlxooa.dll
C:\WINDOWS\system32\fbdhallf.dll
C:\WINDOWS\system32\fhnhtkgg.dll
C:\WINDOWS\system32\giahncxn.dll
C:\WINDOWS\system32\hdhpwvyd.dll
C:\WINDOWS\system32\hwqsisab.dll
C:\WINDOWS\SYSTEM32\iccstvbm.ini
C:\WINDOWS\system32\jkfpjdxl.dll
C:\WINDOWS\system32\klkkohin.dll
C:\WINDOWS\system32\ksablaaq.dll
C:\WINDOWS\system32\kvnydfnd.dll
C:\WINDOWS\SYSTEM32\lnnmp.ini
C:\WINDOWS\SYSTEM32\lnnmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\miajexxj.dll
C:\WINDOWS\system32\mmgyxuey.dll
C:\WINDOWS\system32\mvmqfelc.dll
C:\WINDOWS\system32\nexuohsh.dll
C:\WINDOWS\SYSTEM32\nsaankgc.ini
C:\WINDOWS\system32\nxdssevu.dll
C:\WINDOWS\system32\oatgpsqv.dll
C:\WINDOWS\system32\olwkcaal.dll
C:\WINDOWS\system32\onqhryyc.dll
C:\WINDOWS\SYSTEM32\opqss.ini
C:\WINDOWS\SYSTEM32\opqss.ini2
C:\WINDOWS\system32\pdlhgtqt.dll
C:\WINDOWS\SYSTEM32\pdxvltao.ini
C:\WINDOWS\system32\poppjsny.dll
C:\WINDOWS\SYSTEM32\rhkspytl.ini
C:\WINDOWS\system32\rpbekkme.dll
C:\WINDOWS\system32\sbtrbrjv.dll
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\SYSTEM32\svihbkxn.ini
C:\WINDOWS\system32\tfdotwqk.dll
C:\WINDOWS\system32\tydofyer.dll
C:\WINDOWS\system32\umhygpsv.dll
C:\WINDOWS\SYSTEM32\utstv.ini
C:\WINDOWS\SYSTEM32\utstv.ini2
C:\WINDOWS\system32\vcfhaaxh.dll
C:\WINDOWS\system32\vcxkssrn.dll
C:\WINDOWS\system32\vgwgsexk.dll
C:\WINDOWS\system32\vpgsivjy.dll
C:\WINDOWS\SYSTEM32\vqspgtao.ini
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\SYSTEM32\vvytqihp.ini
C:\WINDOWS\system32\vyomybtg.dll
C:\WINDOWS\system32\xbpkbgtv.dll
C:\WINDOWS\system32\yconvlyy.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 18:08 . 2008-04-06 18:08 <DIR> d-------- C:\Documents and Settings\Work Only\Application Data\Grisoft
2008-04-06 18:06 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-04-06 18:04 . 2008-04-06 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 21:00 . 2008-03-29 10:31 75,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
2008-04-01 21:00 . 2008-03-29 10:35 20,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
2008-03-25 14:08 . 2008-03-25 22:44 2,527,753 --ahs---- C:\WINDOWS\SYSTEM32\wfkfsnkh.ini
2008-03-23 14:07 . 2008-03-24 14:08 1,334,557 --ahs---- C:\WINDOWS\SYSTEM32\yobdaduo.ini
2008-03-19 13:09 . 2008-03-21 09:16 1,302,522 --ahs---- C:\WINDOWS\SYSTEM32\oqnvugba.ini
2008-03-18 08:05 . 2008-03-19 13:01 1,316,031 --ahs---- C:\WINDOWS\SYSTEM32\efpagxnp.ini
2008-03-15 10:07 . 2008-03-18 07:58 1,951,451 --ahs---- C:\WINDOWS\SYSTEM32\ejtletxr.ini
2008-03-12 18:01 . 2008-03-13 20:29 1,339,938 --ahs---- C:\WINDOWS\SYSTEM32\oymrujln.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 03:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-07 02:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-06 23:59 --------- d-----w C:\Documents and Settings\Work Only\Application Data\AdobeUM
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-29 02:51 --------- d-----w C:\Documents and Settings\Work Only\Application Data\Move Networks
2008-02-21 23:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-25 02:21 54,616 ----a-w C:\Documents and Settings\Work Only\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5E3100D-A5C8-4715-B64D-9F20A881502A}]
C:\WINDOWS\system32\pmnnl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"ClockSync"="C:\Program Files\ClockSync\Sync.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 13:53 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 07:59 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 07:59 126976]
"sountskmanager"="sountaskmgr" []
"soundtask"="soundtask.exe" []
"soundcontrl"="soundcontrl.exe" []
"scvhost.exe"="scvhost.exe" []
"QAGENT"="C:\Program Files\QUICKENW\QAGENT.EXE" [2001-08-01 09:30 94208]
"Msrv32"="Msrv32.exe" []
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 09:28 684032]
"V0230Mon.exe"="C:\WINDOWS\system32\V0230Mon.exe" [2006-07-19 09:00 36961]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 19:44 20480]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"sountskmanager"="sountaskmgr" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 22:56:14 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnlk]
awtqnlk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve.exe]
dr-hs---- 2004-12-17 14:27 0 C:\WINDOWS\avserve.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve2.exe]
dr-hs---- 2004-12-17 14:27 0 C:\WINDOWS\avserve2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1124297695\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-12-15 10:18 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-10-01 01:47 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\Program Files\WeatherCast\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yx]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 10:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 10:35]
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 07:42]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys [2006-03-23 09:00]
R3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\DRIVERS\V0230VID.sys [2006-07-24 09:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a413d5a-22c7-11dc-b9df-000bdbbedc0b}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 00:06:59 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-04-07 04:23:11 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ROXY-Nancy Jane).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-04-07 02:01:57 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 20:25:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-06 20:32:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 04:32:30
Pre-Run: 62,452,244,480 bytes free
Post-Run: 62,446,149,632 bytes free
.
2007-12-01 12:12:53 --- E O F ---
  • 0

#6
kahdah
Posted 07 April 2008 - 03:06 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

=================
Please uninstall Viewpoint



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\wfkfsnkh.ini
C:\WINDOWS\SYSTEM32\yobdaduo.ini
C:\WINDOWS\SYSTEM32\oqnvugba.ini
C:\WINDOWS\SYSTEM32\efpagxnp.ini
C:\WINDOWS\SYSTEM32\ejtletxr.ini
C:\WINDOWS\SYSTEM32\oymrujln.ini
C:\WINDOWS\avserve.exe
C:\WINDOWS\avserve2.exe
C:\PROGRA~1\NEWDOT~1
C:\WINDOWS\uu.exe
C:\WINDOWS\SYSTEM32\uu.exe
C:\WINDOWS\Msrv32.exe
C:\WINDOWS\SYSTEM32\Msrv32.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\SYSTEM32\scvhost.exe
C:\Program Files\Viewpoint
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Viewpoint Manager Service 
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\scvhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Msrv32.exe
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnlk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve2.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=========================================================
Post back with these logs:
OTMove it log
Mbam log
New Hijackthis log
  • 0

#7
NanasComputer
Posted 09 April 2008 - 11:59 PM

NanasComputer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry I have been absent -- work wanted my time. =)


I have completed the steps that you've required, and posted the logs below!




I would like to note that there seems to be an unexpected result in that "Gmail.com" and GeeksToGo.com do not appear normally. They seem like they are in a "safe mode" or something -- everything is fairly basic. And Gmail always is saying "seems like you cant view Gmail at this time -- please click here for the simple HTML version of the site." The simple HTML works perfectly fine.

Has this cleansing process affected my ability to browse?


Looking forward to your advice! =)







=============================================================



Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 9:54:36 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\V0230Mon.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Work Only\Desktop\Prep Cleaners\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {F5E3100D-A5C8-4715-B64D-9F20A881502A} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [sountskmanager] sountaskmgr
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [sountskmanager] sountaskmgr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E15C89D4-CEEF-4799-BD08-1B5BC30B4A3F}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6297 bytes

============================================











C:\WINDOWS\SYSTEM32\wfkfsnkh.ini moved successfully.
C:\WINDOWS\SYSTEM32\yobdaduo.ini moved successfully.
C:\WINDOWS\SYSTEM32\oqnvugba.ini moved successfully.
C:\WINDOWS\SYSTEM32\efpagxnp.ini moved successfully.
C:\WINDOWS\SYSTEM32\ejtletxr.ini moved successfully.
C:\WINDOWS\SYSTEM32\oymrujln.ini moved successfully.
C:\WINDOWS\avserve.exe moved successfully.
C:\WINDOWS\avserve2.exe moved successfully.
File/Folder C:\PROGRA~1\NEWDOT~1 not found.
File/Folder C:\WINDOWS\uu.exe not found.
File/Folder C:\WINDOWS\SYSTEM32\uu.exe not found.
File/Folder C:\WINDOWS\Msrv32.exe not found.
File/Folder C:\WINDOWS\SYSTEM32\Msrv32.exe not found.
File/Folder C:\WINDOWS\scvhost.exe not found.
File/Folder C:\WINDOWS\SYSTEM32\scvhost.exe not found.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell\AOL9Plus moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell\AOL9 moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\Components moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player moved successfully.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images moved successfully.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData moved successfully.
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData moved successfully.
C:\Program Files\Viewpoint\Viewpoint Manager moved successfully.
C:\Program Files\Viewpoint\Common moved successfully.
C:\Program Files\Viewpoint moved successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Viewpoint Manager Service >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Viewpoint Manager Service\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yx >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yx\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\scvhost.exe >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\scvhost.exe deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Msrv32.exe >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Msrv32.exe not found.
< HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnlk >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnlk\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve2.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve2.exe\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve.exe\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04092008_211155






==========================================









Malwarebytes' Anti-Malware 1.11
Database version: 606

Scan type: Full Scan (C:\|)
Objects scanned: 100698
Time elapsed: 34 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fbdhallf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mmgyxuey.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nxdssevu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\olwkcaal.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\onqhryyc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sbtrbrjv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP966\A0065880.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP966\A0065882.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP967\A0065912.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP967\A0065922.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP967\A0065925.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP967\A0065927.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP967\A0065928.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP967\A0065932.dll (Trojan.Vundo) -> Quarantined and deleted successfully.





==============================


Looking forward to your interpretation! =)


[Nana's Computer]
  • 0

#8
kahdah
Posted 10 April 2008 - 03:31 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I am not sure as to whythe background has changed on those 2 sites.
That used to happen to me before with Geekstogo whaen I was using Firefox.
But it seemed to correct itself.
======================
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O2 - BHO: (no name) - {F5E3100D-A5C8-4715-B64D-9F20A881502A} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe


Now click on Fix Checked and then close Hijackthis.
====================================
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===========================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.

  • 0

#9
NanasComputer
Posted 13 April 2008 - 10:05 PM

NanasComputer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I had to use IE to be able to use the Upload feature, as Firefox no longer shows your rich features.

Summary...... :)

Number of viruses found: 7
Number of infected objects: 94
Number of suspicious objects: 0
Duration of the scan process: 01:11:28


Hopefully these can be fixed.. let me know your thoughts! =)


[Nana's Computer]

==============================


ATTACHMENT

Attached Files


  • 0

#10
kahdah
Posted 14 April 2008 - 02:29 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\ajhfnvif.dll 
C:\WINDOWS\SYSTEM32\bmkpuerl.dll 
C:\WINDOWS\SYSTEM32\bbgwpgpw.dll 
C:\WINDOWS\SYSTEM32\vihpvqkb.dll 
C:\WINDOWS\SYSTEM32\umlmuaji.dll
C:\WINDOWS\SYSTEM32\hxruitvd.dll 
C:\Documents and Settings\Work Only\Desktop\AntiVirus Files\BHO Cleaners\OiUninstaller.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Msrv32.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================
Please also post another Hijackthis log and let me know how everything is running?
  • 0

#11
NanasComputer
Posted 14 April 2008 - 09:40 PM

NanasComputer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Things are running much better than before, that's for sure!

Still only having a "simple" view in Firefox, however. But most else seems normal. =)


Here ya go:

=========================




LoadLibrary failed for C:\WINDOWS\SYSTEM32\ajhfnvif.dll
C:\WINDOWS\SYSTEM32\ajhfnvif.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\ajhfnvif.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\bmkpuerl.dll
C:\WINDOWS\SYSTEM32\bmkpuerl.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\bmkpuerl.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\bbgwpgpw.dll
C:\WINDOWS\SYSTEM32\bbgwpgpw.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\bbgwpgpw.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\vihpvqkb.dll
C:\WINDOWS\SYSTEM32\vihpvqkb.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\vihpvqkb.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\umlmuaji.dll
C:\WINDOWS\SYSTEM32\umlmuaji.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\umlmuaji.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\hxruitvd.dll
C:\WINDOWS\SYSTEM32\hxruitvd.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\hxruitvd.dll moved successfully.
C:\Documents and Settings\Work Only\Desktop\AntiVirus Files\BHO Cleaners\OiUninstaller.exe moved successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Msrv32.exe >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Msrv32.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04142008_193549








--------





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:31 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\V0230Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Work Only\Desktop\Prep Cleaners\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [sountskmanager] sountaskmgr
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [sountskmanager] sountaskmgr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E15C89D4-CEEF-4799-BD08-1B5BC30B4A3F}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5858 bytes





=================




How does it look....?


[Nana's Computer]
  • 0

#12
kahdah
Posted 15 April 2008 - 02:57 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Loos good.
Try to reinstall firefox and see if that helps with the way the background looks.

If it does not help then start a thread in the Web Browsers forum where they will be able to help further.
you can find that forum Here
=============================================
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [sountskmanager] sountaskmgr
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\RunServices: [sountskmanager] sountaskmgr

Now click on Fix Checked and then close Hijackthis.
==========================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Delete\uninstall anything else we used.
=============
Then I will need you to reset your System Restore points, please note that you will need to log into your computer with an account which has full administrator access.
You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.

2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.


How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=======================================
AFter that your log is clean.:)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware-Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0

#13
NanasComputer
Posted 17 April 2008 - 07:09 PM

NanasComputer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Alright! Sounds good!

I did everything you asked.

Looks like things are [RESOLVED], everything except the site-issue.

Wonder what's causing that, but no big deal. Gmail's interface works again, just not G2G.

Oh well. Comp is running smoothly!


Thank you! I will monitor for anything strange for the next few days! Yay! =)

[Nana's Computer]
  • 0

#14
kahdah
Posted 17 April 2008 - 07:33 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok great.

You can try posting a thread in the Web Browsers and E-mail forum and they may be able to resolve that issue.
==============
You are welcome :)
If you should have anymore problems pm me and I will re-open this thread.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#15
kahdah
Posted 17 April 2008 - 07:33 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP