
Antispyware-reviews.biz popups, & taskbar security popups. [CLOSED]



#16
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
OK, let's get this back under control. We will go back to the AWF infection later.

Try and keep your machine offline as much as possible; it looks like it is just getting re-infected.

Firstly, do you have an antivirus program on your machine? I can't see one in your logs, though perhaps the infection has knocked it out.

====STEP 1====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

====STEP 2====
Could you rerun ComboFix?


In your next reply could I see:
1. confirmation on whether you have an antivirus program on your machine
2. the Malwarebytes log
3. the ComboFix log
4. a new HijackThis log

andrewuk



#17
ohsocarlyx3

    Member

  • Topic Starter
  • 29 posts
Alright, I did already have Malwarebytes; I also have SUPERAntiSpyware, but that's it.
I didn't know which program to use, though I've had many before, just wasn't sure which one actually did its job.

Malwarebytes would scan, then it'd stop and say error send error report. So I ran combofix first, then Malwarebytes, and it worked.

Here's the ComboFix log.

ComboFix 08-04-12.3 - Compaq_Administrator 2008-04-13 19:09:28.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1437 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
.
ADS - svchost.exe: deleted 28160 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Desktop\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Register Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Start Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Compaq_Administrator\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\Compaq_Administrator\Application Data\ASKS~1
C:\Documents and Settings\Compaq_Administrator\Application Data\ASKS~1\?explore.exe
C:\Documents and Settings\Compaq_Administrator\Application Data\ICROSO~1.NET
C:\Documents and Settings\Compaq_Administrator\Application Data\ICROSO~1.NET\?icrosoft.NET\
C:\Documents and Settings\Compaq_Administrator\Application Data\ICROSO~1.NET\rundll.exe
C:\Documents and Settings\Compaq_Administrator\Application Data\Install.dat
C:\Documents and Settings\Compaq_Administrator\Application Data\microsoft\internet explorer\Desktop.htt
C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\Compaq_Administrator\Application Data\printer.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\bravesentry.lnk
C:\Documents and Settings\Compaq_Administrator\ftpdll.dll
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\n.ini
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Brave-Sentry
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\AntiVirusPro
C:\Program Files\AntiVirusPro\AntiVirusPro.exe
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.local
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.log
C:\Program Files\AntiVirusPro\Core.dll
C:\Program Files\AntiVirusPro\database.pkg
C:\Program Files\AntiVirusPro\Localization.dll
C:\Program Files\AntiVirusPro\msvcp71.dll
C:\Program Files\AntiVirusPro\msvcr71.dll
C:\Program Files\AntiVirusPro\Uninstall.exe
C:\Program Files\AntiVirusPro\WndSystem.dll
C:\Program Files\bravesentry
C:\Program Files\bravesentry\BraveSentry.exe
C:\Program Files\bravesentry\BraveSentry.lic
C:\Program Files\bravesentry\BraveSentry0.bs
C:\Program Files\bravesentry\BraveSentry0.dll
C:\Program Files\bravesentry\BraveSentry1.bs
C:\Program Files\bravesentry\BraveSentry2.dll
C:\Program Files\bravesentry\BraveSentry3.dll
C:\Program Files\bravesentry\Uninstall.exe
C:\Program Files\cjb
C:\Program Files\cjb\cjb8.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\iSecurity
C:\Program Files\iSecurity\{32FF2108-1EF0-4ae8-8C23-17C92EAA5DEF}\install.exe
C:\Program Files\iSecurity\iSecurity.dat
C:\Program Files\iSecurity\ucleaner.bmp
C:\Program Files\iSecurity\ucleaneri.bmp
C:\Program Files\iSecurity\udefender.bmp
C:\Program Files\iSecurity\udefenderi.bmp
C:\Program Files\iSecurity\v5\iSecurity.cpl
C:\Program Files\iSecurity\winifixer.bmp
C:\Program Files\iSecurity\winifixeri.bmp
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\conf.inf
C:\WINDOWS\desktop.html
C:\WINDOWS\Installer\{9bffcd6d-45aa-49bf-835c-bec81c0d191c}
C:\WINDOWS\Installer\{9bffcd6d-45aa-49bf-835c-bec81c0d191c}\zip.dll
C:\WINDOWS\kavir.exe
C:\WINDOWS\ky.sxc
C:\WINDOWS\lfn.exe
C:\WINDOWS\mrofinu1854.exe
C:\WINDOWS\mrofinu27.exe
C:\WINDOWS\mscon.sio
C:\WINDOWS\nivavir.config
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\22405248441.dll
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\config\56733378.Evt
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\qzphmqbc.dat
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\Tff23.sys
c:\windows\system32\Drivers\Xfm31.sys
C:\WINDOWS\system32\drivers\YKY42.sys
C:\WINDOWS\system32\duomslht.dll
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\system32\gQBbcMoq.ini
C:\WINDOWS\system32\gQBbcMoq.ini2
C:\WINDOWS\system32\hxccwtaa.ini
C:\WINDOWS\system32\iSecurity.cpl
C:\WINDOWS\system32\khfEWPGw.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\maxpaynow1.exe
C:\WINDOWS\system32\maxpaynowti.exe
C:\WINDOWS\system32\maxpaynowti1.exe
C:\WINDOWS\system32\msdefender.exe
C:\WINDOWS\system32\msram.dll
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\rceu.dll
C:\WINDOWS\system32\shift.exe.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\thlsmoud.ini
C:\WINDOWS\system32\tkfepsbehgbit.dll
C:\WINDOWS\system32\tuvWmKdE.dll
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxga4m1et4.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vedxga5me3.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wGPWEfhk.ini
C:\WINDOWS\system32\wGPWEfhk.ini2
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\taskmon.exe
C:\WINDOWS\TEMP\2111024123.exe
C:\WINDOWS\winself.exe
C:\windows\xpupdate.exe

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF
-------\Legacy_TFF23
-------\Legacy_XFM31
-------\Legacy_YKY42
-------\Service_asc3550p
-------\Service_bxdbhgeo
-------\Service_ccEvtMgr
-------\Service_ccPwdSvc
-------\Service_ccPxySvc
-------\Service_ICF
-------\Service_NISUM
-------\Service_Tff23
-------\Service_Xfm31
-------\Service_YKY42
-------\Service_Yky42
-------\Legacy_bxdbhgeo
-------\Legacy_MSSysInterv1
-------\Legacy_Schedule
-------\bxdbhgeo
-------\MSSysInterv1
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-13 19:01 . 2008-04-13 19:01 3,648 --a------ C:\WINDOWS\system32\upluspdi.dll
2008-04-13 18:16 . 2008-04-13 18:16 <DIR> d-------- C:\_OTMoveIt
2008-04-13 17:57 . 2008-04-13 17:57 37,888 -rahs---- C:\WINDOWS\system32\actmoviev.exe
2008-04-13 17:56 . 2008-04-13 17:56 269,334 --a------ C:\WINDOWS\system32\fmpgrqt.bmp
2008-04-13 17:50 . 2008-04-13 17:50 37,888 -rahs---- C:\WINDOWS\system32\a234h.exe
2008-04-13 17:50 . 2008-04-13 17:50 37,888 -rahs---- C:\WINDOWS\system32\000080o.exe
2008-04-13 17:50 . 2008-04-13 17:50 3,648 --a------ C:\WINDOWS\system32\lgvydlsi.dll
2008-04-13 17:48 . 2008-04-13 17:48 269,334 --a------ C:\WINDOWS\system32\tsbalkfel.bmp
2008-04-13 17:47 . 2008-04-13 17:47 66,864 --ahs---- C:\Documents and Settings\LocalService\cftmon.exe
2008-04-13 17:42 . 2008-04-13 17:42 22,016 --ahs---- C:\WINDOWS\system32\aaaamonj.dll
2008-04-13 17:40 . 2004-08-09 23:00 113,664 --a------ C:\WINDOWS\system32\bihcf.sys
2008-04-13 17:40 . 2008-04-13 17:40 41,984 -rahs---- C:\WINDOWS\system32\1041l.exe
2008-04-13 17:40 . 2008-04-13 17:56 7,168 --a------ C:\WINDOWS\win32ole.dll
2008-04-13 17:39 . 2008-04-13 17:39 37,888 -rahs---- C:\WINDOWS\system32\alrsvcu.exe
2008-04-13 17:39 . 2008-04-13 17:39 37,888 -rahs---- C:\WINDOWS\system32\acelpdecc.exe
2008-04-13 17:39 . 2008-04-13 17:57 32 --a-s---- C:\WINDOWS\system32\2130578575.dat
2008-04-13 17:39 . 2008-04-13 17:39 29 --a------ C:\WINDOWS\system32\ssrfwwpi.tmp
2008-04-13 17:38 . 2008-04-13 17:38 6,672 --a------ C:\WINDOWS\system32\ibudu.dll
2008-04-13 17:38 . 2008-04-13 19:17 2,560 --a------ C:\WINDOWS\system32\itcoe.sys
2008-04-13 17:37 . 2008-04-13 17:37 269,334 --a------ C:\WINDOWS\system32\mtsfilkn.bmp
2008-04-13 17:37 . 2008-04-13 17:56 72,155 --ahs---- C:\Documents and Settings\Compaq_Administrator\cftmon.exe
2008-04-13 17:22 . 2008-04-13 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\krmrshwv
2008-04-13 17:22 . 2008-04-13 17:22 196,096 --a------ C:\WINDOWS\zujmnsrs.dll
2008-04-13 17:22 . 2008-04-13 17:22 118,784 --a------ C:\WINDOWS\system32\arcbcnsh.exe
2008-04-13 17:22 . 2008-04-13 17:22 70,144 --a------ C:\WINDOWS\pkjutetg.dll
2008-04-13 17:22 . 2008-04-13 17:22 70,144 --a------ C:\Documents and Settings\All Users\Application Data\ujavgbur.dll
2008-04-13 17:21 . 2008-04-13 17:23 <DIR> d-------- C:\Program Files\Bat
2008-04-13 17:20 . 2008-04-13 17:20 6,656 --a------ C:\WINDOWS\ns.dll
2008-04-12 18:46 . 2008-04-12 18:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-12 14:55 . 2008-04-12 14:55 <DIR> d-------- C:\Program Files\CCleaner
2008-04-12 14:41 . 2008-04-12 14:55 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-12 13:25 . 2008-04-12 13:25 3,370 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-12 13:19 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-12 13:19 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-12 13:19 . 2008-04-12 17:34 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-12 13:19 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-12 13:19 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-12 13:19 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-12 13:19 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 12:47 . 2008-04-13 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-12 12:46 . 2008-04-12 18:50 <DIR> d-------- C:\WINDOWS\cuawsppw
2008-04-12 12:46 . 2008-04-12 23:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rubsbwpk
2008-04-12 12:46 . 2008-04-12 12:46 70,144 --a------ C:\WINDOWS\mzcxcjel.dll
2008-04-12 12:46 . 2008-04-12 12:46 70,144 --a------ C:\Documents and Settings\All Users\Application Data\pyvgjupy.dll
2008-04-12 12:44 . 2008-04-12 12:44 6,656 --a------ C:\WINDOWS\ons.dll
2008-04-07 19:59 . 2008-04-07 19:59 402 --a------ C:\WINDOWS\system32\LE347.tmp
2008-04-07 19:59 . 2008-04-07 19:59 402 --a------ C:\WINDOWS\system32\LE24D.tmp
2008-04-07 19:59 . 2008-04-07 19:59 402 --a------ C:\WINDOWS\system32\LE153.tmp
2008-04-07 17:27 . 2008-04-08 07:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-07 17:27 . 2008-04-07 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 17:07 . 2008-04-07 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-30 16:10 . 2008-03-30 16:10 <DIR> d-------- C:\Program Files\Screenshot Utility
2008-03-30 08:02 . 2008-03-30 08:02 190,464 --a------ C:\WINDOWS\system32\luapvs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 21:38 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-04-07 22:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 22:52 --------- d-----w C:\Program Files\Viewpoint
2008-04-07 22:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-07 21:45 --------- d-----w C:\Program Files\Common Files\Real
2008-03-30 03:16 --------- d-----w C:\Program Files\EA GAMES
2008-03-29 18:24 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-28 21:39 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\FileZilla
2008-03-27 23:00 --------- d-----w C:\Program Files\FileZilla FTP Client
2008-03-12 18:33 --------- d-----w C:\Program Files\MMRR Software
2008-03-12 00:23 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-03-12 00:23 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-03-12 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-09 17:31 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-09 17:30 --------- d-----w C:\Program Files\Intuit
2008-03-09 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-03-09 17:28 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-03-06 02:50 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-25 22:03 --------- d-----w C:\Program Files\NewSoft
2008-02-25 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 21:59 --------- d-----w C:\Program Files\DSC Driver
2008-02-20 19:31 --------- d-----w C:\Program Files\LimeWire
2008-02-11 00:08 6,144 ----a-w C:\WINDOWS\ictions.dll
2008-01-26 22:06 5,120 ----a-w C:\WINDOWS\rictions.dll
.

------- Sigcheck -------

2005-03-14 03:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
2005-03-14 02:55 359808 1898df9a9d550da97c2ed41ae3c76a25 C:\WINDOWS\system32\dllcache\tcpip.sys
2005-03-14 02:55 359808 1898df9a9d550da97c2ed41ae3c76a25 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_17.23.31.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-13 00:16:39 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-12 23:46:16 6,758,400 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-12 23:46:17 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-13 00:16:39 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-12 23:46:15 6,758,400 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-12 23:46:15 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2004-08-10 04:00:00 1,032,192 ------w C:\WINDOWS\explorer.exe
+ 2004-08-10 04:00:00 1,034,752 ----a-w C:\WINDOWS\explorer.exe
- 2007-09-27 19:52:53 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-13 22:55:58 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-09-27 19:52:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-13 22:55:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-13 22:55:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-10 11:00:00 18,688 ----a-w C:\WINDOWS\system32\dllcache\cdaudio.sys
+ 2004-08-10 04:00:00 16,896 ----a-w C:\WINDOWS\system32\ehsjml.dll
+ 2008-04-14 00:18:30 118,784 ----a-w C:\WINDOWS\system32\hmxupqrc.exe
+ 2006-04-14 22:38:05 13,824 ----a-w C:\WINDOWS\system32\icasServ.exe
+ 2004-08-10 04:00:00 32,768 ----a-w C:\WINDOWS\system32\kbl.dll
+ 2004-08-10 04:00:00 77,824 ----a-w C:\WINDOWS\system32\kdzzg.exe
+ 2004-08-10 04:00:00 113,664 ----a-w C:\WINDOWS\system32\lgfitgfqp.drv
- 2004-08-10 04:00:00 13,312 ----a-w C:\WINDOWS\system32\lsass.exe
+ 2004-08-10 04:00:00 14,848 ----a-w C:\WINDOWS\system32\lsass.exe
- 2004-08-10 04:00:00 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2004-08-10 04:00:00 58,880 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2004-08-10 04:00:00 113,664 ----a-w C:\WINDOWS\system32\sradgnehcf.sys
- 2004-08-10 04:00:00 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
+ 2008-04-13 22:37:58 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
+ 2008-04-13 22:38:13 26,112 ----a-w C:\WINDOWS\system32\wbem\csrss.exe
- 2004-08-10 04:00:00 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
+ 2004-08-10 04:00:00 506,368 ----a-w C:\WINDOWS\system32\winlogon.exe
+ 2008-04-14 00:18:33 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_1dc.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BC7FC20-CFB1-489A-8BFF-4E285C3E1F62}]
C:\WINDOWS\system32\qoMcbBQg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF26FAC0-7D4E-46D8-AE64-B277B11443AC}]
2008-03-30 08:02 190464 --a------ C:\WINDOWS\system32\luapvs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 17:03 1481968]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [ ]
"Tcu"="C:\Documents and Settings\Compaq_Administrator\Application Data\?asks\?explore.exe" [ ]
"sswwphwe"="C:\WINDOWS\system32\arcbcnsh.exe" [2008-04-13 17:22 118784]
"srcezlqz"="C:\WINDOWS\system32\hmxupqrc.exe" [2008-04-13 19:18 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"ftutil2"="rundll32.exe" [2004-08-09 23:00 33280 C:\WINDOWS\system32\rundll32.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 22:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-02-26 14:41 14348]
"PCDrProfiler"="" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-02-26 14:41 14348]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 14:41 14348]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 02:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-02-26 14:41 14348]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-09 23:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-09 23:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-02-26 14:41 14348]
"AntiVirusPro"="C:\Program Files\AntiVirusPro\AntiVirusPro.exe" [ ]
"icasServ"="C:\WINDOWS\system32\icasServ.exe" [2006-04-14 17:38 13824]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"hinhbril"="C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\qkbcrn.sys WLEntryPoint" [ ]
"csrss"="C:\WINDOWS\system32\wbem\csrss.exe" [2008-04-13 17:38 26112]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [2008-02-25 16:59:38 65536]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-06 19:40:54 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Qo6VtiKILJ"= C:\Documents and Settings\All Users\Application Data\krmrshwv\cvgrudej.exe
"ratgn"= rundll32.exe "C:\WINDOWS\system32\lgfitgfqp.drv" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DKvupD"= {242949B7-8E83-E31D-5CAB-E61E5BAAA7AD} - C:\WINDOWS\system32\kbl.dll [2004-08-09 23:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibudu]
ibudu.dll 2008-04-13 17:38 6672 C:\WINDOWS\system32\ibudu.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56597:TCP"= 56597:TCP:@xpsp2res.dll,-22005
"48448:TCP"= 48448:TCP:@xpsp2res.dll,-22005
"15607:TCP"= 15607:TCP:@xpsp2res.dll,-22005
"9538:TCP"= 9538:TCP:@xpsp2res.dll,-22005

R1 itcoe;itcoe adapter;C:\WINDOWS\system32\itcoe.sys [2008-04-13 19:17]
S2 ARSVCdmserver;ARSVC ARSVCdmserver;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\4.tmp []
S2 RemoteRegistryNetDDEdsdm;Remote Registry RemoteRegistryNetDDEdsdm;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\10.tmp []
S2 TapiSrvclr_optimization_v2.0.50727_32;Telephony TapiSrvclr_optimization_v2.0.50727_32;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\490411199.exe []
S2 TermServiceMSIServer;Terminal Services TermServiceMSIServer;C:\WINDOWS\system32\alrsvcu.exe [2008-04-13 17:39]
S2 ThemesTrkWks;Themes ThemesTrkWks;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\C.tmp []

*Newly Created Service* - ARSVCDMSERVER
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 19:18:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\Wfky49.sys 167936 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wfky49]


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ARSVCdmserver]
"ImagePath"="C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\4.tmp srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistryNetDDEdsdm]
"ImagePath"="C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\10.tmp srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThemesTrkWks]
"ImagePath"="C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\C.tmp srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ibudu.dll
-> C:\WINDOWS\system32\ehsjml.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-04-13 19:20:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 00:20:08
ComboFix2.txt 2008-04-12 22:24:00
ComboFix3.txt 2008-04-12 18:45:34
Pre-Run: 124,921,438,208 bytes free
Post-Run: 125,208,006,656 bytes free
.
2007-09-27 20:18:08 --- E O F ---
----------------------------------

And the MBAM log.

Malwarebytes' Anti-Malware 1.08
Database version: 471

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 147120
Time elapsed: 27 minute(s), 42 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 16
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 88

Memory Processes Infected:
c:\WINDOWS\system32\icasServ.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\WINDOWS\system32\wbem\csrss.exe (Heuristic.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\ehsjml.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\IQSoftware (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\luapvs.TCHONGABHO (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\icasServ (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hinhbril (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ratgn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\ehsjml.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\icasServ.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\eobmrr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lgfitgfqp.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\afjboaknrma.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\oiabmetisnk.nls (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Administrator\Application Data\printer.exe.vir (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\findfast.exe.vir (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\BraveSentry\BraveSentry0.dll.vir (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\BraveSentry\BraveSentry2.dll.vir (Rogue.Brave.Sentry) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\BraveSentry\BraveSentry3.dll.vir (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whagent.exe.vir (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whiehlpr.dll.vir (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whinstaller.exe.vir (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\desktop.html.vir (Hijacker.Wallpaper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\shell.exe.vir (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\printer.exe.vir (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga4me1.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP191\A0042043.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP191\A0042044.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP191\A0042045.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP191\A0042046.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP191\A0042047.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\A0042055.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\A0042056.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\A0042057.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\A0042058.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\A0042059.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-10.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-11.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-12.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-13.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-14.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-15.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-16.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-17.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-18.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-19.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-2.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-20.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-21.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-22.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-23.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-24.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-25.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-26.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-27.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-28.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-29.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-3.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-30.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-31.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-32.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-34.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-35.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-36.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-37.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-38.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-39.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-4.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-40.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-41.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-42.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-43.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-44.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-45.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-46.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-47.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-48.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-49.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-5.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-50.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-51.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-52.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-6.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-7.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-8.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP192\snapshot\MFEX-9.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bihcf.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sradgnehcf.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\n.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\csrss.exe (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#18
ohsocarlyx3
    Member
  • Topic Starter
  • 29 posts
And lastly, the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:17 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\krmrshwv\cvgrudej.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\arcbcnsh.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {2BC7FC20-CFB1-489A-8BFF-4E285C3E1F62} - C:\WINDOWS\system32\qoMcbBQg.dll (file missing)
O2 - BHO: QuickTalk 2.1 - {CF26FAC0-7D4E-46D8-AE64-B277B11443AC} - C:\WINDOWS\system32\luapvs.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [kipikctk] rundll32.exe "C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jghrnjsaoo.nls" WLEntryPoint
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [Tcu] "C:\Documents and Settings\Compaq_Administrator\Application Data\?asks\?explore.exe"
O4 - HKCU\..\Run: [sswwphwe] C:\WINDOWS\system32\arcbcnsh.exe
O4 - HKCU\..\Run: [srcezlqz] C:\WINDOWS\system32\hmxupqrc.exe
O4 - HKLM\..\Policies\Explorer\Run: [Qo6VtiKILJ] C:\Documents and Settings\All Users\Application Data\krmrshwv\cvgrudej.exe
O4 - HKLM\..\Policies\Explorer\Run: [nmdoilch] rundll32.exe "C:\WINDOWS\system32\gbaiqrmffrj.drv" WLEntryPoint
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38BDF3BA-A86C-45E8-95EC-A6FEE54B6AC6}: NameServer = 85.255.113.126,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A751F35-426A-493E-B079-1E77E637DEF9}: NameServer = 85.255.113.126,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D9CD1CB-961C-4C4F-B40A-131FEFE24524}: NameServer = 85.255.113.126,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5CBB95-3766-4B9A-8325-B11F575ADCBC}: NameServer = 85.255.113.126,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{831D048A-20A0-47DF-80C7-CA77D178CCB1}: NameServer = 85.255.113.126,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC7B0FA-EE93-48AD-9DF5-24589A4BD5FE}: NameServer = 85.255.113.126,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.126 85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{38BDF3BA-A86C-45E8-95EC-A6FEE54B6AC6}: NameServer = 85.255.113.126,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.126 85.255.112.84
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ibudu - C:\WINDOWS\SYSTEM32\ibudu.dll
O21 - SSODL: DKvupD - {242949B7-8E83-E31D-5CAB-E61E5BAAA7AD} - C:\WINDOWS\system32\kbl.dll
O21 - SSODL: zip - {9bffcd6d-45aa-49bf-835c-bec81c0d191c} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ARSVC ARSVCdmserver (ARSVCdmserver) - Unknown owner - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\4.tmp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Registry RemoteRegistryNetDDEdsdm (RemoteRegistryNetDDEdsdm) - Unknown owner - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\10.tmp.exe (file missing)
O23 - Service: Telephony TapiSrvclr_optimization_v2.0.50727_32 (TapiSrvclr_optimization_v2.0.50727_32) - Unknown owner - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\490411199.exe (file missing)
O23 - Service: Terminal Services TermServiceMSIServer (TermServiceMSIServer) - Unknown owner - C:\WINDOWS\system32\alrsvcu.exe
O23 - Service: Themes ThemesTrkWks (ThemesTrkWks) - Unknown owner - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\C.tmp.exe (file missing)

--
End of file - 9571 bytes
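The log above carries several indicator types that a helper reads by eye: O17 NameServer values pointing at public IPs the user never configured, O4 autoruns and O23 services executing from Temp or Application Data (or listed as "(file missing)"), services whose names are two genuine Windows service names glued together (TermService+MSIServer, Themes+TrkWks), and a process using a reserved system name (csrss.exe) from a folder other than System32. The script below is an added example for this page, not code from the thread, from HijackThis or from Malwarebytes; it automates that triage. The sample lines are constructed from the HJT and MBAM logs posted above; the assumption that the system root is C:\WINDOWS, that legitimate DNS comes from the router via DHCP (so any hard-coded public NameServer is suspect), and the short list of known service-name fragments are mine, not the page's.

```python
r"""Triage a HijackThis (HJT) log for the indicator types visible in this thread.

Added example, not code from the thread, HijackThis or Malwarebytes. Assumptions
not taken from the page: system root is C:\WINDOWS, DNS should come from DHCP so
any hard-coded public NameServer is suspect, KNOWN_SERVICE_NAMES is hand-picked.
"""
import ipaddress
import re

# Reserved core-process names; the real binaries live in %SystemRoot%\System32
# (explorer.exe in %SystemRoot%). A copy elsewhere, e.g. system32\wbem\csrss.exe,
# is a lookalike.
RESERVED_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
LEGIT_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32$")
LEGIT_SYSROOT = re.compile(r"^[a-z]:\\windows$")

# User-writable locations that no autostart entry or service should run from.
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\application data\\")

# Fragments of genuine Windows service names; the rogue services in the log glue
# two of them together (TermService+MSIServer, Themes+TrkWks, ...).
KNOWN_SERVICE_NAMES = ("RemoteRegistry", "NetDDEdsdm", "TapiSrv", "TermService",
                       "MSIServer", "Themes", "TrkWks", "clr_optimization")

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^)]+)\))?"
                    r" - (?P<owner>.*?) - (?P<path>.*)$")


def _norm(path):
    return path.strip().strip('"').lower().replace("/", "\\")


def public_nameservers(field):
    """Globally routable IPs in an O17 NameServer value (comma/space separated)."""
    found = []
    for token in re.split(r"[,\s]+", field.strip()):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        if ip.is_global:
            found.append(str(ip))
    return found


def reserved_name_outside_system32(path):
    """True if a reserved process name runs from anywhere but its legitimate folder."""
    parent, _, name = _norm(path).rpartition("\\")
    if name not in RESERVED_NAMES:
        return False
    if name == "explorer.exe":
        return LEGIT_SYSROOT.match(parent) is None
    return LEGIT_SYSTEM32.match(parent) is None


def path_is_suspect(cmd):
    """Paths under Temp/Application Data, or containing '?' (HJT prints '?' for
    characters it cannot render; a real NTFS path never contains one)."""
    p = _norm(cmd)
    return "?" in p or any(d in p for d in SUSPECT_DIRS)


def service_name_is_mimicry(name):
    """True if a service name is two or more real service names glued together."""
    if not name or name in KNOWN_SERVICE_NAMES:
        return False
    return sum(k.lower() in name.lower() for k in KNOWN_SERVICE_NAMES) >= 2


def triage(log_text):
    """Return (indicator, line) pairs for the suspicious lines of one HJT log."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if reserved_name_outside_system32(line):
                findings.append(("reserved-name-outside-system32", line))
            elif path_is_suspect(line):
                findings.append(("process-from-user-writable-dir", line))
            continue
        m = O17_RE.match(line)
        if m:
            public = public_nameservers(m.group("servers"))
            if public:
                findings.append(("dns-hijack:" + ",".join(public), line))
            continue
        m = O4_RE.match(line)
        if m:
            if path_is_suspect(m.group("cmd")):
                findings.append(("autorun-from-user-writable-dir", line))
            continue
        m = O23_RE.match(line)
        if m:
            if service_name_is_mimicry(m.group("name")):
                findings.append(("service-name-mimicry", line))
            elif path_is_suspect(m.group("path")) or "(file missing)" in m.group("path"):
                findings.append(("service-from-temp-or-missing", line))
    return findings


# Constructed sample: a handful of lines copied from the HJT and MBAM logs above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\Documents and Settings\All Users\Application Data\krmrshwv\cvgrudej.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [kipikctk] rundll32.exe "C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jghrnjsaoo.nls" WLEntryPoint
O4 - HKCU\..\Run: [Tcu] "C:\Documents and Settings\Compaq_Administrator\Application Data\?asks\?explore.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.126 85.255.112.84
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Terminal Services TermServiceMSIServer (TermServiceMSIServer) - Unknown owner - C:\WINDOWS\system32\alrsvcu.exe
O23 - Service: Themes ThemesTrkWks (ThemesTrkWks) - Unknown owner - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\C.tmp.exe (file missing)
"""

if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG):
        print(f"{indicator:45} {line}")
```

Run against the sample it reports seven findings: the wbem csrss.exe lookalike, the process running out of All Users\Application Data, the two Temp/unrenderable-path autoruns, the public NameServer pair, and the two glued-together service names, while the genuine smss.exe, explorer.exe, ehTray and NVSvc lines pass. The Application Data rule is tuned to this log and will flag some legitimate per-user updaters on other machines; treat it as a prompt to look, not a verdict.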

#19
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Your SUPERAntiSpyware program has most likely been compromised by the AWF infection, but we will get an antivirus program onto your machine and run it as a matter of priority.

We will also run SDFix again and gather information on another infection I think you have.

====STEP 1====
This program is basic for the security of your computer, and in today's age not having one will probably lead to disaster for your computer.

Please go to http://www.avast.com.../down_home.html and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded and double-click on it to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe file.
Now you will see the Legal Agreement; just click I agree, and then click Next to continue.

You will be prompted with the Configuration window; make sure that you choose Typical configuration and then click Next. Click Next in the windows that follow. When the installation finishes, you will be given an option to schedule a boot-time scan; select No.

Now you have to restart your machine: select Restart and then click Finish.

After you restart you will get a message from avast!; it will give you the general "Hello and Thank you for choosing our Product." Also, after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, right-click on the a icon in the taskbar and select Updating, then highlight and click Program.

You will get a popup after it's done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast!, right-click the small a icon in the taskbar and click Start avast! AntiVirus.

Click Program Registration and you will be taken to their website. Fill out the form and then check your e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form), copy and paste the serial they provided into the highlighted box. Then click OK.

After this, you will need to schedule a Boot-Time Scan with avast!. Click on the little button placed up in the left corner and select Schedule Boot-Time Scan. Also read this tutorial http://www.schmahl.n...astbootscan.htm; it may make it easier for you to follow the steps.

Next, choose:
  • Scan all local disks
  • Scan archive files
  • Click on Schedule
  • On the next dialog, Operating system restart needed, select Yes
Now avast! will restart your computer and start to scan before Windows fully loads.

IMPORTANT NOTE: since your system has infections on it, avast! will give you a dialog box with recommended actions and options. If this happens, please make sure to click the Move to Chest button, and not to delete any reported files.

On completion of the boot scan there will be a report at this location C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt Please post that in your next reply.


====STEP 2====
We will run SDFix again:

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

====STEP 3====
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


In your next reply could I see:
1. the AswBoot.txt log
2. the Report.txt log
3. the smitfraudfix log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#20
ohsocarlyx3
    Member
  • Topic Starter
  • 29 posts
I installed avast! and then restarted; whenever it turned on nothing came up except the desktop background, no icons, no taskbar. So I'm not really sure what to do. I'm on my other computer to write this.

#21
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Let's see if we can do two things:

Firstly, see if you can get into safe mode.

If you can, then run avast! from safe mode and also run ComboFix from safe mode.

Tell me how it goes... Our aim here is to get you back into normal mode, or at least get your internet connection back.

Also, could you let me know if you are able to download programs onto your good machine and transfer them to your bad machine? (Don't try to transfer anything yet; just let me know if you think you can do it.)

andrewuk

[edit]added question on transferring programs[/edit]

Edited by andrewuk, 14 April 2008 - 06:27 AM.


#22
ohsocarlyx3
    Member
  • Topic Starter
  • 29 posts
Well, I was able to get into safe mode. I ran avast! and it said it had to scan before the computer could turn on or whatever, so it scanned before it came on; it deleted some things, and then some things it could not delete. When it was done I was able to go back normally onto the computer. I did as you said to do before with avast! and was scheduling a boot-time scan; it restarted and began. I stopped it because I had just done it and didn't realize that before. So it said "continue with boot" and it went to the Windows XP screen as if it were going to load, and then when it was done, the screen went black and my monitor just flashed as if it wasn't going to come on. So now all that happens is, when I turn it on, it begins to load, then stops and restarts itself over and over. I guess I'll just have to get it fixed or start it over; I don't really know.

#23
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Can you get into safe mode?

#24
ohsocarlyx3
    Member
  • Topic Starter
  • 29 posts
No.

#25
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Are you able to get any menu up by pressing the F8 key when the computer is booting up?

#26
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Also, if you believe it is a software problem then try the Windows XP built-in repair feature http://www.geekstogo...ws-XP-t138.html

andrewuk

#27
ohsocarlyx3
    Member
  • Topic Starter
  • 29 posts
Yes, I get the full menu but when I select any option nothing happens.
Okay, i'll try that. Thanks.

#28
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.