IE very slow. [RESOLVED]

  • This topic is locked

#1
brute force

    Member

  • Member
  • 105 posts
hi experts.

i went one day without antivirus and antispyware while reconfiguring my computer and it looks like i got caught. IE very slow. takes forever to load pages when it does load. i think the problem is a file in my system32 directory. huqenhiu.dll.
here is my hijackthis log. thanks for your help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:13 AM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSN Auto-Update Util (MSNAuto-IT) - Unknown owner - C:\WINDOWS\system32\msnins.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 3988 bytes



#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi brute force

welcome back to geekstogo :)

in this post we will remove the infections i can see in your logs and do a couple of deeper scans of your system, i suspect there are other infections that are hiding from us.

the scans will likely take 2 hours, quite possibly much longer. so just let them run.

also, could you tell me which antivirus program you are running - i can't see one in your logs?



====STEP 1====
Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
REM stop the two orphaned services named in the log, then delete their registrations
sc stop MsaSvc
sc stop MSNAuto-IT
sc delete MsaSvc
sc delete MSNAuto-IT
exit

Double click FixServices.bat. A window will open and close. This is normal.



====STEP 2====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do not run it yet



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSN Auto-Update Util (MSNAuto-IT) - Unknown owner - C:\WINDOWS\system32\msnins.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\huqenhiu.dll
    C:\WINDOWS\system32\msasvc.exe
    C:\WINDOWS\system32\msnins.exe
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====STEP 3====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 4====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

====STEP 5====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

In your next reply could i see:
1. the answer to the antivirus question
2. the OTMoveIT log
3. the kaspersky log
4. the DSS logs (though there may only be one log)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
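The fix list in the post above rests on two readings of the HijackThis log: an O23 service entry whose binary is gone and whose owner is "Unknown owner" is a dead registration worth stopping and deleting, and an O4 Run entry that hands rundll32 an eight-letter DLL in system32 is the loader for the file the topic starter already suspected. The script below, added here as an illustration and not code from the thread, HijackThis or OldTimer's tools, parses those two entry types from a constructed sample (lines copied from the log posted in this thread), applies the two checks, and renders the same FixServices.bat shape as STEP 1. The location rule (only phantom services under C:\WINDOWS are queued for removal, others merely listed for review) and the eight-letter name heuristic are assumptions of this example, not rules from the page.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# so the triage below can run offline. A raw string keeps the backslashes literal.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSN Auto-Update Util (MSNAuto-IT) - Unknown owner - C:\WINDOWS\system32\msnins.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O23 line: "Service: <display> (<key name>) - <owner> - <path>[ (file missing)]".
# The key name in parentheses is optional (see the LogMeIn line above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 line: "HKLM\..\Run: [<value name>] <command line>".
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A DLL handed to rundll32, quoted or not, e.g. Rundll32.exe "C:\...\x.dll",s
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Assumed heuristic: eight-letter pseudo-random DLL names like the one in the log.
RANDOM_STEM_RE = re.compile(r"[A-Za-z]{8}")


def parse_hjt(text):
    """Return (services, run_entries) parsed from a HijackThis log."""
    services, run_entries = [], []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            s = m.groupdict()
            s["key"] = s["key"] or s["display"]   # sc.exe wants the key name
            s["missing"] = s["missing"] is not None
            services.append(s)
            continue
        m = O4_RE.match(line)
        if m:
            run_entries.append(m.groupdict())
    return services, run_entries


def triage(text):
    """Apply the two checks behind the helper's fix list."""
    services, run_entries = parse_hjt(text)
    remove, review, suspicious_runs = [], [], []
    for s in services:
        # Registration whose binary is gone and that carries no vendor name.
        if s["missing"] and s["owner"] == "Unknown owner":
            # Assumed rule: a phantom service pointing into the Windows directory
            # is queued for removal; anything else (here a leftover 3ds Max
            # component) is only listed for a human to look at.
            if s["path"].lower().startswith("c:\\windows\\"):
                remove.append(s["key"])
            else:
                review.append(s["key"])
    for r in run_entries:
        m = RUNDLL_RE.search(r["cmd"])
        if not m:
            continue
        dll = m.group("dll")
        stem = dll.rsplit("\\", 1)[-1][:-4]       # basename without ".dll"
        if "\\system32\\" in dll.lower() and RANDOM_STEM_RE.fullmatch(stem):
            suspicious_runs.append((r["name"], dll))
    return {"remove": remove, "review": review, "run": suspicious_runs}


def fix_services_bat(service_keys):
    """Render the same FixServices.bat shape the helper posted in STEP 1."""
    lines = ["@echo off"]
    lines += [f"sc stop {k}" for k in service_keys]
    lines += [f"sc delete {k}" for k in service_keys]
    lines.append("exit")
    return "\r\n".join(lines) + "\r\n"   # CRLF line endings for cmd.exe


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG)
    for section in ("remove", "review", "run"):
        print(section, result[section])
    print(fix_services_bat(result["remove"]))
```

Run it and the "remove" list comes back as MsaSvc and MSNAuto-IT, the mental ray satellite lands in "review" (a dead registration, but one the helper left alone), and the only Run entry flagged is BMfff58a50 with huqenhiu.dll; NvCpl.dll is also loaded through rundll32 but has a vendor-style name and is not flagged. The heuristics are deliberately narrow so that a legitimate entry is listed for review rather than queued for removal.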

#3
brute force

    Member

  • Topic Starter
  • Member
  • 105 posts
hi,

here you go. the antivirus is the program i took off and did not install the new version yet (AVG)

Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\huqenhiu.dll
C:\WINDOWS\system32\huqenhiu.dll NOT unregistered.
C:\WINDOWS\system32\huqenhiu.dll moved successfully.
File/Folder C:\WINDOWS\system32\msasvc.exe not found.
File/Folder C:\WINDOWS\system32\msnins.exe not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05042008_160805



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 04, 2008 7:59:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/05/2008
Kaspersky Anti-Virus database records: 739760
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 107264
Number of viruses found: 14
Number of infected objects: 62
Number of suspicious objects: 0
Duration of the scan process: 02:40:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ATI MMC\AtiCCap.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ATI MMC\ATICCDB.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ATI MMC\ATi_MLDB.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ATI MMC\ATi_MLDB.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ATI MMC\ErrorLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ATI MMC\TV-Live.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ATI MMC\TV-Play.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Incomplete\CORRUPT-0-Wicked Remix (mama).wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\vmware-Dad\K3YHUP83\desktop.ini Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\My Documents\Download_1clickdvdcopyprosetuprn3[1].1.3.5.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Dad\My Documents\PC Games-The Sims 2 - University.zip/Sims2 University.exe/username.exe Infected: Trojan-Downloader.Win32.Small.ya skipped
C:\Documents and Settings\Dad\My Documents\PC Games-The Sims 2 - University.zip/Sims2 University.exe/shell32.exe Infected: not-a-virus:AdWare.Win32.WinAD.b skipped
C:\Documents and Settings\Dad\My Documents\PC Games-The Sims 2 - University.zip/Sims2 University.exe Infected: not-a-virus:AdWare.Win32.WinAD.b skipped
C:\Documents and Settings\Dad\My Documents\PC Games-The Sims 2 - University.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\NNSCAA638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\LogMeIn\update\2-30-545.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.c skipped
C:\Program Files\LogMeIn\update\2-30-547.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-547.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-547.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.c skipped
C:\Program Files\LogMeIn\update\2-30-555.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-555.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.c skipped
C:\Program Files\Windows TaskAd\WinProject.dll Infected: not-a-virus:AdWare.Win32.WinAD.b skipped
C:\Program Files\Windows TaskAd\WinSched.exe Infected: not-a-virus:AdWare.Win32.WinAD skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{714AD81B-1B28-4C51-BC39-06358DBB0CE8}\RP244\A0040329.exe Infected: Trojan.Win32.Delf.bur skipped
C:\System Volume Information\_restore{714AD81B-1B28-4C51-BC39-06358DBB0CE8}\RP284\A0043996.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{714AD81B-1B28-4C51-BC39-06358DBB0CE8}\RP287\A0044193.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{714AD81B-1B28-4C51-BC39-06358DBB0CE8}\RP288\A0044221.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{714AD81B-1B28-4C51-BC39-06358DBB0CE8}\RP288\A0044221.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{714AD81B-1B28-4C51-BC39-06358DBB0CE8}\RP288\A0044221.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{714AD81B-1B28-4C51-BC39-06358DBB0CE8}\RP288\change.log Object is locked skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Ad-Aware 2007 Pro 7.0.2.6/Lavasoft Ad-Aware 2007 PRO 7.0.2.6.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Ad-Aware 2007 Pro 7.0.2.6/Lavasoft Ad-Aware 2007 PRO 7.0.2.6.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Ad-Aware 2007 Pro 7.0.2.6/Lavasoft Ad-Aware 2007 PRO 7.0.2.6.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/HijackThis 2.0.2/HijackThis 2.0.2.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/HijackThis 2.0.2/HijackThis 2.0.2.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/HijackThis 2.0.2/HijackThis 2.0.2.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spy Sweeper 5.5.7.48/Webroot Spy Sweeper 5.5.7.48.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spy Sweeper 5.5.7.48/Webroot Spy Sweeper 5.5.7.48.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spy Sweeper 5.5.7.48/Webroot Spy Sweeper 5.5.7.48.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spybot Search & Destroy 1.5.2/Spybot Search & Destroy 1.5.2.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spybot Search & Destroy 1.5.2/Spybot Search & Destroy 1.5.2.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spybot Search & Destroy 1.5.2/Spybot Search & Destroy 1.5.2.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spyware Blaster 3.5.1/Spyware Blaster 3.5.1.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spyware Blaster 3.5.1/Spyware Blaster 3.5.1.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spyware Blaster 3.5.1/Spyware Blaster 3.5.1.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spyware Doctor 5.5.0.204/Spyware Doctor 5.5.0.204.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spyware Doctor 5.5.0.204/Spyware Doctor 5.5.0.204.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/Spyware Doctor 5.5.0.204/Spyware Doctor 5.5.0.204.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/SUPERAntiSpyware Professional 4.0.0.1146/Setup.exe/data0000.cab/is202093.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/SUPERAntiSpyware Professional 4.0.0.1146/Setup.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip/Anti-Spyware/SUPERAntiSpyware Professional 4.0.0.1146/Setup.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Torrents\Anti-Spyware.zip ZIP: infected - 21 skipped
C:\Torrents\Over 300 serials & keygens\over 300 serials & keygen\avast keygen.exe/packed Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Torrents\Over 300 serials & keygens\over 300 serials & keygen\avast keygen.exe GZIP: infected - 1 skipped
C:\Torrents\WGA_Crack_Working_All_Versions.zip/install.exe Infected: Trojan-Downloader.Win32.Agent.ejw skipped
C:\Torrents\WGA_Crack_Working_All_Versions.zip ZIP: infected - 1 skipped
C:\ventfe1.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\ventfe1.exe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\aaawfaqq.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cv3wanv28.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd7213.sys Object is locked skipped
C:\WINDOWS\system32\dsgkugyq.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\iiffFyVL.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\jkkLBtSL.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\khfGYoOe.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\koqslacq.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\ljJDUklL.dll_old Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\mlJCSkhE.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\nnnoPIaw.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\qtawmtqj.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\shell32.exe Infected: not-a-virus:AdWare.Win32.WinAD.b skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\05042008_160805\WINDOWS\system32\huqenhiu.dll Infected: Trojan.Win32.Monder.gen skipped

Scan process completed.





Deckard's System Scanner v20071014.68
Run by Dad on 2008-05-04 20:02:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
109: 2008-05-05 00:02:21 UTC - RP289 - Deckard's System Scanner Restore Point
108: 2008-05-04 14:15:55 UTC - RP288 - System Checkpoint
107: 2008-05-03 13:38:12 UTC - RP287 - Installed Ad-Aware 2007
106: 2008-05-02 20:54:42 UTC - RP286 - Installed AVG 7.5
105: 2008-05-02 20:54:17 UTC - RP285 - Removed AVG 7.5


-- First Restore Point --
1: 2008-05-02 18:06:34 UTC - RP181 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dad.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:50 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\dss.exe
C:\HIJACK~1\Dad.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2D287CBB-F7BB-49A2-9575-64786F7D4D33} - C:\WINDOWS\system32\mlJCSkhE.dll
O2 - BHO: (no name) - {654EDA56-A28C-4882-AAE8-6510FE4D7F82} - C:\WINDOWS\system32\ljJDUklL.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {e90a62eb-4a27-6bb8-b4f4-f1a1d4100cab} - {bac0014d-1a1f-4f4b-8bb6-72a4be26a09e} - C:\WINDOWS\system32\qtawmtqj.dll
O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - C:\WINDOWS\system32\iiffFyVL.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O20 - Winlogon Notify: iiffFyVL - C:\WINDOWS\SYSTEM32\iiffFyVL.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4303 bytes

-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

backup-20060820-022332-844 O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
backup-20060820-094918-561 R3 - Default URLSearchHook is missing
backup-20060820-094918-632 O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
backup-20060820-094918-790 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-095056-456 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-100103-399 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060820-100103-490 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060820-100103-544 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-141128-196 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20060820-141128-801 O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
backup-20060820-141128-973 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-141159-241 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20061015-182815-996 O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
backup-20061230-163949-110 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-163949-137 O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels1118.exe
backup-20061230-163949-199 O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll (file missing)
backup-20061230-163949-398 O4 - HKLM\..\Run: [once balm 64 title] C:\Documents and Settings\All Users\Application Data\Vga audio once balm\axisblah.exe
backup-20061230-163949-523 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-163949-567 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061230-163949-614 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061230-163949-743 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-163949-815 O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
backup-20061230-163949-826 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-163949-932 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-163949-981 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-164023-727 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061230-170622-180 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170622-381 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170622-559 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170622-710 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170622-785 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170622-901 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170622-909 O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
backup-20061230-170711-149 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170711-332 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170711-339 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170711-409 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170711-839 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170711-886 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-232 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-315 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-222635-407 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-222635-450 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-222635-628 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-717 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-222635-916 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061231-023455-254 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-023455-286 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-023455-463 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-023455-474 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-023455-557 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-023455-649 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-256 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-345 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-032204-441 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-032204-522 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-544 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-032204-604 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-150340-156 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-150340-334 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-150340-424 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-150340-520 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-150340-561 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-150340-622 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061231-150340-781 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-150340-864 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-420 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-152645-575 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-687 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-152645-784 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-152645-795 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-152645-878 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-886 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
backup-20061231-152645-970 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-147 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-250 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-161948-627 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-161948-741 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-161948-784 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-161948-848 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-962 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20070119-102704-965 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20070129-181308-492 O4 - HKLM\..\Run: [hrcopul.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Dad\Local Settings\Application Data\hrcopul.dll",vuljcec
backup-20071026-002019-312 O4 - HKLM\..\Run: [close surf mail dupe] C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\DVD CAKE.exe
backup-20071026-002019-394 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20071026-002019-486 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20071209-173124-352 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071209-173124-384 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20071209-173124-572 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20071209-173124-651 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20071209-173124-655 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
backup-20071209-173124-747 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
backup-20071215-120627-151 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20071215-120627-976 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080219-233558-628 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080219-233558-711 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080504-094051-779 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-094051-999 O4 - HKLM\..\Run: [fcc6b9cc] rundll32.exe "C:\WINDOWS\system32\koqslacq.dll",b
backup-20080504-095910-133 O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
backup-20080504-095910-308 O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
backup-20080504-095910-779 O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
backup-20080504-095910-912 O23 - Service: MSN Auto-Update Util (MSNAuto-IT) - Unknown owner - C:\WINDOWS\system32\msnins.exe (file missing)
backup-20080504-095925-543 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-110434-856 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-160629-491 O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
backup-20080504-160629-512 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync03 (StarForce Protection Synchronization Driver (version 3.x)) - c:\windows\system32\drivers\sfsync03.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 RT2500 (RT2500 Wireless Driver) - c:\windows\system32\drivers\rt2500.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless PCI Adapters>

S3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys (file missing)
S3 ezplay (VSO Software ezplay) - c:\windows\system32\drivers\ezplay.sys <Not Verified; VSO Software; ezplay driver>
S3 Usblink (Usblink Driver) - c:\windows\system32\drivers\ulink.sys <Not Verified; ; USB SUPERLINK ADAPTER>
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys <Not Verified; VMware, Inc.; VMware virtual network adapter driver (32-bit)>
S3 Wdm1 (USB Bridge Cable Driver) - c:\windows\system32\drivers\usbbc.sys <Not Verified; ; PC-Linq Bridge Cable>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe" (file missing)
S2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-04 02:12:00 336 --a------ C:\WINDOWS\Tasks\Ad-Aware SE Professional.job
2008-05-03 06:35:00 324 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-04 16:20:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:20:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 16:20:38 0 d-------- C:\WINDOWS\LastGood
2008-05-04 11:55:55 41984 --a------ C:\WINDOWS\system32\khfGYoOe.dll
2008-05-04 04:49:54 108096 --a------ C:\WINDOWS\system32\qtawmtqj.dll
2008-05-04 04:47:03 95296 --a------ C:\WINDOWS\system32\koqslacq.dll
2008-05-03 09:38:15 0 d-------- C:\Program Files\Lavasoft
2008-05-03 09:38:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-03 09:37:44 41984 --a------ C:\WINDOWS\system32\nnnoPIaw.dll
2008-05-03 09:29:44 0 d-------- C:\Program Files\SpywareBlaster
2008-05-03 09:29:21 41984 --a------ C:\WINDOWS\system32\jkkLBtSL.dll
2008-05-03 04:47:01 104512 --a------ C:\WINDOWS\system32\dsgkugyq.dll
2008-05-03 04:46:54 103488 --a------ C:\WINDOWS\system32\aaawfaqq.dll
2008-05-02 16:54:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-02 16:43:30 541823 --ahs---- C:\WINDOWS\system32\EhkSCJlm.ini2
2008-05-02 16:43:28 280576 --a------ C:\WINDOWS\system32\mlJCSkhE.dll
2008-05-02 14:06:24 6771 --ahs---- C:\WINDOWS\system32\LlkUDJjl.ini2
2008-05-02 14:01:10 41984 --a------ C:\WINDOWS\system32\iiffFyVL.dll
2008-05-01 18:20:55 0 dr-h----- C:\Documents and Settings\Dad\Recent
2008-04-12 11:30:15 0 d-------- C:\Program Files\SystemRequirementsLab
2008-04-10 18:46:43 0 d-------- C:\Documents and Settings\Lauren\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-04 16:40:43 0 d-------- C:\Documents and Settings\Dad\Application Data\ATI MMC
2008-05-04 09:21:16 0 d-------- C:\Program Files\LogMeIn
2008-05-04 09:13:12 0 d-------- C:\Documents and Settings\Dad\Application Data\Vso
2008-05-03 09:37:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 17:52:07 0 d-------- C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-04-27 22:03:11 0 d-------- C:\Documents and Settings\Dad\Application Data\LimeWire
2008-04-27 21:25:59 0 d-------- C:\Program Files\LimeWire
2008-04-18 09:01:17 0 d-------- C:\Documents and Settings\Dad\Application Data\dvdcss
2008-04-12 11:55:26 0 d-------- C:\Program Files\Java
2008-04-12 11:43:29 0 d-a------ C:\Program Files\Common Files
2008-04-11 20:29:44 0 d-------- C:\Documents and Settings\Dad\Application Data\VMware
2008-03-06 18:08:24 34 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.log
2008-03-06 18:08:19 47360 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-06 18:08:19 1144 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.inf
2008-03-06 18:08:19 7887 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.cat
2008-03-06 18:08:17 0 d-------- C:\Program Files\1Click DVD Copy Pro


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D287CBB-F7BB-49A2-9575-64786F7D4D33}]
05/02/2008 04:43 PM 280576 --a------ C:\WINDOWS\system32\mlJCSkhE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{654EDA56-A28C-4882-AAE8-6510FE4D7F82}]
C:\WINDOWS\system32\ljJDUklL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac0014d-1a1f-4f4b-8bb6-72a4be26a09e}]
05/04/2008 04:49 AM 108096 --a------ C:\WINDOWS\system32\qtawmtqj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}]
05/02/2008 02:01 PM 41984 --a------ C:\WINDOWS\system32\iiffFyVL.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/21/2005 05:42 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"BMfff58a50"="C:\WINDOWS\system32\huqenhiu.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [06/14/2005 09:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}"= C:\WINDOWS\system32\iiffFyVL.dll [05/02/2008 02:01 PM 41984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffFyVL]
iiffFyVL.dll 05/02/2008 02:01 PM 41984 C:\WINDOWS\system32\iiffFyVL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCSkhE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Zeno.lnk]
path=C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Zeno.lnk
backup=C:\WINDOWS\pss\Zeno.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Z_Start.lnk]
path=C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Z_Start.lnk
backup=C:\WINDOWS\pss\Z_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C.tmp]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]
C:\Program Files\Common Files\VCClient\VCClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]
C:\Program Files\Common Files\VCClient\VCMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIPCMAE]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy]
"C:\WINDOWS\system32\dgfgql.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q8lg]
"C:\WINDOWS\system32\slk8x2peu.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
C:\Program Files\SurfSideKick 3\Ssk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ulsthcxA]
C:\WINDOWS\ulsthcxA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6B-B9-96-63-ZN}]
C:\windows\system32\dwdsregt.exe CORN001




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

8301 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-04 20:03:15 ------------
  • 0

#4
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
this infection could prove to be somewhat hard to clear, so we will go hard from the beginning. i can also see indications of infections you have had in the past, we will check for those also.

try and keep your machine offline as much as possible, it is quite infected.

this is a long post, so be careful in following the instructions.

the scans will likely take 2 hours, quite possibly much longer, so just let them run.


====STEP 1====
we will get an antivirus program on your machine immediately, update it and run it. i suggest you download and install AVG , there is a free version for personal use. make sure you also download the latest updates and run a full system scan.



====STEP 2====
First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.



====STEP 3====
Download Brute Force Uninstaller to your desktop.
  • Right click the file on your Desktop, and choose Extract All.
  • Click Next.
  • In the box to choose where to extract the files to:
  • Click Browse.
  • Click on the + sign next to My Computer
  • Click on Local Disk (C:) or whatever your primary drive is.
  • Click Make New Folder
  • Type in BFU
  • Click Next, and uncheck the Show Extracted Files box and then click Finish.
Download sidekickFix.bat (rightclick on that link and choose save as)
  • Place sidekickFix.bat in your C:\BFU - folder. (Important!)
  • Close all browsers and explorer folders.
  • Double-click on sidekickFix.bat
  • Click Yes and follow the prompts, when prompted to restart the PC please do so.


====STEP 4====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2D287CBB-F7BB-49A2-9575-64786F7D4D33} - C:\WINDOWS\system32\mlJCSkhE.dll
O2 - BHO: (no name) - {654EDA56-A28C-4882-AAE8-6510FE4D7F82} - C:\WINDOWS\system32\ljJDUklL.dll (file missing)
O2 - BHO: {e90a62eb-4a27-6bb8-b4f4-f1a1d4100cab} - {bac0014d-1a1f-4f4b-8bb6-72a4be26a09e} - C:\WINDOWS\system32\qtawmtqj.dll
O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - C:\WINDOWS\system32\iiffFyVL.dll
O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
O20 - Winlogon Notify: iiffFyVL - C:\WINDOWS\SYSTEM32\iiffFyVL.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 5====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Dad\Incomplete\CORRUPT-0-Wicked Remix (mama).wma
    C:\Documents and Settings\Dad\My Documents\Download_1clickdvdcopyprosetuprn3[1].1.3.5.exe
    C:\Documents and Settings\Dad\My Documents\PC Games-The Sims 2 - University.zip
    C:\NNSCAA638.EXE
    C:\Program Files\Windows TaskAd\WinProject.dll
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Torrents\Anti-Spyware.zip
    C:\Torrents\Over 300 serials & keygens\over 300 serials & keygen\avast keygen.exe
    C:\Torrents\WGA_Crack_Working_All_Versions.zip
    C:\ventfe1.exe
    C:\WINDOWS\system32\aaawfaqq.dll
    C:\WINDOWS\system32\cv3wanv28.exe
    C:\WINDOWS\system32\dsgkugyq.dll
    C:\WINDOWS\system32\iiffFyVL.dll
    C:\WINDOWS\system32\jkkLBtSL.dll
    C:\WINDOWS\system32\khfGYoOe.dll
    C:\WINDOWS\system32\koqslacq.dll
    C:\WINDOWS\system32\ljJDUklL.dll_old
    C:\WINDOWS\system32\mlJCSkhE.dll
    C:\WINDOWS\system32\nnnoPIaw.dll
    C:\WINDOWS\system32\qtawmtqj.dll
    C:\WINDOWS\system32\shell32.exe
    C:\WINDOWS\system32\ljJDUklL.dll
    C:\WINDOWS\system32\huqenhiu.dll
    C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Zeno.lnk
    C:\WINDOWS\pss\Zeno.lnkStartup
    C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Z_Start.lnk
    C:\WINDOWS\pss\Z_Start.lnkStartup
    C:\Program Files\Common Files\VCClient
    C:\WINDOWS\system32\dgfgql.exe
    C:\WINDOWS\system32\slk8x2peu.exe
    C:\Program Files\SurfSideKick 3
    C:\WINDOWS\ulsthcxA.exe
    C:\windows\system32\dwdsregt.exe
    C:\WINDOWS\system32\nnnoPIaw.dll
    C:\WINDOWS\system32\EhkSCJlm.ini2
    C:\WINDOWS\system32\LlkUDJjl.ini2
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D287CBB-F7BB-49A2-9575-64786F7D4D33}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{654EDA56-A28C-4882-AAE8-6510FE4D7F82}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac0014d-1a1f-4f4b-8bb6-72a4be26a09e}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMfff58a50
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffFyVL
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Zeno.lnk
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Z_Start.lnk
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q8lg
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ulsthcxA
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6B-B9-96-63-ZN}
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 6====
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

Registry Modifications
Next, let's remove the unwanted items.

Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
Please copy the contents of the code box below into the notepad. To do this highlight the contents of the box and right click on it.

Save it to your desktop as fixit.reg (filetype = any)

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

(In case you are unsure how to create a reg file, take a look here with screenshots.)



====STEP 7====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



====STEP 8====
You may have some infections that target Hijackthis.
I will need you to rename Hijackthis:
To do this:
  • Go to Start
  • Right click and choose Explore
  • Navigate to this location C:\Program Files\TrendMicro\Hijackthis
  • Open the Hijackthis folder
  • Right click on the Hijackthis icon and click rename
  • rename it to Gotcha
do not run hijackthis yet, we will do so after STEP 9.



====STEP 9====
Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



In your next reply could i see:
1. the OTMoveIT log
2. the malwarebytes log
3. the combofix log
4. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#5 brute force (Topic Starter, Member, 105 posts)
Wow. How do you know about past issues? Impressive. How can I learn more about doing this? Very interesting.

OK, I will try everything you said tonight. I can tell you it has been tough to download AVG because I keep getting cut off by IE. You know, that "lost the server connection" issue. Must be the spyware doing this. So I am going into safe mode to see if I can download that way. If not, I'll download it on another computer and hopefully get it to the infected computer.

Also, I did not have that New.Net Applications or New.Net Domains thing, so I'll follow the instructions you have for that. But I'll try to download first so I don't lose the connection, as you had mentioned. I have the LSP file and hopefully can download AVG. I'll get back to you later. Thanks again.
  • 0

#6 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
I will be here :)

If push comes to shove, then Step 2 and Step 3 are not that important; I don't think they are active infections, merely clearing out past remnants. But the rest of the steps are important.

andrewuk
  • 0

#7 brute force (Topic Starter, Member, 105 posts)
I'm still in the midst of going through your instructions. Thanks for being patient. I will do some more tonight. I see you have me running some stuff that I never heard of. What are your thoughts on some of these anti-malware programs you have me running? Should I use them daily?
  • 0

#8 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

What are your thoughts on some of these anti-malware programs you have me running? Should I use them daily?

We will cover all that at the end, but in summary: if you have a working antivirus and anti-spyware running in the background, then, assuming normal computer use, you need only do full system scans once a week.
  • 0

#9 brute force (Topic Starter, Member, 105 posts)
Here you go. Thanks again.

Explorer killed successfully
C:\Documents and Settings\Dad\Incomplete\CORRUPT-0-Wicked Remix (mama).wma moved successfully.
< C:\Documents and Settings\Dad\My Documents\Download_1clickdvdcopyprosetuprn3[1].1.3.5.exe >
C:\Documents and Settings\Dad\My Documents\Download_1clickdvdcopyprosetuprn3[1].1.3.5.exe moved successfully.
C:\Documents and Settings\Dad\My Documents\PC Games-The Sims 2 - University.zip moved successfully.
File/Folder C:\NNSCAA638.EXE not found.
File/Folder C:\Program Files\Windows TaskAd\WinProject.dll not found.
File/Folder C:\Program Files\Windows TaskAd\WinSched.exe not found.
File/Folder C:\Torrents\Anti-Spyware.zip not found.
C:\Torrents\Over 300 serials & keygens\over 300 serials & keygen\avast keygen.exe moved successfully.
C:\Torrents\WGA_Crack_Working_All_Versions.zip moved successfully.
File/Folder C:\ventfe1.exe not found.
File/Folder C:\WINDOWS\system32\aaawfaqq.dll not found.
File/Folder C:\WINDOWS\system32\cv3wanv28.exe not found.
File/Folder C:\WINDOWS\system32\dsgkugyq.dll not found.
File/Folder C:\WINDOWS\system32\iiffFyVL.dll not found.
File/Folder C:\WINDOWS\system32\jkkLBtSL.dll not found.
File/Folder C:\WINDOWS\system32\khfGYoOe.dll not found.
File/Folder C:\WINDOWS\system32\koqslacq.dll not found.
C:\WINDOWS\system32\ljJDUklL.dll_old moved successfully.
File/Folder C:\WINDOWS\system32\mlJCSkhE.dll not found.
File/Folder C:\WINDOWS\system32\nnnoPIaw.dll not found.
File/Folder C:\WINDOWS\system32\qtawmtqj.dll not found.
File/Folder C:\WINDOWS\system32\shell32.exe not found.
File/Folder C:\WINDOWS\system32\ljJDUklL.dll not found.
File/Folder C:\WINDOWS\system32\huqenhiu.dll not found.
File/Folder C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Zeno.lnk not found.
C:\WINDOWS\pss\Zeno.lnkStartup moved successfully.
File/Folder C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Z_Start.lnk not found.
C:\WINDOWS\pss\Z_Start.lnkStartup moved successfully.
File/Folder C:\Program Files\Common Files\VCClient not found.
File/Folder C:\WINDOWS\system32\dgfgql.exe not found.
File/Folder C:\WINDOWS\system32\slk8x2peu.exe not found.
File/Folder C:\Program Files\SurfSideKick 3 not found.
File/Folder C:\WINDOWS\ulsthcxA.exe not found.
File/Folder C:\windows\system32\dwdsregt.exe not found.
File/Folder C:\WINDOWS\system32\nnnoPIaw.dll not found.
C:\WINDOWS\system32\EhkSCJlm.ini2 moved successfully.
C:\WINDOWS\system32\LlkUDJjl.ini2 moved successfully.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D287CBB-F7BB-49A2-9575-64786F7D4D33} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D287CBB-F7BB-49A2-9575-64786F7D4D33}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{654EDA56-A28C-4882-AAE8-6510FE4D7F82} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{654EDA56-A28C-4882-AAE8-6510FE4D7F82}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac0014d-1a1f-4f4b-8bb6-72a4be26a09e} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac0014d-1a1f-4f4b-8bb6-72a4be26a09e}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMfff58a50 >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMfff58a50 not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffFyVL >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffFyVL\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Zeno.lnk >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Zeno.lnk\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Z_Start.lnk >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Z_Start.lnk\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q8lg >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q8lg\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ulsthcxA >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ulsthcxA\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6B-B9-96-63-ZN} >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6B-B9-96-63-ZN}\\ deleted successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_191744

Malwarebytes' Anti-Malware 1.12
Database version: 726

Scan type: Full Scan (C:\|)
Objects scanned: 148883
Time elapsed: 36 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\CLSID\{1adbcce8-cf84-441e-9b38-afc7a19c06a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bc7d8de8-ef3d-4f44-8b54-03759fac1367} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\DivoCodec (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\rfwi\rfwid\class-barrel (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\rfwi\rfwid\vocabulary (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.


ComboFix 08-05-01.3 - Dad 2008-05-07 19:59:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.565 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outlook
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acioxkqs.ini
C:\WINDOWS\system32\EhkSCJlm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qcalsqok.ini
C:\WINDOWS\system32\votlyilv.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 19:57 . 2008-05-07 19:57 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 21:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 21:07 . 2008-05-06 21:07 <DIR> d-------- C:\Program Files\ERUNT
2008-05-06 19:07 . 2008-05-06 19:08 <DIR> d-------- C:\bfu
2008-05-05 20:36 . 2008-05-07 19:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-05 20:27 . 2008-05-05 20:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 20:27 . 2008-05-05 20:27 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-05 20:27 . 2008-05-05 20:27 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Program Files\AVG
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 20:02 . 2008-05-04 20:02 <DIR> d-------- C:\Deckard
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:08 . 2008-05-04 16:08 <DIR> d-------- C:\_OTMoveIt
2008-05-03 09:38 . 2008-05-03 09:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-03 09:38 . 2008-05-03 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-03 04:46 . 2008-05-05 17:47 109,747 --a------ C:\WINDOWS\BMfff58a50.xml
2008-05-02 15:33 . 2008-05-02 15:33 95 --a------ C:\WINDOWS\wininit.ini
2008-05-02 14:06 . 2008-05-02 16:31 6,771 --ahs---- C:\WINDOWS\system32\LlkUDJjl.ini
2008-05-02 14:03 . 2008-05-02 14:03 1,024 --ah----- C:\Documents and Settings\All Users\ntuser.dat.LOG
2008-04-12 11:30 . 2008-04-12 11:30 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 23:53 --------- d-----w C:\Documents and Settings\Dad\Application Data\ATI MMC
2008-05-07 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-05-07 04:08 --------- d-----w C:\Program Files\LogMeIn
2008-05-06 01:21 --------- d-----w C:\Program Files\Windows TaskAd
2008-05-04 13:13 --------- d-----w C:\Documents and Settings\Dad\Application Data\Vso
2008-05-03 13:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 20:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 21:52 --------- d-----w C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-04-28 02:03 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2008-04-28 01:25 --------- d-----w C:\Program Files\LimeWire
2008-04-18 13:01 --------- d-----w C:\Documents and Settings\Dad\Application Data\dvdcss
2008-04-12 15:55 --------- d-----w C:\Program Files\Java
2008-04-12 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-12 15:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-12 00:29 --------- d-----w C:\Documents and Settings\Dad\Application Data\VMware
2008-03-06 22:08 87,608 ----a-w C:\Documents and Settings\Dad\Application Data\inst.exe
2008-03-06 22:08 47,360 ----a-w C:\Documents and Settings\Dad\Application Data\pcouffin.sys
2007-11-08 00:14 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-10-31 21:35 94,208 ----a-w C:\Documents and Settings\Dad\Application Data\ezplay.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2005-06-14 21:50 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-21 17:42 7311360]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-05 20:26 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C.tmp]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIPCMAE]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"=
"C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 11:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-05 20:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-05 20:26]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R3 atinysxx;ATI USB 2.0 TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinysxx.sys [2005-01-25 21:36]
R3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;C:\WINDOWS\system32\DRIVERS\atinyvxx.sys [2005-01-25 21:36]
R3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;C:\WINDOWS\system32\DRIVERS\atinyuxx.sys [2005-01-25 21:37]
R3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;C:\WINDOWS\system32\Drivers\ATIUTD.sys [2005-01-25 22:37]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-04-17 14:00]
R3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;C:\WINDOWS\system32\DRIVERS\atinyttx.sys [2005-01-25 21:33]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 10:28]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 21:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 06:12:00 C:\WINDOWS\Tasks\Ad-Aware SE Professional.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2008-05-06 10:35:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 21:17:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-07 21:18:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-08 01:18:52

Pre-Run: 37,669,232,640 bytes free
Post-Run: 37,565,943,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

172 --- E O F --- 2008-04-12 07:02:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:11 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4666 bytes
  • 0
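The logs above are read by eye in this thread: the helper is looking for autostart entries (BHOs, Run values, Winlogon Notify, services) that point at system32 files with random-looking eight-letter names, for the reversed-name companion files that appear beside them in the OTMoveIt and ComboFix output (ljJDUklL.dll next to LlkUDJjl.ini, mlJCSkhE.dll next to EhkSCJlm.ini, both attributed to Trojan.Vundo by MBAM), for hidden+system .ini files in system32, for AppInit_DLLs entries, and for services whose binary is missing. As an added example, not code from the thread or from HijackThis, ComboFix, OTMoveIt or MBAM, the Python below applies those same checks mechanically. The sample log lines and the system32 listing are constructed (modelled on names from the logs above, but the pairing of each name with a section is an assumption), the allow-list is an assumption, and the heuristics produce candidates for review, not verdicts.

```python
"""Heuristic triage of HijackThis-style log lines for Vundo-like indicators.

Added example: not code from the forum thread or from HijackThis, ComboFix,
OTMoveIt or MBAM. Sample input, allow-list and heuristics are constructed.
"""
import re
from dataclasses import dataclass

# HijackThis sections that describe something loaded automatically.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O21", "O23"}

# Assumed allow-list: legitimate 8-letter system32 binaries that would
# otherwise trip the name heuristic. Extend it from a known-clean baseline.
KNOWN_GOOD_STEMS = {"ntoskrnl", "winlogon", "services", "explorer", "userinit"}

# A Windows path ending in .dll/.exe (non-greedy: stops at the first one).
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))", re.IGNORECASE)
# Final path component made of exactly eight letters plus extension.
STEM_RE = re.compile(r"\\([A-Za-z]{8})\.(?:dll|exe)$", re.IGNORECASE)

# Constructed sample lines in HijackThis format (assumed, not a real log).
SAMPLE_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - C:\WINDOWS\system32\huqenhiu.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\ljJDUklL.dll",s
O20 - Winlogon Notify: iiffFyVL - C:\WINDOWS\system32\iiffFyVL.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
"""

# Constructed system32 listing as (file name, ComboFix-style attribute string).
SAMPLE_LISTING = [
    ("LlkUDJjl.ini", "--ahs----"),
    ("EhkSCJlm.ini", "--ahs----"),
    ("avgrsstx.dll", "--a------"),
]


@dataclass(frozen=True)
class Finding:
    item: str    # the log line or file name that triggered the finding
    reason: str


def random_system32_stem(path):
    """Return the 8-letter stem if path is a system32 DLL/EXE whose name is
    exactly eight letters and not allow-listed; otherwise None."""
    if "\\system32\\" not in path.lower():
        return None
    m = STEM_RE.search(path)
    if m is None or m.group(1).lower() in KNOWN_GOOD_STEMS:
        return None
    return m.group(1)


def triage(hjt_log, system32_listing):
    """Scan autostart lines and the file listing; return a list of Findings."""
    listing = {name.lower(): attrs for name, attrs in system32_listing}
    findings = []
    for line in hjt_log.splitlines():
        section = line.split(" - ", 1)[0]
        if section not in AUTOSTART_SECTIONS:
            continue
        if "AppInit_DLLs:" in line:
            findings.append(Finding(line, "AppInit_DLLs is loaded into every process "
                                    "that uses user32; confirm the DLL belongs to the AV"))
        if "(file missing)" in line:
            findings.append(Finding(line, "service binary is missing: orphaned entry to clean up"))
        for path in PATH_RE.findall(line):
            stem = random_system32_stem(path)
            if stem is None:
                continue
            reason = f"random-looking 8-letter name in system32: {stem}"
            twin = stem[::-1] + ".ini"          # reversed-name companion file
            if twin.lower() in listing:
                reason += (f"; reversed-name companion {twin} present "
                           f"({listing[twin.lower()]}), the Vundo-style pairing seen in this thread")
            findings.append(Finding(line, reason))
    # Hidden+system .ini files with 8-letter names, even with no autostart line.
    for name, attrs in system32_listing:
        if re.fullmatch(r"[A-Za-z]{8}\.ini", name) and "h" in attrs and "s" in attrs:
            findings.append(Finding(name, f"hidden+system .ini with random-looking name ({attrs})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_LISTING):
        print(f"{f.reason}\n    {f.item}")
```

Run against the constructed input it flags huqenhiu.dll, ljJDUklL.dll (with its LlkUDJjl.ini twin), iiffFyVL.dll, the AppInit_DLLs entry, the orphaned RichVideo service and the two hidden+system .ini files, and stays silent on ssv.dll, avgtray.exe and nvsvc32.exe. The eight-letter rule is deliberately blunt; the allow-list is what keeps it usable, so build it from a clean machine of the same Windows version before relying on it.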

#10 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
In this post we will clear the remaining malware, and I also want to scan a suspicious-looking file. We will also pull down an uninstall list to see if there are any bad programs.

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\BMfff58a50.xml
C:\Documents and Settings\Dad\Application Data\inst.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\LlkUDJjl.ini

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal.



====STEP 3====
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.



In your next reply could I see:
1. the combofix log
2. a new hijackthis log
3. the jotti log
4. the uninstall_list.txt log
5. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#11 brute force (Topic Starter, Member, 105 posts)
OK, here it is.

Machine running better, although during one of these exercises I didn't have sound. Haven't checked sound again.


ComboFix 08-05-01.3 - Dad 2008-05-07 22:34:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Dad\Application Data\inst.exe
C:\WINDOWS\BMfff58a50.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dad\Application Data\inst.exe
C:\WINDOWS\BMfff58a50.xml
C:\WINDOWS\keyboard11.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 19:57 . 2008-05-07 19:57 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 21:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 21:07 . 2008-05-06 21:07 <DIR> d-------- C:\Program Files\ERUNT
2008-05-06 19:07 . 2008-05-06 19:08 <DIR> d-------- C:\bfu
2008-05-05 20:36 . 2008-05-07 19:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-05 20:27 . 2008-05-05 20:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 20:27 . 2008-05-05 20:27 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-05 20:27 . 2008-05-05 20:27 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Program Files\AVG
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 20:02 . 2008-05-04 20:02 <DIR> d-------- C:\Deckard
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:08 . 2008-05-04 16:08 <DIR> d-------- C:\_OTMoveIt
2008-05-03 09:38 . 2008-05-03 09:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-03 09:38 . 2008-05-03 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 15:33 . 2008-05-02 15:33 95 --a------ C:\WINDOWS\wininit.ini
2008-05-02 14:06 . 2008-05-02 16:31 6,771 --ahs---- C:\WINDOWS\system32\LlkUDJjl.ini
2008-05-02 14:03 . 2008-05-02 14:03 1,024 --ah----- C:\Documents and Settings\All Users\ntuser.dat.LOG
2008-04-12 11:30 . 2008-04-12 11:30 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 23:53 --------- d-----w C:\Documents and Settings\Dad\Application Data\ATI MMC
2008-05-07 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-05-07 04:08 --------- d-----w C:\Program Files\LogMeIn
2008-05-06 01:21 --------- d-----w C:\Program Files\Windows TaskAd
2008-05-04 13:13 --------- d-----w C:\Documents and Settings\Dad\Application Data\Vso
2008-05-03 13:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 20:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 21:52 --------- d-----w C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-04-28 02:03 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2008-04-28 01:25 --------- d-----w C:\Program Files\LimeWire
2008-04-18 13:01 --------- d-----w C:\Documents and Settings\Dad\Application Data\dvdcss
2008-04-12 15:55 --------- d-----w C:\Program Files\Java
2008-04-12 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-12 15:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-12 00:29 --------- d-----w C:\Documents and Settings\Dad\Application Data\VMware
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-06 22:08 47,360 ----a-w C:\Documents and Settings\Dad\Application Data\pcouffin.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-08 00:14 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-10-31 21:35 94,208 ----a-w C:\Documents and Settings\Dad\Application Data\ezplay.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2005-06-14 21:50 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-21 17:42 7311360]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-05 20:26 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C.tmp]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIPCMAE]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"=
"C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 11:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-05 20:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-05 20:26]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R3 atinysxx;ATI USB 2.0 TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinysxx.sys [2005-01-25 21:36]
R3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;C:\WINDOWS\system32\DRIVERS\atinyvxx.sys [2005-01-25 21:36]
R3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;C:\WINDOWS\system32\DRIVERS\atinyuxx.sys [2005-01-25 21:37]
R3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;C:\WINDOWS\system32\Drivers\ATIUTD.sys [2005-01-25 22:37]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-04-17 14:00]
R3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;C:\WINDOWS\system32\DRIVERS\atinyttx.sys [2005-01-25 21:33]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 10:28]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 21:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 06:12:00 C:\WINDOWS\Tasks\Ad-Aware SE Professional.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2008-05-06 10:35:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 22:34:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\8706fab6-e4a6-410c-b309-53037aefb2f2.tmp 0 bytes
C:\WINDOWS\TEMP\aee098f6-f989-4d6a-ba32-beb0c8a5ce83.tmp 0 bytes
C:\WINDOWS\TEMP\dd90d45f-6a34-4825-b343-578181f7641d.tmp 0 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
Completion time: 2008-05-07 22:35:11
ComboFix-quarantined-files.txt 2008-05-08 02:35:07
ComboFix2.txt 2008-05-08 01:18:55

Pre-Run: 44,351,393,792 bytes free
Post-Run: 44,342,771,712 bytes free

153 --- E O F --- 2008-04-12 07:02:25



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:12 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4646 bytes



Scan taken on 08 May 2008 02:41:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Vundo.DVS
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



uninstall_list.txt

1Click DVD Copy Pro 3.1.3.3
3dsmax ancillary install
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player
ATCsimulator2 by AEROSOFT Corporation
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Multimedia Center 9.08
AuthorScript Engine 1.0
AVG Free 8.0
BadCopy Pro
BitTornado 0.3.7
CCleaner (remove only)
ConvertXtoDVD 2.2.3.258g
Curious George v1.0
DAO
Doom 3
EA SPORTS online 2005
ERUNT 1.1j
FEAR
ffdshow [rev 610] [2006-12-01]
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1120
Fraps
GUIDE PLUS+™ for Windows® System - ATI
Hamachi 1.0.2.2
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB904412)
Hotfix for Windows XP (KB926239)
Java™ 6 Update 5
Kaspersky Online Scanner
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire PRO 4.16.0
LogMeIn
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Speech Recognition Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MVP Baseball 2005
NVIDIA Drivers
PE Builder 3.1.10a
PowerISO
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Shockwave
System Requirements Lab
The Sims 2
The Sims2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 H&M® Fashion Stuff
The Sims™ Life Stories
TitanTV Client components for ATI
Total MLB 1.25
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VideoLAN VLC media player 0.8.6d
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Wireless LAN Card
  • 0

#12
brute force


    Member

  • Topic Starter
  • Member
  • 105 posts
hi,

sound is back. system better but still slow, choppy when getting websites. went to cnet.com and played video. increased sound and choppy, slowed down. usually google.com (home page) comes up quicker. something is still there :)

thanks
  • 0

#13
andrewuk


    Trusted Helper

  • Malware Removal
  • 5,297 posts
let's remove one last file and see how it is. if things have not improved, we will do a final set of scans again to see if this is malware related.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\LlkUDJjl.ini

Folder::
C:\Program Files\Windows TaskAd


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

and let me know how things are now.
  • 0
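As an added example (not ComboFix's own code and not the helper's tooling), the script below does the triage a helper performs by eye on the "Files Created" section posted earlier in this thread: it parses those report lines, flags the hidden+system `LlkUDJjl.ini` entry, and renders the same `File::`/`Folder::` CFScript layout shown in the post above. The scoring heuristics and the sample log lines are constructed for illustration.

```python
"""Triage ComboFix "Files Created" report lines and draft a CFScript.txt.

Added example for this thread; it is neither ComboFix's own code nor the
helper's tooling. It reads lines of the form

    2008-05-02 14:06 . 2008-05-02 16:31   6,771 --ahs---- C:\\WINDOWS\\system32\\LlkUDJjl.ini

and flags the entries a malware-removal helper reads first: regular files under
the Windows directory whose attribute string carries both the hidden (h) and
system (s) letters, and system32 files whose basename looks machine-generated.
The heuristics and the sample log below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# One "Files Created" line: created-stamp " . " modified-stamp  size|<DIR>  attrs  path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[A-Za-z-]{9})\s+"
    r"(?P<path>[A-Za-z]:\\\S.*?)\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    is_dir: bool
    reasons: tuple


def looks_generated(stem: str) -> bool:
    """True for names like 'LlkUDJjl': letters only, 6-12 long, several case
    flips and few vowels. Constructed heuristic: expect false positives on
    terse vendor names, so treat hits as 'review first', never as a verdict."""
    if not (6 <= len(stem) <= 12 and stem.isalpha()):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return flips >= 2 and vowels / len(stem) < 0.4


def triage(log_text: str) -> list:
    """Return the Finding list for every parseable line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, blank lines, Find3M-format lines
        path, attrs = m["path"], m["attrs"].lower()
        is_dir = m["size"] == "<DIR>"
        low = path.lower()
        reasons = []
        if not is_dir and "h" in attrs and "s" in attrs and "\\windows\\" in low:
            reasons.append("hidden+system file under the Windows directory")
        stem = path.rsplit("\\", 1)[-1].split(".")[0]
        if not is_dir and "\\system32\\" in low and looks_generated(stem):
            reasons.append("machine-looking basename in system32")
        if reasons:
            findings.append(Finding(path, is_dir, tuple(reasons)))
    return findings


def build_cfscript(files, folders) -> str:
    """Render File::/Folder:: sections in the layout the helper posted.
    Pass only paths a human has confirmed: ComboFix deletes what is listed."""
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    return "\n\n".join(parts) + "\n"


# Constructed sample modelled on the report lines in this thread.
SAMPLE_LOG = """\
2008-05-06 21:12 . 2008-05-05 20:46 15,864 --a------ C:\\WINDOWS\\system32\\drivers\\mbam.sys
2008-05-03 09:38 . 2008-05-03 09:38 <DIR> d-------- C:\\Program Files\\Lavasoft
2008-05-02 15:33 . 2008-05-02 15:33 95 --a------ C:\\WINDOWS\\wininit.ini
2008-05-02 14:06 . 2008-05-02 16:31 6,771 --ahs---- C:\\WINDOWS\\system32\\LlkUDJjl.ini
2008-05-02 14:03 . 2008-05-02 14:03 1,024 --ah----- C:\\Documents and Settings\\All Users\\ntuser.dat.LOG
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f.path, "->", "; ".join(f.reasons))
    # The folder is taken from the helper's review, not from the file rules.
    print(build_cfscript([f.path for f in hits if not f.is_dir],
                         ["C:\\Program Files\\Windows TaskAd"]))
```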

#14
brute force


    Member

  • Topic Starter
  • Member
  • 105 posts
hey, here you go.

still slow but faster than before.

ComboFix 08-05-01.3 - Dad 2008-05-08 17:42:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.657 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\LlkUDJjl.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Windows TaskAd
C:\Program Files\Windows TaskAd\Info.txt
C:\WINDOWS\system32\LlkUDJjl.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 19:57 . 2008-05-07 19:57 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 21:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 21:07 . 2008-05-06 21:07 <DIR> d-------- C:\Program Files\ERUNT
2008-05-06 19:07 . 2008-05-06 19:08 <DIR> d-------- C:\bfu
2008-05-05 20:36 . 2008-05-07 19:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-05 20:27 . 2008-05-05 20:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 20:27 . 2008-05-05 20:27 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-05 20:27 . 2008-05-05 20:27 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Program Files\AVG
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 20:02 . 2008-05-04 20:02 <DIR> d-------- C:\Deckard
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:08 . 2008-05-04 16:08 <DIR> d-------- C:\_OTMoveIt
2008-05-03 09:38 . 2008-05-03 09:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-03 09:38 . 2008-05-03 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 15:33 . 2008-05-02 15:33 95 --a------ C:\WINDOWS\wininit.ini
2008-05-02 14:03 . 2008-05-02 14:03 1,024 --ah----- C:\Documents and Settings\All Users\ntuser.dat.LOG
2008-04-12 11:30 . 2008-04-12 11:30 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 21:37 --------- d-----w C:\Program Files\LogMeIn
2008-05-08 02:49 --------- d-----w C:\Documents and Settings\Dad\Application Data\ATI MMC
2008-05-08 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-05-04 13:13 --------- d-----w C:\Documents and Settings\Dad\Application Data\Vso
2008-05-03 13:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 20:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 21:52 --------- d-----w C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-04-28 02:03 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2008-04-28 01:25 --------- d-----w C:\Program Files\LimeWire
2008-04-18 13:01 --------- d-----w C:\Documents and Settings\Dad\Application Data\dvdcss
2008-04-12 15:55 --------- d-----w C:\Program Files\Java
2008-04-12 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-12 15:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-12 00:29 --------- d-----w C:\Documents and Settings\Dad\Application Data\VMware
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-06 22:08 47,360 ----a-w C:\Documents and Settings\Dad\Application Data\pcouffin.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-08 00:14 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-10-31 21:35 94,208 ----a-w C:\Documents and Settings\Dad\Application Data\ezplay.sys
.

((((((((((((((((((((((((((((( [email protected]_21.18.43.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-08 00:01:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 21:36:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2005-06-14 21:50 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-21 17:42 7311360]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-05 20:26 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C.tmp]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIPCMAE]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"=
"C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 11:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-05 20:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-05 20:26]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R3 atinysxx;ATI USB 2.0 TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinysxx.sys [2005-01-25 21:36]
R3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;C:\WINDOWS\system32\DRIVERS\atinyvxx.sys [2005-01-25 21:36]
R3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;C:\WINDOWS\system32\DRIVERS\atinyuxx.sys [2005-01-25 21:37]
R3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;C:\WINDOWS\system32\Drivers\ATIUTD.sys [2005-01-25 22:37]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-04-17 14:00]
R3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;C:\WINDOWS\system32\DRIVERS\atinyttx.sys [2005-01-25 21:33]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 10:28]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 21:53]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 06:12:00 C:\WINDOWS\Tasks\Ad-Aware SE Professional.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2008-05-06 10:35:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 17:43:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-08 17:44:46
ComboFix-quarantined-files.txt 2008-05-08 21:44:44
ComboFix2.txt 2008-05-08 02:35:11
ComboFix3.txt 2008-05-08 01:18:55

Pre-Run: 44,319,961,088 bytes free
Post-Run: 44,310,933,504 bytes free

154 --- E O F --- 2008-04-12 07:02:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:10 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4607 bytes
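A small triage script for the HijackThis log format above, added here as an example and not part of this thread or of the HijackThis tool: it parses the O2/O4/O20/O23 entries and flags what a helper reads first (services whose binary is missing or has no recognised publisher, anything in AppInit_DLLs, and autostarts outside Program Files or Windows). The sample lines are copied from the log above, except the last, which is constructed for the example.

```python
import re

# Sample lines: the first five are copied from the HijackThis log above, the last
# one is a constructed entry (not on this page) to exercise the location check.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"',
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)",
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe",  # constructed
]

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
# Locations an unprivileged user normally cannot write to; anything else deserves a look.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")

def triage(lines):
    """Return (code, reason, detail) tuples for entries a reviewer should inspect."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, blank lines, "End of file" trailer
        code, body = m.group("code"), m.group("body")
        if code == "O23":
            s = SERVICE_RE.match(body)
            if s and s.group("missing"):
                findings.append((code, "service points at a missing binary", s.group("path")))
            if s and s.group("owner") == "Unknown owner":
                findings.append((code, "service binary has no recognised publisher", s.group("short")))
        elif code == "O20":
            # AppInit_DLLs load into every process that links user32.dll: always verify the DLL.
            findings.append((code, "AppInit_DLLs entry loads into every GUI process", body))
        elif code in ("O4", "O2"):
            p = PATH_RE.search(body)
            if p and not p.group(0).lower().startswith(TRUSTED_PREFIXES):
                findings.append((code, "autostart from a user-writable location", p.group(0)))
    return findings

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason} -> {detail}")
```

Entries that are flagged still need a human decision; the script only orders the log so the unsigned, missing and user-writable items are read first.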

#15
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Click on Start, click on Run.
Copy and paste the following (in bold) into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad: main.txt and extra.txt.