Please Help with Virus Removal [RESOLVED]

#1 cervada (Member, 37 posts)
Hi, I have received great help here before and thought I was safe. I've gotten a new virus that is preventing me from doing a whole heck of a lot. I am posting my HijackThis log and my SUPERAntiSpyware log. I would post a log from Panda ActiveScan & Malwarebytes' Anti-Malware, but the virus is preventing me from running both of those programs. It won't even allow me to visit geekstogo.com. I am posting this on a different PC. I've tried doing search engine searches and every time I click on a search result it automatically takes me to a different site for a number of things, i.e. www.findstuff.com. At first I thought I had the Outerinfo virus and went through the removal steps, but without any success. Also my SpywareGuard gives me an immediate Browser Protection Alert after startup saying WARNING! A BHO has been added. I tried clicking on Remove the BHO, but it continuously opens up without ever stopping. Please let me know what other details I need to post. Any help would be greatly appreciated!

Thank you,

David Cervantes
Houston, TX

HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:50 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\xwusuhzh.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\18906.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Software by Design\Calendar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2DAAB5C1-3664-461E-97CB-883BFA6CAA4B} - C:\WINDOWS\system32\ddcYoMDV.dll (file missing)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {2EF9D289-834A-4749-8FCC-BDB7ADF66519} - C:\WINDOWS\system32\hgGayyxV.dll (file missing)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {BE7DCE10-31BA-46CE-A454-E325EF2509F6} - C:\WINDOWS\system32\ddcApmml.dll (file missing)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\hgGwVOig.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: {de7dab19-cf39-324a-5b24-08e40fa6b06d} - {d60b6af0-4e80-42b5-a423-93fc91bad7ed} - C:\WINDOWS\system32\lxeqeuix.dll (file missing)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SWKSrv] C:\Program Files\SpywareKill\SWKSrv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [5cb16573] rundll32.exe "C:\WINDOWS\system32\ysqctefm.dll",b
O4 - HKLM\..\Run: [BM5f8256ef] Rundll32.exe "C:\WINDOWS\system32\ssktsfff.dll",s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\18906.exe
O4 - HKCU\..\Run: [A00FCC603.exe] C:\DOCUME~1\DCERVA~1\LOCALS~1\Temp\_A00FCC603.exe
O4 - HKCU\..\Run: [A00FF1966.exe] C:\DOCUME~1\DCERVA~1\LOCALS~1\Temp\_A00FF1966.exe
O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Support - {44B33957-091D-45DA-9E91-CD5224B6BA17} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kelly.kellys...0CQu76,CT=java
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://kelly.kellys...va iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.c...eX/wlaninfo.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B6E6EEF0-F5AA-4A4D-88EC-FF43FB2029E5} (TeleVoxAudioPlayer2.TVoxAudioPlayer) - https://www.mytelevo...udioPlayer2.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://kelly.kellys...perSetupSP1.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yah...tionControl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hgGwVOig - C:\WINDOWS\SYSTEM32\hgGwVOig.dll
O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 12505 bytes


SUPERAntiSpyware Log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/02/2008 at 08:34 PM

Application Version : 4.0.1154

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 01:33:05

Memory items scanned : 435
Memory threats detected : 6
Registry items scanned : 5674
Registry threats detected : 15
File items scanned : 62347
File threats detected : 16

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\HGGAYYXV.DLL
C:\WINDOWS\SYSTEM32\HGGAYYXV.DLL
C:\WINDOWS\SYSTEM32\DDCYOMDV.DLL
C:\WINDOWS\SYSTEM32\DDCYOMDV.DLL
C:\WINDOWS\SYSTEM32\VTUONMMC.DLL
C:\WINDOWS\SYSTEM32\VTUONMMC.DLL
C:\WINDOWS\SYSTEM32\DDCAPMML.DLL
C:\WINDOWS\SYSTEM32\DDCAPMML.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\HPPGBMIU.DLL
C:\WINDOWS\SYSTEM32\HPPGBMIU.DLL
C:\WINDOWS\SYSTEM32\LXEQEUIX.DLL
C:\WINDOWS\SYSTEM32\LXEQEUIX.DLL

Parasite.CoolWebSearch Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}
C:\WINDOWS\OLEHELP.EXE

HTMLCore Module BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38930334-E978-4493-9A5B-1C8DA8EB315C}
HKCR\CLSID\{38930334-E978-4493-9A5B-1C8DA8EB315C}
HKCR\CLSID\{38930334-E978-4493-9A5B-1C8DA8EB315C}\InprocServer32
HKCR\CLSID\{38930334-E978-4493-9A5B-1C8DA8EB315C}\InprocServer32#ThreadingModel

CoolWebSearch Parasite Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}

Adware.CoolWebSearch
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}

Browser Hijacker.Tubby
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}

ClientMan BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb}

EXPLORER32.EXE Worm
C:\WINDOWS\EXPLORER32.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\WIN32E.EXE

Trojan.IEXPLORER
C:\WINDOWS\IEXPLORER.EXE

Trojan.Unclassifed/Loader-Suspicious
C:\WINDOWS\LOADER.EXE

RUNDLL16.EXE
C:\WINDOWS\RUNDLL16.EXE

Worm.Rbot Variant
C:\WINDOWS\SVCHOST32.EXE

Trojan.Downloader-Systeem
C:\WINDOWS\SYSTEEM.EXE

Trojan.Downloader-SystemCritcial/Fake Alert
C:\WINDOWS\SYSTEMCRITICAL.EXE
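As an added illustration that is not part of the original post or of the helper's reply: a small Python triage script run over a handful of lines copied from the HijackThis log above. It flags the persistence points that make this kind of infection restart after every cleanup, the second module in the UserInit list, Run values that launch randomly named DLLs through rundll32, autoruns from Temp and Application Data, and the Winlogon Notify entry pointing at a .dat file. The eight-letter "random name" heuristic, the severity levels and the sample selection are my own assumptions, not anything HijackThis or the forum helpers used.

```python
"""Heuristic triage of HijackThis log lines (added example, not from the thread)."""
import ntpath
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample: lines copied from the HijackThis log in post #1, plus the
# legitimate Java and SUPERAntiSpyware entries so the heuristics have something to ignore.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\hgGwVOig.dll
O4 - HKLM\..\Run: [5cb16573] rundll32.exe "C:\WINDOWS\system32\ysqctefm.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\18906.exe
O4 - HKCU\..\Run: [A00FCC603.exe] C:\DOCUME~1\DCERVA~1\LOCALS~1\Temp\_A00FCC603.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hgGwVOig - C:\WINDOWS\SYSTEM32\hgGwVOig.dll
O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat
"""


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low" (assumed scale)
    reason: str
    line: str


ENTRY = re.compile(r"^(?P<kind>[FO]\d+) - (?P<body>.+)$")
RUN_VALUE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
WIN_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|dat))"?', re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


def stem(path: str) -> str:
    """Basename without extension, using Windows path rules."""
    return ntpath.splitext(ntpath.basename(path.strip()))[0]


def looks_random(name: str) -> bool:
    """Assumed heuristic for dropper-generated names such as hgGwVOig or xwusuhzh:
    exactly eight letters with at most two vowels, or a run of four or more consonants.
    Real eight-letter names like userinit (four vowels, no long run) are not flagged."""
    if not re.fullmatch(r"[A-Za-z]{8}", name):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouAEIOU]+", name)), default=0)
    return vowel_ratio <= 0.25 or longest_run >= 4


def triage_line(line: str) -> Optional[Finding]:
    """Return the single most important finding for one HijackThis line, if any."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m["kind"], m["body"]
    if kind == "F2" and "UserInit=" in body:
        # Winlogon runs every module in this list at each interactive logon;
        # only userinit.exe belongs there.
        modules = [p for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in modules if ntpath.basename(p).lower() != "userinit.exe"]
        if extra:
            return Finding("high", f"extra UserInit module {extra[0]}", line)
    elif kind == "O2":
        target = body.rsplit(" - ", 1)[-1]
        if target == "(no file)" or target.endswith("(file missing)"):
            return Finding("low", "orphaned BHO registration, module already gone", line)
        if looks_random(stem(target)):
            return Finding("high", "BHO loaded from randomly named module", line)
    elif kind == "O4":
        rv = RUN_VALUE.match(body)
        if rv is None:
            return None
        pm = WIN_PATH.search(rv["cmd"])
        path = pm["path"] if pm else ""
        if rv["cmd"].lower().startswith("rundll32") and looks_random(stem(path)):
            return Finding("high", "rundll32 autorun of randomly named DLL", line)
        if "\\temp\\" in path.lower() or "\\application data\\" in path.lower():
            return Finding("high", "autorun from user-writable profile path", line)
        if re.fullmatch(r"(BM)?[0-9a-f]{8}", rv["name"]):
            return Finding("medium", "machine-generated Run value name", line)
    elif kind == "O20":
        target = body.rsplit(" - ", 1)[-1]
        if not target.lower().endswith(".dll"):
            return Finding("high", "Winlogon Notify module is not a DLL", line)
        if looks_random(stem(target)):
            return Finding("high", "Winlogon Notify from randomly named DLL", line)
    return None


def triage(log_text: str) -> list:
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings) -> dict:
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in ("high", "medium", "low")}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the sample above the script reports seven high-severity lines and one low (the dead BHO registration). The naming heuristic is deliberately crude; in practice it is the combination with the load point (UserInit, Winlogon Notify, rundll32 from system32) that makes an entry worth removing, not the name on its own.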


#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 cervada (Topic Starter, Member, 37 posts)
I've tried over and over to run the ComboFix .exe file, but every time I double click on it nothing happens. My infected laptop will not allow me to even access the websites listed to download ComboFix. I had to save the file onto my flash drive using my other PC. That didn't work. I even tried emailing it to myself because I can still access my email online on my infected laptop. That did not work either. I had this same problem trying to install and run Malwarebytes' Anti-Malware. Please let me know if there is anything I can do! Thanks!

David Cervantes

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Try renaming ComboFix per these instructions, and please delete your current version of ComboFix. Let me know.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    (two screenshots, not preserved)

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#5 cervada (Topic Starter, Member, 37 posts)
Hi, I changed the name as instructed. After clicking on Combo-Fix.exe I am receiving the following error message: "You cannot rename ComboFix as Combo-Fix. Please use another name, preferably made up of alphanumeric characters"

#6 loophole (Malware Expert, Retired Staff, 9,798 posts)
Please do that, then.

#7 cervada (Topic Starter, Member, 37 posts)
Success! Thank you for your help. I was able to finally run Combo-Fix. Below are the report details. Also, thanks for your patience as I slowly follow through on your instructions!

David Cervantes
Houston, TX

ComboFix 08-06-10.1 - DCervantes 2008-06-10 19:44:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.235 [GMT -5:00]
Running from: C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc
C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\17624.dll
C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\18906.exe
C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\19696.dll
C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\32321.dll
C:\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc\id
C:\kmd.exe
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Temporary
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\BM5f8256ef.xml
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\SYSTEM32\000060.exe
C:\WINDOWS\SYSTEM32\000090.exe
C:\WINDOWS\system32\aaaadjls.dll
C:\WINDOWS\system32\acrbsokj.dll
C:\WINDOWS\system32\afivjesa.exe
C:\WINDOWS\system32\anicsxvj.dll
C:\WINDOWS\system32\aoldralb.dll
C:\WINDOWS\system32\awhcmvym.ini
C:\WINDOWS\system32\axuvnell.dll
C:\WINDOWS\system32\aybwevsu.exe
C:\WINDOWS\system32\baejemnc.dll
C:\WINDOWS\system32\bmwwkryd.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\SYSTEM32\CMmnoUtv.ini
C:\WINDOWS\SYSTEM32\CMmnoUtv.ini2
C:\WINDOWS\system32\crlysrin.dll
C:\WINDOWS\system32\ctxiqhjx.dll
C:\WINDOWS\system32\dagcqgqv.exe
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\dutdwadi.dll
C:\WINDOWS\system32\efsxjbfn.dll
C:\WINDOWS\system32\egxrhkod.ini
C:\WINDOWS\system32\emmahbgx.exe
C:\WINDOWS\system32\enaeapqn.dll
C:\WINDOWS\system32\fakvygww.dll
C:\WINDOWS\system32\fdqcwwrk.dll
C:\WINDOWS\SYSTEM32\fejlwxio.ini
C:\WINDOWS\SYSTEM32\FNUxwyay.ini
C:\WINDOWS\SYSTEM32\FNUxwyay.ini2
C:\WINDOWS\system32\fpjhcicg.ini
C:\WINDOWS\system32\fqcjmsfg.exe
C:\WINDOWS\system32\gesnjplr.dll
C:\WINDOWS\system32\glvcanaa.dll
C:\WINDOWS\system32\hgGwVOig.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\hltmjdyr.dll
C:\WINDOWS\system32\iafbdpgf.exe
C:\WINDOWS\system32\ibvkcvlm.ini
C:\WINDOWS\system32\ifpxstwm.dll
C:\WINDOWS\system32\iplsypeq.dll
C:\WINDOWS\system32\iulunwif.dll
C:\WINDOWS\system32\iwbsqayu.exe
C:\WINDOWS\system32\jkosbrca.ini
C:\WINDOWS\SYSTEM32\jsuokyeb.ini
C:\WINDOWS\system32\kcktybab.dll
C:\WINDOWS\system32\khfCsrpq.dll
C:\WINDOWS\system32\kmd.exe
C:\WINDOWS\system32\ktcnuuii.dll
C:\WINDOWS\system32\kwmxnncb.dll
C:\WINDOWS\system32\lmbabllc.dll
C:\WINDOWS\SYSTEM32\lmmpAcdd.ini
C:\WINDOWS\SYSTEM32\lmmpAcdd.ini2
C:\WINDOWS\system32\mfetcqsy.ini
C:\WINDOWS\system32\mlvampok.ini
C:\WINDOWS\system32\mlvckvbi.dll
C:\WINDOWS\system32\mmvcetaj.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nnnoOiIY.dll
C:\WINDOWS\system32\oixwljef.dll
C:\WINDOWS\system32\opnonkHY.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmcdsmly.ini
C:\WINDOWS\system32\prhmssxu.dll
C:\WINDOWS\system32\qibjsabf.dll
C:\WINDOWS\system32\qoovofkt.exe
C:\WINDOWS\SYSTEM32\qprsCfhk.ini
C:\WINDOWS\SYSTEM32\qprsCfhk.ini2
C:\WINDOWS\system32\qrwuslvf.ini
C:\WINDOWS\system32\qtwsxkmg.exe
C:\WINDOWS\system32\rdwrrymg.ini
C:\WINDOWS\system32\ssktsfff.dll
C:\WINDOWS\system32\teyshbyv.dll
C:\WINDOWS\system32\tgcgeblo.dll
C:\WINDOWS\SYSTEM32\tlyqmlxm.ini
C:\WINDOWS\system32\tuemoekq.dll
C:\WINDOWS\system32\ubcleusa.exe
C:\WINDOWS\system32\unpduwet.dll
C:\WINDOWS\system32\upcutxan.exe
C:\WINDOWS\SYSTEM32\VDMoYcdd.ini
C:\WINDOWS\SYSTEM32\VDMoYcdd.ini2
C:\WINDOWS\system32\volgxybe.exe
C:\WINDOWS\SYSTEM32\VxyyaGgh.ini
C:\WINDOWS\SYSTEM32\VxyyaGgh.ini2
C:\WINDOWS\system32\wihlybhl.ini
C:\WINDOWS\system32\wmixpqjv.dll
C:\WINDOWS\system32\wxcjmfql.dll
C:\WINDOWS\system32\xjdngvej.dll
C:\WINDOWS\system32\yaywxUNF.dll
C:\WINDOWS\system32\YHknonpo.ini
C:\WINDOWS\SYSTEM32\YHknonpo.ini2
C:\WINDOWS\SYSTEM32\YIiOonnn.ini
C:\WINDOWS\SYSTEM32\YIiOonnn.ini2
C:\WINDOWS\system32\yngeiscm.ini
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 19:24 . 2008-06-10 19:24 37,888 --a------ C:\WINDOWS\SYSTEM32\phhdyvck.exe
2008-06-10 19:24 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c0087895.dat
2008-06-08 17:20 . 2008-06-08 17:20 37,888 --a------ C:\WINDOWS\SYSTEM32\svefolwu.exe
2008-06-08 17:20 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c00202CA.dat
2008-06-08 12:02 . 2008-06-08 12:02 37,888 --a------ C:\WINDOWS\SYSTEM32\apquolmf.exe
2008-06-08 12:02 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c001D66A.dat
2008-06-08 11:35 . 2008-06-08 11:37 <DIR> d-------- C:\Combo-Fix
2008-06-07 09:39 . 2008-06-10 21:04 <DIR> d-------- C:\Documents and Settings\DCervantes\Application Data\uTorrent
2008-06-05 21:35 . 2008-06-05 21:35 37,888 --a------ C:\WINDOWS\SYSTEM32\svfnceaq.exe
2008-06-05 21:35 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c0033498.dat
2008-06-05 21:21 . 2008-06-05 21:21 37,888 --a------ C:\WINDOWS\SYSTEM32\gimbdeck.exe
2008-06-05 21:21 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c0085117.dat
2008-06-05 13:09 . 2008-06-05 13:09 37,888 --a------ C:\WINDOWS\SYSTEM32\pgtbvete.exe
2008-06-05 13:09 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c00B3537.dat
2008-06-05 12:37 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c0089865.dat
2008-06-05 12:36 . 2008-06-05 12:36 37,888 --a------ C:\WINDOWS\SYSTEM32\pokefeqj.exe
2008-06-05 12:14 . 2008-06-05 12:14 <DIR> d-------- C:\Program Files\Coupons
2008-06-02 21:10 . 2008-06-02 21:10 37,888 --a------ C:\WINDOWS\SYSTEM32\mstuevxu.exe
2008-06-02 21:10 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c00A844.dat
2008-06-02 18:58 . 2008-06-02 18:58 37,888 --a------ C:\WINDOWS\SYSTEM32\ongttnlg.exe
2008-06-02 18:58 . 1980-08-16 19:00 24,576 --a------ C:\WINDOWS\SYSTEM32\__c0029B84.dat
2008-06-02 18:35 . 2008-06-02 18:35 37,888 --a------ C:\WINDOWS\SYSTEM32\emufgiox.exe
2008-06-02 18:35 . 2008-06-08 11:45 24,576 --a------ C:\WINDOWS\SYSTEM32\__c00A7E71.dat
2008-05-28 21:14 . 2008-05-28 21:15 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 23:08 . 2008-05-18 23:08 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-05-18 23:08 . 2008-05-18 23:08 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico
2008-05-18 21:59 . 2008-05-18 23:09 <DIR> d-------- C:\Program Files\Vcsron
2008-05-18 19:12 . 2008-05-18 22:58 474 --ahs---- C:\WINDOWS\SYSTEM32\lffetevp.ini
2008-05-18 19:03 . 2001-08-18 14:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\logXv06
2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\temp\dmpxp32
2008-05-18 19:01 . 2008-05-18 19:01 87,513 --a------ C:\WINDOWS\SYSTEM32\xwusuhzh.exe
2008-05-18 19:01 . 2008-05-18 19:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 19:01 . 2008-05-18 19:01 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 01:50 30,208 ----a-w C:\WINDOWS\winmgnt.exe
2008-06-11 01:50 21,760 ----a-w C:\WINDOWS\window.exe
2008-06-11 01:50 21,760 ----a-w C:\WINDOWS\waol.exe
2008-06-11 01:50 17,152 ----a-w C:\WINDOWS\winajbm.dll
2008-06-11 01:50 14,336 ----a-w C:\WINDOWS\win64.exe
2008-06-11 01:48 31,232 ----a-w C:\WINDOWS\mtwirl32.dll
2008-06-11 01:48 30,720 ----a-w C:\WINDOWS\notepad32.exe
2008-06-11 01:48 30,720 ----a-w C:\WINDOWS\mssys.exe
2008-06-11 01:48 17,920 ----a-w C:\WINDOWS\msupdate.exe
2008-06-11 01:48 17,408 ----a-w C:\WINDOWS\mswsc20.dll
2008-06-11 01:48 14,592 ----a-w C:\WINDOWS\users32.exe
2008-06-11 01:48 13,824 ----a-w C:\WINDOWS\msspi.dll
2008-06-11 01:48 11,776 ----a-w C:\WINDOWS\mswsc10.dll
2008-06-11 01:47 20,480 ----a-w C:\WINDOWS\msconfd.dll
2008-06-11 01:46 9,216 ----a-w C:\WINDOWS\helpcvs.exe
2008-06-11 01:46 8,704 ----a-w C:\WINDOWS\inetinf.exe
2008-06-11 01:46 31,488 ----a-w C:\WINDOWS\internet.exe
2008-06-11 01:46 25,600 ----a-w C:\WINDOWS\editpad.exe
2008-06-11 01:46 16,128 ----a-w C:\WINDOWS\gfmnaaa.dll
2008-06-11 01:46 12,800 ----a-w C:\WINDOWS\funniest.exe
2008-06-11 01:46 11,008 ----a-w C:\WINDOWS\funny.exe
2008-06-11 01:44 8,704 ----a-w C:\WINDOWS\ctrlpan.dll
2008-06-11 01:44 32,000 ----a-w C:\WINDOWS\x.exe
2008-06-11 01:44 29,184 ----a-w C:\WINDOWS\cpan.dll
2008-06-11 01:44 27,136 ----a-w C:\WINDOWS\directx32.exe
2008-06-11 01:44 26,368 ----a-w C:\WINDOWS\clrssn.exe
2008-06-11 01:44 25,088 ----a-w C:\WINDOWS\y.exe
2008-06-11 01:44 20,736 ----a-w C:\WINDOWS\ctfmon32.exe
2008-06-11 01:44 11,008 ----a-w C:\WINDOWS\dnsrelay.dll
2008-06-11 01:43 9,984 ----a-w C:\WINDOWS\avpcc.dll
2008-06-11 01:43 26,368 ----a-w C:\WINDOWS\accesss.exe
2008-06-11 01:42 32,256 ----a-w C:\WINDOWS\searchword.dll
2008-06-11 01:42 30,976 ----a-w C:\WINDOWS\xplugin.dll
2008-06-11 01:42 29,952 ----a-w C:\WINDOWS\svcinit.exe
2008-06-11 01:42 28,928 ----a-w C:\WINDOWS\rundll32.vbe
2008-06-11 01:42 28,416 ----a-w C:\WINDOWS\sistem.exe
2008-06-11 01:42 11,776 ----a-w C:\WINDOWS\time.exe
2008-06-11 01:41 31,744 ----a-w C:\WINDOWS\quicken.exe
2008-06-11 01:41 10,752 ----a-w C:\WINDOWS\qttasks.exe
2008-06-11 01:39 11,008 ----a-w C:\WINDOWS\explore.exe
2008-06-07 14:46 --------- d-----w C:\Program Files\ReGetDx
2008-05-19 01:35 --------- d-----w C:\Program Files\HD Tune
2008-05-11 22:17 --------- d-----w C:\Program Files\Yahoo!
2008-05-08 02:39 --------- d-----w C:\Program Files\ACAD2000
2008-04-24 23:28 --------- d-----w C:\Program Files\SpywareGuard
2008-04-19 15:09 --------- d-----w C:\Program Files\TagScanner
2008-04-12 00:52 --------- d-----w C:\Documents and Settings\DCervantes\Application Data\CDBurnerXP_Soft
2008-04-12 00:51 --------- d-----w C:\Program Files\CDBurnerXP
2008-03-16 01:10 8 ----a-w C:\Documents and Settings\DCervantes\Application Data\usb.dat.bin
2008-02-06 03:39 9,143 -c--a-w C:\Program Files\hijackthis.log
2008-01-30 04:32 10,294 -c--a-w C:\Program Files\startuplist.txt
2008-01-24 04:13 63,896 -c--a-w C:\Documents and Settings\DCervantes\Application Data\GDIPFONTCACHEV1.DAT
2005-06-16 03:16 10,856 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DAAB5C1-3664-461E-97CB-883BFA6CAA4B}]
C:\WINDOWS\system32\ddcYoMDV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EF9D289-834A-4749-8FCC-BDB7ADF66519}]
C:\WINDOWS\system32\hgGayyxV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE7DCE10-31BA-46CE-A454-E325EF2509F6}]
C:\WINDOWS\system32\ddcApmml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-07 20:01 1481968]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-10-10 17:14 28672]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 15:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"WorksFUD"="" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 14:00 28739]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-07-27 14:18 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-07-27 14:17 282624]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34 36864]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 07:00 90182]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 05:00 139347]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-16 20:53 98304]
"SWKSrv"="C:\Program Files\SpywareKill\SWKSrv.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

C:\Documents and Settings\DCervantes\Start Menu\Programs\Startup\
Calendar 2000.lnk - C:\Program Files\Software by Design\Calendar.exe [2004-04-08 19:54:38 253952]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-28 20:21:51 113664]
Belkin PCMCIA WLAN Monitor.lnk - C:\WINDOWS\SYSTEM32\monitorbk.exe [2003-10-21 21:37:57 462848]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2004-01-27 16:02:53 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 14:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\xwusuhzh.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-07 20:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A7E71]
C:\WINDOWS\system32\__c00A7E71.dat 2008-06-08 11:45 24576 C:\WINDOWS\SYSTEM32\__c00A7E71.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a--c--- 2000-07-13 14:00 311350 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\system32\Drivers\usbhsb.sys [2001-12-17 18:42]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 16:34]
S3 PCMCIABKPCMXP;Belkin 11Mbps Wireless Notebook Network Adapter;C:\WINDOWS\system32\DRIVERS\bkpcmxp.sys [2002-08-29 15:36]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 21:11:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 15

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c00A7E71.dat
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\xwusuhzh.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\LxrJD31s.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Compaq\CPQInet\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
.
**************************************************************************
.
Completion time: 2008-06-10 21:20:41 - machine was rebooted [DCervantes]
ComboFix-quarantined-files.txt 2008-06-11 02:20:23

Pre-Run: 1,537,043,456 bytes free
Post-Run: 1,674,279,424 bytes free

406 --- E O F --- 2008-05-18 04:13:30
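For readers working through the log above: the Reg Loading Points section is where this infection's persistence is visible, and every one of those entries can be checked mechanically. The script below is an added example written for this thread (it is not ComboFix output and not part of any tool the posters used). It parses those lines as posted and flags what an analyst would act on first: the Userinit value with a second program appended after userinit.exe (xwusuhzh.exe), a Winlogon Notify package with a .dat extension that winlogon.exe loads as a DLL (__c00A7E71.dat, also listed under "DLLs Loaded Under Running Processes"), a fifth entry in SecurityProviders beyond the four Windows XP defaults (zwebauth.dll), DisableTaskMgr and AntiVirusOverride set to 1, and BHO CLSIDs that are either orphaned or point at DLLs sitting directly in system32. The sample input is constructed from the lines above; the rule names and the heuristics are this example's own and are triage hints, not a verdict on any file.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of any tool the
posters used. It reads the log text as posted and flags the persistence and
defence-evasion entries an analyst would act on first.
"""
import re

# Default SecurityProviders value on Windows XP; any further DLL in that list
# is an added security package that lsass/winlogon will load at boot.
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: lines copied from the Reg Loading Points section above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DAAB5C1-3664-461E-97CB-883BFA6CAA4B}]
C:\WINDOWS\system32\ddcYoMDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\xwusuhzh.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-07 20:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A7E71]
C:\WINDOWS\system32\__c00A7E71.dat 2008-06-08 11:45 24576 C:\WINDOWS\SYSTEM32\__c00A7E71.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# Notify entries read "<path> <date> <time> <size> <path>"; capture the first path.
NOTIFY_LINE = re.compile(r"^(?P<path>.+?)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+")


def parse_blocks(text):
    """Split the excerpt into (key, [body lines]) pairs, one per [KEY] header."""
    blocks, key, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, body))
            key, body = line[1:-1], []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        blocks.append((key, body))
    return blocks


def triage(text):
    """Return (rule, evidence) pairs for every suspicious loading point found."""
    findings = []
    for key, body in parse_blocks(text):
        k = key.lower()
        if "browser helper objects" in k:
            clsid = key[key.rfind("{"):]
            if not body:
                # ComboFix prints the DLL under the CLSID when it resolves; an
                # empty entry is a leftover registration to delete.
                findings.append(("bho-orphan", clsid))
            elif re.search(r"\\system32\\[^\\]+\.dll$", body[0], re.I):
                # Legitimate BHOs install under their application's folder,
                # not loose in system32; review these by hand.
                findings.append(("bho-in-system32", body[0]))
        elif k.endswith("\\winlogon"):
            for line in body:
                m = re.match(r'"userinit"="(.*)"$', line, re.I)
                if not m:
                    continue
                # The REGEDIT4 export doubles backslashes; undo that first.
                for entry in m.group(1).replace("\\\\", "\\").split(","):
                    entry = entry.strip()
                    if entry and entry.lower() != LEGIT_USERINIT:
                        findings.append(("userinit-hijack", entry))
        elif "\\winlogon\\notify\\" in k and body:
            m = NOTIFY_LINE.match(body[0])
            path = m.group("path") if m else body[0]
            if not path.lower().endswith(".dll"):
                # A Notify package is a DLL loaded into winlogon.exe; a .dat
                # extension keeps it out of a casual search for DLLs.
                findings.append(("winlogon-notify-non-dll", path))
        elif k.endswith("\\securityproviders"):
            for line in body:
                if line.lower().startswith("securityproviders"):
                    providers = {p.strip().lower() for p in line.split(None, 1)[1].split(",")}
                    for extra in sorted(providers - XP_DEFAULT_SECURITY_PROVIDERS):
                        findings.append(("added-security-provider", extra))
        elif k.endswith("\\policies\\system"):
            for line in body:
                if re.match(r'"disabletaskmgr"\s*=\s*1\b', line, re.I):
                    findings.append(("taskmgr-disabled", key))
        elif k.endswith("\\security center"):
            for line in body:
                if re.match(r'"antivirusoverride"\s*=\s*dword:0*1$', line, re.I):
                    findings.append(("security-center-av-override", key))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:28} {evidence}")
```

Run against the excerpt it reports seven findings. The Userinit and Notify hits are the ones that matter most for clean-up order: both run before the user's desktop appears, so deleting the BHO DLLs alone would leave the machine able to re-drop them at the next logon.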

#8
loophole (Malware Expert, Retired Staff, 9,798 posts)
I'm sorry for the delay. Please re-run ComboFix and post the log. We have a lot of cleanup to do.

#9
cervada (Topic Starter, Member, 37 posts)
No need to apologize! I know how busy we all are. I really appreciate the help. Below is the log for ComboFix. I am ready to clean up everything I need to. Thanks again!

David C

ComboFix 08-06-10.1 - DCervantes 2008-06-13 18:46:08.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.279 [GMT -5:00]
Running from: C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\__c001D66A.dat
C:\WINDOWS\system32\__c00202CA.dat
C:\WINDOWS\system32\__c0029B84.dat
C:\WINDOWS\system32\__c0033498.dat
C:\WINDOWS\system32\__c0085117.dat
C:\WINDOWS\system32\__c0087895.dat
C:\WINDOWS\system32\__c0089865.dat
C:\WINDOWS\system32\__c00A7E71.dat
C:\WINDOWS\system32\__c00A844.dat
C:\WINDOWS\system32\__c00B3537.dat
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-10 19:24 . 2008-06-10 19:24 37,888 --a------ C:\WINDOWS\SYSTEM32\phhdyvck.exe
2008-06-08 17:20 . 2008-06-08 17:20 37,888 --a------ C:\WINDOWS\SYSTEM32\svefolwu.exe
2008-06-08 12:02 . 2008-06-08 12:02 37,888 --a------ C:\WINDOWS\SYSTEM32\apquolmf.exe
2008-06-08 11:35 . 2008-06-08 11:37 <DIR> d-------- C:\Combo-Fix
2008-06-07 09:39 . 2008-06-10 21:04 <DIR> d-------- C:\Documents and Settings\DCervantes\Application Data\uTorrent
2008-06-05 21:35 . 2008-06-05 21:35 37,888 --a------ C:\WINDOWS\SYSTEM32\svfnceaq.exe
2008-06-05 21:21 . 2008-06-05 21:21 37,888 --a------ C:\WINDOWS\SYSTEM32\gimbdeck.exe
2008-06-05 13:09 . 2008-06-05 13:09 37,888 --a------ C:\WINDOWS\SYSTEM32\pgtbvete.exe
2008-06-05 12:36 . 2008-06-05 12:36 37,888 --a------ C:\WINDOWS\SYSTEM32\pokefeqj.exe
2008-06-05 12:14 . 2008-06-05 12:14 <DIR> d-------- C:\Program Files\Coupons
2008-06-02 21:10 . 2008-06-02 21:10 37,888 --a------ C:\WINDOWS\SYSTEM32\mstuevxu.exe
2008-06-02 18:58 . 2008-06-02 18:58 37,888 --a------ C:\WINDOWS\SYSTEM32\ongttnlg.exe
2008-06-02 18:35 . 2008-06-02 18:35 37,888 --a------ C:\WINDOWS\SYSTEM32\emufgiox.exe
2008-05-28 21:14 . 2008-05-28 21:15 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 23:08 . 2008-05-18 23:08 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-05-18 23:08 . 2008-05-18 23:08 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico
2008-05-18 21:59 . 2008-05-18 23:09 <DIR> d-------- C:\Program Files\Vcsron
2008-05-18 19:12 . 2008-05-18 22:58 474 --ahs---- C:\WINDOWS\SYSTEM32\lffetevp.ini
2008-05-18 19:03 . 2001-08-18 14:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\logXv06
2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\temp\dmpxp32
2008-05-18 19:01 . 2008-05-18 19:01 87,513 --a------ C:\WINDOWS\SYSTEM32\xwusuhzh.exe
2008-05-18 19:01 . 2008-05-18 19:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 19:01 . 2008-05-18 19:01 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 14:46 --------- d-----w C:\Program Files\ReGetDx
2008-05-19 01:35 --------- d-----w C:\Program Files\HD Tune
2008-05-11 22:17 --------- d-----w C:\Program Files\Yahoo!
2008-05-08 02:39 --------- d-----w C:\Program Files\ACAD2000
2008-04-24 23:28 --------- d-----w C:\Program Files\SpywareGuard
2008-04-19 15:09 --------- d-----w C:\Program Files\TagScanner
2008-03-16 01:10 8 ----a-w C:\Documents and Settings\DCervantes\Application Data\usb.dat.bin
2008-02-06 03:39 9,143 -c--a-w C:\Program Files\hijackthis.log
2008-01-30 04:32 10,294 -c--a-w C:\Program Files\startuplist.txt
2008-01-24 04:13 63,896 -c--a-w C:\Documents and Settings\DCervantes\Application Data\GDIPFONTCACHEV1.DAT
2005-06-16 03:16 10,856 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-10_21.19.13.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-11 02:08:00 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-13 23:53:01 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DAAB5C1-3664-461E-97CB-883BFA6CAA4B}]
C:\WINDOWS\system32\ddcYoMDV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EF9D289-834A-4749-8FCC-BDB7ADF66519}]
C:\WINDOWS\system32\hgGayyxV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE7DCE10-31BA-46CE-A454-E325EF2509F6}]
C:\WINDOWS\system32\ddcApmml.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-07 20:01 1481968]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-10-10 17:14 28672]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 15:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"WorksFUD"="" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 14:00 28739]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-07-27 14:18 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-07-27 14:17 282624]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34 36864]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 07:00 90182]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 05:00 139347]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-16 20:53 98304]
"SWKSrv"="C:\Program Files\SpywareKill\SWKSrv.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

C:\Documents and Settings\DCervantes\Start Menu\Programs\Startup\
Calendar 2000.lnk - C:\Program Files\Software by Design\Calendar.exe [2004-04-08 19:54:38 253952]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-28 20:21:51 113664]
Belkin PCMCIA WLAN Monitor.lnk - C:\WINDOWS\SYSTEM32\monitorbk.exe [2003-10-21 21:37:57 462848]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2004-01-27 16:02:53 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 14:00:00 24633]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-07 20:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A7E71]
C:\WINDOWS\system32\__c00A7E71.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a--c--- 2000-07-13 14:00 311350 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\system32\Drivers\usbhsb.sys [2001-12-17 18:42]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 16:34]
S3 PCMCIABKPCMXP;Belkin 11Mbps Wireless Notebook Network Adapter;C:\WINDOWS\system32\DRIVERS\bkpcmxp.sys [2002-08-29 15:36]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 18:56:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\LxrJD31s.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Compaq\CPQInet\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
.
**************************************************************************
.
Completion time: 2008-06-13 19:06:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 00:06:29
ComboFix2.txt 2008-06-11 02:20:42

Pre-Run: 1,726,950,912 bytes free
Post-Run: 1,712,950,784 bytes free

218 --- E O F --- 2008-05-18 04:13:30

#10
cervada (Topic Starter, Member, 37 posts)
Thank you so much for all of your help so far! I had not seen any additional instructions since Friday, and I am still receiving a Browser Protection Alert from SpywareGuard after startup saying WARNING! A BHO has been added. I look forward to receiving instructions on how to proceed. Thanks!

David C.
Houston, TX

#11
loophole (Malware Expert, Retired Staff, 9,798 posts)
So sorry for the delay. Work has been hectic lately. I'm glad I get this weekend off.

Open Notepad and copy/paste the text in RED below into it:

File::
C:\WINDOWS\SYSTEM32\phhdyvck.exe
C:\WINDOWS\SYSTEM32\svefolwu.exe
C:\WINDOWS\SYSTEM32\apquolmf.exe
C:\WINDOWS\SYSTEM32\svfnceaq.exe
C:\WINDOWS\SYSTEM32\gimbdeck.exe
C:\WINDOWS\SYSTEM32\pgtbvete.exe
C:\WINDOWS\SYSTEM32\mstuevxu.exe
C:\WINDOWS\SYSTEM32\ongttnlg.exe
C:\WINDOWS\SYSTEM32\emufgiox.exe
C:\WINDOWS\SYSTEM32\xwusuhzh.exe
Folder::
C:\Program Files\Coupons


Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)

Posted Image


Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt. Also, please post a new HijackThis log.

Thanks
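The File:: list in the post above comes straight out of the Files Created section of the 2008-06-13 log: executables in SYSTEM32 with eight-letter random names, every one exactly 37,888 bytes, created a few hours apart over two weeks, plus xwusuhzh.exe (the program appended to Userinit). That pattern, one byte size shared by many freshly named files, is the signature of a dropper re-writing itself under a new name each time it runs. As an added example for this thread (not the helper's script and not part of ComboFix), the code below derives the list mechanically: it parses the Files Created lines as posted, groups executables under C:\WINDOWS by byte size, and treats a size shared by several random-named files as one binary. The "random name" rule (exactly eight lowercase letters), the minimum cluster size, and the comparison set are this example's assumptions; the sample lines are copied from the log above. Run against those lines it also returns pokefeqj.exe (37,888 bytes, created 2008-06-05 12:36), which the posted CFScript does not list and which is still present in the Files Created section of the log posted in the next reply.

```python
"""Cluster the 'Files Created' section of a ComboFix log to find a dropper
that re-creates itself under fresh random names, and render the cluster as a
CFScript 'File::' section. Added example for this thread; it is not ComboFix
and not the script posted by the helper.
"""
import re
from collections import defaultdict

# Constructed sample: Files Created lines copied from the 2008-06-13 log above.
FILES_CREATED = r"""
2008-06-10 19:24 . 2008-06-10 19:24 37,888 --a------ C:\WINDOWS\SYSTEM32\phhdyvck.exe
2008-06-08 17:20 . 2008-06-08 17:20 37,888 --a------ C:\WINDOWS\SYSTEM32\svefolwu.exe
2008-06-08 12:02 . 2008-06-08 12:02 37,888 --a------ C:\WINDOWS\SYSTEM32\apquolmf.exe
2008-06-08 11:35 . 2008-06-08 11:37 <DIR> d-------- C:\Combo-Fix
2008-06-05 21:35 . 2008-06-05 21:35 37,888 --a------ C:\WINDOWS\SYSTEM32\svfnceaq.exe
2008-06-05 21:21 . 2008-06-05 21:21 37,888 --a------ C:\WINDOWS\SYSTEM32\gimbdeck.exe
2008-06-05 13:09 . 2008-06-05 13:09 37,888 --a------ C:\WINDOWS\SYSTEM32\pgtbvete.exe
2008-06-05 12:36 . 2008-06-05 12:36 37,888 --a------ C:\WINDOWS\SYSTEM32\pokefeqj.exe
2008-06-05 12:14 . 2008-06-05 12:14 <DIR> d-------- C:\Program Files\Coupons
2008-06-02 21:10 . 2008-06-02 21:10 37,888 --a------ C:\WINDOWS\SYSTEM32\mstuevxu.exe
2008-06-02 18:58 . 2008-06-02 18:58 37,888 --a------ C:\WINDOWS\SYSTEM32\ongttnlg.exe
2008-06-02 18:35 . 2008-06-02 18:35 37,888 --a------ C:\WINDOWS\SYSTEM32\emufgiox.exe
2008-05-18 23:08 . 2008-05-18 23:08 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-05-18 19:03 . 2001-08-18 14:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-18 19:01 . 2008-05-18 19:01 87,513 --a------ C:\WINDOWS\SYSTEM32\xwusuhzh.exe
"""

# Layout of each line: "<created> . <modified> <size or <DIR>> <attributes> <path>"
LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# Assumed "random name" rule: exactly eight lowercase letters, nothing else.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
EXECUTABLE_EXTS = {"exe", "dll", "dat"}

# The File:: list from the CFScript posted above, kept here for comparison.
POSTED_CFSCRIPT_FILES = {
    r"C:\WINDOWS\SYSTEM32\phhdyvck.exe", r"C:\WINDOWS\SYSTEM32\svefolwu.exe",
    r"C:\WINDOWS\SYSTEM32\apquolmf.exe", r"C:\WINDOWS\SYSTEM32\svfnceaq.exe",
    r"C:\WINDOWS\SYSTEM32\gimbdeck.exe", r"C:\WINDOWS\SYSTEM32\pgtbvete.exe",
    r"C:\WINDOWS\SYSTEM32\mstuevxu.exe", r"C:\WINDOWS\SYSTEM32\ongttnlg.exe",
    r"C:\WINDOWS\SYSTEM32\emufgiox.exe", r"C:\WINDOWS\SYSTEM32\xwusuhzh.exe",
}


def parse(text):
    """Return one dict per file line; directory lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["size"] == "<DIR>":
            continue
        rows.append({"created": m["created"],
                     "size": int(m["size"].replace(",", "")),
                     "path": m["path"]})
    return rows


def dropper_clusters(rows, min_members=3):
    """Map byte size -> sorted paths of random-named executables under
    C:\\WINDOWS that share that size with at least min_members files."""
    by_size = defaultdict(list)
    for r in rows:
        name = r["path"].rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if (ext.lower() in EXECUTABLE_EXTS
                and r["path"].lower().startswith("c:\\windows\\")
                and RANDOM_STEM.match(stem)):
            by_size[r["size"]].append(r["path"])
    return {size: sorted(paths) for size, paths in by_size.items()
            if len(paths) >= min_members}


def not_in_script(clusters, script_files):
    """Cluster members that a hand-written File:: list left out."""
    listed = {p.lower() for p in script_files}
    return sorted(p for paths in clusters.values() for p in paths
                  if p.lower() not in listed)


def cfscript(paths):
    """Render a CFScript 'File::' section for the given paths."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    clusters = dropper_clusters(parse(FILES_CREATED))
    for size, paths in clusters.items():
        print(f"{len(paths)} files of {size:,} bytes:\n{cfscript(paths)}")
    print("not covered by the posted script:",
          not_in_script(clusters, POSTED_CFSCRIPT_FILES))
```

The size-based grouping is deliberately independent of file names, so it keeps working when the dropper changes its naming scheme; xwusuhzh.exe (87,513 bytes, a single file of its size) is not caught this way and has to come from the Userinit entry instead, which is exactly why both checks belong in a clean-up.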

#12
cervada (Topic Starter, Member, 37 posts)
Believe me, I understand things can get very busy at work! I really appreciate the help, so no complaints here. Below are the logs for ComboFix and HijackThis.

David Cervantes
Houston, TX

ComboFix 08-06-10.1 - DCervantes 2008-06-20 18:48:43.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.277 [GMT -5:00]
Running from: C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe
Command switches used :: C:\Documents and Settings\DCervantes\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\apquolmf.exe
C:\WINDOWS\SYSTEM32\emufgiox.exe
C:\WINDOWS\SYSTEM32\gimbdeck.exe
C:\WINDOWS\SYSTEM32\mstuevxu.exe
C:\WINDOWS\SYSTEM32\ongttnlg.exe
C:\WINDOWS\SYSTEM32\pgtbvete.exe
C:\WINDOWS\SYSTEM32\phhdyvck.exe
C:\WINDOWS\SYSTEM32\svefolwu.exe
C:\WINDOWS\SYSTEM32\svfnceaq.exe
C:\WINDOWS\SYSTEM32\xwusuhzh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Coupons
C:\Program Files\Coupons\Coupons.com.url
C:\Program Files\Coupons\uninstall.exe
C:\Program Files\Coupons\Uninstall\IRIMG1.JPG
C:\Program Files\Coupons\Uninstall\IRIMG2.JPG
C:\Program Files\Coupons\Uninstall\IRIMG3.JPG
C:\Program Files\Coupons\Uninstall\IRIMG4.JPG
C:\Program Files\Coupons\Uninstall\IRIMG5.JPG
C:\Program Files\Coupons\Uninstall\IRIMG6.JPG
C:\Program Files\Coupons\Uninstall\IRIMG7.JPG
C:\Program Files\Coupons\Uninstall\IRIMG8.JPG
C:\Program Files\Coupons\Uninstall\uninstall.dat
C:\Program Files\Coupons\Uninstall\uninstall.xml
C:\WINDOWS\SYSTEM32\apquolmf.exe
C:\WINDOWS\SYSTEM32\emufgiox.exe
C:\WINDOWS\SYSTEM32\gimbdeck.exe
C:\WINDOWS\SYSTEM32\mstuevxu.exe
C:\WINDOWS\SYSTEM32\ongttnlg.exe
C:\WINDOWS\SYSTEM32\pgtbvete.exe
C:\WINDOWS\SYSTEM32\phhdyvck.exe
C:\WINDOWS\SYSTEM32\svefolwu.exe
C:\WINDOWS\SYSTEM32\svfnceaq.exe
C:\WINDOWS\SYSTEM32\xwusuhzh.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-08 11:35 . 2008-06-08 11:37 <DIR> d-------- C:\Combo-Fix
2008-06-07 09:39 . 2008-06-10 21:04 <DIR> d-------- C:\Documents and Settings\DCervantes\Application Data\uTorrent
2008-06-05 12:36 . 2008-06-05 12:36 37,888 --a------ C:\WINDOWS\SYSTEM32\pokefeqj.exe
2008-05-28 21:14 . 2008-05-28 21:15 <DIR> d-------- C:\Program Files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 14:46 --------- d-----w C:\Program Files\ReGetDx
2008-05-19 04:09 --------- d-----w C:\Program Files\Vcsron
2008-05-19 01:35 --------- d-----w C:\Program Files\HD Tune
2008-05-11 22:17 --------- d-----w C:\Program Files\Yahoo!
2008-05-08 02:39 --------- d-----w C:\Program Files\ACAD2000
2008-04-24 23:28 --------- d-----w C:\Program Files\SpywareGuard
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-16 01:10 8 ----a-w C:\Documents and Settings\DCervantes\Application Data\usb.dat.bin
2008-02-06 03:39 9,143 -c--a-w C:\Program Files\hijackthis.log
2008-01-30 04:32 10,294 -c--a-w C:\Program Files\startuplist.txt
2008-01-24 04:13 63,896 -c--a-w C:\Documents and Settings\DCervantes\Application Data\GDIPFONTCACHEV1.DAT
2005-06-16 03:16 10,856 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-10_21.19.13.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-11 02:08:00 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-20 23:42:59 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DAAB5C1-3664-461E-97CB-883BFA6CAA4B}]
C:\WINDOWS\system32\ddcYoMDV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EF9D289-834A-4749-8FCC-BDB7ADF66519}]
C:\WINDOWS\system32\hgGayyxV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE7DCE10-31BA-46CE-A454-E325EF2509F6}]
C:\WINDOWS\system32\ddcApmml.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-07 20:01 1481968]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-10-10 17:14 28672]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 15:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"WorksFUD"="" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 14:00 28739]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-07-27 14:18 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-07-27 14:17 282624]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34 36864]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 07:00 90182]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 05:00 139347]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-16 20:53 98304]
"SWKSrv"="C:\Program Files\SpywareKill\SWKSrv.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

C:\Documents and Settings\DCervantes\Start Menu\Programs\Startup\
Calendar 2000.lnk - C:\Program Files\Software by Design\Calendar.exe [2004-04-08 19:54:38 253952]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-28 20:21:51 113664]
Belkin PCMCIA WLAN Monitor.lnk - C:\WINDOWS\SYSTEM32\monitorbk.exe [2003-10-21 21:37:57 462848]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2004-01-27 16:02:53 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 14:00:00 24633]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-07 20:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A7E71]
C:\WINDOWS\system32\__c00A7E71.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a--c--- 2000-07-13 14:00 311350 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\system32\Drivers\usbhsb.sys [2001-12-17 18:42]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 16:34]
S3 PCMCIABKPCMXP;Belkin 11Mbps Wireless Notebook Network Adapter;C:\WINDOWS\system32\DRIVERS\bkpcmxp.sys [2002-08-29 15:36]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 18:53:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-20 18:57:44
ComboFix-quarantined-files.txt 2008-06-20 23:56:40
ComboFix2.txt 2008-06-14 00:06:37
ComboFix3.txt 2008-06-11 02:20:42

Pre-Run: 1,669,575,680 bytes free
Post-Run: 1,651,291,136 bytes free

156 --- E O F --- 2008-05-18 04:13:30


HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:50 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Software by Design\Calendar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {2DAAB5C1-3664-461E-97CB-883BFA6CAA4B} - C:\WINDOWS\system32\ddcYoMDV.dll (file missing)
O2 - BHO: (no name) - {2EF9D289-834A-4749-8FCC-BDB7ADF66519} - C:\WINDOWS\system32\hgGayyxV.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {BE7DCE10-31BA-46CE-A454-E325EF2509F6} - C:\WINDOWS\system32\ddcApmml.dll (file missing)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SWKSrv] C:\Program Files\SpywareKill\SWKSrv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Support - {44B33957-091D-45DA-9E91-CD5224B6BA17} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kelly.kellys...0CQu76,CT=java
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://kelly.kellys...va iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.c...eX/wlaninfo.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B6E6EEF0-F5AA-4A4D-88EC-FF43FB2029E5} (TeleVoxAudioPlayer2.TVoxAudioPlayer) - https://www.mytelevo...udioPlayer2.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://kelly.kellys...perSetupSP1.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yah...tionControl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9723 bytes

#13
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Thank you for your understanding :)

That looks much better.

Please rescan with Hijackthis and place a check next to the following entries:

O2 - BHO: (no name) - {2DAAB5C1-3664-461E-97CB-883BFA6CAA4B} - C:\WINDOWS\system32\ddcYoMDV.dll (file missing)
O2 - BHO: (no name) - {2EF9D289-834A-4749-8FCC-BDB7ADF66519} - C:\WINDOWS\system32\hgGayyxV.dll (file missing)
O2 - BHO: (no name) - {BE7DCE10-31BA-46CE-A454-E325EF2509F6} - C:\WINDOWS\system32\ddcApmml.dll (file missing)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat (file missing)

Now click "Fix Checked" and close HijackThis.

Browse for and delete this file:
C:\WINDOWS\SYSTEM32\pokefeqj.exe

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, click File in the menu and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt. Please post the log with a new HijackThis log.

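The entries loophole asks to tick share traits a defender can check mechanically: the registration points at a file that is already gone, the BHO has no display name, the DLL carries a random-looking 8-letter name in system32, or a Winlogon Notify package is not even a .dll. The Python below is an added example, not a tool from this thread; it parses O2/O3/O20 lines of a HijackThis v2 log (the sample is copied from the log posted above) and lists the ones showing those traits. The ReGet toolbar the helper also ticked is a judgement call about unwanted software that no heuristic here catches.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: O2/O3/O20 lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {2DAAB5C1-3664-461E-97CB-883BFA6CAA4B} - C:\WINDOWS\system32\ddcYoMDV.dll (file missing)
O2 - BHO: (no name) - {2EF9D289-834A-4749-8FCC-BDB7ADF66519} - C:\WINDOWS\system32\hgGayyxV.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {BE7DCE10-31BA-46CE-A454-E325EF2509F6} - C:\WINDOWS\system32\ddcApmml.dll (file missing)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: __c00A7E71 - C:\WINDOWS\system32\__c00A7E71.dat (file missing)
"""

# O2 (BHO) and O3 (toolbar) lines: "<section> - <kind>: <name> - {CLSID} - <path> [(file missing)]"
COM_LINE = re.compile(
    r"^(?P<section>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20 lines: "O20 - Winlogon Notify: <name> - <path> [(file missing)]"
NOTIFY_LINE = re.compile(
    r"^(?P<section>O20) - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Eight-letter stems in system32 (ddcYoMDV.dll, hgGayyxV.dll, ...) are the generated
# names seen in this thread; legitimate vendor DLLs rarely look like that.
RANDOM_SYS32 = re.compile(r"\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list[str]
    raw: str


def _reasons(section: str, name: str, path: str, missing: bool) -> list[str]:
    """Collect the suspicious traits of one registration; empty means nothing to flag."""
    reasons = []
    if missing:
        reasons.append("file missing: orphaned registration left behind after cleanup")
    if section == "O2" and name == "(no name)":
        reasons.append("BHO registered without a display name")
    if RANDOM_SYS32.search(path):
        reasons.append("random-looking 8-letter DLL name in system32")
    if section == "O20" and not path.lower().endswith(".dll"):
        reasons.append("Winlogon Notify package is not a .dll")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return every O2/O3/O20 entry that shows at least one suspicious trait."""
    findings = []
    for raw in log_text.splitlines():
        m = COM_LINE.match(raw) or NOTIFY_LINE.match(raw)
        if not m:
            continue  # other HijackThis sections are out of scope here
        reasons = _reasons(m["section"], m["name"], m["path"], bool(m["missing"]))
        if reasons:
            findings.append(Finding(m["section"], m["name"], m["path"], reasons, raw))
    return findings


def lines_to_fix(log_text: str) -> list[str]:
    """The raw log lines one would tick before pressing 'Fix Checked'."""
    return [f.raw for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {'; '.join(f.reasons)}")
```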

#14
cervada

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Here are the logs for Dr.Web CureIt and for HijackThis.

Dr.Web CureIt
15E.tmp\data002;C:\15E.tmp;Adware.SearchAid.38;;
15E.tmp\data003;C:\15E.tmp;Adware.SearchAid.38;;
15E.tmp\data004;C:\15E.tmp;Adware.SearchAid.54;;
15E.tmp\data005;C:\15E.tmp;Adware.SearchAid.origin;;
15E.tmp;C:\;Archive contains infected objects;Moved.;
Combo-2Fix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe;Probably SCRIPT.Virus;;
Combo-2Fix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\DCervantes\Desktop\Combo-2Fix.exe;Program.PsExec.171;;
Combo-2Fix.exe;C:\Documents and Settings\DCervantes\Desktop;Archive contains infected objects;Moved.;
17624.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc;Trojan.Uploader.24577;Deleted.;
18906.exe.vir;C:\QooBox\Quarantine\C\Documents and Settings\DCervantes\Application Data\Microsoft\dtsc;Trojan.DownLoader.61691;Deleted.;
afivjesa.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
aybwevsu.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
dagcqgqv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
emmahbgx.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
fqcjmsfg.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
iafbdpgf.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.882;Deleted.;
iwbsqayu.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
qoovofkt.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
qtwsxkmg.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.882;Deleted.;
ubcleusa.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
upcutxan.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
volgxybe.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.LowZones.884;Deleted.;
xwusuhzh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Fakealert.678;Deleted.;
A0107599.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Adware.MediaTicket.81;Incurable.Moved.;
A0107607.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Trojan.Click.origin;Incurable.Moved.;
A0107613.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Trojan.DownLoader.59887;Deleted.;
A0107615.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1534;Adware.ClickSpring - read error;;
A0109751.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Trojan.MulDrop.16568;Deleted.;
A0110777.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Adware.ClickSpring.origin;Incurable.Moved.;
A0110778.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Trojan.PurityAd.origin;Incurable.Moved.;
A0110821.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Trojan.Uploader.24578;Deleted.;
A0110872.exe\data002;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536\A0110872.exe;Adware.MediaTicket.81;;
A0110872.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1536;Archive contains infected objects;Moved.;
A0112884.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1537;Trojan.DownLoader.61691;Deleted.;
A0114988.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1539;Trojan.Uploader.24579;Deleted.;
A0117269.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Probably SCRIPT.Virus;Incurable.Moved.;
A0117288.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117288.exe;Probably SCRIPT.Virus;;
A0117288.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117288.exe;Program.PsExec.171;;
A0117288.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117292.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117292.exe;Probably SCRIPT.Virus;;
A0117292.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117292.exe;Program.PsExec.171;;
A0117292.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117314.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117314.exe;Probably SCRIPT.Virus;;
A0117314.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117314.exe;Program.PsExec.171;;
A0117314.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0118365.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0118365.exe;Probably SCRIPT.Virus;;
A0118365.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0118365.exe;Program.PsExec.171;;
A0118365.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0118434.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118438.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118443.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118446.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118450.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118455.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.882;Deleted.;
A0118459.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118471.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118472.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.882;Deleted.;
A0118477.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118479.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.LowZones.884;Deleted.;
A0118506.dll;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.Uploader.24577;Deleted.;
A0118507.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Trojan.DownLoader.61691;Deleted.;
A0118587.EXE;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Program.PsExec.170;Incurable.Moved.;
A0118597.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Probably SCRIPT.Virus;Incurable.Moved.;
A0118730.EXE;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Program.PsExec.170;Incurable.Moved.;
A0118741.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1541;Probably SCRIPT.Virus;Incurable.Moved.;
A0118792.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Trojan.Fakealert.678;Deleted.;
A0118804.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Probably SCRIPT.Virus;Incurable.Moved.;
A0118823.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118823.exe;Probably SCRIPT.Virus;;
A0118823.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118823.exe;Program.PsExec.171;;
A0118823.exe;C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Archive contains infected objects;Moved.;
logXv061083.exe;C:\WINDOWS\SYSTEM32\logXv06;Trojan.DownLoader.56730;Deleted.;
Combo 1 Fix.exe\327882R2FWJFW\FIND3M.bat;F:\Combo 1 Fix.exe;Probably SCRIPT.Virus;;
Combo 1 Fix.exe\327882R2FWJFW\psexec.cfexe;F:\Combo 1 Fix.exe;Program.PsExec.171;;
Combo 1 Fix.exe;F:\;Archive contains infected objects;Moved.;
Combo-2Fix.exe\327882R2FWJFW\FIND3M.bat;F:\Combo-2Fix.exe;Probably SCRIPT.Virus;;
Combo-2Fix.exe\327882R2FWJFW\psexec.cfexe;F:\Combo-2Fix.exe;Program.PsExec.171;;
Combo-2Fix.exe;F:\;Archive contains infected objects;Moved.;
A0117060.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117060.exe;Probably SCRIPT.Virus;;
A0117060.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117060.exe;Program.PsExec.171;;
A0117060.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117258.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117258.exe;Probably SCRIPT.Virus;;
A0117258.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117258.exe;Program.PsExec.171;;
A0117258.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117259.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117259.exe;Probably SCRIPT.Virus;;
A0117259.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117259.exe;Program.PsExec.171;;
A0117259.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117261.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117261.exe;Probably SCRIPT.Virus;;
A0117261.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117261.exe;Program.PsExec.171;;
A0117261.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0117317.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117317.exe;Probably SCRIPT.Virus;;
A0117317.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540\A0117317.exe;Program.PsExec.171;;
A0117317.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1540;Archive contains infected objects;Moved.;
A0118825.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118825.exe;Probably SCRIPT.Virus;;
A0118825.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118825.exe;Program.PsExec.171;;
A0118825.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Archive contains infected objects;Moved.;
A0118826.exe\327882R2FWJFW\FIND3M.bat;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118826.exe;Probably SCRIPT.Virus;;
A0118826.exe\327882R2FWJFW\psexec.cfexe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543\A0118826.exe;Program.PsExec.171;;
A0118826.exe;F:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP1543;Archive contains infected objects;Moved.;



HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:42 AM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Software by Design\Calendar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SWKSrv] C:\Program Files\SpywareKill\SWKSrv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKUS\S-1-5-21-3569660965-1238661117-741939197-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3569660965-1238661117-741939197-1003\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe (User '?')
O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Support - {44B33957-091D-45DA-9E91-CD5224B6BA17} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://kelly.kellys...0CQu76,CT=java
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://kelly.kellys...va iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.c...eX/wlaninfo.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B6E6EEF0-F5AA-4A4D-88EC-FF43FB2029E5} (TeleVoxAudioPlayer2.TVoxAudioPlayer) - https://www.mytelevo...udioPlayer2.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://kelly.kellys...perSetupSP1.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yah...tionControl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9484 bytes

#15
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Looks much better.

Most are harmless. Before we begin the final clean-up, how are things running?