Multiple viruses eating my computer..

#1 Doriane (New Member, 8 posts)
I'm exasperated.
This computer seems to be riddled with viruses.. probably because it's my mother's and hasn't been maintained in a year.

I wanted to upload some screenshots of windows folders, but when I hit the 'Browse' button nothing happened.. same on file/image uploading websites.

Anyway, this is how it started--
Booted my computer one day; noticed the control panel was gone, there were icons (internet shortcuts) on the desktop for various bogus spyware programs. Oh, and Norton was gone. And there were constant popups telling me my computer was infected, to download this or that. I googled a bit, and managed to fix a small part of the problem by running Smitfraudfix.

There weren't any other antivirus/malware/spyware etc. programs installed beforehand.. which is probably what caused this in the first place. So of course I immediately downloaded a few, including: AVG antivirus, Avira AntiVir, CCleaner, Malwarebytes' Anti-Malware, Ad-Aware, ATF Cleaner, StartupOptimizer, and HijackThis. The antivirus and malware/adware programs wouldn't install.. the other programs installed fine, but couldn't remove the viruses and things in startup (since they seemed to just reappear immediately after, no matter what).. like in msconfig, or when using StartupOptimizer.

At this point I noticed that Google was acting strangely. Certain things I typed in the address bar wouldn't work.. I'd hit enter and nothing would happen. Same thing happened when I would try to go to AltaVista or other search engines instead.. other websites worked fine though.

So, I started to poke around various folders, looking for anything suspicious. While doing this I got lots of IE popups and other fake popups.. Trying to distract me I guess.
In the C: folder (or whatever) there was an odd looking folder with a gibberish title (just a string of random letters and numbers). So I clicked on it and immediately I got even MORE popups-- IE pages of a fake virus scan. Clearly the virus did NOT want me in that folder, or something. In the folder was one text file.. I opened it and it was like a log file. Stuff like "disable installed antivirus".. and so on. So I deleted that folder, went back online (I use Firefox) and Google was running fine again.

Then I looked in the 'WINDOWS' folder.. lots of suspicious looking folders and things.

Went back and opened the 'WINDOWS2' folder--is there supposed to be a Windows2 folder? Anyway, this one was pretty much the same-- the System32 folder was especially worrying..I couldn't see what was in it since the files were hidden, but when hovering over it you can see that bad things are in it, like 'bootvid.dll' and others.

And I'm sure there's plenty of others scattered throughout my computer.. I'm just worried my computer (or brain) will explode at any moment if I try to look.. =/
I'm guessing these viruses and stuff will have to be removed manually, yes? Since there's so many of them, and since they've prevented all programs from removing them (they just reappear, as I said).

Here's my HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:51:31, on 6/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\csrss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\System32\wdfmgr.exe
C:\WINDOWS2\system32\drivers\spools.exe
C:\WINDOWS2\explorer.exe
C:\WINDOWS2\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [C:\WINDOWS2\System32\kdctn.exe] C:\WINDOWS2\system32\kdctn.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS2\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS2\System32\jfiehayd.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe

--
End of file - 3627 bytes



If you've read this, thank you... I'll be watching this thread like a hawk all day, so I'll be waiting and ready to do whatever I may need to do..
#2 Gravity Gripp (Trusted Helper, Malware Removal, 1,813 posts)
Hello Doriane, Welcome to Geeks-To-Go.


My name is Gravity Gripp and I will be assisting you with your issues. I will be reviewing your log and will post a reply soon. Please note that I am still in training and there may be a slight delay in my response as I am working with an expert.

You will hear from me soon. :)

#3 Doriane (Topic Starter, New Member, 8 posts)
Thank you thank you! I appreciate it. =)

#4 Gravity Gripp (Trusted Helper, Malware Removal, 1,813 posts)
Doriane,
I've looked over your log and I believe I can help you out. Just follow my steps one by one and we'll get this taken care of.

STEP ONE
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

STEP TWO
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Logs to post in your next reply:
  • SDFix log
  • Deckard's System Scanner


#5 Doriane (Topic Starter, New Member, 8 posts)
I'm afraid I'm having some problems..

I downloaded SDFix and completed the scan. It claimed to have removed some viruses.
But during the final scan (I had restarted about 3 times, and each time it did a final scan)... I kept getting a popup message saying "Registry editing has been disabled". It would pop up multiple times, until the scan finished. I'm wondering if this prevented Sdfix from finishing its job.

And every time I tried to post this report-- I couldn't. I couldn't use Google or any other search engines, or this website--even from a bookmark, or any other similar websites... (nothing would happen, it would just say "loading" forever) Yet I could go to other websites without a problem.
So because of this, I haven't been able to download the DSS (until now).

I cannot post the SDFix report, because the Start bar/task bar thing at the bottom of the screen keeps disappearing... So I can't minimize to go get the logfile (if I did I'd have to restart Firefox, and I'm worried I may not be able to get back to this website.)

Do you know what may be causing this? Is there any way to get around it? I don't know why this is happening..

So for now I'm going to just install DSS, reboot, and try to post it here tomorrow.. Hopefully I can get back on the website. If not I'll have to use someone else's computer..I'm sorry this is taking so long.

#6 Gravity Gripp (Trusted Helper, Malware Removal, 1,813 posts)
Doriane,
Sorry to hear that you're having so many issues here, but we can get through this :)


STEP ONE

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

STEP TWO

Now, rerun SDFix. You shouldn't have the problems you did before. Once it has completed, please post the Deckard's System Scanner log.
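
The O7 entry the helper has Doriane fix is one of a handful of HijackThis line types that a log reader checks almost mechanically. As an added example written for this edit (not a tool from the thread or from the HijackThis/SDFix/DSS projects), here is a small Python triage script for HijackThis-style lines that flags that DisableRegedit policy together with the other patterns visible in this thread's logs: Run entries launching an .exe from the drivers folder or from a profile root, a rundll32 autorun, an O22 SharedTaskScheduler DLL, an O17 NameServer override, and the hijacked .exe file association that Deckard's scanner reports. The heuristics, the section names and the sample entries (copied from the logs posted in this thread) are this example's own assumptions.

```python
"""Triage of HijackThis-style log entries (added example; not a tool from this thread).

Flags the entry types a malware-removal helper acts on first. The heuristics
are this example's own; the sample entries are copied from the thread's logs.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (section, reason, original line)

# Constructed sample: entries copied from the HijackThis / DSS logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS2\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
O4 - HKLM\..\Run: [296b1e43] rundll32.exe "C:\WINDOWS2\System32\vmrrkdek.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.101
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS2\System32\jfiehayd.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
.exe - exefile - shell\open\command - C:\WINDOWS2\system32\drivers\spools.exe "%1" %*
"""

# "O4 - HKLM\..\Run: [name] command" and similar HijackThis section lines
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^.*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# DSS prints the .exe association as: .exe - exefile - shell\open\command - <command>
EXE_ASSOC_RE = re.compile(r"^\.exe - exefile - shell\\open\\command - (?P<cmd>.*)$", re.IGNORECASE)
# An .exe directly in the drivers folder (which should only hold .sys files)
DRIVERS_EXE_RE = re.compile(r"\\drivers\\[^\\]+\.exe\b")
# An .exe sitting directly in a profile root: ...\Documents and Settings\<user>\x.exe
PROFILE_ROOT_EXE_RE = re.compile(r"documents and settings\\[^\\]+\\[^\\]+\.exe\b")


def check_run(rest: str) -> List[str]:
    """Heuristics for O4 (Run key) entries; returns reasons, empty if nothing odd."""
    m = RUN_RE.match(rest)
    if not m:
        return []
    low = m.group("cmd").lower()
    reasons: List[str] = []
    if DRIVERS_EXE_RE.search(low):
        reasons.append("program launched from the drivers folder, which should only hold .sys files")
    if PROFILE_ROOT_EXE_RE.search(low):
        reasons.append("program stored directly in a user profile root")
    if low.startswith("rundll32"):
        reasons.append("rundll32 loads a DLL at logon; identify that DLL before trusting it")
    return reasons


def check_entry(sec: str, rest: str) -> List[str]:
    """Reasons to look closer at one HijackThis entry, by section code."""
    if sec == "O4":
        return check_run(rest)
    if sec == "O7" and "DisableRegedit=1" in rest:
        return ["policy disables Registry Editor: source of 'Registry editing has been "
                "disabled' popups and a block on repair tools that edit the registry"]
    if sec == "O17":
        return ["DNS servers overridden in TCP/IP parameters; confirm they belong to the ISP"]
    if sec == "O22":
        return ["SharedTaskScheduler DLL loaded by Explorer at every logon; rarely legitimate"]
    if sec == "O23" and DRIVERS_EXE_RE.search(rest.lower()):
        return ["service binary lives in the drivers folder"]
    return []


def triage(log: str) -> List[Finding]:
    """Walk a log and return (section, reason, line) for every entry worth a look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXE_ASSOC_RE.match(line)
        if m:
            # A clean association is just "%1" %*; anything in front of it runs on every program launch
            if not m.group("cmd").strip().startswith('"%1"'):
                findings.append(("EXE-ASSOC", "every .exe launch is routed through another program", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        for reason in check_entry(m.group("sec"), m.group("rest")):
            findings.append((m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

The .exe association check explains the "Windows cannot find..." symptom reported later in the thread: once the association points at another program, every double-click runs that program first.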

#7 Doriane (Topic Starter, New Member, 8 posts)
I did actually try that.. (including fixing the regedit thing in HJT) Many times, when I was able to still run programs. And I would run SDFix afterwards and after restarting it would do its "final check" once again.. And the same problems would persist, unfortunately. (I'll post my original DSS log below)

Now (as of yesterday I think---after doing the SDFix/DSS, but before running any new programs) I can't open any programs.
I can't go into any folders in the control panel, can't run msconfig, and I can't even open things by going in to their folders and clicking on them there.. I just get "Windows cannot find..." etc. I can open Firefox/IE but that's about it. Still can't use Google, Gmail, Yahoo or go to the Geeks to Go forums-- but I was able to get to this thread by clicking on a link that I had posted at another forum (non computer related) I go to.

Last night I managed to download Avast and Spyware Terminator. I ran both. After installing Avast and rebooting, it scanned and deleted some stuff before restarting. And today it scanned the C drive for hours and apparently removed/moved a LOT (like 30+) of viruses/adware. Still... same problems. I can't even run those anymore, since I rebooted after that last scan and so they weren't already running.. couldn't open them.

Anyway, I'll post the original logs now.

SDFix:

SDFix: Version 1.194
Run by Brenda St.John on Tue 06/17/2008 at 15:01

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
narqwe

Path :
\??\C:\WINDOWS2\system32\narqwe.sys

narqwe - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS2\system32\khfFXopq.dll - Deleted
C:\WINDOWS2\system32\WINZQE32.dll - Deleted
C:\WINDOWS2\system32\jfiehayd.dll - Deleted
C:\WINDOWS2\system32\kdctn.exe - Deleted
C:\694886~1 - Deleted
C:\WINDOWS2\system32\drivers\spools.exe - Deleted
C:\WINDOWS2\system32\narqwe.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 15:36:05
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 11 Jun 2001 1,678 ..SHR --- "C:\MSDOS.BAK"
Mon 14 Oct 2002 246 ..SH. --- "C:\AUTOEXEC.BAK"
Tue 17 Jun 2008 1,656,323 A.SH. --- "C:\WINDOWS2\system32\kedkrrmv.tmp"
Tue 18 Mar 2008 401 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS2\DRM\DRMv13.bak"
Tue 18 Mar 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS2\DRM\DRMv1.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 17 Jun 2008 15,505 ...H. --- "C:\Documents and Settings\Brenda St.John\Local Settings\Temp\csrssc.exe"
Sat 22 May 2004 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!


Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS2\system32\drivers\spools.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 15:42:42
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 11 Jun 2001 1,678 ..SHR --- "C:\MSDOS.BAK"
Mon 14 Oct 2002 246 ..SH. --- "C:\AUTOEXEC.BAK"
Tue 17 Jun 2008 1,656,323 A.SH. --- "C:\WINDOWS2\system32\kedkrrmv.tmp"
Tue 18 Mar 2008 401 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS2\DRM\DRMv13.bak"
Tue 18 Mar 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS2\DRM\DRMv1.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 17 Jun 2008 15,505 ...H. --- "C:\Documents and Settings\Brenda St.John\Local Settings\Temp\csrssc.exe"
Sat 22 May 2004 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!


Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS2\system32\drivers\spools.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 19:38:23
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 11 Jun 2001 1,678 ..SHR --- "C:\MSDOS.BAK"
Mon 14 Oct 2002 246 ..SH. --- "C:\AUTOEXEC.BAK"
Tue 17 Jun 2008 1,656,323 A.SH. --- "C:\WINDOWS2\system32\kedkrrmv.tmp"
Tue 18 Mar 2008 401 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS2\DRM\DRMv13.bak"
Tue 18 Mar 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS2\DRM\DRMv1.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 22 May 2004 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!



And the DSS log:

Deckard's System Scanner v20071014.68
Run by Brenda St.John on 2008-06-18 02:37:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-06-18 07:38:00 UTC - RP296 - Deckard's System Scanner Restore Point
4: 2008-06-17 21:46:31 UTC - RP295 - System Checkpoint
3: 2008-06-15 19:26:51 UTC - RP294 - Avira AntiVir Personal - 6/15/2008 14:26
2: 2008-06-15 05:01:10 UTC - RP293 - Avira AntiVir Personal - 6/15/2008 00:00
1: 2008-06-14 20:17:54 UTC - RP292 - SpyHunter


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 192 MiB (512 MiB recommended).
System Drive C: has 0.68 GiB (less than 15%) free.


-- HijackThis (run as Brenda St.John.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:39:37, on 6/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\csrss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\System32\rundll32.exe
C:\WINDOWS2\system32\drivers\spools.exe
C:\WINDOWS2\System32\Rundll32.exe
C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\System32\alg.exe
C:\WINDOWS2\System32\wdfmgr.exe
C:\Documents and Settings\Brenda St.John\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Brenda St.John.exe
C:\WINDOWS2\System32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {09547C1F-0FA9-47C2-9172-ABCF8D2E076E} - C:\WINDOWS2\System32\ljJBrQkL.dll
O4 - HKLM\..\Run: [C:\WINDOWS2\System32\kdctn.exe] C:\WINDOWS2\system32\kdctn.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [296b1e43] rundll32.exe "C:\WINDOWS2\System32\vmrrkdek.dll",b
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
O4 - HKLM\..\Run: [BM2a582ddf] Rundll32.exe "C:\WINDOWS2\System32\xqpbxhxg.dll",s
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe

--
End of file - 4160 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080614-230012-978 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080614-230012-895 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe

backup-20080614-230012-675 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080614-230012-885 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe (User 'Default user')
backup-20080614-230012-707 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080614-230012-974 O17 - HKLM\System\CCS\Services\Tcpip\..\{EFEB2643-8F5F-49E3-AE74-9CA8C3CC04C0}: NameServer = 85.255.116.40,85.255.112.101
backup-20080614-230012-173 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.101
backup-20080614-230012-373 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.101
backup-20080614-230012-367 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.101
backup-20080614-230012-121 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080614-230359-766 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080614-230417-502 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080614-232603-127 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
backup-20080614-232603-309 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080614-232603-484 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
backup-20080614-232603-299 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080614-232603-121 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe (User 'SYSTEM')
backup-20080614-232603-654 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe (User 'Default user')
backup-20080614-232603-853 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080615-142914-929 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080615-142914-439 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080615-142914-422 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe (User 'Default user')
backup-20080615-142914-817 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080615-142914-632 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080615-180825-543 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20080615-180825-273 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20080615-180825-256 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe (User 'Default user')
backup-20080615-180825-651 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080615-180825-465 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS2\System32\jfiehayd.dll
backup-20080615-180827-299 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-044703-192 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-044703-968 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
backup-20080616-044703-748 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-044703-143 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
backup-20080616-044703-958 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe (User 'Default user')
backup-20080616-044703-780 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe (User 'Default user')
backup-20080616-044703-437 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS2\System32\jfiehayd.dll
backup-20080616-044704-680 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-044730-781 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080616-044730-518 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-044746-862 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-051205-775 O4 - HKLM\..\Run: [C:\WINDOWS2\System32\kdctn.exe] C:\WINDOWS2\system32\kdctn.exe
backup-20080616-051205-555 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-051205-950 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
backup-20080616-051205-915 O4 - HKLM\..\Run: [BM2a582ddf] Rundll32.exe "C:\WINDOWS2\System32\jcntjqfj.dll",s
backup-20080616-051205-182 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-051205-381 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Brenda St.John\cftmon.exe
backup-20080616-051205-797 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS2\system32\drivers\spools.exe (User 'Default user')
backup-20080616-051205-925 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe (User 'Default user')
backup-20080616-051205-448 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080616-051205-878 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-051221-103 O4 - HKLM\..\Run: [C:\WINDOWS2\System32\kdctn.exe] C:\WINDOWS2\system32\kdctn.exe
backup-20080616-051221-379 O4 - HKLM\..\Run: [BM2a582ddf] Rundll32.exe "C:\WINDOWS2\System32\jcntjqfj.dll",s
backup-20080616-051233-711 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS2\System32\jfiehayd.dll
backup-20080616-051234-770 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS2\system32\drivers\spools.exe
backup-20080616-051251-579 O4 - HKLM\..\Run: [C:\WINDOWS2\System32\kdctn.exe] C:\WINDOWS2\system32\kdctn.exe
backup-20080616-051251-658 O4 - HKLM\..\Run: [BM2a582ddf] Rundll32.exe "C:\WINDOWS2\System32\jcntjqfj.dll",s

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS2\system32\drivers\spools.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\brenda~1.joh\locals~1\temp\catchme.sys (file missing)
S3 sabprocenum - c:\program files\mozilla firefox\sabprocenum.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 antivirscheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" (file missing)
S2 antivirservice (Avira AntiVir Personal – Free Antivirus Guard) - "c:\program files\avira\antivir personaledition classic\avguard.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&2658D0A0&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&2658D0A0&0
Service: i8042prt


-- Files created between 2008-05-18 and 2008-06-18 -----------------------------

2008-06-18 00:12:18 7680 --a------ C:\WINDOWS2\System32\drivers\spools.exe
2008-06-17 14:50:15 0 d-------- C:\WINDOWS2\ERUNT
2008-06-17 06:26:49 1656564 ---hs---- C:\WINDOWS2\System32\kedkrrmv.ini2
2008-06-17 06:25:12 0 d--hs---- C:\FOUND.031
2008-06-17 03:32:16 86528 --a------ C:\WINDOWS2\System32\vmrrkdek.dll
2008-06-17 03:29:30 101376 --a------ C:\WINDOWS2\System32\elwumyhf.dll
2008-06-17 03:29:17 95232 --a------ C:\WINDOWS2\System32\xqpbxhxg.dll
2008-06-16 07:47:31 0 --a------ C:\WINDOWS2\nsreg.dat
2008-06-16 05:25:21 0 dr-h----- C:\Documents and Settings\Brenda St.John\Recent
2008-06-16 05:15:41 47319 --a------ C:\WINDOWS2\xml2u32d.dll <Not Verified; Microsoft Corporation; XML parser library>
2008-06-16 05:15:25 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\sp1
2008-06-16 05:14:08 36352 --a------ C:\WINDOWS2\System32\ssqPiihh.dll
2008-06-16 05:13:53 13824 --a------ C:\WINDOWS2\System32\topdfan.dll <Not Verified; ; Module>
2008-06-16 04:45:09 25600 --a------ C:\WINDOWS2\System32\WS2Fix.exe
2008-06-16 04:45:09 86528 --a------ C:\WINDOWS2\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-16 04:45:09 82944 --a------ C:\WINDOWS2\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-16 04:45:09 82944 --a------ C:\WINDOWS2\System32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-16 04:45:08 289144 --a------ C:\WINDOWS2\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-16 04:45:08 51200 --a------ C:\WINDOWS2\System32\dumphive.exe
2008-06-16 04:45:07 288417 --a------ C:\WINDOWS2\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-16 04:45:06 53248 --a------ C:\WINDOWS2\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-16 03:33:43 101888 --a------ C:\WINDOWS2\System32\cbndujhj.dll
2008-06-16 03:30:44 87040 --a------ C:\WINDOWS2\System32\dgwbfnjd.dll
2008-06-16 03:27:44 94720 --a------ C:\WINDOWS2\System32\jcntjqfj.dll
2008-06-15 03:35:04 86016 --a------ C:\WINDOWS2\System32\sftvkehr.dll
2008-06-15 03:32:20 101376 --a------ C:\WINDOWS2\System32\njldhqss.dll
2008-06-15 03:27:11 94720 --a------ C:\WINDOWS2\System32\newrdgld.dll
2008-06-15 00:04:24 0 d-------- C:\Program Files\Avira
2008-06-15 00:04:24 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Avira
2008-06-14 22:43:45 0 d-------- C:\Program Files\Trend Micro
2008-06-14 22:41:37 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Malwarebytes
2008-06-14 22:39:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Malwarebytes
2008-06-14 22:39:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 20:18:38 0 d-------- C:\Program Files\Startup Optimizer
2008-06-14 20:15:19 0 d-------- C:\WINDOWS2\System32\SuperAdBlocker.com
2008-06-14 20:09:11 0 d-------- C:\WINDOWS2\pss
2008-06-14 15:07:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 14:44:42 0 d--hs---- C:\FOUND.030
2008-06-14 14:22:00 1174 --a------ C:\WINDOWS2\System32\tmp.reg
2008-06-14 13:26:13 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\TmpRecentIcons
2008-06-14 13:26:01 7680 --a------ C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe
2008-06-14 13:20:54 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Digital Album Organizer
2008-06-14 13:15:15 689938 --ahs---- C:\WINDOWS2\System32\LkQrBJjl.ini2
2008-06-14 13:15:10 285696 --a------ C:\WINDOWS2\System32\ljJBrQkL.dll
2008-06-14 13:12:54 29824 --a------ C:\WINDOWS2\System32\cbXNEXNH.dll
2008-06-14 13:12:42 180224 --a------ C:\WINDOWS2\xkefqtgs.dll
2008-06-14 13:12:42 155648 --a------ C:\WINDOWS2\rtsplgob.dll
2008-06-14 13:12:42 81920 --a------ C:\WINDOWS2\pebgkxwq.exe
2008-06-14 13:12:42 245760 --a------ C:\WINDOWS2\kvsdpfeadgl.dll
2008-06-14 13:12:42 94208 --a------ C:\WINDOWS2\elfv.exe
2008-06-14 13:10:51 705 --a------ C:\d1.exe
2008-06-14 13:10:46 93696 --a------ C:\d.exe
2008-06-14 13:10:35 221184 --a------ C:\WINDOWS2\System32\nvrsma.dll
2008-06-14 13:10:33 93696 --a------ C:\WINDOWS2\System32\ntpl.bin
2008-06-14 13:10:31 93696 --a------ C:\flciijjq.exe
2008-06-14 13:10:28 7680 --a------ C:\Documents and Settings\Brenda St.John\cftmon.exe
2008-06-14 13:10:26 69120 --a------ C:\mxuxc.exe
2008-06-14 13:10:25 7680 --a------ C:\kbvxxo.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-14 20:15:22 1352 --a------ C:\WINDOWS2\mozver.dat
2008-06-14 13:10:38 560128 --a------ C:\WINDOWS2\System32\user32.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-07 10:07:18 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Motive
2008-04-27 19:25:58 0 d-------- C:\Program Files\Enigma Software Group


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09547C1F-0FA9-47C2-9172-ABCF8D2E076E}]
06/14/2008 13:15 285696 --a------ C:\WINDOWS2\System32\ljJBrQkL.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS2\System32\kdctn.exe"="C:\WINDOWS2\system32\kdctn.exe" []
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [01/23/2008 15:47]
"296b1e43"="C:\WINDOWS2\System32\vmrrkdek.dll" [06/17/2008 03:32]
"SDFix"="C:\SDFix\RunThis.bat /second" []
"ntuser"="C:\WINDOWS2\system32\drivers\spools.exe" [06/14/2008 13:10]
"autoload"="C:\Documents and Settings\Brenda St.John\cftmon.exe" [06/14/2008 13:10]
"BM2a582ddf"="C:\WINDOWS2\System32\xqpbxhxg.dll" [06/17/2008 03:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\WINDOWS2\system32\drivers\spools.exe" [06/14/2008 13:10]
"autoload"="C:\Documents and Settings\Brenda St.John\cftmon.exe" [06/14/2008 13:10]
"Jnskdfmf9eldfd"="C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS2\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService.NT AUTHORITY.000\cftmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdctn.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS2\System32\ljJBrQkL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\296b1e43]
rundll32.exe "C:\WINDOWS2\System32\sftvkehr.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Brenda St.John\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bm2a582ddf]
Rundll32.exe "C:\WINDOWS2\System32\jcntjqfj.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32\kdctn.exe]
C:\WINDOWS2\system32\kdctn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS2\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run]
regsvr32.exe /s "C:\Documents and Settings\Brenda St.John\Application Data\sp1\qtfinal.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"C:\WINDOWS2\System32\kdctn.exe"=C:\WINDOWS2\system32\kdctn.exe




-- End of Deckard's System Scanner: finished at 2008-06-18 02:41:32 ------------



#8
Gravity Gripp
    Trusted Helper
  • Malware Removal
  • 1,813 posts
Doriane,

STEP ONE
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

STEP TWO
Please re-run Deckard's System Scanner.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Logs to post in your next reply:
  • ComboFix log
  • Deckard's System Scanner log


#9
Doriane
    New Member
  • Topic Starter
  • Member
  • 8 posts
I cannot run any programs, like I said. I downloaded ComboFix and the same thing happened; I click on it, but then get the popup saying that Windows can't find it. I can't run any programs by opening them from their folders, or by clicking on Start > Run, either.

Is there any way to get around this, or does this basically mean I can't do anything about it? No programs I can download will help me at this time if I can't even run them. Even when I was still able to, they couldn't remove all of the viruses..

And for some reason I can still only get to this website (and google and gmail/yahoo) occasionally. Thank you for sticking around though.

#10
Gravity Gripp
    Trusted Helper
  • Malware Removal
  • 1,813 posts
Doriane,
I was hoping that ComboFix could get around that issue, but it looks like it couldn't. So what we need to do now is to make it so that you can run .exe files. What I'm going to have you do is download a registry script that should take care of this so that we can proceed to fix your problems.

STEP ONE

First, download this file: exefix.reg
  • Download the file to your Desktop.
  • You should now have a file on your desktop called exefix.reg.
  • Double click the file and when it asks if you want to import, say yes.

Once you have done this, try to open Combofix again.

Let me know the results.
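The reason nothing launches is visible in the File Associations section of the DSS log above: `.exe - exefile - shell\open\command - C:\WINDOWS2\system32\drivers\spools.exe "%1" %*` means every program the user double-clicks is passed to spools.exe instead of being run directly, and once that file is gone Windows reports that it "can't find" whatever was clicked. The registry script the helper links restores the stock handler. As an added example, not code from this thread, from Deckard's System Scanner or from ComboFix, the Python script below reads the log formats shown on this page and reports the settings that differ from a clean Windows XP default: the exefile handler, the DisableRegistryTools policy, the Winlogon "System" value, any LSA authentication package beyond msv1_0, and a non-empty AppInit_DLLs. The sample input is an excerpt assembled from lines in the logs above. The exefix.reg file itself is not shown in the thread, so the restore script the example prints uses the stock Windows XP exefile values and is an assumption about what that file contains.

```python
"""Flag persistence settings in a DSS/ComboFix-style log and print a restore script.

Added example for this thread; not part of Deckard's System Scanner, ComboFix,
or the helper's exefix.reg.
"""
import re

# Clean Windows XP defaults for the checks below.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Sample input: lines copied from the DSS and ComboFix logs in this thread,
# trimmed to the sections the checks read (constructed excerpt, not a full log).
SAMPLE_LOG = r'''
-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS2\system32\drivers\spools.exe "%1" %*

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdctn.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS2\System32\ljJBrQkL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jsawxdaj.dll
'''

EXEFILE_RE = re.compile(r"^\.exe - exefile - shell\\open\\command - (.+)$", re.MULTILINE)


def parse_registry_dump(text):
    """Map each bracketed key (lower-cased) to its {name: value} pairs."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            keys[current][name] = value.strip()
    return keys


def find_indicators(text):
    """Return (kind, detail) pairs for settings that differ from the XP defaults."""
    findings = []

    # 1. exefile handler: a clean system runs the target as "%1" %*; any program
    #    placed in front of that runs for every .exe the user launches.
    m = EXEFILE_RE.search(text)
    if m and m.group(1).strip() != DEFAULT_EXEFILE_COMMAND:
        findings.append(("exefile_hijack", m.group(1).strip()))

    keys = parse_registry_dump(text)

    # 2. Policy that blocks regedit for the current user.
    policies = keys.get(r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", {})
    if policies.get("DisableRegistryTools", "0").startswith("1"):
        findings.append(("registry_tools_disabled", "DisableRegistryTools=1"))

    # 3. Winlogon "System" value: empty on a clean XP install, run at logon if set.
    winlogon = keys.get(r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", {})
    system_val = winlogon.get("System", "").strip('"')
    if system_val:
        findings.append(("winlogon_system", system_val))

    # 4. LSA authentication packages beyond msv1_0 are loaded into lsass.exe at boot.
    lsa = keys.get(r"hkey_local_machine\system\currentcontrolset\control\lsa", {})
    extra = set(lsa.get("Authentication Packages", "").split()) - DEFAULT_AUTH_PACKAGES
    for pkg in sorted(extra):
        findings.append(("extra_auth_package", pkg))

    # 5. AppInit_DLLs is empty by default; anything listed loads into every
    #    process that links user32.dll.
    windows = keys.get(r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows", {})
    if windows.get("AppInit_DLLs", ""):
        findings.append(("appinit_dll", windows["AppInit_DLLs"]))

    return findings


def exefile_restore_reg():
    """Registry script text that restores the default .exe handler.

    Assumption: these are the stock Windows XP values; the helper's exefix.reg
    is not shown in the thread, so this is the assumed equivalent.
    """
    return "\n".join([
        "REGEDIT4",
        "",
        r"[HKEY_CLASSES_ROOT\.exe]",
        '@="exefile"',
        "",
        r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]",
        r'@="\"%1\" %*"',
        "",
    ])


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
    print(exefile_restore_reg())
```

Run against the excerpt it reports all five indicators; on a clean log the exefile line reads `"%1" %*` and the function returns nothing. The same parser can be pointed at a full DSS main.txt, since the bracketed Registry Dump sections and the File Associations line keep the same shape there.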


#11
Doriane
    New Member
  • Topic Starter
  • Member
  • 8 posts
Thank you, that fixed it.
Here are my logs...

ComboFix -

ComboFix 08-06-15.4 - Brenda St.John 2008-06-23 13:30:17.1 - FAT32x86
Running from: C:\Documents and Settings\Brenda St.John\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Brenda St.John\Application Data\sp1
C:\WINDOWS2\BM2a582ddf.xml
C:\WINDOWS2\cookies.ini
C:\WINDOWS2\Downloaded Program Files\setup.inf
C:\WINDOWS2\pskt.ini
C:\WINDOWS2\system32\aqsifhgv.ini
C:\WINDOWS2\system32\bmf.cs
C:\WINDOWS2\system32\cbndujhj.dll
C:\WINDOWS2\system32\ccs.so
C:\WINDOWS2\system32\dfpbconh.dll
C:\WINDOWS2\system32\dfydsskd.ini
C:\WINDOWS2\system32\djnfbwgd.ini
C:\WINDOWS2\system32\dojhbibb.ini
C:\WINDOWS2\system32\elwumyhf.dll
C:\WINDOWS2\system32\fysiahxs.dll
C:\WINDOWS2\system32\hnpftoho.dll
C:\WINDOWS2\system32\ho.ln
C:\WINDOWS2\system32\ibnhrajs.dll
C:\WINDOWS2\system32\jcntjqfj.dll
C:\WINDOWS2\system32\jyungyeb.dll
C:\WINDOWS2\system32\kcuhrinf.ini
C:\WINDOWS2\system32\kedkrrmv.ini
C:\WINDOWS2\system32\ko.o
C:\WINDOWS2\system32\ljJBrQkL.dll
C:\WINDOWS2\system32\LkQrBJjl.ini
C:\WINDOWS2\system32\LkQrBJjl.ini2
C:\WINDOWS2\system32\lwwcqkfp.ini
C:\WINDOWS2\system32\mcrh.tmp
C:\WINDOWS2\system32\mn.n
C:\WINDOWS2\system32\newrdgld.dll
C:\WINDOWS2\system32\njldhqss.dll
C:\WINDOWS2\system32\ntpl.bin
C:\WINDOWS2\system32\ntxjptej.ini
C:\WINDOWS2\system32\nvrsma.dll
C:\WINDOWS2\system32\rhekvtfs.ini
C:\WINDOWS2\system32\sftvkehr.dll
C:\WINDOWS2\system32\tulijeno.ini
C:\WINDOWS2\system32\vggpmjnl.dll
C:\WINDOWS2\system32\xqpbxhxg.dll
C:\WINDOWS2\system32\yjabofel.ini
C:\WINDOWS2\xkefqtgs.dll
C:\WINDOWS2\xml2u32d.dll

----- BITS: Possible infected sites -----

hxxp://updatecube.com
.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-23 12:58 . 2008-06-23 12:58 86,528 --a------ C:\WINDOWS2\system32\onejilut.dll
2008-06-23 09:56 . 2008-06-23 09:56 106,496 --a------ C:\WINDOWS2\system32\jsawxdaj.dll
2008-06-23 09:56 . 2008-06-23 09:56 95,232 --a------ C:\WINDOWS2\system32\xeialdhk.dll
2008-06-23 09:52 . 2008-06-23 09:52 <DIR> d--hs---- C:\FOUND.032
2008-06-22 04:30 . 2008-06-22 04:30 86,528 --a------ C:\WINDOWS2\system32\bbibhjod.dll
2008-06-22 04:27 . 2008-06-22 04:27 101,888 --a------ C:\WINDOWS2\system32\fyloahlo.dll
2008-06-22 04:24 . 2008-06-22 04:24 95,232 --a------ C:\WINDOWS2\system32\xgmchkin.dll
2008-06-21 04:29 . 2008-06-21 04:29 101,888 --a------ C:\WINDOWS2\system32\rgcxbaqi.dll
2008-06-21 04:26 . 2008-06-21 04:26 86,528 --a------ C:\WINDOWS2\system32\pfkqcwwl.dll
2008-06-21 04:23 . 2008-06-21 04:23 94,208 --a------ C:\WINDOWS2\system32\yjvhiadv.dll
2008-06-19 13:43 . 2008-06-19 13:43 <DIR> d-------- C:\Program Files\Crawler
2008-06-19 13:39 . 2008-06-19 13:39 141,312 --a------ C:\WINDOWS2\system32\drivers\sp_rsdrv2.sys
2008-06-19 13:38 . 2008-06-19 13:38 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-19 13:38 . 2008-06-19 13:38 <DIR> d-------- C:\Documents and Settings\Brenda St.John\Application Data\Spyware Terminator
2008-06-19 13:38 . 2008-06-19 13:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Spyware Terminator
2008-06-19 02:39 . 2008-06-19 02:39 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-19 02:39 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS2\system32\MFC71.dll
2008-06-18 02:37 . 2008-06-18 02:37 <DIR> d-------- C:\Deckard
2008-06-17 23:27 . 2008-06-17 23:27 754 --a------ C:\WINDOWS2\WORDPAD.INI
2008-06-17 14:50 . 2008-06-17 14:50 <DIR> d-------- C:\WINDOWS2\ERUNT
2008-06-17 14:39 . 2008-06-17 13:12 <DIR> d-------- C:\SDFix
2008-06-17 06:26 . 2008-06-17 08:15 1,656,323 --ahs---- C:\WINDOWS2\system32\kedkrrmv.tmp
2008-06-17 06:25 . 2008-06-17 06:25 <DIR> d--hs---- C:\FOUND.031
2008-06-16 07:47 . 2008-06-16 07:47 0 --a------ C:\WINDOWS2\nsreg.dat
2008-06-16 04:45 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS2\system32\VCCLSID.exe
2008-06-16 04:45 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS2\system32\SrchSTS.exe
2008-06-16 04:45 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS2\system32\VACFix.exe
2008-06-16 04:45 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS2\system32\IEDFix.exe
2008-06-16 04:45 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS2\system32\404Fix.exe
2008-06-16 04:45 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS2\system32\Process.exe
2008-06-16 04:45 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS2\system32\dumphive.exe
2008-06-16 04:45 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS2\system32\WS2Fix.exe
2008-06-15 00:04 . 2008-06-15 00:04 <DIR> d-------- C:\Program Files\Avira
2008-06-15 00:04 . 2008-06-15 00:04 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Avira
2008-06-14 22:43 . 2008-06-14 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 22:41 . 2008-06-14 22:41 <DIR> d-------- C:\Documents and Settings\Brenda St.John\Application Data\Malwarebytes
2008-06-14 22:39 . 2008-06-14 22:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 22:39 . 2008-06-14 22:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Malwarebytes
2008-06-14 22:39 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS2\system32\drivers\mbamcatchme.sys
2008-06-14 22:39 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS2\system32\drivers\mbam.sys
2008-06-14 20:18 . 2008-06-14 20:18 <DIR> d-------- C:\Program Files\Startup Optimizer
2008-06-14 20:15 . 2008-06-14 20:15 <DIR> d-------- C:\WINDOWS2\system32\SuperAdBlocker.com
2008-06-14 15:07 . 2008-06-14 15:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 14:44 . 2008-06-14 14:44 <DIR> d--hs---- C:\FOUND.030
2008-06-14 14:22 . 2008-06-17 19:01 1,174 --a------ C:\WINDOWS2\system32\tmp.reg
2008-06-14 13:20 . 2008-06-14 13:20 <DIR> d-------- C:\Documents and Settings\Brenda St.John\Application Data\Digital Album Organizer
2008-06-14 13:12 . 2008-06-14 12:23 81,920 --a------ C:\WINDOWS2\pebgkxwq.exe
2008-06-14 13:10 . 2008-06-14 13:10 93,696 --a------ C:\flciijjq.exe
2008-06-14 13:10 . 2008-06-14 13:10 93,696 --a------ C:\d.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 18:10 560,128 ----a-w C:\WINDOWS2\system32\user32.DLL
2008-06-14 18:10 560,128 ----a-w C:\WINDOWS2\system32\dllcache\user32.dll
2008-05-07 15:07 --------- d-----w C:\Documents and Settings\Brenda St.John\Application Data\Motive
2008-04-28 00:25 --------- d-----w C:\Program Files\Enigma Software Group
2004-12-31 22:54 114,048 ----a-w C:\Documents and Settings\Bob\Application Data\GDIPFONTCACHEV1.DAT
2001-06-12 06:55 271 --sh--w C:\Program Files\desktop.ini
2001-06-12 06:55 23,357 ---h--w C:\Program Files\folder.htt
.
C:\WINDOWS2\system32\user32.dll ... is infected !! (additional data below)
560,128 2008-06-14 18:10:38 C:\WINDOWS2\system32\user32.DLL
560,128 2008-06-14 18:10:38 C:\WINDOWS2\system32\dllcache\user32.dll


------- Sigcheck -------

2008-06-14 13:10 560128 c5a2fbc08ef310bd65406601fe977ad4 C:\WINDOWS2\system32\user32.DLL
2008-06-14 13:10 560128 c5a2fbc08ef310bd65406601fe977ad4 C:\WINDOWS2\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1391289e-8230-4d1b-8166-f845ae076164}]
2008-06-23 09:56 106496 --a------ C:\WINDOWS2\System32\jsawxdaj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]
"296b1e43"="C:\WINDOWS2\System32\onejilut.dll" [2008-06-23 12:58 86528]
"BM2a582ddf"="C:\WINDOWS2\System32\xeialdhk.dll" [2008-06-23 09:56 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jsawxdaj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\296b1e43]
C:\WINDOWS2\System32\sftvkehr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Brenda St.John\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bm2a582ddf]
C:\WINDOWS2\System32\jcntjqfj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32\kdctn.exe]
C:\WINDOWS2\system32\kdctn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS2\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run]
--a------ 2003-03-31 12:00 9728 C:\WINDOWS2\system32\regsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"C:\WINDOWS2\System32\kdctn.exe"=C:\WINDOWS2\system32\kdctn.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS2\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS2\System32\drivers\aswSP.sys [2008-05-15 18:20]
R1 avgntdd;avgntdd;C:\WINDOWS2\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS2\System32\drivers\crtaud.sys [2001-08-17 12:19]
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS2\System32\drivers\rpfun.sys [2001-08-17 12:19]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS2\System32\drivers\rthwcls.sys [2001-08-17 12:19]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 13:44:01
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS2\explorer.exe
-> C:\WINDOWS2\System32\onejilut.dll
-> C:\WINDOWS2\System32\xeialdhk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS2\System32\wdfmgr.exe
C:\WINDOWS2\System32\rundll32.exe
C:\WINDOWS2\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-06-23 13:52:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-23 18:51:54

Pre-Run: 511,983,616 bytes free
Post-Run: 984,317,952 bytes free

197



DSS main.txt (It didn't give me an extra.txt this time?) -

Deckard's System Scanner v20071014.68
Run by Brenda St.John on 2008-06-23 21:36:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 192 MiB (512 MiB recommended).
System Drive C: has 0.9 GiB (less than 15%) free.


-- HijackThis (run as Brenda St.John.exe) --------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-23 21:37:01
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS2\system32\smss.exe
C:\WINDOWS2\system32\csrss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\system32\alg.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS2\system32\wdfmgr.exe
C:\WINDOWS2\system32\rundll32.exe
C:\WINDOWS2\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS2\explorer.exe
C:\Documents and Settings\Brenda St.John\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Brenda St.John.exe
C:\WINDOWS2\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crawler.com/?tbid=60327
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: {461670ea-548f-6618-b1d4-0328e9821931} - {1391289e-8230-4d1b-8166-f845ae076164} - C:\WINDOWS2\system32\jsawxdaj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\system32\msdxm.ocx
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [296b1e43] rundll32.exe "C:\WINDOWS2\System32\onejilut.dll",b
O4 - HKLM\..\Run: [BM2a582ddf] Rundll32.exe "C:\WINDOWS2\System32\xeialdhk.dll",s
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\Web\related.htm
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Program Files\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: jsawxdaj.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


--
End of file - 5781 bytes

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 13:38:50 53248 --a------ C:\WINDOWS2\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-06-23 13:27:53 68096 --a------ C:\WINDOWS2\zip.exe
2008-06-23 13:27:53 49152 --a------ C:\WINDOWS2\VFind.exe
2008-06-23 13:27:53 212480 --a------ C:\WINDOWS2\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 13:27:53 136704 --a------ C:\WINDOWS2\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 13:27:53 161792 --a------ C:\WINDOWS2\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 13:27:53 98816 --a------ C:\WINDOWS2\sed.exe
2008-06-23 13:27:53 80412 --a------ C:\WINDOWS2\grep.exe
2008-06-23 13:27:53 89504 --a------ C:\WINDOWS2\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 12:58:12 86528 --a------ C:\WINDOWS2\System32\onejilut.dll
2008-06-23 09:56:47 106496 --a------ C:\WINDOWS2\System32\jsawxdaj.dll
2008-06-23 09:56:19 95232 --a------ C:\WINDOWS2\System32\xeialdhk.dll
2008-06-23 09:52:46 0 d--hs---- C:\FOUND.032
2008-06-22 04:30:25 86528 --a------ C:\WINDOWS2\System32\bbibhjod.dll
2008-06-22 04:27:25 101888 --a------ C:\WINDOWS2\System32\fyloahlo.dll
2008-06-22 04:24:25 95232 --a------ C:\WINDOWS2\System32\xgmchkin.dll
2008-06-21 04:29:16 101888 --a------ C:\WINDOWS2\System32\rgcxbaqi.dll
2008-06-21 04:26:16 86528 --a------ C:\WINDOWS2\System32\pfkqcwwl.dll
2008-06-21 04:23:17 94208 --a------ C:\WINDOWS2\System32\yjvhiadv.dll
2008-06-19 13:43:12 0 d-------- C:\Program Files\Crawler
2008-06-19 13:39:04 141312 --a------ C:\WINDOWS2\System32\drivers\sp_rsdrv2.sys
2008-06-19 13:38:56 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Spyware Terminator
2008-06-19 13:38:55 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Spyware Terminator
2008-06-19 13:38:15 0 d-------- C:\Program Files\Spyware Terminator
2008-06-19 02:39:44 0 d-------- C:\Program Files\Alwil Software
2008-06-17 14:50:15 0 d-------- C:\WINDOWS2\ERUNT
2008-06-17 06:25:12 0 d--hs---- C:\FOUND.031
2008-06-16 07:47:31 0 --a------ C:\WINDOWS2\nsreg.dat
2008-06-16 05:25:21 0 dr-h----- C:\Documents and Settings\Brenda St.John\Recent
2008-06-16 04:45:09 25600 --a------ C:\WINDOWS2\System32\WS2Fix.exe
2008-06-16 04:45:09 86528 --a------ C:\WINDOWS2\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-16 04:45:09 82944 --a------ C:\WINDOWS2\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-16 04:45:09 82944 --a------ C:\WINDOWS2\System32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-16 04:45:08 289144 --a------ C:\WINDOWS2\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-16 04:45:08 51200 --a------ C:\WINDOWS2\System32\dumphive.exe
2008-06-16 04:45:07 288417 --a------ C:\WINDOWS2\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-16 04:45:06 53248 --a------ C:\WINDOWS2\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-15 00:04:24 0 d-------- C:\Program Files\Avira
2008-06-15 00:04:24 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Avira
2008-06-14 22:43:45 0 d-------- C:\Program Files\Trend Micro
2008-06-14 22:41:37 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Malwarebytes
2008-06-14 22:39:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Malwarebytes
2008-06-14 22:39:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 20:18:38 0 d-------- C:\Program Files\Startup Optimizer
2008-06-14 20:15:19 0 d-------- C:\WINDOWS2\System32\SuperAdBlocker.com
2008-06-14 20:09:11 0 d-------- C:\WINDOWS2\pss
2008-06-14 15:07:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 14:44:42 0 d--hs---- C:\FOUND.030
2008-06-14 14:22:00 1174 --a------ C:\WINDOWS2\System32\tmp.reg
2008-06-14 13:20:54 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Digital Album Organizer
2008-06-14 13:12:42 81920 --a------ C:\WINDOWS2\pebgkxwq.exe
2008-06-14 13:10:46 93696 --a------ C:\d.exe
2008-06-14 13:10:31 93696 --a------ C:\flciijjq.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-14 20:15:22 1352 --a------ C:\WINDOWS2\mozver.dat
2008-06-14 13:10:38 560128 --a------ C:\WINDOWS2\System32\user32.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-07 10:07:18 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Motive
2008-04-27 19:25:58 0 d-------- C:\Program Files\Enigma Software Group


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1391289e-8230-4d1b-8166-f845ae076164}]
06/23/2008 09:56 106496 --a------ C:\WINDOWS2\System32\jsawxdaj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [01/23/2008 15:47]
"296b1e43"="C:\WINDOWS2\System32\onejilut.dll" [06/23/2008 12:58]
"BM2a582ddf"="C:\WINDOWS2\System32\xeialdhk.dll" [06/23/2008 09:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=jsawxdaj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\296b1e43]
rundll32.exe "C:\WINDOWS2\System32\sftvkehr.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Brenda St.John\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bm2a582ddf]
Rundll32.exe "C:\WINDOWS2\System32\jcntjqfj.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32\kdctn.exe]
C:\WINDOWS2\system32\kdctn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS2\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run]
regsvr32.exe /s "C:\Documents and Settings\Brenda St.John\Application Data\sp1\qtfinal.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"C:\WINDOWS2\System32\kdctn.exe"=C:\WINDOWS2\system32\kdctn.exe

-- End of Deckard's System Scanner: finished at 2008-06-23 21:39:11 ------------


  • 0

#12
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
Doriane,
Good to hear that worked for you. Now let's get in there and take care of the rest of the bad stuff.

STEP ONE
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crawler.com/?tbid=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: {461670ea-548f-6618-b1d4-0328e9821931} - {1391289e-8230-4d1b-8166-f845ae076164} - C:\WINDOWS2\system32\jsawxdaj.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [296b1e43] rundll32.exe "C:\WINDOWS2\System32\onejilut.dll",b
O4 - HKLM\..\Run: [BM2a582ddf] Rundll32.exe "C:\WINDOWS2\System32\xeialdhk.dll",s
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\Web\related.htm
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Program Files\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: jsawxdaj.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Now, please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS2\system32\onejilut.dll
    C:\WINDOWS2\system32\jsawxdaj.dll
    C:\WINDOWS2\system32\xeialdhk.dll
    C:\WINDOWS2\system32\bbibhjod.dll
    C:\WINDOWS2\system32\fyloahlo.dll
    C:\WINDOWS2\system32\xgmchkin.dll
    C:\WINDOWS2\system32\rgcxbaqi.dll
    C:\WINDOWS2\system32\pfkqcwwl.dll
    C:\WINDOWS2\system32\yjvhiadv.dll
    C:\WINDOWS2\system32\kedkrrmv.tmp
    C:\WINDOWS2\system32\tmp.reg
    C:\WINDOWS2\pebgkxwq.exe
    C:\flciijjq.exe
    C:\d.exe
    C:\Documents and Settings\Brenda St.John\cftmon.exe
    C:\WINDOWS2\System32\sftvkehr.dll
    C:\WINDOWS2\System32\jcntjqfj.dll
    C:\WINDOWS2\system32\kdctn.exe
    C:\WINDOWS2\system32\drivers\spools.exe
    C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe
    C:\WINDOWS2\Web\related.htm
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP TWO
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

STEP THREE

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u6-windows-i586-p.exe and select "Run as an Administrator.")

  • 0
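The entries the helper asks to have fixed in STEP ONE share a few tell-tale traits: Run keys that start rundll32 on an eight-letter random DLL in System32, a BHO whose "name" is itself just a GUID, an AppInit_DLLs value (which gets loaded into every process that links user32.dll), and start/search pages pointed at a third-party site. The following Python script is an added example, not code from the thread or from HijackThis; it encodes those traits as review heuristics and runs them over sample lines constructed from the log quoted above. The allowlist of search hosts and the eight-letter naming pattern are assumptions for this example, and a hit means "review", not "malicious", since a few legitimate DLLs happen to fit the pattern.

```python
"""Flag HijackThis-style log lines that match the persistence patterns seen
in this thread. Added example; heuristics and sample data are constructed."""
import re
from urllib.parse import urlparse

# Eight lowercase letters followed by .dll, the naming pattern of the DLLs
# in the thread (jsawxdaj, onejilut, xeialdhk). Heuristic only (assumed).
RANDOM_DLL = re.compile(r"\\[a-z]{8}\.dll\b", re.I)
# A BHO "name" that is nothing but a GUID: no vendor bothered to name it.
GUID_ONLY = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Assumed allowlist of hosts a default IE start/search page may point to.
KNOWN_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com", "google.com")
# "R0 - ..." / "O4 - ..." prefix used by HijackThis lines.
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Constructed sample: entries the helper flagged mixed with benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crawler.com/?tbid=60327
O2 - BHO: {461670ea-548f-6618-b1d4-0328e9821931} - {1391289e-8230-4d1b-8166-f845ae076164} - C:\WINDOWS2\system32\jsawxdaj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [296b1e43] rundll32.exe "C:\WINDOWS2\System32\onejilut.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O20 - AppInit_DLLs: jsawxdaj.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def _host_is_known(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_SEARCH_HOSTS)


def flag_entries(log_text):
    """Return [(reason, line), ...] for lines worth reviewing in HijackThis."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        reason = None
        if kind in ("R0", "R1") and " = " in rest:
            url = rest.split(" = ", 1)[1]
            if not _host_is_known(url):
                reason = "start/search page redirected to " + (urlparse(url).hostname or "?")
        elif kind == "O2" and rest.startswith("BHO: "):
            name = rest[len("BHO: "):].split(" - ")[0]
            if GUID_ONLY.match(name):
                reason = "BHO with GUID-only name"
        elif kind == "O4" and "rundll32" in rest.lower() and RANDOM_DLL.search(rest):
            reason = "rundll32 loading random-named DLL"
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            if rest.split(":", 1)[1].strip():
                reason = "AppInit_DLLs value loads into every process that links user32.dll"
        if reason:
            flagged.append((reason, line))
    return flagged


if __name__ == "__main__":
    for reason, line in flag_entries(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample, four of the seven lines come back (the crawler.com start page, the GUID-named BHO, the rundll32 Run entry and the AppInit_DLLs value); the Java BHO, the Java updater Run entry and the avast! service do not. The same traits are what make the R0/R1, O2, O4 and O20 lines in the helper's list stand out from the rest of the log.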

#13
Doriane

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OK, I finished everything finally. The Kaspersky scan took an entire 8 hours to complete.

OTMoveIt2 log:

File/Folder C:\WINDOWS2\system32\onejilut.dll not found.
File/Folder C:\WINDOWS2\system32\jsawxdaj.dll not found.
File/Folder C:\WINDOWS2\system32\xeialdhk.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS2\system32\bbibhjod.dll
C:\WINDOWS2\system32\bbibhjod.dll NOT unregistered.
C:\WINDOWS2\system32\bbibhjod.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS2\system32\fyloahlo.dll
C:\WINDOWS2\system32\fyloahlo.dll NOT unregistered.
C:\WINDOWS2\system32\fyloahlo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS2\system32\xgmchkin.dll
C:\WINDOWS2\system32\xgmchkin.dll NOT unregistered.
C:\WINDOWS2\system32\xgmchkin.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS2\system32\rgcxbaqi.dll
C:\WINDOWS2\system32\rgcxbaqi.dll NOT unregistered.
C:\WINDOWS2\system32\rgcxbaqi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS2\system32\pfkqcwwl.dll
C:\WINDOWS2\system32\pfkqcwwl.dll NOT unregistered.
C:\WINDOWS2\system32\pfkqcwwl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS2\system32\yjvhiadv.dll
C:\WINDOWS2\system32\yjvhiadv.dll NOT unregistered.
C:\WINDOWS2\system32\yjvhiadv.dll moved successfully.
C:\WINDOWS2\system32\kedkrrmv.tmp moved successfully.
C:\WINDOWS2\system32\tmp.reg moved successfully.
File/Folder C:\WINDOWS2\pebgkxwq.exe not found.
File/Folder C:\flciijjq.exe not found.
File/Folder C:\d.exe not found.
File/Folder C:\Documents and Settings\Brenda St.John\cftmon.exe not found.
File/Folder C:\WINDOWS2\System32\sftvkehr.dll not found.
File/Folder C:\WINDOWS2\System32\jcntjqfj.dll not found.
File/Folder C:\WINDOWS2\system32\kdctn.exe not found.
File/Folder C:\WINDOWS2\system32\drivers\spools.exe not found.
File/Folder C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe not found.
C:\WINDOWS2\Web\related.htm moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06252008_191505



Kaspersky:

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 28, 2008 05:43:09
Records in database: 893938
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 128731
Threat name: 18
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 05:58:57

File name / Threat name / Threats count
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp Infected: not-a-virus:AdWare.Win32.EZula.be 1
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp Infected: not-a-virus:AdWare.Win32.EZula.ae 1
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp Infected: not-a-virus:AdWare.Win32.EZula.be 1
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp Infected: not-a-virus:AdWare.Win32.EZula.aw 1
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp Infected: not-a-virus:AdWare.Win32.EZula.ak 1
C:\Program Files\Mozilla Firefox\readme.bat Infected: Trojan-Downloader.Win32.Small.xpe 1
C:\Program Files\Weather Studio\bin\WeatherStudio.dll Infected: not-a-virus:AdWare.Win32.Comet.ay 1
C:\SDFix\backups\backups.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.ytj 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Obfuscated.cix 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\nvrsma.dll.vir Infected: Trojan.Win32.Agent.qrb 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\ntpl.bin.vir Infected: Trojan-Dropper.Win32.Agent.sbe 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\dfpbconh.dll.vir Infected: Trojan.Win32.Pakes.dfj 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\fysiahxs.dll.vir Infected: Trojan.Win32.Pakes.dfj 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\hnpftoho.dll.vir Infected: Trojan.Win32.Pakes.dfi 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\ibnhrajs.dll.vir Infected: Trojan.Win32.Pakes.dfi 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\jyungyeb.dll.vir Infected: Trojan.Win32.Pakes.dfi 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\ljJBrQkL.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yti 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\vggpmjnl.dll.vir Infected: Trojan.Win32.Pakes.dfj 1
C:\QooBox\Quarantine\C\WINDOWS2\xkefqtgs.dll.vir Infected: Trojan.Win32.Vapsup.gru 1
C:\QooBox\Quarantine\C\WINDOWS2\xml2u32d.dll.vir Infected: Trojan.Win32.BHO.cxn 1
C:\Documents and Settings\Brenda St.John\My Documents\My Music\Blur - Think Tank.wma Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Brenda St.John\Desktop\IRELAND2\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\FOUND.013\FILE0003.CHK Infected: not-a-virus:AdWare.Win32.EZula.ak 1
C:\FOUND.013\FILE0008.CHK Infected: not-a-virus:AdWare.Win32.EZula.x 1

The selected area was scanned.


  • 0

#14
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
Doriane,
The good news is that it looks like we are getting close to the end here, but we still have a few more steps to go through.

STEP ONE
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp
    C:\Program Files\Mozilla Firefox\readme.bat
    C:\Program Files\Weather Studio\
    C:\Documents and Settings\Brenda St.John\My Documents\My Music\Blur - Think Tank.wma
    C:\FOUND.013\FILE0003.CHK
    C:\FOUND.013\FILE0008.CHK
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP TWO
  • Now, please re-run Deckard's System Scanner by double-clicking on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0
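The OTMoveIt2 list in STEP ONE is built from the Kaspersky report in the previous post, but not every reported hit made it onto the list: the QooBox and SDFix\backups entries are quarantine copies made by earlier removal tools, and SmitfraudFix.exe is a removal utility flagged as a RiskTool. The Python script below is an added example, not code from the thread, Kaspersky or OldTimer; it parses the "File name / Threat name / Threats count" section of that report format and sorts each hit into tool-quarantine, flagged-utility or still-live buckets. The quarantine prefixes are assumed for this example and the sample report is constructed from lines in the thread.

```python
"""Triage a Kaspersky Online Scanner 7 report: separate hits that earlier
removal tools already quarantined from files that still need action.
Added example; prefixes and sample report are constructed."""
import re

# Folders where earlier tools park what they removed (assumed list). Hits
# there are already inert and get cleaned up with the tool, not by hand.
TOOL_QUARANTINE_PREFIXES = (
    "C:\\QooBox\\Quarantine\\",
    "C:\\SDFix\\backups\\",
)

# One report row: "<path> Infected: <threat> <count>"; paths may contain spaces.
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Constructed sample: header, a subset of the rows from the thread, footer.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER 7 REPORT
Scan statistics:
Files scanned: 128731
Infected objects: 24

File name / Threat name / Threats count
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp Infected: not-a-virus:AdWare.Win32.EZula.be 1
C:\Program Files\Mozilla Firefox\readme.bat Infected: Trojan-Downloader.Win32.Small.xpe 1
C:\Program Files\Weather Studio\bin\WeatherStudio.dll Infected: not-a-virus:AdWare.Win32.Comet.ay 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Obfuscated.cix 1
C:\QooBox\Quarantine\C\WINDOWS2\system32\nvrsma.dll.vir Infected: Trojan.Win32.Agent.qrb 1
C:\Documents and Settings\Brenda St.John\My Documents\My Music\Blur - Think Tank.wma Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Brenda St.John\Desktop\IRELAND2\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\FOUND.013\FILE0003.CHK Infected: not-a-virus:AdWare.Win32.EZula.ak 1

The selected area was scanned.
"""


def parse_report(report_text):
    """Return [(path, threat), ...] for every row in the results table."""
    hits = []
    in_table = False
    for line in report_text.splitlines():
        if line.startswith("File name / Threat name"):
            in_table = True          # everything before the header is statistics
            continue
        if not in_table or not line.strip():
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("threat")))
    return hits


def _in_tool_quarantine(path):
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in TOOL_QUARANTINE_PREFIXES)


def triage(report_text):
    """Bucket hits: tool_quarantine (leave to the tool), risktool (a flagged
    cleanup utility, decide case by case), live (needs removal)."""
    buckets = {"tool_quarantine": [], "risktool": [], "live": []}
    for path, threat in parse_report(report_text):
        if _in_tool_quarantine(path):
            buckets["tool_quarantine"].append(path)
        elif "RiskTool" in threat:
            buckets["risktool"].append(path)
        else:
            buckets["live"].append(path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(f"== {bucket} ({len(paths)})")
        for p in paths:
            print("   ", p)
```

On the sample, the five "live" paths are exactly the kind of entries that went into the OTMoveIt2 list (Yahoo's own YPSR quarantine is treated as live here because no cleanup tool will empty it), the two QooBox/SDFix copies are left for those tools' own uninstall, and SmitfraudFix.exe is set aside for a human decision.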

#15
Doriane

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OTMoveIt2:

C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp moved successfully.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp moved successfully.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp moved successfully.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp moved successfully.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp moved successfully.
C:\Program Files\Mozilla Firefox\readme.bat moved successfully.
C:\Program Files\Weather Studio\icons moved successfully.
C:\Program Files\Weather Studio\bin moved successfully.
C:\Program Files\Weather Studio moved successfully.
C:\Documents and Settings\Brenda St.John\My Documents\My Music\Blur - Think Tank.wma moved successfully.
C:\FOUND.013\FILE0003.CHK moved successfully.
C:\FOUND.013\FILE0008.CHK moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07012008_151116



DSS main.txt:

Deckard's System Scanner v20071014.68
Run by Brenda St.John on 2008-07-01 15:13:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 90% (more than 75%).
Total Physical Memory: 192 MiB (512 MiB recommended).
System Drive C: has 1.02 GiB (less than 15%) free.


-- HijackThis (run as Brenda St.John.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:14:21, on 7/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS2\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brenda St.John\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BRENDA~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: {461670ea-548f-6618-b1d4-0328e9821931} - {1391289e-8230-4d1b-8166-f845ae076164} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4540 bytes

-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-06-28 15:16:34 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-28 15:16:25 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\SystemRequirementsLab
2008-06-26 18:57:49 0 dr-h----- C:\Documents and Settings\Brenda St.John\Recent
2008-06-25 23:47:35 1636 --a------ C:\WINDOWS2\System32\d3d9caps.dat
2008-06-25 23:07:20 1227776 --a------ C:\WINDOWS2\System32\quartz.dll
2008-06-25 23:07:16 1689600 --a------ C:\WINDOWS2\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-25 23:07:15 1769472 --a------ C:\WINDOWS2\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-25 23:06:56 80896 --a------ C:\WINDOWS2\System32\dxdllreg.exe <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
2008-06-25 23:04:44 0 d--h----- C:\WINDOWS2\msdownld.tmp
2008-06-25 23:04:04 0 d-------- C:\WINDOWS2\Logs
2008-06-25 22:21:48 0 d-------- C:\Program Files\Sony
2008-06-25 15:11:26 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Windows Genuine Advantage
2008-06-25 04:03:45 0 d-------- C:\Program Files\VS Revo Group
2008-06-25 03:48:09 0 d--h----- C:\Documents and Settings\All Users.WINDOWS2\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-06-25 03:29:41 0 d-------- C:\Program Files\SequoiaView
2008-06-25 01:21:14 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Leadertech
2008-06-24 05:14:02 0 d--hs---- C:\FOUND.033
2008-06-24 04:24:14 0 d-------- C:\WINDOWS2\System32\bits
2008-06-24 04:23:18 0 d-------- C:\WINDOWS2\System32\PreInstall
2008-06-24 04:23:04 0 d--h----- C:\WINDOWS2\$hf_mig$
2008-06-23 21:58:01 0 d-------- C:\WINDOWS2\System32\SoftwareDistribution
2008-06-23 21:55:59 0 d-------- C:\WINDOWS2\SoftwareDistribution
2008-06-23 21:53:46 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Spybot - Search & Destroy
2008-06-23 13:38:50 53248 --a------ C:\WINDOWS2\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-06-23 13:27:53 68096 --a------ C:\WINDOWS2\zip.exe
2008-06-23 13:27:53 49152 --a------ C:\WINDOWS2\VFind.exe
2008-06-23 13:27:53 212480 --a------ C:\WINDOWS2\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 13:27:53 136704 --a------ C:\WINDOWS2\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 13:27:53 161792 --a------ C:\WINDOWS2\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 13:27:53 98816 --a------ C:\WINDOWS2\sed.exe
2008-06-23 13:27:53 80412 --a------ C:\WINDOWS2\grep.exe
2008-06-23 13:27:53 89504 --a------ C:\WINDOWS2\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 09:52:46 0 d--hs---- C:\FOUND.032
2008-06-19 13:39:04 141312 --a------ C:\WINDOWS2\System32\drivers\sp_rsdrv2.sys
2008-06-19 13:38:56 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Spyware Terminator
2008-06-19 13:38:55 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Spyware Terminator
2008-06-19 13:38:15 0 d-------- C:\Program Files\Spyware Terminator
2008-06-19 02:39:44 0 d-------- C:\Program Files\Alwil Software
2008-06-17 14:50:15 0 d-------- C:\WINDOWS2\ERUNT
2008-06-17 06:25:12 0 d--hs---- C:\FOUND.031
2008-06-16 07:47:31 0 --a------ C:\WINDOWS2\nsreg.dat
2008-06-16 04:45:09 25600 --a------ C:\WINDOWS2\System32\WS2Fix.exe
2008-06-16 04:45:09 86528 --a------ C:\WINDOWS2\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-16 04:45:09 82944 --a------ C:\WINDOWS2\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-16 04:45:09 82944 --a------ C:\WINDOWS2\System32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-16 04:45:08 289144 --a------ C:\WINDOWS2\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-16 04:45:08 51200 --a------ C:\WINDOWS2\System32\dumphive.exe
2008-06-16 04:45:07 288417 --a------ C:\WINDOWS2\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-16 04:45:06 53248 --a------ C:\WINDOWS2\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-15 00:04:24 0 d-------- C:\Program Files\Avira
2008-06-15 00:04:24 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Avira
2008-06-14 22:43:45 0 d-------- C:\Program Files\Trend Micro
2008-06-14 22:41:37 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Malwarebytes
2008-06-14 22:39:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Malwarebytes
2008-06-14 22:39:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 20:18:38 0 d-------- C:\Program Files\Startup Optimizer
2008-06-14 20:15:19 0 d-------- C:\WINDOWS2\System32\SuperAdBlocker.com
2008-06-14 20:09:11 0 d-------- C:\WINDOWS2\pss
2008-06-14 15:07:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 14:44:42 0 d--hs---- C:\FOUND.030
2008-06-14 13:20:54 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Digital Album Organizer


-- Find3M Report ---------------------------------------------------------------

2008-06-28 15:20:30 1524 --a------ C:\WINDOWS2\System32\d3d8caps.dat
2008-06-14 20:15:22 1352 --a------ C:\WINDOWS2\mozver.dat
2008-05-07 10:07:18 0 d-------- C:\Documents and Settings\Brenda St.John\Application Data\Motive


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1391289e-8230-4d1b-8166-f845ae076164}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\296b1e43]
rundll32.exe "C:\WINDOWS2\System32\sftvkehr.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Brenda St.John\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bm2a582ddf]
Rundll32.exe "C:\WINDOWS2\System32\jcntjqfj.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows2\system32\kdctn.exe]
C:\WINDOWS2\system32\kdctn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\BRENDA~1.JOH\LOCALS~1\Temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS2\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run]
regsvr32.exe /s "C:\Documents and Settings\Brenda St.John\Application Data\sp1\qtfinal.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"C:\WINDOWS2\System32\kdctn.exe"=C:\WINDOWS2\system32\kdctn.exe

-- End of Deckard's System Scanner: finished at 2008-07-01 15:16:31 ------------


I still didn't get an extra.txt though.
  • 0