
Unknown virus but I have random websites popping up. [CLOSED]


This topic is locked.

#1 basstwo (Member, 12 posts)
I have blocked IE with a reg fix to stop it from filling my screen with windows. I am using Firefox. But I still get new tabs/windows sometimes. Normally they suggest that they are trying to fix my problem. I am not falling for it.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:42 AM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{25-56-6A-A5-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\naiqclou.dll",b
O4 - HKLM\..\Run: [BMaba16596] Rundll32.exe "C:\WINDOWS\system32\bccjvmcu.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6446 bytes

#2 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)
Hey basstwo,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays between my responses; I ask for your patience. Please stick with me until we get your computer cleaned up, or it will be a wasted effort on both sides. :)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

#3 basstwo (Topic Starter, Member, 12 posts)
Thanks! Don't worry, I am very patient. This is not my main computer, just a gaming rig I built for fun. So I won't rush you.

#4 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)
Hey basstwo,

From your log(s), you do not seem to have active resident anti-virus protection running. This is extremely dangerous, as your computer is vulnerable to all kinds of infections. Before we go on to clean up your computer, please go to the links provided below, and download and install ONE of the anti-virus programs.

Avira Antivir (recommended)
Avast! Home Edition
AVG 8 Free

Your log is showing signs of infection; we'll need to run a few tools to remove them.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Update Java

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
2) Run VundoFix

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

3) Fix entries with HijackThis

Please rename HijackThis.exe to Flipper.exe first.

Then re-open HijackThis and Do a System Scan Only. Check the boxes next to all the entries listed below.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

4) Run Deckard's System Scanner

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Next reply (please include):

Fresh HijackThis log
VundoFix.txt
DSS scan log

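The triage that leads from basstwo's log to the fix list above, written out as a small heuristic scanner. This is an added example for readers of this thread, not a tool from the thread, from Geeks to Go or from Trend Micro; it assumes a HijackThis 2.0.2 text log as input, and its constructed sample is a handful of lines copied from the two HijackThis logs posted in this thread. The rules are heuristics, not signatures. The AutoConfigURL at localhost:9100, for example, most likely belongs to the Google Web Accelerator that the same log shows installed, so that rule only asks for confirmation rather than calling the entry malicious.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the two HijackThis logs posted in this
# thread (the first log and the one embedded in the DSS output), mixed so the
# rules below see benign and suspicious entries side by side.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: (no name) - {4E00DC0B-4B10-4359-B9AE-E82CF31136FC} - C:\WINDOWS\system32\pmnkJdca.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\naiqclou.dll",b
O4 - HKLM\..\Run: [BMaba16596] Rundll32.exe "C:\WINDOWS\system32\bccjvmcu.dll",s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: qoMdEWno - qoMdEWno.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# rundll32 <dll>,<export>: the export name is the tell; the entries in this
# thread use a single letter where legitimate software uses a real name.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
# 6-8 letters, no digits or separators: the naming pattern of the DLLs in this thread.
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}$", re.I)
# Run value names of 8+ letters/digits that contain a digit, e.g. a892560a.
RANDOM_RUN_NAME_RE = re.compile(r"^(?=.*\d)[0-9a-z]{8,}$", re.I)


def triage_hjt(log_text):
    """Return (reason, line) pairs for HijackThis entries worth a second look.

    Heuristics, not signatures: every hit still needs a human judgement (or a
    lookup of the file itself) before it is ticked and 'fixed'.
    """
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue
        section, body = entry.group("section"), entry.group("body")
        if section == "R1" and "AutoConfigURL" in body:
            findings.append(("proxy auto-config set; confirm which installed software owns it", raw))
        elif section == "O4":
            dll = RUNDLL_RE.search(body)
            name = RUN_NAME_RE.search(body)
            if dll and len(dll.group("export")) <= 2 and RANDOM_DLL_RE.match(PureWindowsPath(dll.group("dll")).stem):
                findings.append(("rundll32 loading a random-named DLL through a one-letter export", raw))
            elif name and RANDOM_RUN_NAME_RE.match(name.group("name")):
                findings.append(("Run value with a random-looking name", raw))
        elif section in ("O2", "O20") and "(file missing)" in body:
            findings.append(("orphaned load point: registry still references a DLL that is gone", raw))
        elif section == "O6":
            findings.append(("IE restriction policy present; malware uses this to lock browser settings", raw))
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append(("ActiveX (DPF) entry with no name and no source URL", raw))
    return findings


if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{reason}]\n    {line}")
```

On the constructed sample this flags the two rundll32 Run values ([a892560a] and [BMaba16596]), the IE restriction policy, the blank O16 entry and the two orphaned BHO/Winlogon Notify entries, and leaves the NVIDIA and iTunes Run values alone. Note that the fix list above ticks only the O6 and O16 lines in HijackThis and leaves the rundll32 entries to VundoFix: fixing an O4 entry in HijackThis removes only the registry value, while the DLL it loads stays on disk.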

#5 basstwo (Topic Starter, Member, 12 posts)
VundoFix log


VundoFix V7.0.6

Scan started at 8:05:54 PM 7/18/2008

Listing files found while scanning....

C:\Windows\system32\acdJknmp.ini
C:\Windows\system32\acdJknmp.ini2
C:\Windows\system32\acsxdxxj.dll
C:\Windows\system32\afmybxch.dll
C:\Windows\system32\asoqdoel.dll
C:\Windows\system32\atwxrbau.dll
C:\Windows\system32\ayxreheu.dll
C:\Windows\system32\bbrvjmur.dll
C:\Windows\system32\bfjfrghp.dll
C:\Windows\system32\bqjoxvwt.dll
C:\Windows\system32\bylustug.dll
C:\Windows\system32\cbavimkt.dll
C:\Windows\system32\cjjlvmcd.dll
C:\Windows\system32\clspcf.dll
C:\Windows\system32\cmdrha.dll
C:\Windows\system32\ctpebmgt.dll
C:\Windows\system32\donojqbo.dll
C:\Windows\system32\eajeccww.dll
C:\Windows\system32\ebpkjyix.dll
C:\Windows\system32\ehicvoxk.dll
C:\Windows\system32\eifchpqi.dll
C:\Windows\system32\eqkjitho.dll
C:\Windows\system32\etaospxq.dll
C:\Windows\system32\evtucici.dll
C:\Windows\system32\fcgnhonv.dll
C:\Windows\system32\fiolntxw.dll
C:\Windows\system32\fjifrhbu.dll
C:\Windows\system32\fktbxfcm.dll
C:\Windows\system32\frwqvjly.dll
C:\Windows\system32\fvdagssc.dll
C:\Windows\system32\fxqtxbjd.dll
C:\Windows\system32\fyivkhil.dll
C:\Windows\system32\gcreukgg.dll
C:\Windows\system32\gntcldca.dll
C:\Windows\system32\gwwyqkbf.dll
C:\Windows\system32\hlgtjb.dll
C:\Windows\system32\hplrnnmt.dll
C:\Windows\system32\hrefuihk.dll
C:\Windows\system32\icwgtakr.dll
C:\Windows\system32\igindctj.dll
C:\Windows\system32\jooixjhi.dll
C:\Windows\system32\jowdvmqk.dll
C:\Windows\system32\jvoicadx.dll
C:\Windows\system32\jvypoqji.dll
C:\Windows\system32\kbbxtufv.dll
C:\Windows\system32\llicshjq.dll
C:\Windows\system32\llpgyvxc.dll
C:\Windows\system32\llsrir.dll
C:\Windows\system32\ltqfuimt.dll
C:\Windows\system32\lypfcsgh.dll
C:\Windows\system32\mlhsfvkc.dll
C:\Windows\system32\nbzjfh.dll
C:\Windows\system32\neomeccv.dll
C:\Windows\system32\nfkqeq.dll
C:\Windows\system32\nmgarfej.dll
C:\Windows\system32\nnqdqqml.dll
C:\Windows\system32\ntctfeei.dll
C:\Windows\system32\nylxpble.dll
C:\Windows\system32\ojlsvvnw.dll
C:\Windows\system32\owsqbk.dll
C:\Windows\system32\owtpojqm.dll
C:\Windows\system32\ozevew.dll
C:\Windows\system32\plqnmfoy.dll
C:\Windows\system32\pmnkJdca.dll
C:\Windows\system32\pqhwtrou.dll
C:\Windows\system32\pvimskik.dll
C:\Windows\system32\pvnqvhex.dll
C:\Windows\system32\qhceltxd.dll
C:\Windows\system32\qnuejmmd.dll
C:\Windows\system32\qvkwcmhu.dll
C:\Windows\system32\rluuptxj.dll
C:\Windows\system32\rnpqmtjv.dll
C:\Windows\system32\rrqolhlv.dll
C:\Windows\system32\sfnnihdh.dll
C:\Windows\system32\shfefnbh.dll
C:\Windows\system32\smjesaba.dll
C:\Windows\system32\stxkqxpr.dll
C:\Windows\system32\sudpnlkb.dll
C:\Windows\system32\sxtsmbeb.dll
C:\Windows\system32\tligto.dll
C:\Windows\system32\tmqmdvcf.dll
C:\Windows\system32\uekmgktk.dll
C:\Windows\system32\uruaciup.dll
C:\Windows\system32\uvytfphs.dll
C:\Windows\system32\uwacuirw.dll
C:\Windows\system32\uxfsduny.dll
C:\Windows\system32\uygibiel.dll
C:\Windows\system32\vccemoen.ini
C:\Windows\system32\vmojtttl.dll
C:\Windows\system32\vnmmakeb.dll
C:\Windows\system32\wcdyoddt.dll
C:\Windows\system32\wdnqmxiw.dll
C:\Windows\system32\whapjict.dll
C:\Windows\system32\wkcgcxih.dll
C:\Windows\system32\wuvogd.dll
C:\Windows\system32\xcbyyqhk.dll
C:\Windows\system32\xfcqjhfr.dll
C:\Windows\system32\xfdiiton.dll
C:\Windows\system32\xptnhpen.dll
C:\Windows\system32\xqgnqfip.dll
C:\Windows\system32\xrbcifwv.dll
C:\Windows\system32\xsyneykn.dll
C:\Windows\system32\xuahntpq.dll
C:\Windows\system32\xxolnbiu.dll
C:\Windows\system32\ylsxveui.dll
C:\Windows\system32\zhphoi.dll

Beginning removal...

Attempting to delete C:\Windows\system32\acdJknmp.ini
C:\Windows\system32\acdJknmp.ini Has been deleted!

Attempting to delete C:\Windows\system32\acdJknmp.ini2
C:\Windows\system32\acdJknmp.ini2 Has been deleted!

Attempting to delete C:\Windows\system32\acsxdxxj.dll
C:\Windows\system32\acsxdxxj.dll Has been deleted!

Attempting to delete C:\Windows\system32\afmybxch.dll
C:\Windows\system32\afmybxch.dll Has been deleted!

Attempting to delete C:\Windows\system32\asoqdoel.dll
C:\Windows\system32\asoqdoel.dll Has been deleted!

Attempting to delete C:\Windows\system32\atwxrbau.dll
C:\Windows\system32\atwxrbau.dll Has been deleted!

Attempting to delete C:\Windows\system32\ayxreheu.dll
C:\Windows\system32\ayxreheu.dll Has been deleted!

Attempting to delete C:\Windows\system32\bbrvjmur.dll
C:\Windows\system32\bbrvjmur.dll Has been deleted!

Attempting to delete C:\Windows\system32\bfjfrghp.dll
C:\Windows\system32\bfjfrghp.dll Has been deleted!

Attempting to delete C:\Windows\system32\bqjoxvwt.dll
C:\Windows\system32\bqjoxvwt.dll Has been deleted!

Attempting to delete C:\Windows\system32\bylustug.dll
C:\Windows\system32\bylustug.dll Has been deleted!

Attempting to delete C:\Windows\system32\cbavimkt.dll
C:\Windows\system32\cbavimkt.dll Has been deleted!

Attempting to delete C:\Windows\system32\cjjlvmcd.dll
C:\Windows\system32\cjjlvmcd.dll Has been deleted!

Attempting to delete C:\Windows\system32\clspcf.dll
C:\Windows\system32\clspcf.dll Has been deleted!

Attempting to delete C:\Windows\system32\cmdrha.dll
C:\Windows\system32\cmdrha.dll Has been deleted!

Attempting to delete C:\Windows\system32\ctpebmgt.dll
C:\Windows\system32\ctpebmgt.dll Has been deleted!

Attempting to delete C:\Windows\system32\donojqbo.dll
C:\Windows\system32\donojqbo.dll Has been deleted!

Attempting to delete C:\Windows\system32\eajeccww.dll
C:\Windows\system32\eajeccww.dll Has been deleted!

Attempting to delete C:\Windows\system32\ebpkjyix.dll
C:\Windows\system32\ebpkjyix.dll Has been deleted!

Attempting to delete C:\Windows\system32\ehicvoxk.dll
C:\Windows\system32\ehicvoxk.dll Has been deleted!

Attempting to delete C:\Windows\system32\eifchpqi.dll
C:\Windows\system32\eifchpqi.dll Has been deleted!

Attempting to delete C:\Windows\system32\eqkjitho.dll
C:\Windows\system32\eqkjitho.dll Has been deleted!

Attempting to delete C:\Windows\system32\etaospxq.dll
C:\Windows\system32\etaospxq.dll Has been deleted!

Attempting to delete C:\Windows\system32\evtucici.dll
C:\Windows\system32\evtucici.dll Has been deleted!

Attempting to delete C:\Windows\system32\fcgnhonv.dll
C:\Windows\system32\fcgnhonv.dll Has been deleted!

Attempting to delete C:\Windows\system32\fiolntxw.dll
C:\Windows\system32\fiolntxw.dll Has been deleted!

Attempting to delete C:\Windows\system32\fjifrhbu.dll
C:\Windows\system32\fjifrhbu.dll Has been deleted!

Attempting to delete C:\Windows\system32\fktbxfcm.dll
C:\Windows\system32\fktbxfcm.dll Has been deleted!

Attempting to delete C:\Windows\system32\frwqvjly.dll
C:\Windows\system32\frwqvjly.dll Has been deleted!

Attempting to delete C:\Windows\system32\fvdagssc.dll
C:\Windows\system32\fvdagssc.dll Has been deleted!

Attempting to delete C:\Windows\system32\fxqtxbjd.dll
C:\Windows\system32\fxqtxbjd.dll Has been deleted!

Attempting to delete C:\Windows\system32\fyivkhil.dll
C:\Windows\system32\fyivkhil.dll Has been deleted!

Attempting to delete C:\Windows\system32\gcreukgg.dll
C:\Windows\system32\gcreukgg.dll Has been deleted!

Attempting to delete C:\Windows\system32\gntcldca.dll
C:\Windows\system32\gntcldca.dll Has been deleted!

Attempting to delete C:\Windows\system32\gwwyqkbf.dll
C:\Windows\system32\gwwyqkbf.dll Has been deleted!

Attempting to delete C:\Windows\system32\hlgtjb.dll
C:\Windows\system32\hlgtjb.dll Has been deleted!

Attempting to delete C:\Windows\system32\hplrnnmt.dll
C:\Windows\system32\hplrnnmt.dll Has been deleted!

Attempting to delete C:\Windows\system32\hrefuihk.dll
C:\Windows\system32\hrefuihk.dll Has been deleted!

Attempting to delete C:\Windows\system32\icwgtakr.dll
C:\Windows\system32\icwgtakr.dll Has been deleted!

Attempting to delete C:\Windows\system32\igindctj.dll
C:\Windows\system32\igindctj.dll Has been deleted!

Attempting to delete C:\Windows\system32\jooixjhi.dll
C:\Windows\system32\jooixjhi.dll Has been deleted!

Attempting to delete C:\Windows\system32\jowdvmqk.dll
C:\Windows\system32\jowdvmqk.dll Has been deleted!

Attempting to delete C:\Windows\system32\jvoicadx.dll
C:\Windows\system32\jvoicadx.dll Could not be deleted.

Attempting to delete C:\Windows\system32\jvypoqji.dll
C:\Windows\system32\jvypoqji.dll Has been deleted!

Attempting to delete C:\Windows\system32\kbbxtufv.dll
C:\Windows\system32\kbbxtufv.dll Has been deleted!

Attempting to delete C:\Windows\system32\llicshjq.dll
C:\Windows\system32\llicshjq.dll Has been deleted!

Attempting to delete C:\Windows\system32\llpgyvxc.dll
C:\Windows\system32\llpgyvxc.dll Has been deleted!

Attempting to delete C:\Windows\system32\llsrir.dll
C:\Windows\system32\llsrir.dll Has been deleted!

Attempting to delete C:\Windows\system32\ltqfuimt.dll
C:\Windows\system32\ltqfuimt.dll Has been deleted!

Attempting to delete C:\Windows\system32\lypfcsgh.dll
C:\Windows\system32\lypfcsgh.dll Has been deleted!

Attempting to delete C:\Windows\system32\mlhsfvkc.dll
C:\Windows\system32\mlhsfvkc.dll Has been deleted!

Attempting to delete C:\Windows\system32\nbzjfh.dll
C:\Windows\system32\nbzjfh.dll Has been deleted!

Attempting to delete C:\Windows\system32\neomeccv.dll
C:\Windows\system32\neomeccv.dll Could not be deleted.

Attempting to delete C:\Windows\system32\nfkqeq.dll
C:\Windows\system32\nfkqeq.dll Has been deleted!

Attempting to delete C:\Windows\system32\nmgarfej.dll
C:\Windows\system32\nmgarfej.dll Has been deleted!

Attempting to delete C:\Windows\system32\nnqdqqml.dll
C:\Windows\system32\nnqdqqml.dll Has been deleted!

Attempting to delete C:\Windows\system32\ntctfeei.dll
C:\Windows\system32\ntctfeei.dll Has been deleted!

Attempting to delete C:\Windows\system32\nylxpble.dll
C:\Windows\system32\nylxpble.dll Has been deleted!

Attempting to delete C:\Windows\system32\ojlsvvnw.dll
C:\Windows\system32\ojlsvvnw.dll Has been deleted!

Attempting to delete C:\Windows\system32\owsqbk.dll
C:\Windows\system32\owsqbk.dll Has been deleted!

Attempting to delete C:\Windows\system32\owtpojqm.dll
C:\Windows\system32\owtpojqm.dll Has been deleted!

Attempting to delete C:\Windows\system32\ozevew.dll
C:\Windows\system32\ozevew.dll Has been deleted!

Attempting to delete C:\Windows\system32\plqnmfoy.dll
C:\Windows\system32\plqnmfoy.dll Has been deleted!

Attempting to delete C:\Windows\system32\pmnkJdca.dll
C:\Windows\system32\pmnkJdca.dll Has been deleted!

Attempting to delete C:\Windows\system32\pqhwtrou.dll
C:\Windows\system32\pqhwtrou.dll Has been deleted!

Attempting to delete C:\Windows\system32\pvimskik.dll
C:\Windows\system32\pvimskik.dll Has been deleted!

Attempting to delete C:\Windows\system32\pvnqvhex.dll
C:\Windows\system32\pvnqvhex.dll Has been deleted!

Attempting to delete C:\Windows\system32\qhceltxd.dll
C:\Windows\system32\qhceltxd.dll Has been deleted!

Attempting to delete C:\Windows\system32\qnuejmmd.dll
C:\Windows\system32\qnuejmmd.dll Has been deleted!

Attempting to delete C:\Windows\system32\qvkwcmhu.dll
C:\Windows\system32\qvkwcmhu.dll Has been deleted!

Attempting to delete C:\Windows\system32\rluuptxj.dll
C:\Windows\system32\rluuptxj.dll Has been deleted!

Attempting to delete C:\Windows\system32\rnpqmtjv.dll
C:\Windows\system32\rnpqmtjv.dll Has been deleted!

Attempting to delete C:\Windows\system32\rrqolhlv.dll
C:\Windows\system32\rrqolhlv.dll Has been deleted!

Attempting to delete C:\Windows\system32\sfnnihdh.dll
C:\Windows\system32\sfnnihdh.dll Has been deleted!

Attempting to delete C:\Windows\system32\shfefnbh.dll
C:\Windows\system32\shfefnbh.dll Has been deleted!

Attempting to delete C:\Windows\system32\smjesaba.dll
C:\Windows\system32\smjesaba.dll Has been deleted!

Attempting to delete C:\Windows\system32\stxkqxpr.dll
C:\Windows\system32\stxkqxpr.dll Has been deleted!

Attempting to delete C:\Windows\system32\sudpnlkb.dll
C:\Windows\system32\sudpnlkb.dll Has been deleted!

Attempting to delete C:\Windows\system32\sxtsmbeb.dll
C:\Windows\system32\sxtsmbeb.dll Has been deleted!

Attempting to delete C:\Windows\system32\tligto.dll
C:\Windows\system32\tligto.dll Has been deleted!

Attempting to delete C:\Windows\system32\tmqmdvcf.dll
C:\Windows\system32\tmqmdvcf.dll Has been deleted!

Attempting to delete C:\Windows\system32\uekmgktk.dll
C:\Windows\system32\uekmgktk.dll Has been deleted!

Attempting to delete C:\Windows\system32\uruaciup.dll
C:\Windows\system32\uruaciup.dll Has been deleted!

Attempting to delete C:\Windows\system32\uvytfphs.dll
C:\Windows\system32\uvytfphs.dll Has been deleted!

Attempting to delete C:\Windows\system32\uwacuirw.dll
C:\Windows\system32\uwacuirw.dll Has been deleted!

Attempting to delete C:\Windows\system32\uxfsduny.dll
C:\Windows\system32\uxfsduny.dll Has been deleted!

Attempting to delete C:\Windows\system32\uygibiel.dll
C:\Windows\system32\uygibiel.dll Has been deleted!

Attempting to delete C:\Windows\system32\vccemoen.ini
C:\Windows\system32\vccemoen.ini Has been deleted!

Attempting to delete C:\Windows\system32\vmojtttl.dll
C:\Windows\system32\vmojtttl.dll Has been deleted!

Attempting to delete C:\Windows\system32\vnmmakeb.dll
C:\Windows\system32\vnmmakeb.dll Has been deleted!

Attempting to delete C:\Windows\system32\wcdyoddt.dll
C:\Windows\system32\wcdyoddt.dll Has been deleted!

Attempting to delete C:\Windows\system32\wdnqmxiw.dll
C:\Windows\system32\wdnqmxiw.dll Has been deleted!

Attempting to delete C:\Windows\system32\whapjict.dll
C:\Windows\system32\whapjict.dll Has been deleted!

Attempting to delete C:\Windows\system32\wkcgcxih.dll
C:\Windows\system32\wkcgcxih.dll Has been deleted!

Attempting to delete C:\Windows\system32\wuvogd.dll
C:\Windows\system32\wuvogd.dll Has been deleted!

Attempting to delete C:\Windows\system32\xcbyyqhk.dll
C:\Windows\system32\xcbyyqhk.dll Could not be deleted.

Attempting to delete C:\Windows\system32\xfcqjhfr.dll
C:\Windows\system32\xfcqjhfr.dll Has been deleted!

Attempting to delete C:\Windows\system32\xfdiiton.dll
C:\Windows\system32\xfdiiton.dll Has been deleted!

Attempting to delete C:\Windows\system32\xptnhpen.dll
C:\Windows\system32\xptnhpen.dll Has been deleted!

Attempting to delete C:\Windows\system32\xqgnqfip.dll
C:\Windows\system32\xqgnqfip.dll Has been deleted!

Attempting to delete C:\Windows\system32\xrbcifwv.dll
C:\Windows\system32\xrbcifwv.dll Has been deleted!

Attempting to delete C:\Windows\system32\xsyneykn.dll
C:\Windows\system32\xsyneykn.dll Has been deleted!

Attempting to delete C:\Windows\system32\xuahntpq.dll
C:\Windows\system32\xuahntpq.dll Has been deleted!

Attempting to delete C:\Windows\system32\xxolnbiu.dll
C:\Windows\system32\xxolnbiu.dll Has been deleted!

Attempting to delete C:\Windows\system32\ylsxveui.dll
C:\Windows\system32\ylsxveui.dll Has been deleted!

Attempting to delete C:\Windows\system32\zhphoi.dll
C:\Windows\system32\zhphoi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.6

Scan started at 8:35:36 PM 7/18/2008

Listing files found while scanning....

No infected files were found.

#6 basstwo (Topic Starter, Member, 12 posts)
Here is main.txt; there was no extra.txt.

Deckard's System Scanner v20071014.68
Run by Erik on 2008-07-19 08:57:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Erik.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:08 AM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Erik\Desktop\dss(2).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Erik.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: (no name) - {4E00DC0B-4B10-4359-B9AE-E82CF31136FC} - C:\WINDOWS\system32\pmnkJdca.dll (file missing)
O2 - BHO: (no name) - {4F96CCB9-01EC-419E-AAEA-C2C913F2A236} - C:\WINDOWS\system32\qoMdEWno.dll (file missing)
O2 - BHO: {ff331ba8-1373-4e4a-3194-00dca43771a5} - {5a17734a-cd00-4913-a4e4-37318ab133ff} - C:\WINDOWS\system32\cmdrha.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{25-56-6A-A5-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BMaba16596] Rundll32.exe "C:\WINDOWS\system32\jvoicadx.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\xcbyyqhk.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O20 - Winlogon Notify: qoMdEWno - qoMdEWno.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7892 bytes

-- Files created between 2008-06-19 and 2008-07-19 -----------------------------

2008-07-18 20:05:54 0 d-------- C:\VundoFix Backups
2008-07-18 19:53:36 0 d-------- C:\Program Files\Avira
2008-07-18 19:53:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-07-15 19:45:39 113216 --a------ C:\WINDOWS\system32\hbfuye.dll
2008-07-15 19:45:37 113216 --a------ C:\WINDOWS\system32\lunmdqtv.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-19 08:53:26 4294 --a------ C:\Documents and Settings\Erik\Application Data\.googlewebacchosts
2008-07-18 19:46:42 0 d-------- C:\Program Files\Java
2008-07-10 09:38:30 50 --a----c- C:\WINDOWS\popcinfot.dat
2008-06-08 09:01:17 2624 --a------ C:\WINDOWS\system32\gvdvsqdd.exe
2008-06-07 09:04:17 2624 --a------ C:\WINDOWS\system32\rwyreciw.exe
2008-06-06 09:04:17 2624 --a------ C:\WINDOWS\system32\iixbyjpj.exe
2008-06-05 09:04:17 2624 --a------ C:\WINDOWS\system32\xirkarun.exe
2008-06-04 09:01:16 2624 --a------ C:\WINDOWS\system32\nbrinpty.exe
2008-06-03 09:04:17 2624 --a------ C:\WINDOWS\system32\pwndbbge.exe
2008-06-02 09:01:10 2624 --a------ C:\WINDOWS\system32\xroitmgw.exe
2008-06-01 09:02:13 2624 --a------ C:\WINDOWS\system32\ottjpekl.exe
2008-05-31 08:57:13 2624 --a------ C:\WINDOWS\system32\anmlbdvv.exe
2008-05-30 08:57:14 2624 --a------ C:\WINDOWS\system32\rwywddwl.exe
2008-05-19 21:31:33 0 d-------- C:\Program Files\Enigma Software Group
2008-05-19 21:26:16 2624 --a------ C:\WINDOWS\system32\qyhkmkyo.exe
2008-05-18 11:41:33 2112 --a------ C:\WINDOWS\system32\pkuuxvko.exe
2008-05-18 11:38:52 3648 --a------ C:\WINDOWS\system32\gsxlcxvh.dll
2008-05-17 11:44:33 2112 --a------ C:\WINDOWS\system32\dlvyxhkv.exe
2008-05-17 11:38:40 3648 --a------ C:\WINDOWS\system32\xmjvlprv.dll
2008-05-16 11:41:33 2112 --a------ C:\WINDOWS\system32\okyrknrp.exe
2008-05-16 11:38:31 3648 --a------ C:\WINDOWS\system32\veeylayn.dll
2008-05-15 11:44:33 2112 --a------ C:\WINDOWS\system32\ljyujnip.exe
2008-05-15 11:38:39 3648 --a------ C:\WINDOWS\system32\fmrcrmht.dll
2008-05-14 11:47:32 2112 --a------ C:\WINDOWS\system32\whyjuwad.exe
2008-05-14 11:38:42 3648 --a------ C:\WINDOWS\system32\gxfkifbw.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E00DC0B-4B10-4359-B9AE-E82CF31136FC}]
C:\WINDOWS\system32\pmnkJdca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}]
C:\WINDOWS\system32\qoMdEWno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5a17734a-cd00-4913-a4e4-37318ab133ff}]
C:\WINDOWS\system32\cmdrha.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
C:\Program Files\dbar\Deskbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 01:22 PM C:\WINDOWS\system32\nwiz.exe]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [11/11/2004 10:00 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 01:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"{25-56-6A-A5-DW}"="C:\WINDOWS\system32\cdTMP\cdrev132.exe" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/01/2008 09:15 PM]
"BMaba16596"="C:\WINDOWS\system32\jvoicadx.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"a892560a"="C:\WINDOWS\system32\xcbyyqhk.dll" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/27/2007 08:58 PM]
"Steam"="f:\program files\steam\steam.exe" [04/06/2008 08:25 PM]
"Toggler"="F:\Program Files\togglr10\toggler.exe" [01/20/2001 10:01 AM]
"WinUpdater"="C:\Program Files\winvi\update.exe" []
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" []
"mount.exe"="C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe" [04/11/2008 04:17 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=F:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Erik\Start Menu\Programs\Startup\
DW_Start.lnk - C:\WINDOWS\system32\taskmgr.exe [8/23/2001 5:00:00 AM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 10:24:38 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}"= C:\WINDOWS\system32\qoMdEWno.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdEWno]
qoMdEWno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnkJdca

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter]
C:\Documents and Settings\Erik\Application Data\Deskbar_{CA7D006D-67C7-4c04-BB9C-3027876AADF3}\starter.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04c17e8-76e8-11dc-b1d9-0020ed21c526}]
AutoRun\command- H:\system\viewer\Viewer.exe
View your videos\command- H:\system\viewer\Viewer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb83f91-8e44-11db-b1b5-0020ed21c526}]
AutoRun\command- G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - SSMDRV



-- End of Deckard's System Scanner: finished at 2008-07-19 08:57:40 ------------
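The Find3M section of the DSS log above shows one 2624-byte executable under system32 with a fresh random name every morning around 09:00, and paired 2112-byte .exe / 3648-byte .dll drops at about the same time each day in mid-May. That periodicity is the signature of a scheduled dropper rather than a one-off infection. As an added example (not part of the original thread and not Deckard's own code), the Python below parses lines in that report format, clusters files by directory, extension and exact size, and measures the spacing between creation times; the sample subset of lines is copied from the log, while the 20-28 hour tolerance window and the `analyze`/`cluster_report` names are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the Find3M lines from the DSS log above,
# in the same "date time size attrs path" format (directories have size 0).
SAMPLE_REPORT = r"""
2008-07-19 08:53:26 4294 --a------ C:\Documents and Settings\Erik\Application Data\.googlewebacchosts
2008-07-18 19:46:42 0 d-------- C:\Program Files\Java
2008-07-10 09:38:30 50 --a----c- C:\WINDOWS\popcinfot.dat
2008-06-08 09:01:17 2624 --a------ C:\WINDOWS\system32\gvdvsqdd.exe
2008-06-07 09:04:17 2624 --a------ C:\WINDOWS\system32\rwyreciw.exe
2008-06-06 09:04:17 2624 --a------ C:\WINDOWS\system32\iixbyjpj.exe
2008-06-05 09:04:17 2624 --a------ C:\WINDOWS\system32\xirkarun.exe
2008-06-04 09:01:16 2624 --a------ C:\WINDOWS\system32\nbrinpty.exe
2008-06-03 09:04:17 2624 --a------ C:\WINDOWS\system32\pwndbbge.exe
2008-06-02 09:01:10 2624 --a------ C:\WINDOWS\system32\xroitmgw.exe
2008-06-01 09:02:13 2624 --a------ C:\WINDOWS\system32\ottjpekl.exe
2008-05-31 08:57:13 2624 --a------ C:\WINDOWS\system32\anmlbdvv.exe
2008-05-30 08:57:14 2624 --a------ C:\WINDOWS\system32\rwywddwl.exe
2008-05-19 21:26:16 2624 --a------ C:\WINDOWS\system32\qyhkmkyo.exe
2008-05-18 11:41:33 2112 --a------ C:\WINDOWS\system32\pkuuxvko.exe
2008-05-18 11:38:52 3648 --a------ C:\WINDOWS\system32\gsxlcxvh.dll
2008-05-17 11:44:33 2112 --a------ C:\WINDOWS\system32\dlvyxhkv.exe
2008-05-17 11:38:40 3648 --a------ C:\WINDOWS\system32\xmjvlprv.dll
2008-05-16 11:41:33 2112 --a------ C:\WINDOWS\system32\okyrknrp.exe
2008-05-16 11:38:31 3648 --a------ C:\WINDOWS\system32\veeylayn.dll
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S{9})\s+(?P<path>.+?)\s*$"
)


def parse_report(text):
    """Turn Find3M-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"]),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries


def cluster_report(entries, min_members=3):
    """Group files by (directory, extension, exact size) and measure the gap
    between creation times. A dropper that writes a fresh copy of the same
    payload under a new random name each day shows up as one cluster of
    identically sized files whose median gap is about 24 hours."""
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        parent, _, name = e["path"].rpartition("\\")
        ext = name.rpartition(".")[2].lower()
        groups[(parent.lower(), ext, e["size"])].append(e)

    findings = []
    for (parent, ext, size), members in groups.items():
        if len(members) < min_members:
            continue
        members.sort(key=lambda e: e["ts"])
        gaps_h = [(b["ts"] - a["ts"]).total_seconds() / 3600
                  for a, b in zip(members, members[1:])]
        median_gap = statistics.median(gaps_h)
        findings.append({
            "parent": parent,
            "ext": ext,
            "size": size,
            "count": len(members),
            "median_gap_hours": round(median_gap, 2),
            # 20-28 h is an assumed tolerance window for a once-a-day task
            "cadence": "daily" if 20 <= median_gap <= 28 else "irregular",
            "names": [m["path"].rpartition("\\")[2] for m in members],
        })
    findings.sort(key=lambda f: -f["count"])
    return findings


def analyze(text, min_members=3):
    return cluster_report(parse_report(text), min_members)


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"{f['count']:2d} x {f['size']}-byte .{f['ext']} in {f['parent']}: "
              f"{f['cadence']} (median gap {f['median_gap_hours']} h), "
              f"e.g. {', '.join(f['names'][:3])}")
```

The median, not the mean, is used for the gap so that one outlier (the May 19 first drop, ten days before the daily run starts) does not hide the cadence; the same clustering also pairs the 2112-byte loader with its 3648-byte DLL, which were written within minutes of each other every day.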

#7 basstwo (Member, Topic Starter, 12 posts)
New Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:13 AM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Flipper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: (no name) - {4E00DC0B-4B10-4359-B9AE-E82CF31136FC} - C:\WINDOWS\system32\pmnkJdca.dll (file missing)
O2 - BHO: (no name) - {4F96CCB9-01EC-419E-AAEA-C2C913F2A236} - C:\WINDOWS\system32\qoMdEWno.dll (file missing)
O2 - BHO: {ff331ba8-1373-4e4a-3194-00dca43771a5} - {5a17734a-cd00-4913-a4e4-37318ab133ff} - C:\WINDOWS\system32\cmdrha.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{25-56-6A-A5-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BMaba16596] Rundll32.exe "C:\WINDOWS\system32\jvoicadx.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\xcbyyqhk.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O20 - Winlogon Notify: qoMdEWno - qoMdEWno.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7854 bytes

#8 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)
Hey basstwo,

Looks like VundoFix took out quite a lot of junk, but there are still many leftovers.

1) Uninstall programs

Please go to Add or Remove Programs in Control Panel and remove the following (if present):

dbar

Reboot your computer.

2) Fix entries with HijackThis

Please re-open HijackThis and Do a System Scan Only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {4E00DC0B-4B10-4359-B9AE-E82CF31136FC} - C:\WINDOWS\system32\pmnkJdca.dll (file missing)
O2 - BHO: (no name) - {4F96CCB9-01EC-419E-AAEA-C2C913F2A236} - C:\WINDOWS\system32\qoMdEWno.dll (file missing)
O2 - BHO: {ff331ba8-1373-4e4a-3194-00dca43771a5} - {5a17734a-cd00-4913-a4e4-37318ab133ff} - C:\WINDOWS\system32\cmdrha.dll (file missing)
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing)
O4 - HKLM\..\Run: [{25-56-6A-A5-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [BMaba16596] Rundll32.exe "C:\WINDOWS\system32\jvoicadx.dll",s
O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\xcbyyqhk.dll",b
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O20 - Winlogon Notify: qoMdEWno - qoMdEWno.dll (file missing)


Now close all windows other than HijackThis, then click Fix Checked.

3) Use OTMoveIt2 to remove infected entries

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\winvi
    C:\WINDOWS\system32\pmnkJdca
    C:\WINDOWS\system32\cdTMP
    C:\Documents and Settings\Erik\Start Menu\Programs\Startup\DW_Start.lnk
    C:\Windows\system32\jvoicadx.dll
    C:\Windows\system32\neomeccv.dll
    C:\Windows\system32\xcbyyqhk.dll
    C:\WINDOWS\system32\hbfuye.dll
    C:\WINDOWS\system32\lunmdqtv.dll
    C:\WINDOWS\popcinfot.dat
    C:\WINDOWS\system32\gvdvsqdd.exe
    C:\WINDOWS\system32\rwyreciw.exe
    C:\WINDOWS\system32\iixbyjpj.exe
    C:\WINDOWS\system32\xirkarun.exe
    C:\WINDOWS\system32\nbrinpty.exe
    C:\WINDOWS\system32\pwndbbge.exe
    C:\WINDOWS\system32\xroitmgw.exe
    C:\WINDOWS\system32\ottjpekl.exe
    C:\WINDOWS\system32\anmlbdvv.exe
    C:\WINDOWS\system32\rwywddwl.exe
    C:\WINDOWS\system32\qyhkmkyo.exe
    C:\WINDOWS\system32\pkuuxvko.exe
    C:\WINDOWS\system32\gsxlcxvh.dll
    C:\WINDOWS\system32\dlvyxhkv.exe
    C:\WINDOWS\system32\xmjvlprv.dll
    C:\WINDOWS\system32\okyrknrp.exe
    C:\WINDOWS\system32\veeylayn.dll
    C:\WINDOWS\system32\ljyujnip.exe
    C:\WINDOWS\system32\fmrcrmht.dll
    C:\WINDOWS\system32\whyjuwad.exe
    C:\WINDOWS\system32\gxfkifbw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04c17e8-76e8-11dc-b1d9-0020ed21c526}
    purity
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next reply (please include):

New DSS log
OTMoveIt2 log
A description of how your computer is doing

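The fix list in the post above rests on two signals that are both visible in the logs: HijackThis appends "(file missing)" to O2/O20 registrations whose DLL is gone, and Deckard's registry dump prints an empty "[]" instead of a timestamp for Run values whose target no longer exists on disk, which is how the two winvi "updaters" are caught even though HijackThis itself does not mark O4 lines as missing. As an added example (not part of the original thread, and not code from HijackThis or DSS), the Python below encodes those two signals plus a few shape heuristics on the Run entry (a brace-wrapped value name that is not a GUID, a bare hex name, rundll32 loading a system32 DLL by a one-letter export) and reproduces the ten lines the helper asked to tick. The sample lines are copied from the logs above; the heuristics and the `triage`/`fix_list` names are assumptions made for the example.

```python
import re

# Constructed sample: a subset of the HijackThis lines from post #7 above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {4E00DC0B-4B10-4359-B9AE-E82CF31136FC} - C:\WINDOWS\system32\pmnkJdca.dll (file missing)
O2 - BHO: (no name) - {4F96CCB9-01EC-419E-AAEA-C2C913F2A236} - C:\WINDOWS\system32\qoMdEWno.dll (file missing)
O2 - BHO: {ff331ba8-1373-4e4a-3194-00dca43771a5} - {5a17734a-cd00-4913-a4e4-37318ab133ff} - C:\WINDOWS\system32\cmdrha.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{25-56-6A-A5-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BMaba16596] Rundll32.exe "C:\WINDOWS\system32\jvoicadx.dll",s
O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\xcbyyqhk.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O20 - Winlogon Notify: qoMdEWno - qoMdEWno.dll (file missing)
"""

# Constructed sample: Run-key lines from the DSS registry dump above. DSS
# prints the target's timestamp in brackets; an empty "[]" means the file
# was not found on disk.
DSS_RUN_SAMPLE = r"""
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"{25-56-6A-A5-DW}"="C:\WINDOWS\system32\cdTMP\cdrev132.exe" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/01/2008 09:15 PM]
"BMaba16596"="C:\WINDOWS\system32\jvoicadx.dll" []
"a892560a"="C:\WINDOWS\system32\xcbyyqhk.dll" []
"Steam"="f:\program files\steam\steam.exe" [04/06/2008 08:25 PM]
"WinUpdater"="C:\Program Files\winvi\update.exe" []
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" []
"""

O4_RE = re.compile(r"^O4 - \S+?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DSS_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>[^\]]*)\]$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)


def missing_run_targets(dss_text):
    """Names of Run values whose target DSS could not stat (empty brackets)."""
    missing = set()
    for raw in dss_text.splitlines():
        m = DSS_RE.match(raw.strip())
        if m and not m["stamp"]:
            missing.add(m["name"])
    return missing


def triage(hjt_text, dss_text=""):
    """Return [(line, [reasons])] for every HijackThis line that trips a rule.
    The rules are heuristics (assumed for this example), not an authoritative list."""
    missing = missing_run_targets(dss_text)
    flagged = []
    for line in (l.strip() for l in hjt_text.splitlines() if l.strip()):
        reasons = []
        if line.startswith(("O2 - ", "O20 - ")) and line.endswith("(file missing)"):
            # A BHO or Winlogon Notify registration whose DLL is gone is an
            # orphan left by partial cleanup; nothing legitimate needs it.
            reasons.append("orphaned registration: DLL no longer on disk")
        m = O4_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"]
            if name in missing:
                reasons.append("Run target not found on disk (DSS shows [])")
            if name.startswith("{") and not GUID_RE.match(name):
                reasons.append("brace-wrapped value name that is not a GUID")
            if HEX_NAME_RE.match(name):
                reasons.append("value name is a bare hex string")
            r = RUNDLL_RE.match(cmd)
            if r and len(r["entry"]) == 1 and "\\system32\\" in r["dll"].lower():
                reasons.append("rundll32 loads a system32 DLL by a one-letter export")
        if reasons:
            flagged.append((line, reasons))
    return flagged


def fix_list(hjt_text, dss_text=""):
    """Just the lines to tick in HijackThis before clicking Fix Checked."""
    return [line for line, _ in triage(hjt_text, dss_text)]


if __name__ == "__main__":
    for line, reasons in triage(HJT_SAMPLE, DSS_RUN_SAMPLE):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Without the DSS dump the two winvi entries are not flagged, which is exactly why the helper asked for both logs: the HijackThis line alone looks like any other HKCU Run value. Note also that ticking an O2 or O20 line only deletes the registration; the loader files that wrote it (the daily 2624-byte executables in the Find3M report) still have to be moved out, which is what the OTMoveIt2 script in the same post does.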

#9 basstwo (Member, Topic Starter, 12 posts)
DSS log

Deckard's System Scanner v20071014.68
Run by Erik on 2008-07-21 08:21:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Erik.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:43 AM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Erik\Desktop\dss(2).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Erik.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6911 bytes

-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-18 20:05:54 0 d-------- C:\VundoFix Backups
2008-07-18 19:53:36 0 d-------- C:\Program Files\Avira
2008-07-18 19:53:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira


-- Find3M Report ---------------------------------------------------------------

2008-07-21 08:16:57 3234 --a------ C:\Documents and Settings\Erik\Application Data\.googlewebacchosts
2008-07-18 19:46:42 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 01:22 PM C:\WINDOWS\system32\nwiz.exe]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [11/11/2004 10:00 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 01:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/01/2008 09:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/27/2007 08:58 PM]
"Steam"="f:\program files\steam\steam.exe" [04/06/2008 08:25 PM]
"Toggler"="F:\Program Files\togglr10\toggler.exe" [01/20/2001 10:01 AM]
"mount.exe"="C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe" [04/11/2008 04:17 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=F:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 10:24:38 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnkJdca

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb83f91-8e44-11db-b1b5-0020ed21c526}]
AutoRun\command- G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe




-- End of Deckard's System Scanner: finished at 2008-07-21 08:22:12 ------------



OTMoveIt log

Explorer killed successfully
File/Folder C:\Program Files\winvi not found.
File/Folder C:\WINDOWS\system32\pmnkJdca not found.
File/Folder C:\WINDOWS\system32\cdTMP not found.
C:\Documents and Settings\Erik\Start Menu\Programs\Startup\DW_Start.lnk moved successfully.
File/Folder C:\Windows\system32\jvoicadx.dll not found.
File/Folder C:\Windows\system32\neomeccv.dll not found.
File/Folder C:\Windows\system32\xcbyyqhk.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hbfuye.dll
C:\WINDOWS\system32\hbfuye.dll NOT unregistered.
C:\WINDOWS\system32\hbfuye.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lunmdqtv.dll
C:\WINDOWS\system32\lunmdqtv.dll NOT unregistered.
C:\WINDOWS\system32\lunmdqtv.dll moved successfully.
C:\WINDOWS\popcinfot.dat moved successfully.
C:\WINDOWS\system32\gvdvsqdd.exe moved successfully.
C:\WINDOWS\system32\rwyreciw.exe moved successfully.
C:\WINDOWS\system32\iixbyjpj.exe moved successfully.
C:\WINDOWS\system32\xirkarun.exe moved successfully.
C:\WINDOWS\system32\nbrinpty.exe moved successfully.
C:\WINDOWS\system32\pwndbbge.exe moved successfully.
C:\WINDOWS\system32\xroitmgw.exe moved successfully.
C:\WINDOWS\system32\ottjpekl.exe moved successfully.
C:\WINDOWS\system32\anmlbdvv.exe moved successfully.
C:\WINDOWS\system32\rwywddwl.exe moved successfully.
C:\WINDOWS\system32\qyhkmkyo.exe moved successfully.
C:\WINDOWS\system32\pkuuxvko.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gsxlcxvh.dll
C:\WINDOWS\system32\gsxlcxvh.dll NOT unregistered.
C:\WINDOWS\system32\gsxlcxvh.dll moved successfully.
C:\WINDOWS\system32\dlvyxhkv.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xmjvlprv.dll
C:\WINDOWS\system32\xmjvlprv.dll NOT unregistered.
C:\WINDOWS\system32\xmjvlprv.dll moved successfully.
C:\WINDOWS\system32\okyrknrp.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\veeylayn.dll
C:\WINDOWS\system32\veeylayn.dll NOT unregistered.
C:\WINDOWS\system32\veeylayn.dll moved successfully.
C:\WINDOWS\system32\ljyujnip.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fmrcrmht.dll
C:\WINDOWS\system32\fmrcrmht.dll NOT unregistered.
C:\WINDOWS\system32\fmrcrmht.dll moved successfully.
C:\WINDOWS\system32\whyjuwad.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gxfkifbw.dll
C:\WINDOWS\system32\gxfkifbw.dll NOT unregistered.
C:\WINDOWS\system32\gxfkifbw.dll moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}\ not found.
< HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236} >
Registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04c17e8-76e8-11dc-b1d9-0020ed21c526} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04c17e8-76e8-11dc-b1d9-0020ed21c526}\\ deleted successfully.
< purity >
< emptytemp >
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\googlewebaccclient.exe.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccelerator.pac scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAcceleratorCache scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccWarden.exe.log scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07202008_084443

Files moved on Reboot...
C:\DOCUME~1\Erik\LOCALS~1\Temp\googlewebaccclient.exe.log moved successfully.
File C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccelerator.pac not found!
C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAcceleratorCache moved successfully.
C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccWarden.exe.log moved successfully.



My computer is doing very well. Anything else I should check? Also, I am running Avira. Can I switch to AVG? I remember that program... What makes Avira better?
  • 0

#10
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey basstwo,

I would recommend Avira as it has better detection rates and protection than AVG.

Your logs look much better. Let's run some scans to see if there are leftovers. :)

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Next reply (please include):

Fresh HijackThis log
Kaspersky scan log

  • 0



#11
basstwo

basstwo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:08 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\setup.exe
C:\Documents and Settings\Erik\Desktop\gapa\gapa.exe
C:\Program Files\Trend Micro\HijackThis\Flipper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-21-583907252-746137067-1060284298-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Amy')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-21-583907252-746137067-1060284298-1004 Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'Amy')
O4 - S-1-5-21-583907252-746137067-1060284298-1004 User Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'Amy')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7338 bytes


KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 22, 2008 04:54:52
Records in database: 983112
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 59362
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 02:40:40

No malware has been detected. The scan area is clean.
The selected area was scanned.
  • 0

#12
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey basstwo,

Your log looks much cleaner now. Some more things to fix though.

1) Fix entries with HijackThis and do a registry fix

Please re-open HijackThis and Do a System Scan Only. Check the boxes next to all the entries listed below.

O4 - S-1-5-21-583907252-746137067-1060284298-1004 Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'Amy')
O4 - S-1-5-21-583907252-746137067-1060284298-1004 User Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'Amy')


Now close all windows other than HijackThis, then click Fix Checked.

Next

Please open notepad, copy/paste the following text including REGEDIT4 into the notepad window:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save the file as fix.reg. Double click on it.
You will be asked if you want to merge it with the registry, click "Yes".
Reboot your computer.

2) Run a scan with Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next reply (please include):

Fresh HijackThis
MBAM scan log
A description of how your computer is doing

  • 0
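As an added example (not part of the thread, and not a tool any poster used), the Python below decodes the hex(7) value in the fix.reg above to confirm that it registers only msv1_0 as an LSA authentication package, and runs the same check over a constructed REGEDIT4 export that still carries the extra pmnkJdca entry seen in the Deckard log earlier. The expected-package list and the infected sample are assumptions made here for illustration.

```python
import re

# The fix.reg text from the post above, embedded here as the sample input.
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# On a default Windows XP install the only LSA authentication package is
# msv1_0; anything else registered here is loaded into lsass.exe at boot
# and deserves a close look (assumption: no third-party logon provider).
EXPECTED_PACKAGES = ["msv1_0"]

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"


def decode_multi_sz(hex_body):
    """Decode the byte list of a REGEDIT4 hex(7) (REG_MULTI_SZ) value.

    REGEDIT4 stores one ANSI byte per character; each string is NUL
    terminated and the whole list ends with an extra NUL. Backslash line
    continuations and whitespace are ignored.
    """
    cleaned = re.sub(r"[\\\s]", "", hex_body)
    data = bytes(int(b, 16) for b in cleaned.split(",") if b)
    # Splitting on NUL yields empty strings for the terminators; drop them.
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz: build the 'hex(7):...' form REGEDIT4 uses."""
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_reg_values(reg_text):
    """Return {(key_path_lowercase, value_name): raw_value} for REGEDIT4 text."""
    values = {}
    key = None
    pending = ""
    for raw in reg_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif line.startswith('"') and "=" in line and key is not None:
            name, _, value = line.partition("=")
            values[(key, name.strip('"'))] = value
    return values


def check_authentication_packages(reg_text):
    """Decode the LSA 'Authentication Packages' value and return
    (all_packages, unexpected_packages)."""
    raw = parse_reg_values(reg_text)[(LSA_KEY, "Authentication Packages")]
    if not raw.lower().startswith("hex(7):"):
        raise ValueError("Authentication Packages must be REG_MULTI_SZ, got: " + raw)
    packages = decode_multi_sz(raw[len("hex(7):"):])
    unexpected = [p for p in packages if p.lower() not in EXPECTED_PACKAGES]
    return packages, unexpected


# Constructed sample: what a REGEDIT4 export of the key would look like while
# the extra package from the Deckard log (pmnkJdca) was still registered.
INFECTED_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    '"Authentication Packages"='
    + encode_multi_sz(["msv1_0", r"C:\WINDOWS\system32\pmnkJdca"])
    + "\n"
)

if __name__ == "__main__":
    for label, text in (("fix.reg", FIX_REG), ("constructed infected export", INFECTED_REG)):
        packages, unexpected = check_authentication_packages(text)
        print(f"{label}: packages={packages} unexpected={unexpected}")
```

Running it against a real export (regedit's "Export" of the lsa key, saved in Win9x/NT4 REGEDIT4 format) shows whether a machine still has an extra package registered after a fix like the one above.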

#13
basstwo

basstwo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:08 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\setup.exe
C:\Documents and Settings\Erik\Desktop\gapa\gapa.exe
C:\Program Files\Trend Micro\HijackThis\Flipper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-21-583907252-746137067-1060284298-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Amy')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-21-583907252-746137067-1060284298-1004 Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'Amy')
O4 - S-1-5-21-583907252-746137067-1060284298-1004 User Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'Amy')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7338 bytes


KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 22, 2008 04:54:52
Records in database: 983112
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 59362
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 02:40:40

No malware has been detected. The scan area is clean.
The selected area was scanned.


Malwarebytes' Anti-Malware 1.22
Database version: 982
Windows 5.1.2600 Service Pack 2

9:12:59 AM 7/23/2008
mbam-log-7-23-2008 (09-12-59).txt

Scan type: Quick Scan
Objects scanned: 50319
Time elapsed: 11 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 27
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\dbreg.dbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9b7d013b-b2b2-4b95-91ff-b17ab22290bb} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarbho (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarbho.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarenabler (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarenabler.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e2554085-b0bd-4f11-b252-32145d0a9257} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f15b157-40d9-4b20-8d3b-b1f8b475b58d} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a0881aa1-68be-41ac-9c0d-4c8a69c6c72c} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e827ffd9-95d1-4b49-beb3-5d49e688c108} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{80985322-3f89-4873-9bce-9297d217ccad} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DBReg (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\dbar (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\Cache (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\RXToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\12033 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\hidclasss.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\dbar\basis.xml (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\channel.tmpl (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\content.tmpl (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\date.tmpl (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\dbaruninst.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\deskbar.crc (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\deskbar.inf (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\edit_rss.tmpl (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\local.xml (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\nav1.bmp (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\nav2.bmp (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\new_alert.tmpl (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\version.ini (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\dbar\version.txt (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BMaba16596.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMaba16596.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Amy\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.22
Database version: 982
Windows 5.1.2600 Service Pack 2

6:30:59 PM 7/23/2008
mbam-log-7-23-2008 (18-30-59).txt

Scan type: Quick Scan
Objects scanned: 50265
Time elapsed: 11 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\hidclasss.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.
  • 0

#14
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
How is your computer doing? Any obvious problems?
  • 0

#15
basstwo

basstwo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
MalwareBytes cannot seem to get rid of these files:

C:\WINDOWS\system32\drivers\hidclasss.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.

I reboot but they are still there. Malware doesn't automatically run on startup though. I have to run it manually. Seems to defeat the purpose of rebooting to delete the files.
  • 0
