Trojan-Downloader.Win32.Agent [CLOSED]



#1 Potatomoto (Member, 10 posts)
Hello, I'm quite new to this. I just found this virus today when I got to my login screen for World of Warcraft, and there is a very high chance of me getting hacked if I continued to log in with this threat.

I followed the path from the World of Warcraft site to HijackThis, and I'm hoping for some help.
I have my log right here:


Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\YWRtaW4\command.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ipconfig.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rudolphtech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20FBC8B1-6DDC-464A-A7F5-3CBC32E259EE} - C:\WINDOWS\system32\comui.dll (file missing)
O2 - BHO: (no name) - {3170C42F-5C0A-4AFA-8D42-C1AB0A0AFD58} - C:\WINDOWS\system32\khfFwxVP.dll (file missing)
O2 - BHO: (no name) - {36953122-9F7C-4461-AF35-E23242461FD7} - C:\WINDOWS\system32\urqNETmn.dll (file missing)
O2 - BHO: {6f187941-3c25-f809-6a84-9cd84f6ba415} - {514ab6f4-8dc9-48a6-908f-52c3149781f6} - C:\WINDOWS\system32\llyfjp.dll (file missing)
O2 - BHO: gooochi browser optimizer - {665c7c24-bfc6-8fa7-11d2-8ffeb68c2d48} - C:\WINDOWS\system32\zrvtjoypnqbw.dll
O2 - BHO: (no name) - {7665D216-D7AB-420C-A09E-4220EA0D0570} - C:\WINDOWS\system32\nnnnOhIA.dll (file missing)
O2 - BHO: (no name) - {76781874-9D53-4542-A5FC-BDA49E7418DC} - C:\WINDOWS\system32\awttsQgh.dll (file missing)
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\khfETmnn.dll (file missing)
O2 - BHO: (no name) - {9DF9874E-C0ED-478F-B278-854E4BCC19A9} - C:\WINDOWS\system32\vtUlLEWn.dll (file missing)
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\efcBqolj.dll (file missing)
O2 - BHO: (no name) - {B464F6A1-DC41-4F7F-9298-22E256D4FBF6} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinoodo.exe CHD003
O4 - HKLM\..\Run: [DriveCleaner Free] "C:\Program Files\DriveCleaner Free\UDC.exe" /min
O4 - HKLM\..\Run: [UDC6cw] "C:\Program Files\DriveCleaner Free\UDC6cw.exe" -c
O4 - HKLM\..\Run: [dnse] "C:\Program Files\Common Files\DriveCleaner Free\dnse.exe" -c
O4 - HKLM\..\Run: [dcsm] "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"
O4 - HKLM\..\Run: [{01-19-91-1E-ZN}] C:\windows\system32\nndsregk.exe CHD003
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\pwinoodn.exe CHD003
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662EA4EBF968951185EFC412806867680AEDE604D64C2661377FE13FD97CB77
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\nndsregk.exe CHD003
O4 - HKLM\..\Run: [lphcvhcj0e1bc] C:\WINDOWS\system32\lphcvhcj0e1bc.exe
O4 - HKLM\..\Run: [SMshcphcj0e1bc] C:\Program Files\shcphcj0e1bc\shcphcj0e1bc.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [98b019b1] rundll32.exe "C:\WINDOWS\system32\bqciwrgx.dll",b
O4 - HKLM\..\Run: [BM9b832a2d] Rundll32.exe "C:\WINDOWS\system32\aejnwgao.dll",s
O4 - HKLM\..\Run: [{9e879e42-bc8e-890b-0b3c-960fa76c8c2b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\zrvtjoypnqbw.dll" DllStart
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdddz.exe] C:\WINDOWS\system32\kdddz.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Wij] "C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pwinoodn.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\nndsregk.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTEC.NET
O17 - HKLM\Software\..\Telephony: DomainName = RTEC.NET
O20 - AppInit_DLLs: flyidfuj.dll
O20 - Winlogon Notify: efcBqolj - efcBqolj.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: khfETmnn - khfETmnn.dll (file missing)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: urqNETmn - urqNETmn.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ovFGmn - {98B0191F-321A-B3B5-2FD0-D96E95EE0F61} - C:\WINDOWS\system32\kfdh.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YWRtaW4\command.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe




Hoping to resolve this issue, and I welcome any help.

:)
Thanks!
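As an added example (not part of this thread, and not HijackThis or Runscanner code), here is a small Python script that applies to HijackThis log lines the checks a helper makes by eye on the log above: orphaned entries marked (file missing), BHOs with no name, Run values with generated-looking names, rundll32 loading a DLL at logon, Startup-folder shortcuts that point straight into the Windows directory, any AppInit_DLLs or SSODL entry, and services with "Unknown owner". The review rules, the low-vowel-ratio heuristic and its 0.2 threshold are assumptions of this example, not HijackThis logic; the sample log is constructed from lines of the posted log plus a few legitimate ones so the script runs offline.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

The section prefixes (O2, O4, O20, O21, O23) and the sample lines come from
the log posted above; the review rules are ordinary analyst rules of thumb
(assumptions of this example, not HijackThis or Runscanner logic), and the
0.2 vowel-ratio threshold is an arbitrary choice.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    section: str          # HijackThis section code, e.g. "O4"
    line: str             # the log line as written
    reasons: List[str] = field(default_factory=list)


SECTION_RE = re.compile(r"^(?P<sec>O\d+|R\d|F\d)\s*-\s*(?P<body>.*)$")
# A Windows path up to a loader-relevant extension; stopping at the extension
# keeps trailing arguments such as ' CHD003' or ',b' out of the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|sys|cpl|lnk)\b', re.IGNORECASE)
O4_VALUE_RE = re.compile(r"^(?P<loc>.+?):\s*\[(?P<name>.*)\]\s+(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup:\s*(?P<lnk>.*?)\s*=\s*(?P<target>.*)$")
# Run value names that look machine-generated: a brace blob, 8 hex digits,
# the 'BM' + hex form, or a value name that is itself a full path.
GENERATED_VALUE_RE = re.compile(r"^(\{.*\}|[0-9a-f]{8}|BM[0-9a-f]{8}|[A-Za-z]:\\.*)$", re.IGNORECASE)
# A file sitting directly in %SystemRoot% or system32, with no vendor folder.
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\windows\\(?:system32\\)?[^\\]+$", re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_generated(path: str) -> bool:
    """Weak signal: an 8+ character file stem with fewer than 20% vowels."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    chars = [c for c in stem if c.isalnum()]
    if len(chars) < 8:
        return False
    return sum(c in VOWELS for c in chars) / len(chars) < 0.2


def analyze(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons: List[str] = []
    paths = PATH_RE.findall(body)
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("target file missing: the autostart entry outlives its payload")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    elif sec == "O4":
        sm = O4_STARTUP_RE.match(body)
        vm = O4_VALUE_RE.match(body)
        if sm and SYSTEM_DIR_RE.match(sm.group("target").strip()):
            reasons.append("Startup-folder shortcut points straight into the Windows directory")
        elif vm:
            name, cmd = vm.group("name"), vm.group("cmd")
            if GENERATED_VALUE_RE.match(name):
                reasons.append(f"generated-looking Run value name {name!r}")
            if "rundll32" in cmd.lower() and any(p.lower().endswith(".dll") for p in paths):
                reasons.append("rundll32 used to load a DLL at logon")
    elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs set: the DLL is injected into every process that loads user32")
    elif sec == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry: loaded by Explorer at every logon")
    elif sec == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no company/vendor information")
    for p in paths:
        if looks_generated(p):
            base = p.rsplit("\\", 1)[-1]
            reasons.append(f"low vowel ratio in file name {base!r} (weak signal)")
            break
    return Finding(sec, line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Return the entries that deserve a second look, in log order."""
    return [f for f in (analyze(l) for l in log_text.splitlines()) if f]


# Constructed sample: lines copied from the posted HijackThis log plus a few
# clearly legitimate ones, so the script can run without a real log file.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B464F6A1-DC41-4F7F-9298-22E256D4FBF6} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: gooochi browser optimizer - {665c7c24-bfc6-8fa7-11d2-8ffeb68c2d48} - C:\WINDOWS\system32\zrvtjoypnqbw.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [{01-19-91-1E-ZN}] C:\windows\system32\nndsregk.exe CHD003
O4 - HKLM\..\Run: [98b019b1] rundll32.exe "C:\WINDOWS\system32\bqciwrgx.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdddz.exe] C:\WINDOWS\system32\kdddz.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pwinoodn.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O20 - AppInit_DLLs: flyidfuj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O21 - SSODL: ovFGmn - {98B0191F-321A-B3B5-2FD0-D96E95EE0F61} - C:\WINDOWS\system32\kfdh.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YWRtaW4\command.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run as a script it prints each flagged line with its reasons. The low-vowel check is reported as a weak signal on purpose: vendor names such as igfxtray.exe or hkcmd.exe sit close to the threshold, so the entries to act on first are the ones carrying a structural reason (file missing, AppInit_DLLs, SSODL, rundll32 loader, Unknown owner).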



#2 Rorschach112 (Retired Staff, 47,710 posts)
Hello

Please download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Upload that file here.


#3 Potatomoto (Topic Starter, Member, 10 posts)
Hello again, sorry it took me so long to reply, but sleeping and what not, eh?

Thanks for giving me this info. I've followed all of the instructions and have my .log file and .run file,
but I'm not exactly sure how to send the .run file through, for it is a check list and not in Notepad.
Although, I do have the .log file right here at the moment, if this helps :)


Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

000 General info
----------------
Computer name : JLAXAMANA-LT
Creation time : 8/17/2008 10:04:58 AM
Hosts <> 127.0.0.1 : Cannot read hosts file
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.6.3.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* c:\program files\apoint\hidfind.exe (Alps Electric Co., Ltd.)
* c:\program files\apoint\apoint.exe (Alps Electric Co., Ltd.)
* c:\program files\apoint\apntex.exe (Alps Electric Co., Ltd.)
* c:\program files\cisco systems\vpn client\cvpnd.exe (Cisco Systems, Inc.)
* c:\windows\system32\csrss.exe (Microsoft Corporation)
c:\windows\ywrtaw4\command.exe
* c:\program files\common files\symantec shared\ccevtmgr.exe (Symantec Corporation)
* c:\program files\common files\symantec shared\ccsetmgr.exe (Symantec Corporation)
* c:\program files\common files\symantec shared\ccapp.exe (Symantec Corporation)
c:\program files\cyberlink\powerdvd\dvdlauncher.exe (CyberLink Corp.)
c:\program files\digital line detect\dlg.exe (BVRP Software)
* c:\program files\mozilla firefox\firefox.exe (Mozilla Corporation)
c:\windows\system32\svchost.exe (Microsoft Corporation)
c:\windows\system32\svchost.exe (Microsoft Corporation)
c:\windows\system32\svchost.exe (Microsoft Corporation)
c:\windows\system32\svchost.exe (Microsoft Corporation)
c:\windows\system32\svchost.exe (Microsoft Corporation)
c:\program files\hijackthis\hijackthis.exe (Soeperman Enterprises Ltd.)
* c:\windows\system32\hkcmd.exe (Intel Corporation)
* c:\windows\system32\igfxsrvc.exe (Intel Corporation)
c:\progra~1\intel\wireless\bin\dot1xcfg.exe (Intel Corporation)
c:\program files\intel\wireless\bin\ifrmewrk.exe (Intel Corporation)
c:\program files\intel\wireless\bin\evteng.exe (Intel Corporation)
c:\program files\intel\wireless\bin\regsrvc.exe (Intel Corporation)
c:\program files\dell\quickset\nicconfigsvc.exe (Dell Inc.)
* c:\program files\internet explorer\iexplore.exe (Microsoft Corporation)
c:\program files\java\j2re1.4.2_03\bin\jusched.exe
* c:\program files\logmein\x86\lmiguardian.exe (LogMeIn, Inc.)
* c:\program files\logmein\x86\lmiguardian.exe (LogMeIn, Inc.)
* c:\program files\logmein\x86\logmein.exe (LogMeIn, Inc.)
* c:\program files\logmein\x86\logmeinsystray.exe (LogMeIn, Inc.)
* c:\program files\logmein\x86\ramaint.exe (LogMeIn, Inc.)
c:\windows\system32\lsass.exe (Microsoft Corporation)
* c:\program files\common files\microsoft shared\vs7debug\mdm.exe (Microsoft Corporation)
c:\program files\network monitor\netmon.exe
* c:\windows\system32\notepad.exe (Microsoft Corporation)
* c:\windows\system32\igfxpers.exe (Intel Corporation)
c:\program files\dell\quickset\quickset.exe (Dell Inc)
* c:\windows\system32\rundll32.exe (Microsoft Corporation)
* c:\docume~1\jlaxaman\locals~1\temp\runscanner.exe (Runscanner.net)
* c:\program files\symantec antivirus\savroam.exe (symantec)
c:\windows\system32\services.exe (Microsoft Corporation)
c:\windows\stsystra.exe (SigmaTel, Inc.)
* c:\windows\system32\scardsvr.exe (Microsoft Corporation)
c:\windows\system32\spoolsv.exe (Microsoft Corporation)
* c:\program files\symantec antivirus\rtvscan.exe (Symantec Corporation)
* c:\progra~1\symant~1\vptray.exe (Symantec Corporation)
* c:\program files\symantec antivirus\defwatch.exe (Symantec Corporation)
c:\windows\explorer.exe (Microsoft Corporation)
c:\windows\system32\winlogon.exe (Microsoft Corporation)
c:\program files\intel\wireless\bin\s24evmon.exe (Intel Corporation)
c:\program files\d-link airplus xtreme g\airplus.exe (D-Link)
c:\program files\intel\wireless\bin\wlkeeper.exe (Intel® Corporation)
* c:\windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
c:\program files\intel\wireless\bin\zcfgsvc.exe (Intel Corporation)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\windows\system32\nndsregk.exe
c:\windows\system32\nndsregk.exe
- c:\windows\system32\bqciwrgx.dll
- c:\windows\system32\aejnwgao.dll
c:\windows\system32\kdddz.exe
- c:\program files\common files\drivecleaner free\dcsm.exe
c:\program files\dell\quickset\quickset.exe (Dell Inc)
- c:\program files\common files\drivecleaner free\dnse.exe
- c:\program files\drivecleaner free\udc.exe
c:\program files\cyberlink\powerdvd\dvdlauncher.exe (CyberLink Corp.)
- c:\windows\system32\pwinoodo.exe
c:\windows\system32\pwinoodn.exe
c:\program files\intel\wireless\bin\ifrmewrk.exe (Intel Corporation)
c:\program files\intel\wireless\bin\zcfgsvc.exe (Intel Corporation)
* c:\program files\logmein\x86\logmeinsystray.exe (LogMeIn, Inc.)
- c:\windows\system32\lphcvhcj0e1bc.exe
- c:\windows\mrofinu572.exe
C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
- c:\program files\shcphcj0e1bc\shcphcj0e1bc.exe
c:\program files\java\j2re1.4.2_03\bin\jusched.exe
- c:\windows\system32\sysrest32.exe
- c:\program files\drivecleaner free\udc6cw.exe

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
- c:\program files\common files\ahead\lib\nmbgmonitor.exe
- c:\program files\svconr\svconr.exe
- c:\documents and settings\jlaxaman\my documents\??sembly\w?crtupd.exe

004 C:\Documents and Settings\jlaxaman\Start Menu\Programs\Startup
------------------------------------------------------------------
c:\windows\system32\nndsregk.exe
c:\windows\system32\pwinoodn.exe

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
* c:\progra~1\ciscos~1\vpncli~1\vpngui.exe (Cisco Systems, Inc.)
c:\progra~1\digita~1\dlg.exe (BVRP Software)
c:\progra~1\micros~2\office\osa9.exe (Microsoft Corporation)
c:\progra~1\d-link~1\airplus.exe (D-Link)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
C:\WINDOWS\system32\svchost.exe (Application Management)
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
C:\WINDOWS\system32\svchost.exe (Background Intelligent Transfer Service)
* c:\program files\cisco systems\vpn client\cvpnd.exe (Cisco Systems, Inc. VPN Service)
c:\windows\system32\svchost.exe (COM+ Event System)
c:\windows\ywrtaw4\command.exe (Command Service)
C:\WINDOWS\system32\svchost.exe (Computer Browser)
C:\WINDOWS\system32\svchost.exe (Cryptographic Services)
C:\WINDOWS\system32\svchost.exe (DCOM Server Process Launcher)
C:\WINDOWS\system32\svchost.exe (DHCP Client)
C:\WINDOWS\system32\svchost.exe (Distributed Link Tracking Client)
C:\WINDOWS\system32\svchost.exe (DNS Client)
C:\WINDOWS\system32\svchost.exe (Error Reporting Service)
C:\WINDOWS\system32\services.exe (Event Log)
C:\WINDOWS\system32\svchost.exe (Fast User Switching Compatibility)
C:\WINDOWS\system32\svchost.exe (Help and Support)
C:\WINDOWS\system32\svchost.exe (HTTP SSL)
c:\program files\intel\wireless\bin\evteng.exe (Intel® PROSet/Wireless Event Log)
c:\program files\intel\wireless\bin\regsrvc.exe (Intel® PROSet/Wireless Registry Service)
c:\program files\intel\wireless\bin\s24evmon.exe (Intel® PROSet/Wireless Service)
c:\program files\intel\wireless\bin\wlkeeper.exe (Intel® PROSet/Wireless SSO Service)
C:\WINDOWS\system32\lsass.exe (IPSEC Services)
C:\WINDOWS\system32\svchost.exe (Logical Disk Manager)
* c:\program files\logmein\x86\logmein.exe (LogMeIn)
* c:\program files\logmein\x86\ramaint.exe (LogMeIn Maintenance Service)
C:\WINDOWS\system32\lsass.exe (Net Logon)
C:\WINDOWS\system32\svchost.exe (Network Location Awareness (NLA))
c:\program files\network monitor\netmon.exe (Network Monitor)
C:\WINDOWS\system32\svchost.exe (Network Provisioning Service)
c:\program files\dell\quickset\nicconfigsvc.exe (NICCONFIGSVC)
C:\WINDOWS\system32\lsass.exe (NT LM Security Support Provider)
C:\WINDOWS\system32\services.exe (Plug and Play)
C:\WINDOWS\system32\svchost.exe (Portable Media Serial Number Service)
C:\WINDOWS\system32\spoolsv.exe (Print Spooler)
C:\WINDOWS\system32\svchost.exe (Remote Access Auto Connection Manager)
C:\WINDOWS\system32\svchost.exe (Remote Access Connection Manager)
C:\WINDOWS\system32\svchost.exe (Remote Procedure Call (RPC))
C:\WINDOWS\system32\svchost.exe (Remote Registry)
C:\WINDOWS\system32\svchost.exe (Removable Storage)
C:\WINDOWS\system32\lsass.exe (Security Accounts Manager)
C:\WINDOWS\system32\svchost.exe (Security Center)
C:\WINDOWS\system32\svchost.exe (Server)
C:\WINDOWS\system32\svchost.exe (Shell Hardware Detection)
C:\WINDOWS\system32\svchost.exe (SSDP Discovery Service)
C:\WINDOWS\system32\svchost.exe (System Event Notification)
C:\WINDOWS\system32\svchost.exe (System Restore Service)
C:\WINDOWS\system32\svchost.exe (Task Scheduler)
C:\WINDOWS\system32\svchost.exe (TCP/IP NetBIOS Helper)
C:\WINDOWS\system32\svchost.exe (Telephony)
C:\WINDOWS\system32\svchost.exe (Terminal Services)
C:\WINDOWS\system32\svchost.exe (Themes)
C:\WINDOWS\system32\svchost.exe (Universal Plug and Play Device Host)
C:\WINDOWS\system32\svchost.exe (WebClient)
C:\WINDOWS\system32\svchost.exe (Windows Audio)
C:\WINDOWS\system32\svchost.exe (Windows Firewall/Internet Connection Sharing (ICS))
C:\WINDOWS\system32\svchost.exe (Windows Image Acquisition (WIA))
C:\WINDOWS\system32\svchost.exe (Windows Management Instrumentation)
C:\WINDOWS\system32\svchost.exe (Windows Management Instrumentation Driver Extensions)
C:\WINDOWS\system32\svchost.exe (Windows Time)
C:\WINDOWS\system32\svchost.exe (Wireless Zero Configuration)
C:\WINDOWS\system32\svchost.exe (Workstation)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
C:\WINDOWS\system32\drivers\aegisp.sys (AEGIS Protocol (IEEE 802.1x) v3.4.9.0)
c:\windows\system32\drivers\appdrv.sys (APPDRV)
- c:\windows\system32\drivers\changer.sys (Changer)
c:\windows\system32\drivers\cvpndrva.sys (Cisco Systems IPsec Driver)
- c:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc)
* C:\WINDOWS\system32\drivers\lmimirr.sys (LMImirr)
* c:\program files\logmein\x86\rainfo.sys (LogMeIn Kernel Information Provider)
C:\WINDOWS\system32\drivers\omci.sys (OMCI WDM Device Driver)
- c:\windows\system32\drivers\pcidump.sys (PCIDump)
- c:\windows\system32\drivers\pdcomp.sys (PDCOMP)
- c:\windows\system32\drivers\pdframe.sys (PDFRAME)
- c:\windows\system32\drivers\pdreli.sys (PDRELI)
- c:\windows\system32\drivers\pdrframe.sys (PDRFRAME)
- c:\windows\system32\sysrest.sys (sysrest.sys)
* c:\windows\system32\vsdatant.sys (vsdatant)
- c:\windows\system32\drivers\wdica.sys (WDICA)
C:\WINDOWS\system32\drivers\s24trans.sys (WLAN Transport)
C:\WINDOWS\system32\drivers\mdc8021x.sys (WPA Security Protocol (IEEE 802.1x) v2.2.0.0)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

034 HKLM-HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
-------------------------------------------------------------------------
C:\WINDOWS\explorer.exe (Microsoft Corporation)

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
----------------------------------------------------------------
- http:
- http:
- http:

037 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
---------------------------------------------------------------------
C:\WINDOWS\system32\kdddz.exe

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
-----------------------------------------------------------------------------
- c:\windows\system32\efcbqolj.dll {A6C54318-5AC7-477D-B0A7-49AF5189300C}
- c:\windows\system32\khfetmnn.dll {9C28EAFB-FF50-4F42-8D39-A006129CC907}
- c:\windows\system32\urqnetmn.dll {36953122-9F7C-4461-AF35-E23242461FD7}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {02478D38-C3F9-4efb-9B51-7695ECA05670}
- c:\windows\system32\awttsqgh.dll {76781874-9D53-4542-A5FC-BDA49E7418DC}
- c:\windows\system32\comui.dll {20FBC8B1-6DDC-464A-A7F5-3CBC32E259EE}
- c:\windows\system32\efcbqolj.dll {A6C54318-5AC7-477D-B0A7-49AF5189300C}
- c:\windows\system32\khfetmnn.dll {9C28EAFB-FF50-4F42-8D39-A006129CC907}
- c:\windows\system32\khffwxvp.dll {3170C42F-5C0A-4AFA-8D42-C1AB0A0AFD58}
- c:\windows\system32\llyfjp.dll {514ab6f4-8dc9-48a6-908f-52c3149781f6}
- c:\windows\system32\nnnnohia.dll {7665D216-D7AB-420C-A09E-4220EA0D0570}
- c:\windows\system32\pmkhh.dll {B464F6A1-DC41-4F7F-9298-22E256D4FBF6}
- c:\windows\system32\urqnetmn.dll {36953122-9F7C-4461-AF35-E23242461FD7}
- c:\windows\system32\vtullewn.dll {9DF9874E-C0ED-478F-B278-854E4BCC19A9}
c:\windows\system32\zrvtjoypnqbw.dll {665c7c24-bfc6-8fa7-11d2-8ffeb68c2d48}

060 HKLM-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
-----------------------------------------------------------------------------------
- c:\windows\system32\kfdh.dll {98B0191F-321A-B3B5-2FD0-D96E95EE0F61}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
c:\progra~1\micros~2\office\1033\unbind.dll (Microsoft Corporation) {59850401-6664-101B-B21C-00AA004BA90B}
c:\progra~1\micros~2\office\olkfstub.dll (Microsoft Corporation) {0006F045-0000-0000-C000-000000000046}
- c:\program files\common files\ahead\lib\nerodigitalext.dll {B327765E-D724-4347-8B16-78AE18552FC3}
- c:\program files\common files\ahead\lib\nerodigitalext.dll {7F1CF152-04F8-453A-B34C-E609530A9DC8}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79305-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79306-84BE-11CE-9641-444553540000}
* c:\program files\yahoo!\common\ymmapi.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
- c:\program files\common files\ahead\lib\nerodigitalext.dll {7D4D6379-F301-4311-BEBA-E26EB0561882}
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
- efcbqolj.dll
- khfetmnn.dll
* C:\WINDOWS\system32\lmiinit.dll (LogMeIn, Inc.)
- c:\windows\system32\pmkhh.dll
- urqnetmn.dll

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
* C:\WINDOWS\system32\lmiport.dll (LogMeIn, Inc.)

070 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
---------------------------------------------------------------------
- c:\windows\system32\awttsqgh

100 Internet Explorer settings
------------------------------
Default_Page_URL HKCU : www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
Default_Page_URL HKLM : http://www.yahoo.com/
Default_Search_URL HKLM : http://us.rd.yahoo.c...//www.yahoo.com
Search Page HKCU : http://us.rd.yahoo.c...//www.yahoo.com
Search Page HKLM : http://us.rd.yahoo.c...//www.yahoo.com
SearchUrl HKCU : http://us.rd.yahoo.c...//www.yahoo.com
Start Page HKCU : http://www.rudolphtech.com/
Start Page HKLM : http://www.yahoo.com/

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

120 Domain/DNS hijacking
------------------------
TcpIp Domain : RTEC.NET
Telephony domainname : RTEC.NET

121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
--------------------------------------------------------------------------
- flyidfuj.dll

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
------------------------------------------------------------------------
{948c1d54-01a2-11dc-a239-0015c54b8ed3} : E:\podcastready.exe

171 HKCU\Control Panel\Desktop\SCRNSAVE.EXE
-------------------------------------------
c:\windows\system32\blphcvhcj0e1bc.scr (Sysinternals)

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
* c:\program files\yahoo!\common\ymmapi.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}

221 HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
-------------------------------------------------------
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
* c:\program files\yahoo!\common\ymmapi.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}

225 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
------------------------------------------------------------
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

227 HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
---------------------------------------------------------------
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

231 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
-------------------------------------------------------
- c:\program files\common files\ahead\lib\nerodigitalext.dll NeroDigitalExt.NeroDigitalColumnHandler
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) PDF Column Info


Yes, I am quite a noob :)

#4
Rorschach112 (Ralphie)

  • Retired Staff
  • 47,710 posts
When you do a scan with runscanner, there is a button called "save .run file".

Click that, save it to your desktop, and upload it here via Browse.

#5
Potatomoto

  • Topic Starter
  • Member
  • 10 posts
I just uploaded it from my browser, and thanks for that extra note ^.^

I got the quote 'upload successful and is available from the "manage current attachments" menu'.


#6
Rorschach112 (Ralphie)

  • Retired Staff
  • 47,710 posts
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Download the attachment at the end of this post (this will be your runscanner file fixed by me)

  • Save it to your desktop, then double-click the runscanner icon; this will run the program.
  • You will notice several entries in red and in blue.
  • Click the button at the top called Fix selected items.
  • Accept the warning(s) and repeat until they are all gone.
  • Reboot your PC.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • If the first link fails, you can download it from here as well.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#7
Potatomoto

  • Topic Starter
  • Member
  • 10 posts
Hello again Rorschach, I followed your instructions again and here is my report from MBAM:

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

12:20:05 PM 8/17/2008
mbam-log-8-17-2008 (12-20-05).txt

Scan type: Quick Scan
Objects scanned: 44904
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 42
Registry Values Infected: 16
Registry Data Items Infected: 3
Folders Infected: 19
Files Infected: 35

Memory Processes Infected:
C:\WINDOWS\YWRtaW4\command.exe (Adware.CommAd) -> Unloaded process successfully.
C:\Program Files\Network Monitor\netmon.exe (Trojan.DNSChanger) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514ab6f4-8dc9-48a6-908f-52c3149781f6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{514ab6f4-8dc9-48a6-908f-52c3149781f6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdservice (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdservice (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cmdservice (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{55db983c-bdbf-426f-86f0-187b02dda39b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4b646afb-9341-4330-8fd1-c32485aee619} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\udcpchk.udcpchk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\udcpchk.udcpchk.1 (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{943b96a4-9bf6-42fe-8d0b-4bca71c3632f} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5954b2db-09a7-4023-847c-107539dc560d} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4f43b1f3-0ce8-493b-96d2-990cec05edbb} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shcphcj0e1bc (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\shcphcj0e1bc (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Svconr (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\drivecleaner free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\drivecleaner free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{665c7c24-bfc6-8fa7-11d2-8ffeb68c2d48} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{665c7c24-bfc6-8fa7-11d2-8ffeb68c2d48} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g]eev\mwhjlnspb (Adware.ZeroSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svconr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcvhcj0e1bc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smshcphcj0e1bc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdddz.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pnVes01 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Svconr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\shcphcj0e1bc\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\llyfjp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\YWRtaW4\command.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Program Files\Network Monitor\netmon.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kdddz.exe (Rootkit.DNSChanger) -> Delete on reboot.
C:\WINDOWS\system32\pwinoodn.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\b104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b152.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\WINDOWS\b156.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Local Settings\Temp\sdexe.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{b1ad4de2-5761-b4aa-29dd-c635160bcfeb}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dwdsregt.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BM9b832a2d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM9b832a2d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcvhcj0e1bc.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Local Settings\Temp\rasesnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\Documents and Settings\jlaxaman\Start Menu\Programs\Startup\TA_Start.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zrvtjoypnqbw.dll (Adware.BHO) -> Delete on reboot.

It encountered only two files that were difficult to destroy out of 112 :)

It rebooted and I had an error popup saying something about how 1% of the file was not part of WinZip or something...
I shall wait for your next reply before I start the second part of your instructions.
Thanks again for helping, it's quite appreciated :)

#8
Rorschach112 (Ralphie)

  • Retired Staff
  • 47,710 posts
Just go and run DSS.

#9
Potatomoto

  • Topic Starter
  • Member
  • 10 posts
I guess I have to post my new HijackThis log, version 2... I'm having trouble posting my main.txt Notepad and extra.txt Notepad because it keeps bringing up 'old version detected'.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:49 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rudolphtech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20FBC8B1-6DDC-464A-A7F5-3CBC32E259EE} - C:\WINDOWS\system32\comui.dll (file missing)
O2 - BHO: (no name) - {3170C42F-5C0A-4AFA-8D42-C1AB0A0AFD58} - C:\WINDOWS\system32\khfFwxVP.dll (file missing)
O2 - BHO: (no name) - {36953122-9F7C-4461-AF35-E23242461FD7} - C:\WINDOWS\system32\urqNETmn.dll (file missing)
O2 - BHO: (no name) - {7665D216-D7AB-420C-A09E-4220EA0D0570} - C:\WINDOWS\system32\nnnnOhIA.dll (file missing)
O2 - BHO: (no name) - {76781874-9D53-4542-A5FC-BDA49E7418DC} - C:\WINDOWS\system32\awttsQgh.dll (file missing)
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\khfETmnn.dll (file missing)
O2 - BHO: (no name) - {9DF9874E-C0ED-478F-B278-854E4BCC19A9} - C:\WINDOWS\system32\vtUlLEWn.dll (file missing)
O2 - BHO: (no name) - {B464F6A1-DC41-4F7F-9298-22E256D4FBF6} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DriveCleaner Free] "C:\Program Files\DriveCleaner Free\UDC.exe" /min
O4 - HKLM\..\Run: [UDC6cw] "C:\Program Files\DriveCleaner Free\UDC6cw.exe" -c
O4 - HKLM\..\Run: [dnse] "C:\Program Files\Common Files\DriveCleaner Free\dnse.exe" -c
O4 - HKLM\..\Run: [dcsm] "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"
O4 - HKLM\..\Run: [{01-19-91-1E-ZN}] C:\windows\system32\nndsregk.exe CHD003
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\nndsregk.exe CHD003
O4 - HKLM\..\Run: [98b019b1] rundll32.exe "C:\WINDOWS\system32\bqciwrgx.dll",b
O4 - HKLM\..\Run: [BM9b832a2d] Rundll32.exe "C:\WINDOWS\system32\aejnwgao.dll",s
O4 - HKLM\..\Run: [{9e879e42-bc8e-890b-0b3c-960fa76c8c2b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\zrvtjoypnqbw.dll" DllStart
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdddz.exe] C:\WINDOWS\system32\kdddz.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Wij] "C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTEC.NET
O17 - HKLM\Software\..\Telephony: DomainName = RTEC.NET
O20 - AppInit_DLLs: flyidfuj.dll
O20 - Winlogon Notify: efcBqolj - efcBqolj.dll (file missing)
O20 - Winlogon Notify: khfETmnn - khfETmnn.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: urqNETmn - urqNETmn.dll (file missing)
O21 - SSODL: ovFGmn - {98B0191F-321A-B3B5-2FD0-D96E95EE0F61} - C:\WINDOWS\system32\kfdh.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - http://www.browning....s/2004jul_s.jpg
O24 - Desktop Component 1: (no name) - http://www.browning....s/2004jul_l.jpg
O24 - Desktop Component 2: (no name) - http://www.browning....s/2004jul_m.jpg

--
End of file - 10456 bytes

#10
Rorschach112 (Ralphie)

  • Retired Staff
  • 47,710 posts
Can you post the DSS logs?

#11
Potatomoto

  • Topic Starter
  • Member
  • 10 posts
I've tried to post both of the logs at the same time, but it shows that I have not DL'd the new version of hijacker.

I just ran DSS again with the new hijacker version installed, but it won't give me another extra.txt Notepad.

Let me see if it will let me post the new main.txt Notepad.

Deckard's System Scanner v20071014.68
Run by jlaxaman on 2008-08-17 13:13:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as jlaxaman.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:35 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\jlaxaman\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jlaxaman.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rudolphtech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20FBC8B1-6DDC-464A-A7F5-3CBC32E259EE} - C:\WINDOWS\system32\comui.dll (file missing)
O2 - BHO: (no name) - {3170C42F-5C0A-4AFA-8D42-C1AB0A0AFD58} - C:\WINDOWS\system32\khfFwxVP.dll (file missing)
O2 - BHO: (no name) - {36953122-9F7C-4461-AF35-E23242461FD7} - C:\WINDOWS\system32\urqNETmn.dll (file missing)
O2 - BHO: (no name) - {7665D216-D7AB-420C-A09E-4220EA0D0570} - C:\WINDOWS\system32\nnnnOhIA.dll (file missing)
O2 - BHO: (no name) - {76781874-9D53-4542-A5FC-BDA49E7418DC} - C:\WINDOWS\system32\awttsQgh.dll (file missing)
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\khfETmnn.dll (file missing)
O2 - BHO: (no name) - {9DF9874E-C0ED-478F-B278-854E4BCC19A9} - C:\WINDOWS\system32\vtUlLEWn.dll (file missing)
O2 - BHO: (no name) - {B464F6A1-DC41-4F7F-9298-22E256D4FBF6} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DriveCleaner Free] "C:\Program Files\DriveCleaner Free\UDC.exe" /min
O4 - HKLM\..\Run: [UDC6cw] "C:\Program Files\DriveCleaner Free\UDC6cw.exe" -c
O4 - HKLM\..\Run: [dnse] "C:\Program Files\Common Files\DriveCleaner Free\dnse.exe" -c
O4 - HKLM\..\Run: [dcsm] "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"
O4 - HKLM\..\Run: [{01-19-91-1E-ZN}] C:\windows\system32\nndsregk.exe CHD003
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\nndsregk.exe CHD003
O4 - HKLM\..\Run: [98b019b1] rundll32.exe "C:\WINDOWS\system32\bqciwrgx.dll",b
O4 - HKLM\..\Run: [BM9b832a2d] Rundll32.exe "C:\WINDOWS\system32\aejnwgao.dll",s
O4 - HKLM\..\Run: [{9e879e42-bc8e-890b-0b3c-960fa76c8c2b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\zrvtjoypnqbw.dll" DllStart
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdddz.exe] C:\WINDOWS\system32\kdddz.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Wij] "C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTEC.NET
O17 - HKLM\Software\..\Telephony: DomainName = RTEC.NET
O20 - AppInit_DLLs: flyidfuj.dll
O20 - Winlogon Notify: efcBqolj - efcBqolj.dll (file missing)
O20 - Winlogon Notify: khfETmnn - khfETmnn.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: urqNETmn - urqNETmn.dll (file missing)
O21 - SSODL: ovFGmn - {98B0191F-321A-B3B5-2FD0-D96E95EE0F61} - C:\WINDOWS\system32\kfdh.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - http://www.browning....s/2004jul_s.jpg
O24 - Desktop Component 1: (no name) - http://www.browning....s/2004jul_l.jpg
O24 - Desktop Component 2: (no name) - http://www.browning....s/2004jul_m.jpg

--
End of file - 10495 bytes

-- Files created between 2008-07-17 and 2008-08-17 -----------------------------

2008-08-17 12:49:34 0 d-------- C:\Program Files\Trend Micro
2008-08-17 11:55:42 0 d-------- C:\Documents and Settings\jlaxaman\Application Data\Malwarebytes
2008-08-17 11:55:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 11:55:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-13 04:35:01 109150 --a------ C:\WINDOWS\system32\drivers\527d489f.sys
2008-08-12 03:08:21 3407872 --a------ C:\Documents and Settings\jlaxaman\ntuser.dat
2008-07-17 18:08:57 64857 --a------ C:\WINDOWS\system32\duofmsrxys.exe


-- Find3M Report ---------------------------------------------------------------

2008-08-17 12:23:03 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-17 01:07:20 0 d-------- C:\Program Files\LogMeIn
2008-08-16 22:11:27 0 d-------- C:\Program Files\Common Files
2008-08-16 22:11:23 0 d-------- C:\Program Files\Common Files\?racle
2008-07-30 22:51:34 0 d-------- C:\Program Files\Warcraft III
2008-07-25 15:35:11 859212 --ahs---- C:\WINDOWS\system32\hgQsttwa.ini2
2008-07-16 20:27:39 0 d-------- C:\Program Files\World of Warcraft
2008-06-23 23:08:11 645222 --ahs--c- C:\WINDOWS\system32\nWELlUtv.ini2
2008-06-22 13:34:54 753744 --ahs--c- C:\WINDOWS\system32\AIhOnnnn.ini2
2008-06-21 00:37:03 0 d-------- C:\Program Files\D-Link AirPlus Xtreme G
2008-06-21 00:37:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-21 00:26:18 0 d-------- C:\Program Files\WebEx
2008-06-21 00:10:58 0 d-------- C:\Program Files\AT&T Global Network Client
2008-06-20 22:00:48 60928 --a----c- C:\WINDOWS\system32\crap1 <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-06-07 15:32:50 76459 --a----c- C:\WINDOWS\War3Unin.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FBC8B1-6DDC-464A-A7F5-3CBC32E259EE}]
C:\WINDOWS\system32\comui.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3170C42F-5C0A-4AFA-8D42-C1AB0A0AFD58}]
C:\WINDOWS\system32\khfFwxVP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36953122-9F7C-4461-AF35-E23242461FD7}]
C:\WINDOWS\system32\urqNETmn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7665D216-D7AB-420C-A09E-4220EA0D0570}]
C:\WINDOWS\system32\nnnnOhIA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76781874-9D53-4542-A5FC-BDA49E7418DC}]
C:\WINDOWS\system32\awttsQgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C28EAFB-FF50-4F42-8D39-A006129CC907}]
C:\WINDOWS\system32\khfETmnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DF9874E-C0ED-478F-B278-854E4BCC19A9}]
C:\WINDOWS\system32\vtUlLEWn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B464F6A1-DC41-4F7F-9298-22E256D4FBF6}]
C:\WINDOWS\system32\pmkhh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 10:13 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/13/2005 02:44 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/13/2005 02:41 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/13/2005 02:45 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 03:48 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [12/28/2005 09:55 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [12/28/2005 09:56 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/24/2006 02:30 PM C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [12/09/2005 06:29 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [04/06/2006 12:58 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/02/2005 06:00 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [08/18/2005 09:50 AM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [02/28/2008 03:31 PM]
"DriveCleaner Free"="C:\Program Files\DriveCleaner Free\UDC.exe" []
"UDC6cw"="C:\Program Files\DriveCleaner Free\UDC6cw.exe" []
"dnse"="C:\Program Files\Common Files\DriveCleaner Free\dnse.exe" []
"dcsm"="C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe" []
"{01-19-91-1E-ZN}"="C:\windows\system32\nndsregk.exe" [05/17/2007 09:52 PM]
"{ZN}"="C:\WINDOWS\system32\nndsregk.exe" [05/17/2007 09:52 PM]
"98b019b1"="C:\WINDOWS\system32\bqciwrgx.dll" []
"BM9b832a2d"="C:\WINDOWS\system32\aejnwgao.dll" []
"{9e879e42-bc8e-890b-0b3c-960fa76c8c2b}"="C:\WINDOWS\system32\zrvtjoypnqbw.dll" []
"C:\WINDOWS\system32\kdddz.exe"="C:\WINDOWS\system32\kdddz.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Wij"="C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [8/17/2006 7:37:10 AM]
D-Link AirPlus Xtreme G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe [6/21/2008 12:37:03 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/9/2006 8:13:38 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 1:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9C28EAFB-FF50-4F42-8D39-A006129CC907}"= C:\WINDOWS\system32\khfETmnn.dll [ ]
"{36953122-9F7C-4461-AF35-E23242461FD7}"= C:\WINDOWS\system32\urqNETmn.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ovFGmn"= {98B0191F-321A-B3B5-2FD0-D96E95EE0F61} - C:\WINDOWS\system32\kfdh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcBqolj]
efcBqolj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfETmnn]
khfETmnn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 05/28/2008 12:32 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh]
C:\WINDOWS\system32\pmkhh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNETmn]
urqNETmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=flyidfuj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awttsQgh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948c1d54-01a2-11dc-a239-0015c54b8ed3}]
AutoRun\command- E:\podcastready.exe




-- End of Deckard's System Scanner: finished at 2008-08-17 13:14:11 ------------

I'll also try and post the old extra.txt notepad.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2400 @ 1.83GHz
CPU 1: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1014.11 MiB / 569.31 MiB
Pagefile Memory (total/avail): 2441.76 MiB / 2119.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.49 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.83 GiB total, 29.99 GiB free.

\\.\PHYSICALDRIVE0 - Hitachi HTS721060G9SA00 - 55.89 GiB - 2 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 55.83 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: Symantec AntiVirus Corporate Edition v9.0.5.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jlaxaman\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JLAXAMANA-LT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jlaxaman
LOGONSERVER=\\SOLOMON
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jlaxaman\LOCALS~1\Temp
TMP=C:\DOCUME~1\jlaxaman\LOCALS~1\Temp
USERDOMAIN=RUDOLPH_LAN
USERNAME=jlaxaman
USERPROFILE=C:\Documents and Settings\jlaxaman
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

jlaxaman (admin)
neptune (admin)
rmontoya (new local, admin, net ready)
archie (admin)
admin (new local, admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
AT&T Global Network Client --> C:\Program Files\AT&T Global Network Client\NetUN.exe
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Broadcom Advanced Control Suite --> MsiExec.exe /X{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
D-Link AirPlus Xtreme G Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52A5F706-2FCC-4C14-9E9A-345C2DCB25E9}\Setup.exe" -l0x9
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Enhancement Browser Tools Gooochi --> C:\WINDOWS\system32\duofmsrxys.exe
Eqt32 3.16 --> \UNWISE.EXE C:\PROGRA~1\
FileMaker Pro 8.5 --> MsiExec.exe /I{DC4C464D-416A-4F42-B212-8B744C1BB4AE}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
iBaan Windows --> MsiExec.exe /I{150662E1-E17E-4EDF-897D-7B3CD3FA90E1}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LogMeIn --> MsiExec.exe /I{FCD06104-04F6-45AA-886B-0FB75C7EED3D}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office 2000 SR-1 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Virtual PC 2004 --> MsiExec.exe /X{CCCAFDDE-ECEC-4AE4-BD97-047076BBD4A9}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
PowerDVD 5.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Symantec AntiVirus --> MsiExec.exe /I{2CFECCAA-8CB0-459B-9636-40430DBC8951}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WebEx --> C:\PROGRA~1\WebEx\atcliun.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type27425 / Error
Event Submitted/Written: 08/17/2008 00:40:03 PM
Event ID/Source: 56 / LiveUpdate
Event Description:
6002: LiveUpdate failed because the LiveUpdate package could not be uncompressed.

Make sure your disk is not full and run LiveUpdate again.

Event Record #/Type27422 / Error
Event Submitted/Written: 08/17/2008 00:39:24 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: The data is invalid.

Event Record #/Type27421 / Error
Event Submitted/Written: 08/17/2008 00:23:53 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type27414 / Error
Event Submitted/Written: 08/17/2008 00:22:53 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type27408 / Error
Event Submitted/Written: 08/17/2008 00:02:26 PM / 08/17/2008 00:02:27 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.Blusod in File: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\baka[1].ext by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type75283 / Warning
Event Submitted/Written: 08/17/2008 00:38:56 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {5BC98849-3FD5-4874-ABAA-722FDAEC0F67}

Host Name : JLaxamana-LT

Primary Domain Suffix : RTEC.NET

DNS server list :

192.168.0.1

Sent update to server : <?>

IP Address(es) :

192.168.0.5


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type75282 / Error
Event Submitted/Written: 08/17/2008 00:38:28 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Event Record #/Type75281 / Warning
Event Submitted/Written: 08/17/2008 00:38:28 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.

Event Record #/Type75280 / Error
Event Submitted/Written: 08/17/2008 00:27:55 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type75278 / Error
Event Submitted/Written: 08/17/2008 00:23:26 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-08-17 12:41:10 ------------
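Added example, not part of this thread and not HijackThis's own code: the checks a helper applies by eye when reading the O2/O4/O20/O21 lines above, written out as a small Python triage script. The sample lines are copied from the log above, with one clean entry per section kept as a control. The always-review list (AppInit_DLLs, Winlogon Notify, SSODL load points), the gibberish-name heuristic and the host-binary skip list are this example's assumptions; the rule that a `?` inside a path marks a character HijackThis could not render rests on the OTMoveIt2 output later in the thread, where the same `??sembly` folder comes back as `аѕsembly`.

```python
import re

# Constructed sample: entries copied from the HijackThis section posted above,
# with a known-good line from each section kept as a control.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3170C42F-5C0A-4AFA-8D42-C1AB0A0AFD58} - C:\WINDOWS\system32\khfFwxVP.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [98b019b1] rundll32.exe "C:\WINDOWS\system32\bqciwrgx.dll",b
O4 - HKLM\..\Run: [{9e879e42-bc8e-890b-0b3c-960fa76c8c2b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\zrvtjoypnqbw.dll" DllStart
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdddz.exe] C:\WINDOWS\system32\kdddz.exe
O4 - HKCU\..\Run: [Wij] "C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe"
O20 - AppInit_DLLs: flyidfuj.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O21 - SSODL: ovFGmn - {98B0191F-321A-B3B5-2FD0-D96E95EE0F61} - C:\WINDOWS\system32\kfdh.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Load points that put code into every process or into the logon path (assumed
# list for this example); any non-empty entry here is reviewed regardless of name.
ALWAYS_REVIEW = {"O20 - AppInit_DLLs", "O20 - Winlogon Notify", "O21 - SSODL"}

# Host binaries whose job is to load someone else's DLL: judge the DLL, not the host.
HOST_BINARIES = {"rundll32", "regsvr32"}

# A Windows path ending in .dll/.exe (lazy, so it stops at the first extension).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
# The file-name stem of every .dll/.exe mentioned, with or without a path.
STEM_RE = re.compile(r'([^\\\s"\[\]]+)\.(?:dll|exe)\b', re.IGNORECASE)

VOWELS = set("aeiouy")


def looks_gibberish(stem):
    """Heuristic (an assumption, not a rule): four or more consonants in a row,
    or fewer than one vowel per four letters, reads like a generated name."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or sum(c in VOWELS for c in letters) / len(letters) < 0.25


def flags_for(line):
    """Sorted list of reasons a single HijackThis line deserves a look."""
    section = line.split(":", 1)[0].strip()            # e.g. "O20 - AppInit_DLLs"
    flags = set()
    if section in ALWAYS_REVIEW:
        flags.add("always-review load point")
    if "(file missing)" in line:
        flags.add("file missing")                        # registration outlived its payload
    if section.startswith(("O2 ", "O4 ", "O20", "O21")):
        for stem in STEM_RE.findall(line):
            if stem.lower() not in HOST_BINARIES and looks_gibberish(stem):
                flags.add("gibberish name")
        for path in PATH_RE.findall(line):
            # '?' is not legal in a Windows file name; HijackThis prints it in
            # place of characters it cannot render, so it marks a non-ASCII name.
            if "?" in path:
                flags.add("non-ASCII path (shown as ?)")
    return sorted(flags)


def triage(log_text):
    """Map each HijackThis line that trips a rule to its sorted list of reasons."""
    results = {}
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        flags = flags_for(line)
        if flags:
            results[line] = flags
    return results


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(", ".join(reasons).ljust(48), line[:70])
```

Two things the run makes visible. The rules agree on the entries the helper went after: every "(file missing)" BHO and Winlogon Notify entry, the rundll32-launched DLLs with generated names, and the `??sembly` path all come out flagged, while the Adobe, Apoint and Symantec control lines stay silent. The name heuristic also trips on `hkcmd.exe`, Intel's graphics hotkey helper, which is listed as a legitimate Run entry in this same log; that is why "gibberish name" means verify (vendor, signature, whether the file still exists), never delete on its own.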

#12
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\drivers\527d489f.sys"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\system32\drivers\527d489f.sys

  • Click Open.
  • Click Post.
Thank you!



Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\drivers\527d489f.sys
    C:\WINDOWS\system32\duofmsrxys.exe
    C:\Program Files\Common Files\?racle /u
    C:\WINDOWS\system32\hgQsttwa.ini2
    C:\WINDOWS\system32\nWELlUtv.ini2
    C:\WINDOWS\system32\AIhOnnnn.ini2
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948c1d54-01a2-11dc-a239-0015c54b8ed3}
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Reboot and post a new HJT log.

#13
Potatomoto
    Member
  • Topic Starter
  • 10 posts
I have my new HJT log right here after I rebooted.

Explorer killed successfully
File move failed. C:\WINDOWS\system32\drivers\527d489f.sys scheduled to be moved on reboot.
C:\WINDOWS\system32\duofmsrxys.exe moved successfully.
< C:\Program Files\Common Files\?racle /u >
C:\Program Files\Common Files\Оracle moved successfully.
C:\WINDOWS\system32\hgQsttwa.ini2 moved successfully.
C:\WINDOWS\system32\nWELlUtv.ini2 moved successfully.
C:\WINDOWS\system32\AIhOnnnn.ini2 moved successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948c1d54-01a2-11dc-a239-0015c54b8ed3} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948c1d54-01a2-11dc-a239-0015c54b8ed3}\\ deleted successfully.
< purity >
C:\WINDOWS\ѕуstem32 moved successfully.
C:\WINDOWS\system32\ΑрpPatch moved successfully.
C:\WINDOWS\system32\Μіcrosoft moved successfully.
C:\WINDOWS\system32\Sуmantec moved successfully.
C:\WINDOWS\system32\Таsks moved successfully.
C:\Documents and Settings\jlaxaman\My Documents\аѕsembly moved successfully.
C:\Documents and Settings\jlaxaman\My Documents\sуstem moved successfully.
C:\Documents and Settings\jlaxaman\My Documents\WіnSxS moved successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08172008_135026

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\527d489f.sys scheduled to be moved
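The `purity` step in the OTMoveIt2 output above removed folders whose names imitate real system folders with Cyrillic and Greek look-alike letters (ѕуstem32, Оracle, ΑрpPatch, аѕsembly and so on), which is also why HijackThis printed them with `?`. Added example, not OTMoveIt2's code: a Python scan that finds such names in a directory listing, maps each one back to the Latin name it imitates, and pairs it with the genuine folder it shadows when one exists. The look-alike table is a small hand-picked subset of Unicode confusables (an assumption, not the full list), keyed by code point so nothing depends on how the file is displayed; the sample paths are constructed from the names in the log above plus one genuine folder and one accented but honest name.

```python
# Hand-picked look-alike table (an assumption, not the full Unicode confusables
# list): Cyrillic and Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # а е о р с
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",   # у х ѕ і ј
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",   # А В Е К М
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",   # Н О Р С Т
    "\u0425": "X",                                                              # Х
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0396": "Z", "\u0397": "H",   # Α Β Ε Ζ Η
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",   # Ι Κ Μ Ν Ο
    "\u03a1": "P", "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X", "\u03bf": "o",   # Ρ Τ Υ Χ ο
}

# Constructed sample, built from the folder names the purity step reported
# above, plus one genuine folder and one accented (but honest) name.
SAMPLE_PATHS = [
    "C:\\WINDOWS\\system32",                                                  # genuine
    "C:\\WINDOWS\\\u0455\u0443stem32",                                        # ѕуstem32
    "C:\\WINDOWS\\system32\\\u0391\u0440pPatch",                              # ΑрpPatch
    "C:\\WINDOWS\\system32\\\u039c\u0456crosoft",                             # Μіcrosoft
    "C:\\WINDOWS\\system32\\S\u0443mantec",                                   # Sуmantec
    "C:\\WINDOWS\\system32\\\u0422\u0430sks",                                 # Таsks
    "C:\\Program Files\\Common Files\\\u041eracle",                           # Оracle
    "C:\\Documents and Settings\\jlaxaman\\My Documents\\\u0430\u0455sembly", # аѕsembly
    "C:\\Documents and Settings\\jlaxaman\\My Documents\\W\u0456nSxS",        # WіnSxS
    "C:\\Program Files\\Caf\u00e9 Tools",                                     # non-ASCII, not a look-alike
]


def leaf(path):
    """Last path component (the folder or file name itself)."""
    return path.rsplit("\\", 1)[-1]


def skeleton(name):
    """Replace every look-alike with its Latin twin; return (latin_form, substitutions)."""
    out, hits = [], 0
    for ch in name:
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
            hits += 1
        else:
            out.append(ch)
    return "".join(out), hits


def classify(path):
    """'clean' (pure ASCII), 'homoglyph' (ASCII once look-alikes are swapped) or 'non-ascii'."""
    name = leaf(path)
    if name.isascii():
        return "clean"
    latin, hits = skeleton(name)
    return "homoglyph" if hits and latin.isascii() else "non-ascii"


def scan(paths):
    """(path, verdict, latin_form) for every path whose leaf is not pure ASCII."""
    return [(p, classify(p), skeleton(leaf(p))[0]) for p in paths if classify(p) != "clean"]


def mimicked(paths):
    """For each homoglyph path, the genuine path in the same listing it imitates (or None)."""
    genuine = {leaf(p).lower(): p for p in paths if p.isascii()}
    return {p: genuine.get(latin.lower())
            for p, verdict, latin in scan(paths) if verdict == "homoglyph"}


if __name__ == "__main__":
    for path, verdict, latin in scan(SAMPLE_PATHS):
        print(f"{verdict:10} {path!r:72} -> {latin}")
```

The split between "homoglyph" and "non-ascii" is the point: an accented folder name is ordinary on a non-English machine, but a name that becomes `system32` or `Oracle` only after swapping Cyrillic or Greek letters for their Latin twins has no honest reason to exist next to the real one, and the `mimicked` pairing is what you would hand to a removal script such as the `purity` step above.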

#14
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Do this as well, please.

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#15
Potatomoto
    Member
  • Topic Starter
  • 10 posts
Hello again Rorschach,

Sorry it has been taking me so long to respond, but I am having a little trouble with ComboFix.
The main problem right now is that when I try to drag the symbol onto ComboFix, it automatically starts ComboFix and the Microsoft link will not go away; instead the ComboFix link disappears.

The ComboFix link also doesn't look like the one in the instructions, and neither does my link to my Windows Recovery Console :)

:)
Although on the bright side, when I opened my World of Warcraft, there wasn't a detection of a trojan hacker on my comp.





