
Virus Alert on Toolbar with log [RESOLVED]



#1 saded (Member, 39 posts)
Hi... I have encountered similar problems. I've read through the instructions and run the scan. The following is the log. Help is appreciated. Thanks a lot (=

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20: VIRUS ALERT!, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\lphcgwlj0e59j.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\scvhsot.exe
C:\Documents and Settings\Vlad\Desktop\HiJackThis.exe

F3 - REG:win.ini: run="C:\Documents and Settings\Vlad\Application Data\Adobe\Manager.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\3?35.exe
O3 - Toolbar: fdkowvbp - {C3FCD4C3-09EA-42DA-BED3-5452445EF824} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QQKAV] C:\WINDOWS\system32\scvhsot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MicrosoftUpdate] C:\WINDOWS\system32\MSServx.exe
O4 - HKLM\..\Run: [iehelper] C:\WINDOWS\tmpie\iehelper.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lphcgwlj0e59j] C:\WINDOWS\system32\lphcgwlj0e59j.exe
O4 - HKLM\..\Run: [SMrhclwlj0e59j] C:\Program Files\rhclwlj0e59j\rhclwlj0e59j.exe
O4 - HKLM\..\Run: [64822956] rundll32.exe "C:\WINDOWS\system32\kbdexqwg.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: ImationFlashDetect.lnk = C:\Documents and Settings\Vlad\Local Settings\Temp\Imation\ImationFlashDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - AppInit_DLLs: fzxycn.dll sxqtfe.dll udynev.dll fbnbma.dll
O21 - SSODL: oLGZZodsqg - {648229FA-CE28-8350-5996-63147BD717CF} - C:\WINDOWS\system32\av.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5045 bytes
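The HijackThis log above is what the helper reads by eye in the replies that follow. As an added example (not part of this thread and not a HijackThis feature), here is a Python script that triages such a log for the entry classes this one contains: a second UserInit executable, AppInit_DLLs, a policy restriction, an Active Desktop component served from %WINDIR%, and Run entries whose target has a generated-looking name or is a letter-scrambled look-alike of a Windows binary. The sample lines are copied from the log above; the consonant-run test, the look-alike distance of 2 and the KNOWN_SYSTEM allowlist are this example's own assumptions.

```python
"""Triage a HijackThis v2 log for the autostart classes seen in this thread.
Added example: not part of the thread and not a HijackThis feature. The
consonant-run test, the look-alike threshold and KNOWN_SYSTEM are assumptions."""
import re

# Windows binaries a clean XP 'Running processes' section normally shows; a file in
# %WINDIR% or system32 that merely resembles one of them is suspect.
KNOWN_SYSTEM = sorted({"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                       "svchost.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe",
                       "userinit.exe", "rundll32.exe"})

ENTRY_RE = re.compile(r"^(?P<kind>[FO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Base names of files sitting directly in %WINDIR% or %WINDIR%\system32.
SYS_RE = re.compile(r'[A-Z]:\\WINDOWS(?:\\system32)?\\([^\\"\s,]+\.(?:exe|dll|scr))', re.I)

# Constructed sample: lines copied from the first log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\3?35.exe
O3 - Toolbar: fdkowvbp - {C3FCD4C3-09EA-42DA-BED3-5452445EF824} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QQKAV] C:\WINDOWS\system32\scvhsot.exe
O4 - HKLM\..\Run: [64822956] rundll32.exe "C:\WINDOWS\system32\kbdexqwg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: fzxycn.dll sxqtfe.dll udynev.dll fbnbma.dll
O21 - SSODL: oLGZZodsqg - {648229FA-CE28-8350-5996-63147BD717CF} - C:\WINDOWS\system32\av.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'scvhsot' is 2 away from 'svchost' rather than 4."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_random(name):
    """Heuristic (assumption): four or more consonants in a row is typical of
    generated names like 'fdkowvbp' and rare in real product names."""
    return re.search(r"[b-df-hj-np-tv-z]{4}", name, re.I) is not None


def triage(log_text):
    """Return (kind, reason, detail) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "F2" and "UserInit=" in body:
            # The stock value is a single userinit.exe; any extra path runs at every logon.
            extra = [p.strip() for p in body.split("=", 1)[1].split(",")
                     if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
            if extra:
                findings.append((kind, "extra UserInit executable", ", ".join(extra)))
        elif kind == "O7":
            # Policy values such as DisableRegedit/DisableTaskMgr hinder cleanup.
            findings.append((kind, "policy restriction set", body.rsplit(", ", 1)[-1]))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:  # each DLL here is loaded into every process that uses user32.dll
                findings.append((kind, "AppInit_DLLs injection", " ".join(dlls)))
        elif kind in ("O3", "O21"):
            name = body.split(": ", 1)[1].split(" - ", 1)[0]
            if looks_random(name):
                findings.append((kind, "generated-looking name", name))
        elif kind == "O24" and re.search(r"file:///[A-Z]:\\WINDOWS", body, re.I):
            findings.append((kind, "desktop component served from %WINDIR%",
                             body.split(": ", 1)[1]))
        elif kind == "O4":
            m4 = O4_RE.match(body)
            if not m4:
                continue
            name, cmd = m4.group("name"), m4.group("cmd")
            if name.isdigit():
                findings.append((kind, "numeric Run entry name", name))
            for target in (t.lower() for t in SYS_RE.findall(cmd)):
                if target in KNOWN_SYSTEM:
                    continue
                alike = [k for k in KNOWN_SYSTEM if 0 < osa_distance(target, k) <= 2]
                if alike:
                    findings.append((kind, "look-alike of " + alike[0], target))
                elif looks_random(target.rsplit(".", 1)[0]):
                    findings.append((kind, "generated-looking name in system dir", target))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason:40} {detail}")
```

Entries the script leaves alone (LVCOMSX, QuickTime, ctfmon) are the ones the helper also leaves in place in the later replies; the flagged ones are those the fix scripts remove.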



#2 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 saded (Topic Starter, Member, 39 posts)
I ran SDFix and it seems like there is not enough memory. Do I uninstall some programs?

#4 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
Just go and run ComboFix then; we will deal with that later.

#5 saded (Topic Starter, Member, 39 posts)
I'm sorry. Do I run ComboFix in Safe Mode? Sorry, sorry.

#6 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
No problem

Run ComboFix in normal mode

#7 saded (Topic Starter, Member, 39 posts)
I've dragged the recovery onto ComboFix and the bar doesn't seem to be moving. Will it take some time? And there are pop-ups. I hope it doesn't affect the progress?

#8 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
Shouldn't take too long

You can just go and run ComboFix normally then if it doesn't seem to work

#9 saded (Topic Starter, Member, 39 posts)
Then how do I terminate the one that's already running halfway?

#10 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
If it looks like it is running then leave it

If it has frozen just exit or use CTRL+ALT+DEL to stop it



#11 saded (Topic Starter, Member, 39 posts)
My Task Manager has been disabled by the virus, and the program seemed to have frozen there.

#12 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
Try running it in Safe Mode.

#13 saded (Topic Starter, Member, 39 posts)
ComboFix 08-09-20.05 - Vlad 2008-09-22 10:40:47.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.104 [GMT -8:00]
Running from: C:\Documents and Settings\Vlad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vlad\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\Vlad\Application Data\Adobe\Manager.exe
C:\Documents and Settings\Vlad\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Vlad\Application Data\rhclwlj0e59j
C:\Documents and Settings\Vlad\Cookies\[email protected][2].txt
C:\Documents and Settings\Vlad\Cookies\vlad@insightexpressai[2].txt
C:\Documents and Settings\Vlad\Cookies\vlad@serving-sys[1].txt
C:\Documents and Settings\Vlad\Cookies\vlad@specificclick[1].txt
C:\Documents and Settings\Vlad\Cookies\vlad@statcounter[1].txt
C:\Documents and Settings\Vlad\Favorites\Error Cleaner.url
C:\Documents and Settings\Vlad\Favorites\Privacy Protector.url
C:\Documents and Settings\Vlad\Favorites\Spyware&Malware Protection.url
C:\Program Files\Common Files\goskdl.dll
C:\Program Files\Internet Explorer\rksldk.bak
C:\Program Files\Internet Explorer\rksldk.dll
C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\ewte.exe
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbkvn.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\blphcgwlj0e59j.scr
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\jkkLCstu.dll
C:\WINDOWS\system32\lphcgwlj0e59j.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\phcgwlj0e59j.bmp
C:\WINDOWS\system32\pphcgwlj0e59j.exe
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\Update.exe
C:\WINDOWS\system32\utsCLkkj.ini
C:\WINDOWS\system32\utsCLkkj.ini2
C:\WINDOWS\wnslvxtf.dll
C:\WINDOWS\xml2u32h.dll

----- BITS: Possible infected sites -----

http://pornotube8.net
.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 10:28 . 2008-09-22 10:28 244 --ah----- C:\sqmnoopt19.sqm
2008-09-21 19:25 . 2008-09-21 19:25 244 --ah----- C:\sqmnoopt18.sqm
2008-09-21 19:25 . 2008-09-21 19:25 232 --ah----- C:\sqmdata19.sqm
2008-09-21 19:15 . 2008-09-21 19:15 244 --ah----- C:\sqmnoopt17.sqm
2008-09-21 19:15 . 2008-09-21 19:15 232 --ah----- C:\sqmdata18.sqm
2008-09-21 18:43 . 2008-09-21 18:43 <DIR> d-------- C:\SDFix
2008-09-21 14:26 . 2008-09-21 14:26 268 --ah----- C:\sqmdata17.sqm
2008-09-21 14:26 . 2008-09-21 14:26 244 --ah----- C:\sqmnoopt16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 268 --ah----- C:\sqmdata16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 244 --ah----- C:\sqmnoopt15.sqm
2008-09-21 14:06 . 2008-09-21 14:06 244 --ah----- C:\sqmnoopt14.sqm
2008-09-21 14:06 . 2008-09-21 14:06 232 --ah----- C:\sqmdata15.sqm
2008-09-21 13:49 . 2008-09-21 13:49 244 --ah----- C:\sqmnoopt13.sqm
2008-09-21 13:49 . 2008-09-21 13:49 232 --ah----- C:\sqmdata14.sqm
2008-09-08 14:07 . 2008-09-08 14:07 232 --ah----- C:\sqmdata13.sqm
2008-09-05 15:49 . 2008-09-05 15:49 244 --ah----- C:\sqmnoopt12.sqm
2008-09-05 15:49 . 2008-09-05 15:49 232 --ah----- C:\sqmdata12.sqm
2008-09-05 14:16 . 2008-09-05 14:16 268 --ah----- C:\sqmdata11.sqm
2008-09-05 14:16 . 2008-09-05 14:16 244 --ah----- C:\sqmnoopt11.sqm
2008-09-05 14:12 . 2008-09-05 14:12 244 --ah----- C:\sqmnoopt10.sqm
2008-09-05 14:12 . 2008-09-05 14:12 232 --ah----- C:\sqmdata10.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmnoopt09.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmdata09.sqm
2008-09-04 16:43 . 2008-09-04 16:43 132,224 --a------ C:\WINDOWS\system32\jmotynoy.dll
2008-09-04 16:43 . 2008-09-04 16:43 132,224 --a------ C:\WINDOWS\system32\fbnbma.dll
2008-09-04 16:42 . 2008-09-22 10:59 355 ---hs---- C:\WINDOWS\system32\gwqxedbk.ini
2008-09-04 16:41 . 2008-09-04 16:42 98,944 --a------ C:\WINDOWS\system32\kbdexqwg.dll
2008-09-03 14:17 . 2008-09-03 14:17 120,448 --a------ C:\WINDOWS\system32\xrsfcvvy.dll
2008-09-03 14:17 . 2008-09-03 14:17 120,448 --a------ C:\WINDOWS\system32\wljfbm.dll
2008-09-03 14:15 . 2008-09-04 16:41 1,337,721 --ahs---- C:\WINDOWS\system32\nowtwdhs.ini
2008-09-03 01:48 . 2008-09-03 01:48 121,472 --a------ C:\WINDOWS\system32\uubeub.dll
2008-09-03 01:48 . 2008-09-03 01:48 121,472 --a------ C:\WINDOWS\system32\rpburwlj.dll
2008-09-03 01:46 . 2008-09-03 14:15 354 --ahs---- C:\WINDOWS\system32\jxfbcydt.ini
2008-09-01 14:27 . 2008-09-01 14:27 268 --ah----- C:\sqmdata08.sqm
2008-09-01 14:27 . 2008-09-01 14:27 244 --ah----- C:\sqmnoopt08.sqm
2008-09-01 14:13 . 2008-09-01 14:13 121,472 --a------ C:\WINDOWS\system32\xmjvtdra.dll
2008-09-01 14:13 . 2008-09-01 14:13 121,472 --a------ C:\WINDOWS\system32\qcdhft.dll
2008-09-01 14:12 . 2008-09-01 14:12 1,345,996 --ahs---- C:\WINDOWS\system32\usvvtceu.ini
2008-09-01 14:11 . 2008-09-01 14:11 99,456 --a------ C:\WINDOWS\system32\uectvvsu.dll
2008-08-30 23:46 . 2008-09-03 01:46 1,346,236 --ahs---- C:\WINDOWS\system32\psytoqsp.ini
2008-08-30 23:46 . 2008-08-30 23:46 104,064 --a------ C:\WINDOWS\system32\psqotysp.dll
2008-08-30 23:43 . 2008-08-30 23:43 121,472 --a------ C:\WINDOWS\system32\jyspvi.dll
2008-08-30 23:43 . 2008-08-30 23:43 121,472 --a------ C:\WINDOWS\system32\dwrfkjqv.dll
2008-08-30 23:41 . 2008-08-30 23:41 1,336,794 --ahs---- C:\WINDOWS\system32\wkoyxslc.ini
2008-08-30 23:41 . 2008-08-30 23:41 104,064 --a------ C:\WINDOWS\system32\clsxyokw.dll
2008-08-29 09:42 . 2008-08-29 09:42 268 --ah----- C:\sqmdata07.sqm
2008-08-29 09:42 . 2008-08-29 09:42 244 --ah----- C:\sqmnoopt07.sqm
2008-08-29 09:07 . 2008-08-29 09:07 135,936 --a------ C:\WINDOWS\system32\xghbdn.dll
2008-08-29 09:07 . 2008-08-29 09:07 135,936 --a------ C:\WINDOWS\system32\ifollcil.dll
2008-08-29 09:06 . 2008-08-30 23:41 354 --ahs---- C:\WINDOWS\system32\bfyjkmqq.ini
2008-08-28 03:28 . 2008-08-28 03:28 268 --ah----- C:\sqmdata06.sqm
2008-08-28 03:28 . 2008-08-28 03:28 244 --ah----- C:\sqmnoopt06.sqm
2008-08-27 14:34 . 2008-08-27 14:34 136,448 --a------ C:\WINDOWS\system32\udynev.dll
2008-08-27 14:34 . 2008-08-27 14:34 136,448 --a------ C:\WINDOWS\system32\epawmsxo.dll
2008-08-27 14:33 . 2008-08-29 09:06 1,365,816 --ahs---- C:\WINDOWS\system32\reqvyjjd.ini
2008-08-26 10:34 . 2008-08-26 10:34 268 --ah----- C:\sqmdata05.sqm
2008-08-26 10:34 . 2008-08-26 10:34 244 --ah----- C:\sqmnoopt05.sqm
2008-08-25 13:16 . 2008-08-27 14:32 1,360,267 --ahs---- C:\WINDOWS\system32\pwhhirwv.ini
2008-08-25 13:15 . 2008-08-25 13:15 135,936 --a------ C:\WINDOWS\system32\vxxmpunf.dll
2008-08-25 13:15 . 2008-08-25 13:15 135,936 --a------ C:\WINDOWS\system32\sxqtfe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 00:40 94,208 ----a-w C:\WINDOWS\system32\28.tmp
2008-09-04 19:02 94,208 ----a-w C:\WINDOWS\system32\27.tmp
2008-09-04 06:26 94,208 ----a-w C:\WINDOWS\system32\23.tmp
2008-09-01 22:27 --------- d-----w C:\Documents and Settings\Vlad\Application Data\DNA
2008-09-01 22:13 --------- d-----w C:\Program Files\DNA
2008-08-29 17:05 94,208 ----a-w C:\WINDOWS\system32\11.tmp
2008-08-26 18:04 94,208 ----a-w C:\WINDOWS\system32\12.tmp
2008-08-26 18:04 94,208 ----a-w C:\WINDOWS\system32\10.tmp
2008-08-04 20:29 98,688 ----a-w C:\WINDOWS\system32\tikfmtqb.dll
2008-08-04 20:26 130,432 ----a-w C:\WINDOWS\system32\sranscdo.dll
2008-08-04 20:26 130,432 ----a-w C:\WINDOWS\system32\fzxycn.dll
2008-08-04 20:12 34,688 ----a-w C:\WINDOWS\system32\xxywXNGA.dll
2008-08-04 20:12 34,688 ----a-w C:\WINDOWS\system32\jkkLDULE.dll
2008-08-04 20:11 --------- d-----w C:\Documents and Settings\Vlad\Application Data\TmpRecentIcons
2008-07-11 06:36 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-03 12:45 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2008-03-12 04:21 0 ----a-w C:\Program Files\temp01
2007-02-27 00:17 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

------- Sigcheck -------

md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2006-11-20 00:50 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-11-20 00:50 360576 c3b02652a90ca57b1b2891939d69fcca C:\WINDOWS\system32\drivers\tcpip.sys

md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ACE626E-2B10-4D8F-B1F2-562806837CEE}]
2008-09-22 11:03 326144 --a------ C:\WINDOWS\system32\mlJAtuRL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9991be66-c524-4a0f-9da9-4e70022f8d94}]
2008-09-22 11:07 136832 --a------ C:\WINDOWS\system32\aohwpu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A596175D-BBC7-476A-A152-FBA652B64505}]
2008-08-04 12:12 34688 --a------ C:\WINDOWS\system32\xxywXNGA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-11-07 3739672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-04 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"MicrosoftUpdate"="C:\WINDOWS\system32\MSServx.exe" [2007-10-09 408092]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"64822956"="C:\WINDOWS\system32\rfichrqc.dll" [2008-09-22 104064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A596175D-BBC7-476A-A152-FBA652B64505}"= "C:\WINDOWS\system32\xxywXNGA.dll" [2008-08-04 34688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"oLGZZodsqg"= {648229FA-CE28-8350-5996-63147BD717CF} - C:\WINDOWS\system32\av.dll [2006-11-20 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywXNGA]
2008-08-04 12:12 34688 C:\WINDOWS\system32\xxywXNGA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mlJAtuRL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"MSUpdateSvc"= C:\WINDOWS\system32\MSServx.exe
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24955:TCP"= 24955:TCP:BitComet 24955 TCP
"24955:UDP"= 24955:UDP:BitComet 24955 UDP

R2 U3SDR200;U3SDR200;C:\WINDOWS\System32\Drivers\U3SDR200.SYS [2008-04-05 4224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7311c26a-0399-11dd-be26-0011092bf597}]
\Shell\Auto\command - sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dca1e17c-9399-11db-b8aa-0011092bf597}]
\Shell\Auto\command - E:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{16B9803C-EA16-4B98-A18B-6EB9569CEA0E} - C:\WINDOWS\system32\jkkLCstu.dll
HKCU-Run-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
HKLM-Run-QQKAV - C:\WINDOWS\system32\scvhsot.exe
HKLM-Run-lphcgwlj0e59j - C:\WINDOWS\system32\lphcgwlj0e59j.exe
HKLM-Run-SMrhclwlj0e59j - C:\Program Files\rhclwlj0e59j\rhclwlj0e59j.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Vlad\Application Data\Mozilla\Firefox\Profiles\6a42s84v.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 10:58:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\mlJAtuRL.dll 326144 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xxywXNGA.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\rfichrqc.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-09-22 11:09:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 19:09:20

Pre-Run: 3,323,801,600 bytes free
Post-Run: 4,189,777,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

268

#14 saded (Topic Starter, Member, 39 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54, on 9/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\scvhsot.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Vlad\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MicrosoftUpdate] C:\WINDOWS\system32\MSServx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [64822956] rundll32.exe "C:\WINDOWS\system32\rfichrqc.dll",b
O4 - HKLM\..\Run: [QQKAV] C:\WINDOWS\system32\scvhsot.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: ImationFlashDetect.lnk = C:\Documents and Settings\Vlad\Local Settings\Temp\Imation\ImationFlashDetect.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O21 - SSODL: oLGZZodsqg - {648229FA-CE28-8350-5996-63147BD717CF} - C:\WINDOWS\system32\av.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4043 bytes

#15 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
Hello

Plug your USB key in for this


Open notepad and copy/paste the text in the quotebox below into it:
http://www.geekstogo.com/forum/Virus-Alert-Toolbar-log-t212449.html

Collect::
C:\WINDOWS\system32\jmotynoy.dll
C:\WINDOWS\system32\fbnbma.dll
C:\WINDOWS\system32\gwqxedbk.ini
C:\WINDOWS\system32\kbdexqwg.dll
C:\WINDOWS\system32\xrsfcvvy.dll
C:\WINDOWS\system32\wljfbm.dll
C:\WINDOWS\system32\nowtwdhs.ini
C:\WINDOWS\system32\uubeub.dll
C:\WINDOWS\system32\rpburwlj.dll
C:\WINDOWS\system32\jxfbcydt.ini
C:\WINDOWS\system32\xmjvtdra.dll
C:\WINDOWS\system32\qcdhft.dll
C:\WINDOWS\system32\usvvtceu.ini
C:\WINDOWS\system32\uectvvsu.dll
C:\WINDOWS\system32\psytoqsp.ini
C:\WINDOWS\system32\psqotysp.dll
C:\WINDOWS\system32\jyspvi.dll
C:\WINDOWS\system32\dwrfkjqv.dll
C:\WINDOWS\system32\wkoyxslc.ini
C:\WINDOWS\system32\clsxyokw.dll
C:\WINDOWS\system32\xghbdn.dll
C:\WINDOWS\system32\ifollcil.dll
C:\WINDOWS\system32\bfyjkmqq.ini
C:\WINDOWS\system32\udynev.dll
C:\WINDOWS\system32\epawmsxo.dll
C:\WINDOWS\system32\reqvyjjd.ini
C:\WINDOWS\system32\pwhhirwv.ini
C:\WINDOWS\system32\vxxmpunf.dll
C:\WINDOWS\system32\sxqtfe.dll
C:\WINDOWS\system32\28.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\11.tmp
 C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\tikfmtqb.dll
C:\WINDOWS\system32\sranscdo.dll
C:\WINDOWS\system32\fzxycn.dll
C:\WINDOWS\system32\xxywXNGA.dll
C:\WINDOWS\system32\jkkLDULE.dll
C:\Program Files\temp01
E:\sss.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7311c26a-0399-11dd-be26-0011092bf597}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dca1e17c-9399-11db-b8aa-0011092bf597}]

Sysrst::

Suspect::
Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
