
Help..Laptop infected and don't know how to fix



#1
abcd916

    New Member

  • Member
  • 7 posts
Hi. My computer's been having a lot of problems lately. When I start it up my desktop icons disappear and there's a message that shows up after startup which says RUNDLL Error loading C:\WINDOW\System32\alxbqfbx.dll. Also I am having problems connecting to the internet. Hopefully someone can help me with this. Thanks.

Edited by abcd916, 08 July 2007 - 09:46 PM.

#2
abcd916

    New Member

  • Topic Starter
  • Member
  • 7 posts
Here is my hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 10:27:04 PM, on 7/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\download\jhan91683\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.128126.cn/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\explorer.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7C8F0287E55E246220D9E728F80D6664366DB7D5175E744AB97
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\alxbqfbx.dll",realset
O4 - HKLM\..\Run: [RAV009F] C:\WINDOWS\System32\RAV009F.exe
O4 - HKLM\..\Run: [Microsoft Autorun10] C:\WINDOWS\System32\nwizwmgjs.exe
O4 - HKLM\..\Run: [whqvts87] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\whqvts87.dll",Start
O4 - HKLM\..\Run: [pblama15] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\pblama15.dll",Start
O4 - HKLM\..\Run: [hhifjr61] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\hhifjr61.dll",DllCanUnloadNow
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mssql.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msapi.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O20 - AppInit_DLLs: qhbpri.dll
O23 - Service: DomainService - - C:\WINDOWS\System32\gsuqktgm.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: DNS Cache (SOCEESe) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
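The log above packs several persistence mechanisms into a few lines: a UserInit value that launches a second binary, Run entries that start rundll32 with random-named DLLs from System32, Winsock LSP files HijackThis cannot identify, a non-empty AppInit_DLLs, and services with no vendor or a missing binary. As an added example (not HijackThis code or anything posted in this thread), the script below triages such a log with exactly those rules; the sample lines are copied from the log above, and the name-randomness thresholds are assumptions.

```python
"""Triage a HijackThis log for persistence entries that deserve a second look.

Added example for this thread, not HijackThis code or anything posted here.
The sample lines are copied from the posted log; the name-randomness
thresholds and the UserInit/AppInit rules are assumptions made for illustration.
"""
import re

# Constructed sample: a subset of the log posted above (raw string, so the
# backslashes are literal).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\explorer.exe,
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\alxbqfbx.dll",realset
O4 - HKLM\..\Run: [whqvts87] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\whqvts87.dll",Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msapi.dll
O20 - AppInit_DLLs: qhbpri.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\gsuqktgm.exe
O23 - Service: DNS Cache (SOCEESe) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
"""

VOWELS = set("aeiouy")
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
# A dash is a field separator only when it has whitespace on both sides, so
# 'Hewlett-Packard' stays whole while 'DomainService - - C:\...' yields an
# empty company field.
FIELD_SEP = re.compile(r"(?<=\s)-(?=\s)")


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].strip()


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as 'alxbqfbx' or 'gsuqktgm': almost
    no vowels, or a long run of consonants. Stems shorter than seven
    characters ('ctfmon', 'msapi') are too short to score and are skipped.
    The 7 / 0.25 / 4 thresholds are assumptions, not a published standard."""
    stem = name.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 7 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-xz]+", stem)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def triage(log_text: str) -> list:
    """Return one finding {'kind', 'why', 'line'} per entry that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        why = None
        if kind == "F2" and "UserInit=" in line:
            # UserInit should start userinit.exe and nothing else; here the
            # extra entry is an explorer.exe in System32, where the real one
            # never lives.
            targets = [t.strip() for t in line.split("UserInit=", 1)[1].split(",") if t.strip()]
            extra = [t for t in targets if basename(t).lower() != "userinit.exe"]
            if extra:
                why = "UserInit also runs " + ", ".join(extra)
        elif kind == "O4":
            m = RUNDLL_DLL.search(line)
            if m and looks_random(basename(m.group(1))):
                why = "rundll32 loads random-looking DLL " + basename(m.group(1))
        elif kind == "O10":
            why = "Winsock LSP file HijackThis could not identify"
        elif kind == "O20":
            value = line.split("AppInit_DLLs:", 1)[1].strip()
            if value:
                why = "AppInit_DLLs injects %s into every process that loads user32" % value
        elif kind == "O23":
            parts = [p.strip() for p in FIELD_SEP.split(line)]
            if len(parts) >= 4:
                company, path = parts[2], parts[3]
                exe = basename(path.replace("(file missing)", ""))
                if "(file missing)" in path:
                    why = "service %s points at a missing binary" % exe
                elif company in ("", "Unknown owner") or looks_random(exe):
                    why = "service with no vendor or random-looking binary: " + exe
        if why:
            findings.append({"kind": kind, "why": why, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["kind"], f["why"], f["line"]))
```

The legitimate entries in the sample (WinampAgent, ctfmon.exe, the Google updater service) produce no finding, which is the point of scoring names rather than flagging every System32 path.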

#3
jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Download Combofix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.

#4
abcd916

    New Member

  • Topic Starter
  • Member
  • 7 posts
Here is my ComboFix log.

"Owner" - 2007-07-09 13:06:14 - ComboFix 07-07-09.3 - Service Pack 1


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\efcdbbx.dll
C:\WINDOWS\system32\evmwdvvb.dll
C:\WINDOWS\system32\gdpvyehd.dll
C:\WINDOWS\system32\gktkojps.dll
C:\WINDOWS\system32\ochekhtw.dll
C:\WINDOWS\system32\pmklj.dll
C:\WINDOWS\system32\qlrnmysn.dll
C:\WINDOWS\system32\ruuvyobv.dll
C:\WINDOWS\system32\sleixsis.dll
C:\WINDOWS\system32\tcktwerk.dll
C:\WINDOWS\system32\vwxhtyfw.exe
C:\WINDOWS\system32\lakdfoxh.exe
C:\WINDOWS\system32\gebcbyv.dll
C:\WINDOWS\system32\jkkhghh.dll
C:\WINDOWS\system32\ljjghfc.dll
C:\WINDOWS\system32\bvvdwmve.ini
C:\WINDOWS\system32\dheyvpdg.ini
C:\WINDOWS\system32\spjoktkg.ini
C:\WINDOWS\system32\jlkmp.ini
C:\WINDOWS\system32\vboyvuur.ini
C:\WINDOWS\system32\sisxiels.ini
C:\WINDOWS\system32\krewtkct.ini
C:\WINDOWS\system32\efcbaxv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~2\ALLUSE~1\APPLIC~1.\microsoft\pctools
C:\DOCUME~2\ALLUSE~1\APPLIC~1.\microsoft\pctools\pctools.dll
C:\DOCUME~2\Owner\APPLIC~1.\cuckoo
C:\DOCUME~2\Owner\APPLIC~1.\cuckoo\Host.dat
C:\DOCUME~2\Owner\APPLIC~1.\cuckoo\windows2.log
C:\DOCUME~2\Owner\APPLIC~1.\curity~1
C:\DOCUME~2\Owner\APPLIC~1\Sskdmns.dll
C:\DOCUME~2\Owner\MYDOCU~1.\fnts~1
C:\DOCUME~2\Owner\MYDOCU~1.\fnts~2
C:\Program Files\asks~1
C:\Program Files\Common Files\microsoft shared\msinfo\newinfo.bmt
C:\Program Files\Common Files\microsoft shared\msinfo\SysInfo.yer
C:\Program Files\Common Files\Microsoft Shared\MSInfo\system.2dt
C:\Program Files\Common Files\system\updaterun.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
C:\Program Files\Internet Explorer\plugins\System64.Sys
C:\Program Files\Internet Explorer\vikoj.html
C:\Program Files\NetMeeting\nipybalov83122.dll
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\IA
C:\WINDOWS\KB998013.log
C:\WINDOWS\netdde32.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\rising432.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising913.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\20328.exe
C:\WINDOWS\system32\699F99B4.dat
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\AD22875E.EXE
C:\WINDOWS\system32\adinfo.bin
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\aeuhsigw.exe
C:\WINDOWS\system32\ahjfb.dll
C:\WINDOWS\system32\bhirgnca.exe
C:\WINDOWS\system32\bind_50099.exe
C:\WINDOWS\system32\bind_50201.exe
C:\WINDOWS\system32\cydxuswj.exe
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\dllhost32.exe
C:\WINDOWS\system32\dodolook133.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\hhifjr61.sys
C:\WINDOWS\system32\drivers\pblama15.sys
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\drivers\webhelp.drv
C:\WINDOWS\system32\drivers\webshow.drv
C:\WINDOWS\system32\drivers\whqvts87.sys
C:\WINDOWS\system32\equkjnal.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fd012.exe
C:\WINDOWS\system32\fmxrboqj.exe
C:\WINDOWS\system32\fquwyjlm.exe
C:\WINDOWS\system32\gsuqktgm.exe
C:\WINDOWS\system32\hhifjr61.dll
C:\WINDOWS\system32\hhifjr61.ini
C:\WINDOWS\system32\ijgrmjxc.exe
C:\WINDOWS\system32\juypjxes.exe
C:\WINDOWS\system32\kjromoym.exe
C:\WINDOWS\system32\lnafxfci.exe
C:\WINDOWS\system32\mosou.dll
C:\WINDOWS\system32\mosou.exe
C:\WINDOWS\system32\Msf3sf.sys
C:\WINDOWS\system32\netdde32.exe
C:\WINDOWS\system32\npyuxhyl.exe
C:\WINDOWS\system32\nwizzhuxians.dll
C:\WINDOWS\system32\nwizzhuxians.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\ohrqsjhu.exe
C:\WINDOWS\system32\pblama15.dll
C:\WINDOWS\system32\pnyebv64
C:\WINDOWS\system32\pnyebv64\a.sys
C:\WINDOWS\system32\pnyebv64\pnyebv64.exe
C:\WINDOWS\system32\pnyebv64\staA.dll
C:\WINDOWS\system32\pnyebv64\winA.dll
C:\WINDOWS\system32\prddvnub.exe
C:\WINDOWS\system32\redmcpeh.exe
C:\WINDOWS\system32\remotedbg.dll
C:\WINDOWS\system32\rldsregk.exe
C:\WINDOWS\system32\score.txt
C:\WINDOWS\system32\SysProFile.dll
C:\WINDOWS\system32\SysProFiles.dll
C:\WINDOWS\system32\tgfdxdie.exe
C:\WINDOWS\system32\twaig.dll
C:\WINDOWS\system32\wbem\jtwvl.dll
C:\WINDOWS\system32\wbem\mxkwq.dll
C:\WINDOWS\system32\webhelp.exe
C:\WINDOWS\system32\webshow.dll
C:\WINDOWS\system32\whqvts87.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winama15.bin
C:\WINDOWS\system32\winama15.dll
C:\WINDOWS\system32\winup
C:\WINDOWS\system32\winup\hhifjr61.dll
C:\WINDOWS\system32\winvts87.bin
C:\WINDOWS\system32\winvts87.dll
C:\WINDOWS\system32\winybb49.bin
C:\WINDOWS\system32\wyrhhjuw.exe
C:\WINDOWS\system32\yvravgsi.exe
C:\WINDOWS\system32\zxjybb49
C:\WINDOWS\system32\zxjybb49\winybb49.bin
C:\WINDOWS\system32\zxjybb49\winybb49.dll
C:\WINDOWS\system32\zxjybb49\zxjybb49.dll
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ACPIDISK
-------\LEGACY_CELINDRV
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_HHIFJR61
-------\LEGACY_INVESTOR
-------\LEGACY_NET_AGENT
-------\LEGACY_PBLAMA15
-------\LEGACY_REMOTEDBG
-------\LEGACY_SOCEESE
-------\LEGACY_WHQVTS87
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\DomainService
-------\hhifjr61
-------\Investor
-------\Net Agent
-------\pblama15
-------\RemoteDbg
-------\SOCEESe
-------\whqvts87


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-09 13:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 12:24 8,508 --a------ C:\WINDOWS\system32\RAV009F.exe
2007-07-05 12:24 8,396 --a------ C:\WINDOWS\system32\nwizwmgjs.exe
2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll
2007-07-05 12:24 5,058 --a------ C:\WINDOWS\system32\RAV009F.DAT
2007-07-05 12:24 11,264 --a------ C:\WINDOWS\system32\nwizwmgjs.dll
2007-07-05 12:22 9,844 --a------ C:\WINDOWS\system32\RAV008C.exe
2007-07-05 12:22 9,044 --a------ C:\WINDOWS\system32\RAV00AE.exe
2007-07-05 12:22 6,377 --a------ C:\WINDOWS\system32\RAV008C.DAT
2007-07-05 12:22 5,888 --ah----- C:\WINDOWS\system32\mssock.sys
2007-07-05 12:22 5,600 --a------ C:\WINDOWS\system32\RAV00AE.DAT
2007-07-05 12:22 32,912 --ah----- C:\WINDOWS\system32\mssql.dll
2007-07-05 12:22 19,968 --a------ C:\WINDOWS\system32\nwizwlwzs.exe
2007-07-05 12:22 16,896 --a------ C:\WINDOWS\system32\nwizqjsj.dll
2007-07-05 12:22 11,776 --a------ C:\WINDOWS\system32\nwizwlwzs.dll
2007-07-05 12:22 11,508 --a------ C:\WINDOWS\system32\nwizqjsj.exe
2007-07-05 12:21 13,312 --a------ C:\WINDOWS\system32\mh104.dll
2007-07-05 12:11 8,704 --a------ C:\WINDOWS\system32\Ravasktao.dll
2007-07-05 12:11 7,584 --a------ C:\WINDOWS\system32\Ravasktao.exe
2007-07-05 12:11 11,897 --a------ C:\WINDOWS\TIMHost.exe
2007-07-05 12:11 11,264 --a------ C:\WINDOWS\system32\TIMHost.dll
2007-07-05 02:07 33 --a------ C:\WINDOWS\system32\1u8e00Lgg.dll
2007-07-05 02:06 14,777 --a------ C:\WINDOWS\system32\77DB258C.DLL
2007-07-04 22:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 22:48 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinTouch
2007-07-03 22:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-03 09:42 22,016 --a------ C:\WINDOWS\b138.exe
2007-07-03 00:55 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-03 00:31 97,280 --a-s---- C:\WINDOWS\system32\reginia_sc.exe
2007-07-03 00:29 22,592 --a------ C:\WINDOWS\system32\64Nw3r2k.exe
2007-07-02 23:39 <DIR> d-------- C:\WINDOWS\system32\zslfiles
2007-07-02 23:38 <DIR> d-------- C:\WINDOWS\system32\ZeroSpyware Limited Edition
2007-07-02 23:37 <DIR> d-------- C:\Program Files\FBM Software
2007-07-02 22:53 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinPatrol
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F9
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F5
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F4
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F3
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F2
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-27 04:36 113,901 --a------ C:\WINDOWS\system32\d03.exe
2007-06-19 00:54 <DIR> d-------- C:\Downloads
2007-06-19 00:54 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\GetRightToGo
2007-06-19 00:46 <DIR> d-------- C:\DOCUME~2\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-19 00:14 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-18 11:33 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 18:02:30 45,056 ----a-w C:\WINDOWS\system32\dab1.dll
2007-07-03 05:30:13 -------- d-----w C:\Program Files\Winamp
2007-07-03 04:38:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 04:38:01 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 03:06:02 -------- d-----w C:\DOCUME~2\Owner\APPLIC~1\PandoraTV
2007-06-17 03:05:48 808,720 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-06-17 03:05:48 210,704 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-06-17 03:05:48 206,608 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-06-17 03:05:48 153,360 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-06-17 03:05:48 1,097,488 ----a-w C:\WINDOWS\system32\pavc.dll
2007-05-22 03:57:09 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-22 03:57:09 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-22 03:57:09 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-22 03:57:09 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-22 03:57:09 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-05-19 01:44:12 385,024 ----a-w C:\WINDOWS\DownUpdater.exe
2007-05-14 07:02:40 901,120 ----a-w C:\WINDOWS\system32\OIBox.dll
2007-05-06 01:50:48 132,896 ----a-w C:\WINDOWS\pdrinst2.dll
2007-04-13 10:06:40 159,744 ----a-r C:\WINDOWS\system32\fscagent.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
C:\WINDOWS\System32\jicpfdu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]
C:\WINDOWS\System32\xqhscyi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-03 00:55 126976 --a------ C:\WINDOWS\xhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EssSpkPhone"="essspk.exe" [2001-09-25 19:47 C:\WINDOWS\essspk.exe]
"S3TRAY2"="S3tray2.exe" [2002-02-21 10:38 C:\WINDOWS\system32\S3tray2.exe]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 15:12]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 20:57]
"CP4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 14:17]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 06:24]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 10:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-04 00:47]
"HostManager"="C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe" [2006-05-09 19:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 19:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\vikoj.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26368135-64FA-BC34-DA32-DCF4FD431C92}"="C:\WINDOWS\System32\qhbpri.dll" [2004-08-04 12:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùœ xùœ üþ 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
grdq

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
C:\WINDOWS\System32\nwizzhuxians.exe

Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-03 05:29:49 C:\WINDOWS\tasks\At11.job
2007-07-03 05:29:50 C:\WINDOWS\tasks\At12.job
2007-07-05 17:01:37 C:\WINDOWS\tasks\At13.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At14.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At15.job
2007-07-03 05:29:53 C:\WINDOWS\tasks\At16.job
2007-07-04 21:00:30 C:\WINDOWS\tasks\At17.job
2007-07-03 05:29:59 C:\WINDOWS\tasks\At18.job
2007-07-03 05:30:00 C:\WINDOWS\tasks\At19.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At2.job
2007-07-05 00:00:40 C:\WINDOWS\tasks\At20.job
2007-07-05 01:00:40 C:\WINDOWS\tasks\At21.job
2007-07-03 05:30:10 C:\WINDOWS\tasks\At22.job
2007-07-03 05:30:11 C:\WINDOWS\tasks\At23.job
2007-07-05 04:00:31 C:\WINDOWS\tasks\At24.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At3.job
2007-07-04 08:00:30 C:\WINDOWS\tasks\At4.job
2007-07-04 09:00:31 C:\WINDOWS\tasks\At5.job
2007-07-03 05:29:42 C:\WINDOWS\tasks\At6.job
2007-07-03 05:29:43 C:\WINDOWS\tasks\At7.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At8.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 13:16:37
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 13:18:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-09 13:18

--- E O F ---
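As an added example (not ComboFix code or anything posted in this thread), the script below reads the 'Files Created' and 'Scheduled Tasks' sections of a ComboFix log like the one above: it chains creation times to surface the drop burst on 2007-07-05, lists hidden-attribute files under system32, and collects the numbered At*.job tasks. The sample lines are copied from the posted log; the three-minute window and the four-file minimum for a burst are assumptions.

```python
"""Pick the drop burst, hidden files and mass At*.job tasks out of a ComboFix log.

Added example for this thread, not ComboFix code or anything posted here. The
sample lines are copied from the log above; the three-minute window and the
four-file minimum for a burst are assumptions made for illustration.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample: a subset of the 'Files Created' and 'Scheduled Tasks'
# sections of the log posted above.
SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))

2007-07-09 13:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 12:24 8,508 --a------ C:\WINDOWS\system32\RAV009F.exe
2007-07-05 12:24 8,396 --a------ C:\WINDOWS\system32\nwizwmgjs.exe
2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll
2007-07-05 12:24 5,058 --a------ C:\WINDOWS\system32\RAV009F.DAT
2007-07-05 12:24 11,264 --a------ C:\WINDOWS\system32\nwizwmgjs.dll
2007-07-05 12:22 5,888 --ah----- C:\WINDOWS\system32\mssock.sys
2007-07-05 12:22 32,912 --ah----- C:\WINDOWS\system32\mssql.dll
2007-07-05 12:22 19,968 --a------ C:\WINDOWS\system32\nwizwlwzs.exe
2007-07-04 22:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-06-18 11:33 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe

Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At2.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At3.job
2007-07-04 08:00:30 C:\WINDOWS\tasks\At4.job
"""

Entry = namedtuple("Entry", "when size attrs path")

# '2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll'
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
# '2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job'
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S.*\\tasks\\(At\d+\.job)$",
                     re.IGNORECASE)


def parse_created(text):
    """One Entry per 'Files Created' line; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
        entries.append(Entry(when, size, m.group(3), m.group(4).strip()))
    return entries


def bursts(entries, window=timedelta(minutes=3), min_files=4):
    """Chain files whose creation time is within `window` of the previous one
    and keep chains of at least `min_files`. An installer leaves such a group
    too, so the names inside a burst still have to be read by a human."""
    files = sorted((e for e in entries if e.size is not None), key=lambda e: e.when)
    groups, current = [], []
    for e in files:
        if current and e.when - current[-1].when > window:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= min_files]


def hidden_system32(entries):
    """Files created with the hidden attribute under system32; Windows does
    not drop hidden DLLs or drivers there, so each one needs explaining."""
    return [e.path for e in entries
            if "h" in e.attrs and "\\system32\\" in e.path.lower()]


def at_jobs(text):
    """Names of At*.job tasks under 'Scheduled Tasks'; a long run of numbered
    At jobs is the scheduler being used to re-launch or re-download payloads."""
    jobs = []
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            jobs.append(m.group(1))
    return jobs


def report(text):
    entries = parse_created(text)
    return {
        "bursts": [[e.path for e in g] for g in bursts(entries)],
        "hidden_system32": hidden_system32(entries),
        "at_jobs": at_jobs(text),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(key)
        for item in value:
            print("   ", item)
```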

#5
jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Let's see if we can clean a little more before we move to manual mode.

Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

Please then reboot your computer in Safe Mode (without Networking) by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the C:\SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back here along with a fresh Combofix log.


#6
abcd916

    New Member

  • Topic Starter
  • Member
  • 7 posts
OK, here's the SDFix report.

SDFix: Version 1.90

Run by Owner on Mon 07/09/2007 at 05:57 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\EUW.DLL - Deleted
C:\WINDOWS\b138.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\system32\msapi.dll
C:\WINDOWS\system32\mssql.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\system42.rar
C:\WINDOWS\system32\mssock.sys
C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
C:\WINDOWS\system32\config\SYSTEM.tmp.LOG

Finished

Here's the New ComboFix log.

"Owner" - 2007-07-09 18:10:53 - ComboFix 07-07-09.3 - Service Pack 1


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-09 17:56 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-09 13:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 12:24 8,508 --a------ C:\WINDOWS\system32\RAV009F.exe
2007-07-05 12:24 8,396 --a------ C:\WINDOWS\system32\nwizwmgjs.exe
2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll
2007-07-05 12:24 5,058 --a------ C:\WINDOWS\system32\RAV009F.DAT
2007-07-05 12:24 11,264 --a------ C:\WINDOWS\system32\nwizwmgjs.dll
2007-07-05 12:22 9,844 --a------ C:\WINDOWS\system32\RAV008C.exe
2007-07-05 12:22 9,044 --a------ C:\WINDOWS\system32\RAV00AE.exe
2007-07-05 12:22 6,377 --a------ C:\WINDOWS\system32\RAV008C.DAT
2007-07-05 12:22 5,888 --ah----- C:\WINDOWS\system32\mssock.sys
2007-07-05 12:22 5,600 --a------ C:\WINDOWS\system32\RAV00AE.DAT
2007-07-05 12:22 32,912 --ah----- C:\WINDOWS\system32\mssql.dll
2007-07-05 12:22 19,968 --a------ C:\WINDOWS\system32\nwizwlwzs.exe
2007-07-05 12:22 16,896 --a------ C:\WINDOWS\system32\nwizqjsj.dll
2007-07-05 12:22 11,776 --a------ C:\WINDOWS\system32\nwizwlwzs.dll
2007-07-05 12:22 11,508 --a------ C:\WINDOWS\system32\nwizqjsj.exe
2007-07-05 12:21 13,312 --a------ C:\WINDOWS\system32\mh104.dll
2007-07-05 12:11 8,704 --a------ C:\WINDOWS\system32\Ravasktao.dll
2007-07-05 12:11 7,584 --a------ C:\WINDOWS\system32\Ravasktao.exe
2007-07-05 12:11 11,897 --a------ C:\WINDOWS\TIMHost.exe
2007-07-05 12:11 11,264 --a------ C:\WINDOWS\system32\TIMHost.dll
2007-07-05 02:07 33 --a------ C:\WINDOWS\system32\1u8e00Lgg.dll
2007-07-05 02:06 14,777 --a------ C:\WINDOWS\system32\77DB258C.DLL
2007-07-04 22:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 22:48 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinTouch
2007-07-03 22:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-03 00:55 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-03 00:31 97,280 --a-s---- C:\WINDOWS\system32\reginia_sc.exe
2007-07-03 00:29 22,592 --a------ C:\WINDOWS\system32\64Nw3r2k.exe
2007-07-02 23:39 <DIR> d-------- C:\WINDOWS\system32\zslfiles
2007-07-02 23:38 <DIR> d-------- C:\WINDOWS\system32\ZeroSpyware Limited Edition
2007-07-02 23:37 <DIR> d-------- C:\Program Files\FBM Software
2007-07-02 22:53 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinPatrol
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F9
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F5
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F4
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F3
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F2
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-27 04:36 113,901 --a------ C:\WINDOWS\system32\d03.exe
2007-06-19 00:54 <DIR> d-------- C:\Downloads
2007-06-19 00:54 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\GetRightToGo
2007-06-19 00:46 <DIR> d-------- C:\DOCUME~2\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-19 00:14 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-18 11:33 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 18:02:30 45,056 ----a-w C:\WINDOWS\system32\dab1.dll
2007-07-03 05:30:13 -------- d-----w C:\Program Files\Winamp
2007-07-03 04:38:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 04:38:01 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 03:06:02 -------- d-----w C:\DOCUME~2\Owner\APPLIC~1\PandoraTV
2007-06-17 03:05:48 808,720 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-06-17 03:05:48 210,704 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-06-17 03:05:48 206,608 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-06-17 03:05:48 153,360 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-06-17 03:05:48 1,097,488 ----a-w C:\WINDOWS\system32\pavc.dll
2007-05-22 03:57:09 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-22 03:57:09 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-22 03:57:09 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-22 03:57:09 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-22 03:57:09 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-05-19 01:44:12 385,024 ----a-w C:\WINDOWS\DownUpdater.exe
2007-05-14 07:02:40 901,120 ----a-w C:\WINDOWS\system32\OIBox.dll
2007-05-06 01:50:48 132,896 ----a-w C:\WINDOWS\pdrinst2.dll
2007-04-13 10:06:40 159,744 ----a-r C:\WINDOWS\system32\fscagent.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
C:\WINDOWS\System32\jicpfdu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]
C:\WINDOWS\System32\xqhscyi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-03 00:55 126976 --a------ C:\WINDOWS\xhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EssSpkPhone"="essspk.exe" [2001-09-25 19:47 C:\WINDOWS\essspk.exe]
"S3TRAY2"="S3tray2.exe" [2002-02-21 10:38 C:\WINDOWS\system32\S3tray2.exe]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 15:12]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 20:57]
"CP4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 14:17]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 06:24]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 10:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-04 00:47]
"HostManager"="C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe" [2006-05-09 19:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 19:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 10:47]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\vikoj.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26368135-64FA-BC34-DA32-DCF4FD431C92}"="C:\WINDOWS\System32\qhbpri.dll" [2004-08-04 12:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùœ xùœ üþ 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
grdq


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
C:\WINDOWS\System32\nwizzhuxians.exe

Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-03 05:29:49 C:\WINDOWS\tasks\At11.job
2007-07-03 05:29:50 C:\WINDOWS\tasks\At12.job
2007-07-05 17:01:37 C:\WINDOWS\tasks\At13.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At14.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At15.job
2007-07-03 05:29:53 C:\WINDOWS\tasks\At16.job
2007-07-04 21:00:30 C:\WINDOWS\tasks\At17.job
2007-07-03 05:29:59 C:\WINDOWS\tasks\At18.job
2007-07-03 05:30:00 C:\WINDOWS\tasks\At19.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At2.job
2007-07-05 00:00:40 C:\WINDOWS\tasks\At20.job
2007-07-05 01:00:40 C:\WINDOWS\tasks\At21.job
2007-07-03 05:30:10 C:\WINDOWS\tasks\At22.job
2007-07-03 05:30:11 C:\WINDOWS\tasks\At23.job
2007-07-05 04:00:31 C:\WINDOWS\tasks\At24.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At3.job
2007-07-04 08:00:30 C:\WINDOWS\tasks\At4.job
2007-07-04 09:00:31 C:\WINDOWS\tasks\At5.job
2007-07-03 05:29:42 C:\WINDOWS\tasks\At6.job
2007-07-03 05:29:43 C:\WINDOWS\tasks\At7.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At8.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 18:12:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 18:13:14
C:\ComboFix-quarantined-files.txt ... 2007-07-09 18:12
C:\ComboFix2.txt ... 2007-07-09 13:18

--- E O F ---
  • 0

#7
jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and the ComboFix log from the instructions below.


Reboot.

Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
  • 0
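As an added example (not code from the thread, from ComboFix or from its author), the script below reads the registry load points and the Scheduled Tasks listing in a ComboFix log of the shape posted above, flags the persistence points the fix script targets, and emits a CFScript in the same File::/Registry:: layout. The log excerpt is constructed from entries quoted in this thread; the function names and the heuristics (any non-empty AppInit_DLLs, any listed ShellExecuteHook, three or more At*.job tasks stamped within the same minute) are my own assumptions, not ComboFix's logic.

```python
import re
from collections import Counter

# Constructed excerpt of a ComboFix log, assembled from entries quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26368135-64FA-BC34-DA32-DCF4FD431C92}"="C:\WINDOWS\System32\qhbpri.dll" [2004-08-04 12:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll

Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-03 05:29:49 C:\WINDOWS\tasks\At11.job
2007-07-03 05:29:50 C:\WINDOWS\tasks\At12.job
"""

KEY_RE = re.compile(r'^\[-?(HKEY_[^\]]+)\]$')                        # [HKEY_...] section header
VAL_RE = re.compile(r'^"([^"]+)"="?([^"\[]*?)"?\s*(?:\[[^\]]*\])?$')  # "name"="value" [timestamp]
JOB_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d (C:\\WINDOWS\\tasks\\At\d+\.job)$', re.M)

def parse_reg_sections(log):
    """Map each bracketed registry key (lower-cased) to its (name, value) pairs."""
    sections, key = {}, None
    for line in log.splitlines():
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
            sections[key] = []
        elif key and (m := VAL_RE.match(line)):
            sections[key].append((m.group(1), m.group(2).strip()))
    return sections

def find_persistence(log):
    """Flag the load points that drove the fix script in post #7 (heuristics are assumptions)."""
    findings = []
    for key, entries in parse_reg_sections(log).items():
        for name, value in entries:
            # AppInit_DLLs is empty on a clean XP box; a DLL named here is loaded into every GUI process.
            if key.endswith(r'currentversion\windows') and name.lower() == 'appinit_dlls' and value:
                findings.append(('appinit_dlls', value))
            # ComboFix omits known-good defaults, so any ShellExecuteHook it prints deserves a look.
            if key.endswith('shellexecutehooks'):
                findings.append(('shellexecutehook', value))
    # Several At*.job tasks stamped within the same minute were created by a script, not by a user.
    per_minute = Counter(minute for minute, _ in JOB_RE.findall(log))
    findings += [('at_job_burst', f'{n} At*.job tasks created {m}') for m, n in per_minute.items() if n >= 3]
    return findings

def build_cfscript(log):
    """Emit a CFScript in the post #7 shape: File:: deletions, then Registry:: with '=-' clearing a value."""
    lines = ['File::'] + [job for _, job in JOB_RE.findall(log)] + ['', 'Registry::']
    for kind, _ in find_persistence(log):
        if kind == 'appinit_dlls':
            lines += [r'[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]', '"appinit_dlls"=-']
    return '\n'.join(lines)
```

Calling `find_persistence(SAMPLE_LOG)` returns the three flagged items and `build_cfscript(SAMPLE_LOG)` prints a script that deletes the four At*.job files and clears AppInit_DLLs; review the output before feeding it to ComboFix.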

#8
abcd916

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I tried to run the Panda software, but my internet browser keeps closing a second after I open it. All the programs on my computer that use the internet are also doing the same. However, it says that I am connected to the internet and the connection is fine.
  • 0

#9
jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
See if you have any better luck with this one.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
When done post the Kaspersky log.

PS: you can do the ComboFix-Do part before you run the AV scan if you wish/need. Usually posts should be done in the order given, but in this case it makes little difference.

Edited by jwbirdsong, 12 July 2007 - 04:35 PM.

  • 0

#10
abcd916

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I tried again but it does the same thing. It says that I'm not connected to the internet (even though there's nothing wrong with my connection) and then the browser closes. Right now I'm using someone else's computer to post this up.
  • 0

#11
jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
Sounds like maybe a new/different infection has kicked in/been downloaded.

Can you run and post a fresh ComboFix log, please?
  • 0

#12
abcd916

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here's the new ComboFix log.

"Owner" - 2007-07-13 15:28:04 - ComboFix 07-07-09.3 - Service Pack 1


((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


2007-07-09 17:56 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-09 13:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 12:24 8,508 --a------ C:\WINDOWS\system32\RAV009F.exe
2007-07-05 12:24 8,396 --a------ C:\WINDOWS\system32\nwizwmgjs.exe
2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll
2007-07-05 12:24 5,058 --a------ C:\WINDOWS\system32\RAV009F.DAT
2007-07-05 12:24 11,264 --a------ C:\WINDOWS\system32\nwizwmgjs.dll
2007-07-05 12:22 9,844 --a------ C:\WINDOWS\system32\RAV008C.exe
2007-07-05 12:22 9,044 --a------ C:\WINDOWS\system32\RAV00AE.exe
2007-07-05 12:22 6,377 --a------ C:\WINDOWS\system32\RAV008C.DAT
2007-07-05 12:22 5,888 --ah----- C:\WINDOWS\system32\mssock.sys
2007-07-05 12:22 5,600 --a------ C:\WINDOWS\system32\RAV00AE.DAT
2007-07-05 12:22 32,912 --ah----- C:\WINDOWS\system32\mssql.dll
2007-07-05 12:22 19,968 --a------ C:\WINDOWS\system32\nwizwlwzs.exe
2007-07-05 12:22 16,896 --a------ C:\WINDOWS\system32\nwizqjsj.dll
2007-07-05 12:22 11,776 --a------ C:\WINDOWS\system32\nwizwlwzs.dll
2007-07-05 12:22 11,508 --a------ C:\WINDOWS\system32\nwizqjsj.exe
2007-07-05 12:21 13,312 --a------ C:\WINDOWS\system32\mh104.dll
2007-07-05 12:11 8,704 --a------ C:\WINDOWS\system32\Ravasktao.dll
2007-07-05 12:11 7,584 --a------ C:\WINDOWS\system32\Ravasktao.exe
2007-07-05 12:11 11,897 --a------ C:\WINDOWS\TIMHost.exe
2007-07-05 12:11 11,264 --a------ C:\WINDOWS\system32\TIMHost.dll
2007-07-05 02:07 33 --a------ C:\WINDOWS\system32\1u8e00Lgg.dll
2007-07-05 02:06 14,777 --a------ C:\WINDOWS\system32\77DB258C.DLL
2007-07-04 22:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 22:48 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinTouch
2007-07-03 22:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-03 00:55 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-03 00:31 97,280 --a-s---- C:\WINDOWS\system32\reginia_sc.exe
2007-07-03 00:29 22,592 --a------ C:\WINDOWS\system32\64Nw3r2k.exe
2007-07-02 23:39 <DIR> d-------- C:\WINDOWS\system32\zslfiles
2007-07-02 23:38 <DIR> d-------- C:\WINDOWS\system32\ZeroSpyware Limited Edition
2007-07-02 23:37 <DIR> d-------- C:\Program Files\FBM Software
2007-07-02 22:53 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinPatrol
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F9
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F5
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F4
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F3
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F2
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-27 04:36 113,901 --a------ C:\WINDOWS\system32\d03.exe
2007-06-19 00:54 <DIR> d-------- C:\Downloads
2007-06-19 00:54 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\GetRightToGo
2007-06-19 00:46 <DIR> d-------- C:\DOCUME~2\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-19 00:14 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-18 11:33 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 18:02:30 45,056 ----a-w C:\WINDOWS\system32\dab1.dll
2007-07-03 05:30:13 -------- d-----w C:\Program Files\Winamp
2007-07-03 04:38:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 04:38:01 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 03:06:02 -------- d-----w C:\DOCUME~2\Owner\APPLIC~1\PandoraTV
2007-06-17 03:05:48 808,720 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-06-17 03:05:48 210,704 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-06-17 03:05:48 206,608 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-06-17 03:05:48 153,360 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-06-17 03:05:48 1,097,488 ----a-w C:\WINDOWS\system32\pavc.dll
2007-05-22 03:57:09 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-22 03:57:09 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-22 03:57:09 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-22 03:57:09 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-22 03:57:09 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-05-19 01:44:12 385,024 ----a-w C:\WINDOWS\DownUpdater.exe
2007-05-14 07:02:40 901,120 ----a-w C:\WINDOWS\system32\OIBox.dll
2007-05-06 01:50:48 132,896 ----a-w C:\WINDOWS\pdrinst2.dll
2007-04-13 10:06:40 159,744 ----a-r C:\WINDOWS\system32\fscagent.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
C:\WINDOWS\System32\jicpfdu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]
C:\WINDOWS\System32\xqhscyi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-03 00:55 126976 --a------ C:\WINDOWS\xhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EssSpkPhone"="essspk.exe" [2001-09-25 19:47 C:\WINDOWS\essspk.exe]
"S3TRAY2"="S3tray2.exe" [2002-02-21 10:38 C:\WINDOWS\system32\S3tray2.exe]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 15:12]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 20:57]
"CP4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 14:17]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 06:24]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 10:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-04 00:47]
"HostManager"="C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe" [2006-05-09 19:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 19:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 10:47]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= C:\Program Files\Internet Explorer\vikoj.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26368135-64FA-BC34-DA32-DCF4FD431C92}"="C:\WINDOWS\System32\qhbpri.dll" [2004-08-04 12:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùœ xùœ üþ 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
grdq


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
C:\WINDOWS\System32\nwizzhuxians.exe

Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-03 05:29:49 C:\WINDOWS\tasks\At11.job
2007-07-03 05:29:50 C:\WINDOWS\tasks\At12.job
2007-07-05 17:01:37 C:\WINDOWS\tasks\At13.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At14.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At15.job
2007-07-03 05:29:53 C:\WINDOWS\tasks\At16.job
2007-07-04 21:00:30 C:\WINDOWS\tasks\At17.job
2007-07-03 05:29:59 C:\WINDOWS\tasks\At18.job
2007-07-03 05:30:00 C:\WINDOWS\tasks\At19.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At2.job
2007-07-05 00:00:40 C:\WINDOWS\tasks\At20.job
2007-07-05 01:00:40 C:\WINDOWS\tasks\At21.job
2007-07-03 05:30:10 C:\WINDOWS\tasks\At22.job
2007-07-03 05:30:11 C:\WINDOWS\tasks\At23.job
2007-07-05 04:00:31 C:\WINDOWS\tasks\At24.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At3.job
2007-07-04 08:00:30 C:\WINDOWS\tasks\At4.job
2007-07-04 09:00:31 C:\WINDOWS\tasks\At5.job
2007-07-03 05:29:42 C:\WINDOWS\tasks\At6.job
2007-07-03 05:29:43 C:\WINDOWS\tasks\At7.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At8.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 15:31:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 15:32:08
C:\ComboFix-quarantined-files.txt ... 2007-07-13 15:31
C:\ComboFix2.txt ... 2007-07-09 18:13
C:\ComboFix3.txt ... 2007-07-09 13:18

--- E O F ---
  • 0

#13
jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
abcd916
Sorry; your post sort of got lost in the cracks somehow.

If you still need help please post a current ComboFix/HJT log.

Wouldn't hurt to delete the ComboFix you have and download a new copy... It's updated OFTEN.
  • 0