Welcome to MalwareRemoval.com
Firewall Removal

Unread postby heathermarie73 » August 21st, 2007, 1:11 pm

Okay... I deleted the firewall from safe mode. Upon reboot, I decided to attempt to log on under my name. I logged in and the vundofix box came up.. As I clicked the button to delete the vundo virus, I was thinking. .you probably shouldn't do this.... but I did it anyways.. so, I am not sure if it went through or not.. but afterwards... when it went to reboot.. once again.. no go.. After several attempts at safe mode.. which also wouldn't boot.. I tried to log on under me again in normal mode.. Finally, it booted and here I am.. As of right now, safe mode is no longer a booting option, though..
My Spybot S&D resident booted along with this boot, and being afraid of the ramifications.. I stopped the scan.

I will be waiting on your response... Thank you again for all your help....

this is terrible.... : (

heathermarie
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

Unread postby John B. » August 21st, 2007, 4:36 pm

Can you please post another fresh HijackThis log? :) You have been able to remove the firewall?
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

HiJackThis post

Unread postby heathermarie73 » August 21st, 2007, 6:57 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:08 PM, on 8/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\logonui.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\lxctcoms.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\good program.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.x/24
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file)
O2 - BHO: (no name) - {3C8C899C-437C-3FDD-2974-39B67F38F2C2} - C:\WINNT\System32\jbkmsyep.dll (file missing)
O2 - BHO: (no name) - {3D7DE6B8-603E-40A1-BB8F-585584718B00} - C:\WINNT\System32\cbxur.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - (no file)
O2 - BHO: (no name) - {CE228ECA-E9DE-4D4F-BFC6-06449D1862D1} - (no file)
O2 - BHO: (no name) - {DB570C0A-4881-4222-953F-FA1597452335} - C:\Program Files\Windows Media Player\hoqeri83122.dll (file missing)
O2 - BHO: (no name) - {E76CAA55-332F-41C6-B0CC-D03CF5078A03} - (no file)
O2 - BHO: (no name) - {EFB96FBB-095A-422B-968B-68DBACC2B0CE} - (no file)
O2 - BHO: (no name) - {F64ADC5C-78F5-4B33-8EC1-EF1D51C949DC} - C:\WINNT\System32\vtutu.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{AF-FF-FF-F8-ZN}] c:\winnt\system32\mndsregp.exe SKY009
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINNT\System32\friptskw.dll",forkonce
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ewta] "C:\PROGRA~1\MCROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Affntiog] "C:\Program Files\Common Files\??pPatch\w?crtupd.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZCxdm238MGUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/ ... /tt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - Winlogon Notify: cbxur - C:\WINNT\System32\cbxur.dll (file missing)
O20 - Winlogon Notify: tuvuttr - C:\WINNT\
O20 - Winlogon Notify: vtutu - C:\WINNT\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - C:\WINNT\System32\lxctcoms.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\prolyzuqo.html

--
End of file - 8888 bytes
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

PC Booting

Unread postby heathermarie73 » August 21st, 2007, 7:00 pm

FYI...
Each time I shut my pc down and then later come back to reboot it... I have to boot it up several times before it will come up. I am not sure if this means anything to you or not.. but just thought I would let you know..

Thank you..

Kind Regards,

HeatherMarie
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

Booting

Unread postby heathermarie73 » August 21st, 2007, 10:36 pm

Another thing... I have found that if I do not continuously hit the enter key... I am unable to get my pc to fully boot. I begin hitting my enter key as soon as my Dell page goes away.. and until I get to my sign on page for each user's name. I do not know if this makes a difference or not.. but just in case.. I thought I would let you know..

Kind Regards,

HeatherMarie
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

Unread postby John B. » August 22nd, 2007, 4:27 am

Hi HeatherMarie,

What I can tell from your problems with booting is that your system has become very unstable by all the malware which is on it or because we're trying to remove it. It will probably get better as there will be less and less malware on your system.

At the moment I can't write a fix because I'm at work but in 2 hours I'm at home and will write you a fix against malware :)

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby John B. » August 22nd, 2007, 7:27 am

Hi,

You hit Vundo very well so we can move on to the next infection. Please follow these steps very carefully so you can post the right results and we can clean your computer faster.

Step 1: Disable A-Squared Guard
Please disable A-Squared Guard as it may interfere with the fix. To disable A-Squared Guard:
  • Open A-Squared.
  • Click on Configure Background-Guard.
  • Deselect Enable background guard on system startup.
  • Close the window.
  • Close A-Squared.
Note: Reverse this process after your malware removal is complete.

Step 2: Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Step 3: Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

    O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file)
    O2 - BHO: (no name) - {3C8C899C-437C-3FDD-2974-39B67F38F2C2} - C:\WINNT\System32\jbkmsyep.dll (file missing)
    O2 - BHO: (no name) - {3D7DE6B8-603E-40A1-BB8F-585584718B00} - C:\WINNT\System32\cbxur.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - (no file)
    O2 - BHO: (no name) - {CE228ECA-E9DE-4D4F-BFC6-06449D1862D1} - (no file)
    O2 - BHO: (no name) - {DB570C0A-4881-4222-953F-FA1597452335} - C:\Program Files\Windows Media Player\hoqeri83122.dll (file missing)
    O2 - BHO: (no name) - {E76CAA55-332F-41C6-B0CC-D03CF5078A03} - (no file)
    O2 - BHO: (no name) - {EFB96FBB-095A-422B-968B-68DBACC2B0CE} - (no file)
    O2 - BHO: (no name) - {F64ADC5C-78F5-4B33-8EC1-EF1D51C949DC} - C:\WINNT\System32\vtutu.dll (file missing)

    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINNT\System32\friptskw.dll",forkonce

    O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx

    O20 - Winlogon Notify: cbxur - C:\WINNT\System32\cbxur.dll (file missing)
    O20 - Winlogon Notify: tuvuttr - C:\WINNT\
    O20 - Winlogon Notify: vtutu - C:\WINNT\

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Step 4: Upload files to Virustotal
Please visit Virustotal
  • Click the Browse... button
  • Navigate to the file c:\winnt\system32\mndsregp.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results in a Notepad/Word file and save it to your desktop
Step 5: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.
Step 6: Post logs
Please post the following logs in a reply to this topic:
  • Tell me how your computer's running, and booting.
  • Virustotal results
  • Uninstall log
  • Fresh HijackThis log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

c:\winnt\system32\mndsregp.exe

Unread postby heathermarie73 » August 22nd, 2007, 2:04 pm

This item is not in the system32 file. There is nothing in there that is even close to this name. I looked through every item in this file. It's not there.. So, what do I do now? I stopped at Virustotal.
The last thing I did was the removal of the items in via HiJackThis.

HeatherMarie
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

Unread postby John B. » August 22nd, 2007, 2:05 pm

It's good that the file isn't there, because it's probably bad ;) Please move on with the next step and forget about Virustotal results.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

new item in taskbar...

Unread postby heathermarie73 » August 22nd, 2007, 2:36 pm

I just noticed there is a new item in my task bar running.
it is something called
ffdshow audio decoder

what do I do? I want to close this.. but I am not sure if it is supposed to be running or not
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

Unread postby John B. » August 22nd, 2007, 2:37 pm

Please just post the logs. I also have a program called 'ffdshow audio decoder' which I use to watch films. I'll see in the logs what's wrong :)
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Reports

Unread postby heathermarie73 » August 22nd, 2007, 2:53 pm

1.) My pc seems to be running and booting great! : ) Thank you!!
2.) Virustotal results: Nothing. The file was not found.
3.) Uninstall Log
8 Queens
ABBYY FineReader 6.0 Sprint
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
a-squared Free 3.0
AVG 7.5
Checkers
Chess
Collector's Edition 251
Colors of War Special Edition
Dart Mania
Deer Drive (remove only)
Diamond Fall
eGames GameButler
eGames Master's Edition 151
Eleven
eMusic Download Manager
Fanarona
Fishing Special Edition
Galaxy of Games 201
Google Toolbar for Internet Explorer
HijackThis 2.0.2
K-Lite Codec Pack 2.85 Standard
Lexmark 5400 Series
Lexmark Toolbar
Master of Dwarves
Max Solitaire
Maze
Microsoft .NET Framework 1.1
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0)
Poker Palace
Quik 21
Rhapsody Player Engine
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920683)
Solitaire Master 3 Special Edition 1
Spybot - Search & Destroy 1.4
Strata 21
Tai Match
TicTacToe
Tile Blazer Special Edition
Treasure Mines
Tri Peaks
Turning
Update for Windows XP (KB898461)
Vertical Tic Tac Toe
Wal-Mart Digital Photo Manager
Wal-Mart® Mini Movie
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q815021
Windows XP Service Pack 1a
Yahoo! Install Manager
Yahoo! Messenger

4.) Fresh HiJackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:14 PM, on 8/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\lxctcoms.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\good program.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.x/24
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{AF-FF-FF-F8-ZN}] c:\winnt\system32\mndsregp.exe SKY009
O4 - HKCU\..\Run: [Ewta] "C:\PROGRA~1\MCROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Affntiog] "C:\Program Files\Common Files\??pPatch\w?crtupd.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZCxdm238MGUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.malwareremoval.com/forum
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/ ... /tt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - C:\WINNT\System32\lxctcoms.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\prolyzuqo.html

--
End of file - 6915 bytes
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

One Thing

Unread postby heathermarie73 » August 22nd, 2007, 2:55 pm

A Windows installer box keeps coming up. It doesn't ask me if I want to.. it just starts downloading something. I immediately click cancel. It does this each time I boot.
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

pc performance

Unread postby heathermarie73 » August 22nd, 2007, 4:23 pm

okay.. I have been trying to use my pc.. and have found that my programs are slow to respond.. which is not normal. In addition.. once they load.. they are very slow in usage..
I also have not downloaded the firewall again yet.
heathermarie73
Regular Member
 
Posts: 28
Joined: August 16th, 2007, 9:45 pm
Location: Laurens, SC

Unread postby John B. » August 23rd, 2007, 6:59 am

Hi HeatherMarie,

heathermarie73 wrote: I just noticed there is a new item in my task bar running.
it is something called
ffdshow audio decoder

what do I do? I want to close this.. but I am not sure if it is supposed to be running or not

You have a so called codec pack installed on your system which can be used to watch all kinds of coded films:
K-Lite Codec Pack 2.85 Standard
I also have that codec pack so there's nothing wrong about it.

heathermarie73 wrote: A Windows installer box keeps coming up. It doesn't ask me if I want to.. it just starts downloading something. I immediately click cancel. It does this each time I boot.

Please keep on cancelling it until I'm 100% sure your system is clean and we can begin with fixing non-malware related problems.

heathermarie73 wrote: okay.. I have been trying to use my pc.. and have found that my programs are slow to respond.. which is not normal. In addition.. once they load.. they are very slow in usage..
I also have not downloaded the firewall again yet.

As I said in my second post it may take some time before you will see things change but your system is improving at the moment! No need for a firewall until all the malware is gone because we found out your system can't take it now.

Step 1: Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [{AF-FF-FF-F8-ZN}] c:\winnt\system32\mndsregp.exe SKY009
    O4 - HKCU\..\Run: [Ewta] "C:\PROGRA~1\MCROSO~1\mmc.exe" -vt yazb
    O4 - HKCU\..\Run: [Affntiog] "C:\Program Files\Common Files\??pPatch\w?crtupd.exe"

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Step 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 3: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Step 4: Download and Run ComboFix
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step 5: Post logs
Please post the following logs in a reply to this topic:
  • Tell me how your computer is running
  • Kaspersky log
  • ComboFix log
  • Fresh HijackThis log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
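Both fix lists in this thread (Step 3 of the first fix and Step 1 of the later one) are the helper reading the HijackThis log by eye: components whose file is gone, Winlogon Notify entries with no DLL name left, an autorun whose folder name HijackThis could not render, a rundll32-hosted DLL with a random name, and an O16 ActiveX pulled in through an ms-its:/mhtml: chain. The script below is an added example, not code from this thread or from the HijackThis project: it writes those observations down as explicit heuristics and runs them over a subset of the log lines posted above. The rules are mine; HijackThis itself does no such classification, and the result is a review list, not a deletion list (it also flags the MSSQL service entry, which the helper deliberately left alone).

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from this thread or from the HijackThis project.
Each rule below is a stated heuristic (mine, not HijackThis's own logic);
the output is a list of entries to look at, never a list to delete blindly.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lines copied verbatim from the HijackThis log posted earlier in this thread
# (a subset; the three header lines show that non-entry lines are skipped).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {3D7DE6B8-603E-40A1-BB8F-585584718B00} - C:\WINNT\System32\cbxur.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINNT\System32\friptskw.dll",forkonce
O4 - HKCU\..\Run: [Affntiog] "C:\Program Files\Common Files\??pPatch\w?crtupd.exe"
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - Winlogon Notify: cbxur - C:\WINNT\System32\cbxur.dll (file missing)
O20 - Winlogon Notify: tuvuttr - C:\WINNT\
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
"""

# Review reasons (my own labels, mirroring what the helper picked out by hand).
ORPHAN = "orphaned component (file missing)"
NO_FILENAME = "winlogon notify with no file name"
UNRENDERABLE = "autorun path with unrenderable characters"
RUNDLL32 = "autorun hosted by rundll32"
MSITS = "ActiveX fetched via ms-its:/mhtml: chain"

# Every classified HijackThis line starts with its section code: "R0".."R3" or "Onn".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O2" or "R1"
    body: str     # everything after "Oxx - "
    raw: str      # the original line, for reporting


def parse_log(text: str) -> List[Entry]:
    """Keep only the classified entries; headers and the process list are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def flag_entry(e: Entry) -> Optional[str]:
    """Return a review reason for one entry, or None if nothing stands out."""
    body = e.body
    # A hook/BHO/toolbar/notify/service registration whose file is gone is either
    # a leftover or a half-removed infection; either way it is dead weight.
    if e.section in {"R3", "O2", "O3", "O20", "O23"} and (
        "(no file)" in body or "(file missing)" in body
    ):
        return ORPHAN
    # Winlogon Notify pointing at a directory only: the DLL name did not resolve.
    if e.section == "O20" and body.endswith("\\"):
        return NO_FILENAME
    # HijackThis prints '?' for characters it cannot render; a genuine
    # "Common Files" subfolder has no need for them.
    if e.section == "O4" and "?" in body:
        return UNRENDERABLE
    # rundll32 is a legitimate host that is also popular for malware DLLs; both the
    # Lexmark and the SystemOptimizer lines land here, so this is review only.
    if e.section == "O4" and re.search(r"\brundll32(\.exe)?\b", body, re.IGNORECASE):
        return RUNDLL32
    # Downloaded Program File reached through the ms-its:/mhtml: protocol chain.
    if e.section == "O16" and re.search(r"\b(ms-its|mhtml):", body, re.IGNORECASE):
        return MSITS
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """(raw line, reason) for every entry worth a second look."""
    results: List[Tuple[str, str]] = []
    for e in parse_log(text):
        reason = flag_entry(e)
        if reason:
            results.append((e.raw, reason))
    return results


def summarize(text: str) -> Dict[str, int]:
    """How many entries each reason caught."""
    return dict(Counter(reason for _, reason in triage(text)))


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {raw}")
    print(summarize(SAMPLE_LOG))
```

Run as-is it prints eleven flagged lines out of fifteen entries; the Lexmark BHO, the AVG autorun, the Yahoo start page and the GoPets control pass clean. The two rundll32 hits show why the list is for review only: the printer driver's LXCTtime.dll is flagged alongside the random-named friptskw.dll, and telling them apart still takes a human (or a publisher check) exactly as it did in the thread.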