
could be vb.hc or lop.dn


Post by jeffree » September 24th, 2007, 3:16 pm

please help!!!



hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 3:03:18 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ffslemvx.dll",sitypnow
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


jeffree
Regular Member
 
Posts: 17
Joined: September 24th, 2007, 2:43 pm

Post by Shaba » September 25th, 2007, 10:11 am

Hi jeffree

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis. Close it.
  • Navigate here using Windows Explorer (Windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
  • Right-click on HijackThis.exe.
  • Choose "Rename" from the pull-down menu.
  • Now rename HijackThis.exe to jeffree.exe.
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file).
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

thank you ... new log

Post by jeffree » September 25th, 2007, 1:16 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:20 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\jeffree.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C2EF348-9B6F-44F4-A676-4CFCEC6763BC} - C:\WINDOWS\system32\ssttu.dll
O2 - BHO: (no name) - {6AF934DC-7451-4E66-B811-5ACDD0A40E07} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\fccddda.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rakffrtk.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O20 - Winlogon Notify: fccddda - C:\WINDOWS\SYSTEM32\fccddda.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4082 bytes
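An added example, not code from the thread, from MalwareRemoval.com or from HijackThis, showing how the entry patterns a helper reads as Vundo in the log above (the "(no name)" BHOs, the rundll32 Run entry and the Winlogon Notify hooks) can be picked out of a HijackThis log mechanically. The sample lines are excerpted from the second HijackThis log posted above; the random-name heuristic and the cross-section correlation are assumptions of this example, not HijackThis's own logic.

```python
"""Heuristic triage of HijackThis log entries for Vundo-style indicators.

Added example; not code from the thread, MalwareRemoval.com or HijackThis.
The sample lines are excerpted from the second HijackThis log in the thread.
"""
import re
from dataclasses import dataclass

# A HijackThis entry starts with its section code: "O4 - HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# A DLL living directly in system32; the name itself is checked case-sensitively below
SYSTEM32_DLL_RE = re.compile(r"\\system32\\(\w+)\.dll", re.IGNORECASE)
# Assumption of this example: Vundo droppers of this era used pseudo-random,
# all-lowercase 5-8 letter file names (ssttu, vtstq, fccddda, rakffrtk ...)
RANDOM_NAME_RE = re.compile(r"[a-z]{5,8}")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C2EF348-9B6F-44F4-A676-4CFCEC6763BC} - C:\WINDOWS\system32\ssttu.dll
O2 - BHO: (no name) - {6AF934DC-7451-4E66-B811-5ACDD0A40E07} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\fccddda.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rakffrtk.dll",sitypnow
O20 - Winlogon Notify: fccddda - C:\WINDOWS\SYSTEM32\fccddda.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, or "*" for a cross-section correlation
    dll: str       # base name of the system32 DLL involved, "" if none
    reason: str
    line: str      # the offending log line, "" for correlations


def random_system32_dll(body: str) -> str:
    """Return the base name if the entry points at a random-named DLL in system32."""
    m = SYSTEM32_DLL_RE.search(body)
    if m and RANDOM_NAME_RE.fullmatch(m.group(1)):
        return m.group(1)
    return ""


def triage_hjt(log_text: str) -> list[Finding]:
    """Flag the entry patterns that mark a Vundo infection in a HijackThis log."""
    findings: list[Finding] = []
    seen: dict[str, set[str]] = {}   # dll name -> sections it was registered in
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        dll = random_system32_dll(body)
        if dll:
            seen.setdefault(dll, set()).add(section)
        if section == "O4" and "rundll32" in body.lower() and dll:
            findings.append(Finding(section, dll,
                "Run entry loads a random-named system32 DLL through rundll32", line))
        elif section == "O2" and "(no name)" in body:
            why = "BHO with no name"
            if dll:
                why += " backed by a random-named system32 DLL"
            if "(file missing)" in body:
                why += " (file missing: stale registration left behind)"
            findings.append(Finding(section, dll, why, line))
        elif section == "O20":
            path = body.split(" - ", 1)[-1]
            if dll:
                findings.append(Finding(section, dll,
                    "Winlogon Notify package is a random-named system32 DLL", line))
            elif not path.lower().endswith(".dll"):
                findings.append(Finding(section, "",
                    "Winlogon Notify entry without a DLL file (registration residue)", line))
    # The same DLL registered both as a BHO and as a Winlogon Notify package is the
    # typical Vundo layout: the Winlogon hook keeps the BHO alive across removals.
    for dll, sections in sorted(seen.items()):
        if len(sections) > 1:
            findings.append(Finding("*", dll,
                "same DLL registered in " + ", ".join(sorted(sections)), ""))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.dll or '-'}: {f.reason}")
```

On the sample above the pass flags the three nameless BHOs, the rundll32 Run entry, both Winlogon Notify lines and the fccddda.dll BHO/Notify pairing, and leaves the Adobe, AVG and ATI entries alone.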

Post by Shaba » September 25th, 2007, 1:18 pm

Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

whew

Post by jeffree » September 25th, 2007, 2:54 pm

Finally, the log you asked for.
1. VundoFix would want to run and reboot 4-5 times.
2. My router finally refused to power up and I had to install a new router, and log into BellSouth with my user ID and password; I guess that's compromised now?
3. VundoFix just found two more and I am rebooting; do you need another log?
4. AVG antivirus keeps healing some juan file and bho.aky file.
5. Thank you.


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:05:55 PM 9/20/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:23:02 PM 9/20/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 2:51:35 PM 9/24/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 6:19:32 PM 9/24/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 1:33:05 PM 9/25/2007

Listing files found while scanning....

C:\windows\system32\fccddda.dll
C:\WINDOWS\system32\ktrffkar.ini
C:\WINDOWS\system32\rakffrtk.dll
C:\windows\system32\sptll.dll

Beginning removal...

Attempting to delete C:\windows\system32\fccddda.dll
C:\windows\system32\fccddda.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ktrffkar.ini
C:\WINDOWS\system32\ktrffkar.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rakffrtk.dll
C:\WINDOWS\system32\rakffrtk.dll Could not be deleted.

Attempting to delete C:\windows\system32\sptll.dll
C:\windows\system32\sptll.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\fccddda.dll
C:\windows\system32\fccddda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rakffrtk.dll
C:\WINDOWS\system32\rakffrtk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 1:56:16 PM 9/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\bahsqame.dll
C:\WINDOWS\system32\emaqshab.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bahsqame.dll
C:\WINDOWS\system32\bahsqame.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\emaqshab.ini
C:\WINDOWS\system32\emaqshab.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bahsqame.dll
C:\WINDOWS\system32\bahsqame.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 2:04:26 PM 9/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\drsmwoug.ini
C:\WINDOWS\system32\guowmsrd.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\drsmwoug.ini
C:\WINDOWS\system32\drsmwoug.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\guowmsrd.dll
C:\WINDOWS\system32\guowmsrd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\guowmsrd.dll
C:\WINDOWS\system32\guowmsrd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 2:17:38 PM 9/25/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 2:45:17 PM 9/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\pseparuq.ini
C:\WINDOWS\system32\qurapesp.dll

hijackthislog

Post by jeffree » September 25th, 2007, 3:04 pm

Sorry, forgot to add this.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:48 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\jeffree.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {01AB1939-EC3E-454F-B407-3371C8B711DB} - C:\WINDOWS\system32\ssttu.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AF934DC-7451-4E66-B811-5ACDD0A40E07} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3911 bytes

Post by Shaba » September 26th, 2007, 2:11 am

Hi

"2. my router finally refused to power up and had to install a new router, and log into bellsouth with my userid and password, i guess thats compromised now?"

Sounds really weird, but it sounds like a router problem, not a malware problem.

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

logs and log jam

Post by jeffree » September 26th, 2007, 12:44 pm

ComboFix ran reluctantly. A Microsoft Windows message kept appearing saying that the process was already running, and after repeatedly telling it not to send a report to Microsoft, it rebooted and scanned and rebooted again, producing an IEXPLORER icon on my desktop in addition to the shortcut I placed there. I didn't know if this icon was due to running ComboFix with an Explorer window open at the time or what it's from. Under Properties it takes me to Internet Options. Anyway, here are the logs created.

The router problem has been happening for months. My concern was that the new router required me to enter my user ID and password.

I really appreciate your skill level to pore over this data and make sense of it, and thank you so much for your assistance.




Log after ComboFix ran on final reboot

ComboFix 07-09-21.2 - "Jeff" 2007-09-26 12:19:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -4:00]
* Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
Rootkit driver msguard is present. ... attempting disinfection
Rootkit driver lzx32 is present. ... attempting disinfection
Rootkit driver huy32 is present. ... attempting disinfection
Rootkit driver xpdt is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
msguard ...... driver unloaded successfully.
lzx32 ...... driver unloaded successfully.
huy32 ...... driver unloaded successfully.
xpdt ...... driver unloaded successfully.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\DOCUME~1\Jeff\APPLIC~1\DOBE~1
C:\DOCUME~1\Jeff\APPLIC~1\Sskdmns.dll
C:\Program Files\Common Files\{A0533~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\adyafaia.exe
C:\WINDOWS\system32\eefwcuhv.exe
C:\WINDOWS\system32\fhqorgso.exe
C:\WINDOWS\system32\gglbakvc.exe
C:\WINDOWS\system32\ioprivsg.exe
C:\WINDOWS\system32\kkuckfdm.exe
C:\WINDOWS\system32\lkdlarcy.exe
C:\WINDOWS\system32\mafumuno.exe
C:\WINDOWS\system32\onhdmtkv.exe
C:\WINDOWS\system32\oyemoouj.exe
C:\WINDOWS\system32\ptoyemjv.exe
C:\WINDOWS\system32\pwdbjjsw.exe
C:\WINDOWS\system32\ssiednbq.exe
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.bak2
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\uttss.tmp
C:\WINDOWS\system32\uxvmesfe.exe
C:\WINDOWS\system32\vtjdhdcl.exe
C:\WINDOWS\system32\wtdlcvtv.exe
C:\WINDOWS\system32\wvirqxwp.exe
C:\WINDOWS\system32\yfsatiqn.exe
C:\WINDOWS\system32\yuukvpbn.exe
C:\WINDOWS\system32\zxdnt3d.cfg
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-26 12:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 15:05 84,032 --a------ C:\WINDOWS\system32\qqfebams.dll
2007-09-25 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-24 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-24 17:25 85,056 --a------ C:\WINDOWS\system32\pkodkmek.dll
2007-09-24 17:23 1,690 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-24 17:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-24 17:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-24 17:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-24 17:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-24 16:35 85,056 --a------ C:\WINDOWS\system32\wmxyqbkm.dll
2007-09-24 15:25 85,056 --a------ C:\WINDOWS\system32\upqdkcgl.dll
2007-09-24 15:00 85,056 --a------ C:\WINDOWS\system32\ffslemvx.dll
2007-09-24 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Hewlett-Packard
2007-09-24 13:37 145 --------- C:\WINDOWS\hpgmdl01.dat
2007-09-24 13:32 85,056 --a------ C:\WINDOWS\system32\hopuccme.dll
2007-09-20 17:11 <DIR> d-------- C:\Deckard
2007-09-20 17:05 <DIR> d-------- C:\VundoFix Backups
2007-09-17 17:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-14 15:00 <DIR> d-------- C:\Program Files\WM Converter
2007-09-14 14:54 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-09-14 14:54 <DIR> d-------- C:\videooutput
2007-09-13 03:13 2,009,073 --ahs---- C:\WINDOWS\system32\qtstv.bak2
2007-09-12 15:14 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Software
2007-09-12 15:13 6,448 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-09-12 15:13 <DIR> d-------- C:\Program Files\NCH Software
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\AVS4YOU
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AVS4YOU
2007-09-12 14:03 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-12 14:03 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-09-12 14:03 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-09-12 14:03 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-09-12 14:03 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-09-12 14:03 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-12 14:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-09-12 14:03 <DIR> d-------- C:\Program Files\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 13:40 --------- d-------- C:\Program Files\HP
2007-09-21 16:29 --------- d-------- C:\Program Files\e-Sword
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AF934DC-7451-4E66-B811-5ACDD0A40E07}]
C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 11:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 07:48]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"SearchIndexer"="C:\WINDOWS\system32\qqfebams.dll" [2007-09-25 15:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstq]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\159H]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
C:\\keyboard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Luho]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad]
C:\\mousepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys0305157347-16]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdS7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usqxxorc]
C:\Documents and Settings\Jeff\Application Data\?dobe\d?xplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wahm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTask driver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{33-3E-E1-1D-ZN}]


.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 12:26:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-26 12:29:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 12:28
.
--- E O F ---



Log found under C:\



ComboFix 07-09-21.2 - "Jeff" 2007-09-26 12:19:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -4:00]
* Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
Rootkit driver msguard is present. ... attempting disinfection
Rootkit driver lzx32 is present. ... attempting disinfection
Rootkit driver huy32 is present. ... attempting disinfection
Rootkit driver xpdt is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
msguard ...... driver unloaded successfully.
lzx32 ...... driver unloaded successfully.
huy32 ...... driver unloaded successfully.
xpdt ...... driver unloaded successfully.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\DOCUME~1\Jeff\APPLIC~1\DOBE~1
C:\DOCUME~1\Jeff\APPLIC~1\Sskdmns.dll
C:\Program Files\Common Files\{A0533~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\adyafaia.exe
C:\WINDOWS\system32\eefwcuhv.exe
C:\WINDOWS\system32\fhqorgso.exe
C:\WINDOWS\system32\gglbakvc.exe
C:\WINDOWS\system32\ioprivsg.exe
C:\WINDOWS\system32\kkuckfdm.exe
C:\WINDOWS\system32\lkdlarcy.exe
C:\WINDOWS\system32\mafumuno.exe
C:\WINDOWS\system32\onhdmtkv.exe
C:\WINDOWS\system32\oyemoouj.exe
C:\WINDOWS\system32\ptoyemjv.exe
C:\WINDOWS\system32\pwdbjjsw.exe
C:\WINDOWS\system32\ssiednbq.exe
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.bak2
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\uttss.tmp
C:\WINDOWS\system32\uxvmesfe.exe
C:\WINDOWS\system32\vtjdhdcl.exe
C:\WINDOWS\system32\wtdlcvtv.exe
C:\WINDOWS\system32\wvirqxwp.exe
C:\WINDOWS\system32\yfsatiqn.exe
C:\WINDOWS\system32\yuukvpbn.exe
C:\WINDOWS\system32\zxdnt3d.cfg
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-26 12:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 15:05 84,032 --a------ C:\WINDOWS\system32\qqfebams.dll
2007-09-25 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-24 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-24 17:25 85,056 --a------ C:\WINDOWS\system32\pkodkmek.dll
2007-09-24 17:23 1,690 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-24 17:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-24 17:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-24 17:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-24 17:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-24 16:35 85,056 --a------ C:\WINDOWS\system32\wmxyqbkm.dll
2007-09-24 15:25 85,056 --a------ C:\WINDOWS\system32\upqdkcgl.dll
2007-09-24 15:00 85,056 --a------ C:\WINDOWS\system32\ffslemvx.dll
2007-09-24 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Hewlett-Packard
2007-09-24 13:37 145 --------- C:\WINDOWS\hpgmdl01.dat
2007-09-24 13:32 85,056 --a------ C:\WINDOWS\system32\hopuccme.dll
2007-09-20 17:11 <DIR> d-------- C:\Deckard
2007-09-20 17:05 <DIR> d-------- C:\VundoFix Backups
2007-09-17 17:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-14 15:00 <DIR> d-------- C:\Program Files\WM Converter
2007-09-14 14:54 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-09-14 14:54 <DIR> d-------- C:\videooutput
2007-09-13 03:13 2,009,073 --ahs---- C:\WINDOWS\system32\qtstv.bak2
2007-09-12 15:14 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Software
2007-09-12 15:13 6,448 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-09-12 15:13 <DIR> d-------- C:\Program Files\NCH Software
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\AVS4YOU
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AVS4YOU
2007-09-12 14:03 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-12 14:03 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-09-12 14:03 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-09-12 14:03 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-09-12 14:03 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-09-12 14:03 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-12 14:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-09-12 14:03 <DIR> d-------- C:\Program Files\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 13:40 --------- d-------- C:\Program Files\HP
2007-09-21 16:29 --------- d-------- C:\Program Files\e-Sword
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AF934DC-7451-4E66-B811-5ACDD0A40E07}]
C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 11:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 07:48]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"SearchIndexer"="C:\WINDOWS\system32\qqfebams.dll" [2007-09-25 15:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstq]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\159H]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
C:\\keyboard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Luho]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad]
C:\\mousepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys0305157347-16]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdS7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usqxxorc]
C:\Documents and Settings\Jeff\Application Data\?dobe\d?xplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wahm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTask driver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{33-3E-E1-1D-ZN}]


.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 12:26:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-26 12:29:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 12:28
.
--- E O F ---




Log of quarantined files



2004-08-04 08:00      132096    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir
2004-09-13 12:15      53    --a------    C:\Qoobox\Quarantine\H\Autorun.inf.vir
2004-10-27 21:21      721920    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\_000009_.tmp.dll.vir
2006-03-04 21:12      21    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
2006-03-06 20:06      55    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Jeff\APPLIC~1\Sskdmns.dll.vir
2007-07-08 21:23      15399    --a------    C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
2007-09-13 03:14      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\eefwcuhv.exe.vir
2007-09-19 12:58      312416    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ssttu.dll.vir
2007-09-21 01:04      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yuukvpbn.exe.vir
2007-09-21 12:59      1981742    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.bak1.vir
2007-09-21 12:59      1981742    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.ini.vir
2007-09-21 13:01      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wvirqxwp.exe.vir
2007-09-22 17:35      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ssiednbq.exe.vir
2007-09-24 13:26      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\onhdmtkv.exe.vir
2007-09-24 14:33      1985433    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.tmp.vir
2007-09-24 14:51      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vtjdhdcl.exe.vir
2007-09-24 14:55      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ioprivsg.exe.vir
2007-09-24 15:13      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pwdbjjsw.exe.vir
2007-09-24 15:19      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yfsatiqn.exe.vir
2007-09-24 16:32      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mafumuno.exe.vir
2007-09-24 17:16      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gglbakvc.exe.vir
2007-09-24 17:40      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kkuckfdm.exe.vir
2007-09-24 17:43      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\oyemoouj.exe.vir
2007-09-24 18:18      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\fhqorgso.exe.vir
2007-09-24 18:33      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\adyafaia.exe.vir
2007-09-25 13:44      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ptoyemjv.exe.vir
2007-09-25 14:04      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\lkdlarcy.exe.vir
2007-09-25 14:47      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uxvmesfe.exe.vir
2007-09-25 14:57      1985092    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.bak2.vir
2007-09-25 14:59      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wtdlcvtv.exe.vir
2007-09-26 12:14      678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-09-26 12:17      2254    --a------    C:\Qoobox\Quarantine\C\check_LSA7.txt.vir
2007-09-26 12:23      1982084    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.ini2.vir
2007-09-26 12:23      2382    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.dat
2007-09-26 12:23      832    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.dat
2007-09-26 12:23      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat
2007-09-26 12:23      862    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.dat
2007-09-26 12:24      560    --a------    C:\Qoobox\Quarantine\catchme.log
2007-09-26 12:24      845988    --a------    C:\Qoobox\Quarantine\catchme2007-09-26_122652.01.zip


Folder PATH listing
Volume serial number is A053-3E1D
C:\QOOBOX\QUARANTINE
|   catchme.log
|   catchme2007-09-26_122652.01.zip
|   
+---C
|   |   check_LSA7.txt.vir
|   |   
|   +---ComboFix
|   |       FProps.vbs.vir
|   |       
|   +---DOCUME~1
|   |   \---Jeff
|   |       \---APPLIC~1
|   |               Sskdmns.dll.vir
|   |               
|   \---WINDOWS
|       |   cookies.ini.vir
|       |   
|       \---system32
|               adyafaia.exe.vir
|               eefwcuhv.exe.vir
|               fhqorgso.exe.vir
|               gglbakvc.exe.vir
|               ioprivsg.exe.vir
|               kkuckfdm.exe.vir
|               lkdlarcy.exe.vir
|               mafumuno.exe.vir
|               onhdmtkv.exe.vir
|               oyemoouj.exe.vir
|               ptoyemjv.exe.vir
|               pwdbjjsw.exe.vir
|               ssiednbq.exe.vir
|               ssttu.dll.vir
|               uttss.bak1.vir
|               uttss.bak2.vir
|               uttss.ini.vir
|               uttss.ini2.vir
|               uttss.tmp.vir
|               uxvmesfe.exe.vir
|               vtjdhdcl.exe.vir
|               wtdlcvtv.exe.vir
|               wvirqxwp.exe.vir
|               yfsatiqn.exe.vir
|               yuukvpbn.exe.vir
|               zxdnt3d.cfg.vir
|               _000008_.tmp.dll.vir
|               _000009_.tmp.dll.vir
|               
+---H
|       Autorun.inf.vir
|       
\---Registry_backups
        LEGACY_CMDSERVICE.reg.dat
        LEGACY_DOMAINSERVICE.reg.dat
        LEGACY_NETWORK_MONITOR.reg.dat
        services_DomainService.reg.dat
        




Recent HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:18 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\jeffree.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AF934DC-7451-4E66-B811-5ACDD0A40E07} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qqfebams.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3910 bytes
jeffree
Regular Member
 
Posts: 17
Joined: September 24th, 2007, 2:43 pm

Post by Shaba » September 26th, 2007, 1:00 pm

Hi

ComboFix's reluctance was no wonder, because rootkits were present.

Looks better :)

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\qqfebams.dll
C:\WINDOWS\system32\pkodkmek.dll
C:\WINDOWS\system32\wmxyqbkm.dll
C:\WINDOWS\system32\upqdkcgl.dll
C:\WINDOWS\system32\ffslemvx.dll 
C:\WINDOWS\system32\hopuccme.dll
C:\WINDOWS\system32\qtstv.bak2 
C:\WINDOWS\system32\qtstv.bak1 

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AF934DC-7451-4E66-B811-5ACDD0A40E07}] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchIndexer"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\159H] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Luho]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys0305157347-16]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usqxxorc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wahm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTask driver]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{33-3E-E1-1D-ZN}] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstq] 


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
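
Editor's added example (not part of this thread, and not a ComboFix or MalwareRemoval.com tool): the Python below shows how Shaba's File::/Registry:: list above can be derived from the logs jeffree posted. It parses constructed excerpts of the ComboFix "Files Created" rows and the HijackThis O2/O4/O20 lines, then applies the indicators visible in this thread as heuristics: an eight-lowercase-letter name in system32 (weak on its own; xvidcore.dll is a legitimate codec that matches too), several such names sharing one byte size (the five 85,056-byte DLLs), a file whose name is the BHO/Winlogon Notify hook spelled backwards (vtstq and qtstv.bak1/.bak2), and a Run value that loads an already-flagged DLL through rundll32 (SearchIndexer and qqfebams.dll). Only corroborated hits go into the script; weak-only hits are returned for a human to check. The indicator names, the size-cluster threshold and the function names are the example's own assumptions, not ComboFix's.

```python
# Added example (not a ComboFix or MalwareRemoval.com tool): triage the logs above, draft a CFScript.
import re
from collections import Counter

# Constructed excerpts of the logs posted above (not a live scan).
COMBOFIX_FILES = r"""
2007-09-25 15:05 84,032 --a------ C:\WINDOWS\system32\qqfebams.dll
2007-09-24 17:25 85,056 --a------ C:\WINDOWS\system32\pkodkmek.dll
2007-09-24 16:35 85,056 --a------ C:\WINDOWS\system32\wmxyqbkm.dll
2007-09-24 15:25 85,056 --a------ C:\WINDOWS\system32\upqdkcgl.dll
2007-09-24 15:00 85,056 --a------ C:\WINDOWS\system32\ffslemvx.dll
2007-09-24 13:32 85,056 --a------ C:\WINDOWS\system32\hopuccme.dll
2007-09-13 03:13 2,009,073 --ahs---- C:\WINDOWS\system32\qtstv.bak2
2007-09-12 15:13 6,448 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-09-12 14:03 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
"""
HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AF934DC-7451-4E66-B811-5ACDD0A40E07} - C:\WINDOWS\system32\vtstq.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qqfebams.dll",sitypnow
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S{9})\s+(.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")  # eight lowercase letters, as Vundo drops them
SYSTEM32 = "\\windows\\system32\\"
WEAK = {"random-looking name"}  # suggestive on its own, never sufficient (xvidcore.dll matches too)

def stem(path):  # 'C:\WINDOWS\system32\qtstv.bak2' -> 'qtstv'
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def parse_files(text):
    """ComboFix 'Files Created' rows -> dicts; <DIR> rows carry no byte size and are skipped."""
    return [{"created": m.group(1), "size": int(m.group(2).replace(",", "")), "attrs": m.group(3),
             "path": m.group(4)} for m in map(FILE_RE.match, map(str.strip, text.splitlines())) if m]

def parse_hjt(text):
    """HijackThis O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines."""
    hjt = {"bho": [], "run": [], "notify": []}
    for line in map(str.strip, text.splitlines()):
        if m := BHO_RE.match(line):
            path = m.group(3).replace(" (file missing)", "")
            hjt["bho"].append({"name": m.group(1), "clsid": m.group(2), "path": path,
                               "missing": path != m.group(3)})
        elif m := RUN_RE.match(line):
            hjt["run"].append({"hive": m.group(1), "value": m.group(2), "command": m.group(3)})
        elif m := NOTIFY_RE.match(line):
            hjt["notify"].append({"name": m.group(1), "path": m.group(2)})
    return hjt

def triage_files(rows, hjt):
    """Map each system32 row to the reasons it looks planted; a WEAK reason alone is no verdict."""
    sys32 = [r for r in rows if SYSTEM32 in r["path"].lower()]
    reasons = {r["path"]: set() for r in sys32}
    random_named = [r for r in sys32 if RANDOM_NAME.match(r["path"].rsplit("\\", 1)[-1].lower())]
    sizes = Counter(r["size"] for r in random_named)  # one payload re-dropped under new names
    hooks = {stem(b["path"]).lower() for b in hjt["bho"]} | {n["name"].lower() for n in hjt["notify"]}
    for r in random_named:
        reasons[r["path"]].add("random-looking name")
        if sizes[r["size"]] >= 2:  # the five 85,056-byte DLLs in this thread
            reasons[r["path"]].add("size cluster: %d bytes x%d" % (r["size"], sizes[r["size"]]))
    for r in sys32:  # Vundo keeps backups under the hook name spelled backwards: vtstq <-> qtstv.bak*
        rev = stem(r["path"]).lower()[::-1]
        if rev in hooks:
            reasons[r["path"]].add("reversed-name companion of '%s'" % rev)
    for run in hjt["run"]:  # rundll32 loading an already-suspicious DLL corroborates it (qqfebams.dll)
        for r in sys32:
            if "rundll32" in run["command"].lower() and reasons[r["path"]] \
                    and r["path"].lower() in run["command"].lower():
                reasons[r["path"]].add("loaded via rundll32 by Run value '%s'" % run["value"])
    return reasons

def build_cfscript(reasons, hjt):
    """Corroborated paths go into File::/Registry:: (Shaba's syntax); weak-only hits come back for review."""
    strong = sorted(p for p, rs in reasons.items() if rs - WEAK)
    review = sorted(p for p, rs in reasons.items() if rs and not rs - WEAK)
    lines = ["File::"] + strong + ["", "Registry::"]
    companions = {stem(p).lower()[::-1] for p in strong}  # qtstv -> vtstq
    for b in hjt["bho"]:
        if b["missing"] or stem(b["path"]).lower() in companions:
            lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % b["clsid"])
    for tag, hive in (("HKLM", "HKEY_LOCAL_MACHINE"), ("HKCU", "HKEY_CURRENT_USER")):
        values = [r["value"] for r in hjt["run"] if r["hive"] == tag
                  and any(p.lower() in r["command"].lower() for p in strong)]
        if values:
            lines.append("[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]" % hive)
            lines.extend('"%s"=-' % v for v in values)
    for n in hjt["notify"]:  # a Notify hook with no DLL behind it, or a flagged name, is a leftover
        if n["name"].lower() in companions or not n["path"].lower().endswith(".dll"):
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                         "\\winlogon\\notify\\%s]" % n["name"])
    return "\n".join(lines) + "\n", review

if __name__ == "__main__":
    hjt = parse_hjt(HJT_LINES)
    script, review = build_cfscript(triage_files(parse_files(COMBOFIX_FILES), hjt), hjt)
    print(script + "\nWeak-only hits to vet by hand: %s" % review)
```

Run as a script, it prints the same eight File:: entries and the same BHO, Run and Winlogon Notify removals that Shaba listed, and returns xvidcore.dll separately as a weak-only hit. That split is the point: a "random-looking" name alone would have put a legitimate codec DLL on a deletion list, while the shared 85,056-byte size, the reversed-name backups and the rundll32 Run value are what actually tie the files to the infection.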

Seems like we are getting somewhere

Post by jeffree » September 26th, 2007, 2:13 pm

Thank you so much.

I think the first two logs are the same but I am posting them anyway.

Java opened during last internet session, not this time.



ComboFix auto log.txt

ComboFix 07-09-21.2 - "Jeff" 2007-09-26 13:58:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.129 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Jeff\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\qqfebams.dll
C:\WINDOWS\system32\pkodkmek.dll
C:\WINDOWS\system32\wmxyqbkm.dll
C:\WINDOWS\system32\upqdkcgl.dll
C:\WINDOWS\system32\ffslemvx.dll
C:\WINDOWS\system32\hopuccme.dll
C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\qtstv.bak1
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ffslemvx.dll
C:\WINDOWS\system32\hopuccme.dll
C:\WINDOWS\system32\pkodkmek.dll
C:\WINDOWS\system32\qqfebams.dll
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\upqdkcgl.dll
C:\WINDOWS\system32\wmxyqbkm.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-26 12:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-24 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-24 17:23 1,690 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-24 17:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-24 17:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-24 17:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-24 17:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-24 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Hewlett-Packard
2007-09-24 13:37 145 --------- C:\WINDOWS\hpgmdl01.dat
2007-09-20 17:11 <DIR> d-------- C:\Deckard
2007-09-20 17:05 <DIR> d-------- C:\VundoFix Backups
2007-09-17 17:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-14 15:00 <DIR> d-------- C:\Program Files\WM Converter
2007-09-14 14:54 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-09-14 14:54 <DIR> d-------- C:\videooutput
2007-09-12 15:14 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Software
2007-09-12 15:13 <DIR> d-------- C:\Program Files\NCH Software
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\AVS4YOU
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AVS4YOU
2007-09-12 14:03 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-12 14:03 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-09-12 14:03 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-09-12 14:03 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-09-12 14:03 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-09-12 14:03 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-12 14:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-09-12 14:03 <DIR> d-------- C:\Program Files\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 13:40 --------- d-------- C:\Program Files\HP
2007-09-21 16:29 --------- d-------- C:\Program Files\e-Sword
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 11:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 07:48]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdS7_0_8 -reboot 1


.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 14:01:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-26 14:03:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 14:02
C:\ComboFix2.txt ... 2007-09-26 12:53
C:\ComboFix3.txt ... 2007-09-26 12:29
.
--- E O F ---




Other log, under C:\

ComboFix 07-09-21.2 - "Jeff" 2007-09-26 13:58:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.129 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Jeff\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\qqfebams.dll
C:\WINDOWS\system32\pkodkmek.dll
C:\WINDOWS\system32\wmxyqbkm.dll
C:\WINDOWS\system32\upqdkcgl.dll
C:\WINDOWS\system32\ffslemvx.dll
C:\WINDOWS\system32\hopuccme.dll
C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\qtstv.bak1
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ffslemvx.dll
C:\WINDOWS\system32\hopuccme.dll
C:\WINDOWS\system32\pkodkmek.dll
C:\WINDOWS\system32\qqfebams.dll
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\upqdkcgl.dll
C:\WINDOWS\system32\wmxyqbkm.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-26 12:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-24 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-24 17:23 1,690 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-24 17:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-24 17:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-24 17:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-24 17:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-24 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Hewlett-Packard
2007-09-24 13:37 145 --------- C:\WINDOWS\hpgmdl01.dat
2007-09-20 17:11 <DIR> d-------- C:\Deckard
2007-09-20 17:05 <DIR> d-------- C:\VundoFix Backups
2007-09-17 17:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-14 15:00 <DIR> d-------- C:\Program Files\WM Converter
2007-09-14 14:54 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-09-14 14:54 <DIR> d-------- C:\videooutput
2007-09-12 15:14 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Software
2007-09-12 15:13 <DIR> d-------- C:\Program Files\NCH Software
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\AVS4YOU
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AVS4YOU
2007-09-12 14:03 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-12 14:03 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-09-12 14:03 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-09-12 14:03 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-09-12 14:03 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-09-12 14:03 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-12 14:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-09-12 14:03 <DIR> d-------- C:\Program Files\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 13:40 --------- d-------- C:\Program Files\HP
2007-09-21 16:29 --------- d-------- C:\Program Files\e-Sword
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 11:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 07:48]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdS7_0_8 -reboot 1


.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 14:01:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-26 14:03:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 14:02
C:\ComboFix2.txt ... 2007-09-26 12:53
C:\ComboFix3.txt ... 2007-09-26 12:29
.
--- E O F ---



HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:08 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\jeffree.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3680 bytes
jeffree
Regular Member
 
Posts: 17
Joined: September 24th, 2007, 2:43 pm

IEXPLORER ICON

Unread postby jeffree » September 26th, 2007, 2:21 pm

I deleted the IEXPLORER ICON that appeared on my desktop after running ComboFix, thinking it was some fluke thing appearing. After recently running ComboFix again, it came back. Is this part of the problem, part of the solution, or neither? Thanks again for your time and effort.
jeffree
Regular Member
 
Posts: 17
Joined: September 24th, 2007, 2:43 pm

Unread postby Shaba » September 27th, 2007, 1:13 am

Hi

"I deleted the IEXPLORER ICON that appeared on my desktop after running ComboFix, thinking it was some fluke thing appearing. After recently running ComboFix again, it came back. Is this part of the problem, part of the solution, or neither?"

I think ComboFix made a shortcut for IE on the desktop.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

whew

Unread postby jeffree » September 27th, 2007, 2:28 pm

Thanks again so much ... the two reports are:

Recent HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:44 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\jeffree.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3798 bytes




Kaspersky report


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, September 27, 2007 2:24:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 27/09/2007
Kaspersky Anti-Virus database records: 424245
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 90730
Number of viruses found: 3
Number of infected objects: 46
Number of suspicious objects: 0
Duration of the scan process: 00:55:25

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20070920171616\backup\DOCUME~1\Jeff\LOCALS~1\Temp\temp.frCC28 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jeff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeff\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\adyafaia.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\eefwcuhv.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\fhqorgso.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\gglbakvc.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ioprivsg.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kkuckfdm.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\lkdlarcy.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mafumuno.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\onhdmtkv.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oyemoouj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ptoyemjv.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pwdbjjsw.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ssiednbq.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\uxvmesfe.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vtjdhdcl.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\wtdlcvtv.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\wvirqxwp.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\yfsatiqn.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\yuukvpbn.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP10\A0000742.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000795.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000796.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000797.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000798.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000799.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000800.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000801.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000802.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000803.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000804.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000805.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000806.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000807.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000808.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000809.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000810.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000811.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000812.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000813.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000839.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000839.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000839.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000850.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP14\change.log Object is locked skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP5\A0000071.exe Infected: Trojan.Win32.Agent.bck skipped
C:\VundoFix Backups\fccddda.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{33B611A3-8DFE-4229-B64E-0CBDFFBFE538}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{719C9276-6409-4834-AABA-AEF2657662A8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
H:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP14\change.log Object is locked skipped

Scan process completed.
jeffree
Regular Member
 
Posts: 17
Joined: September 24th, 2007, 2:43 pm

Unread postby Shaba » September 28th, 2007, 1:58 am

Hi

Empty these folders:

C:\qoobox\Quarantine
C:\VundoFix Backups
C:\Deckard\System Scanner\20070920171616\backup\DOCUME~1\Jeff\LOCALS~1\Temp\

Empty the Recycle Bin.

All other viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
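The sorting Shaba does by hand above (hits inside the cleanup tools' quarantine and backup folders, hits inside System Restore points that are inactive, and anything left over that still needs a look) can be done over the Kaspersky report itself. The script below is an added example, not code from this thread or from any of the tools named in it. The folder prefixes are the three named in the post, the `System Volume Information\_restore` marker is where System Restore keeps old file versions, and the `not-a-virus:` prefix is how Kaspersky labels adware and riskware verdicts in the report. The sample lines are constructed in the report's format from entries in the thread, except the last path, which is an invented placeholder for a live hit.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example, not code from the thread or from any tool named in it. Each
'Infected:' line is sorted into one of three buckets: copies in the cleanup
tools' quarantine/backup folders, copies inside System Restore points, and
everything else (live locations that still need investigation).
"""
import re

# Folders named in the thread as holding already-neutralised copies.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\vundofix backups",
    r"c:\deckard\system scanner",
)
# System Restore stores old file versions under this path on every volume.
RESTORE_MARKER = r"\system volume information\_restore"

# One detection line: <path> Infected: <detection name> <action>
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")

ADVICE = {
    "quarantine": "neutralised copies; emptying the tool folders removes them",
    "restore_point": "inactive unless a restore is run; clear System Restore separately",
    "live": "active location; investigate before calling the system clean",
}

# Constructed sample in the report's format. Paths are taken from the thread
# except the last one, which is an invented placeholder for a live hit.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20070920171616\backup\DOCUME~1\Jeff\LOCALS~1\Temp\temp.frCC28 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Jeff\NTUSER.DAT Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\adyafaia.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP10\A0000742.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000839.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BCA7AB06-6EEE-4651-91B7-A37AC0C8E5F0}\RP13\A0000839.exe RarSFX: infected - 2 skipped
C:\VundoFix Backups\fccddda.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\placeholder_live.dll Infected: Trojan.Win32.Agent.bck skipped
Scan process completed.
"""


def classify_path(path):
    """Bucket a path: quarantined by a tool, inside a restore point, or live."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def is_riskware(name):
    """Kaspersky prefixes adware/riskware verdicts with 'not-a-virus:'."""
    return name.startswith("not-a-virus:")


def triage(report_text):
    """Return {bucket: [(path, detection name, riskware flag), ...]}."""
    buckets = {"quarantine": [], "restore_point": [], "live": []}
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, 'Object is locked', archive summary, footer
        name = m["name"]
        buckets[classify_path(m["path"])].append((m["path"], name, is_riskware(name)))
    return buckets


def summarize(buckets):
    """One line per bucket with the count and what it means for cleanup."""
    return {k: f"{len(v)} detection(s) in {k}: {ADVICE[k]}" for k, v in buckets.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for line in summarize(result).values():
        print(line)
    for path, name, risk in result["live"]:
        print(f"  live: {path} -> {name}{' (riskware)' if risk else ''}")
```

Only the "live" bucket needs a human decision; the other two are what the post tells the user to empty or leave for the System Restore step. The riskware flag is worth keeping visible: in the thread, the `RiskTool.Win32.Reboot.f` hit is on `SmitfraudFix/Reboot.exe` inside an archived cleanup tool, as its path shows, which is a different kind of finding from the `Trojan.Win32.Agent.bck` droppers.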

noticed difference

Unread postby jeffree » September 28th, 2007, 9:23 am

I noticed a big difference somewhere in the middle of this process. I have deleted the listed files. I think I'm going to dump Ad-Aware and reload it, since I had trouble with it during that process: the link stopped working. When I reloaded it, it didn't take long to download all updates. And yes, I know I have a System Restore issue; there are 8 or 10 files in there and I think they are all corrupt. I await your further instructions. And thanks so much, again. Jeff
jeffree
Regular Member
 
Posts: 17
Joined: September 24th, 2007, 2:43 pm