Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

Massive slow down with pop ups and choppy scrolling
B. Wong
post Apr 21 2008, 09:50 PM
Post #1


New Member

Group: New Member
Posts: 5
Joined: 21-April 08
Member No.: 78,574
Operating System: Windows XP SP2



Hello, hopefully one of you may be able to help me with this problem. I recently installed a fresh copy of Windows XP and after letting my son use it for a week I come back and it's really slow, IE will pop up and slow the computer to a crawl loading some webpage I don't want, and when I can use the internet, the scrolling is really choppy and slow. I have run Spybot and Ad-Aware, cleaned the system with AVG and still have problems. I DLed HijackThis in hopes of finally getting rid of the problem without having to reformat.

Here is my log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:40 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\V29uZw\command.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\System32\msiexec.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm3k.exe
D:\Documents and Settings\Brandon\Desktop\HiJackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - D:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O2 - BHO: (no name) - {382EB516-B686-4273-845A-AA79A6FEBB40} - D:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - D:\WINDOWS\System32\ssqomkl.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65419D9B-550E-28F2-0411-5B00B8B7DDC3} - (no file)
O2 - BHO: (no name) - {9B477BC9-3651-4E40-B454-FE71A572969E} - D:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: 0 - {B15B60A6-61C6-4B46-F793-EEEA0E7D803A} - D:\Program Files\Common Files\lafuv259.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - D:\WINDOWS\TinyBHO.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PostSetupCheck] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\System32\atgban.dll" DllStart
O4 - HKLM\..\Run: [BMcf40244f] Rundll32.exe "D:\WINDOWS\system32\rivuntcb.dll",s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206337443877
O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\V29uZw\command.exe

--
End of file - 5741 bytes

Any help is greatly appreciated!
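A way to triage a HijackThis log like the one above mechanically, as an added example that is not part of this thread, of HijackThis, or of any tool the replies recommend. It applies the checks a helper makes by eye (a BHO still registered although its DLL is gone or it has no name, a Winlogon Notify hook on a missing DLL, a service with no publisher, an O16 ActiveX download from a non-Microsoft host or through ms-its:, and a Run entry that starts a DLL through rundll32) to a constructed excerpt of the first log posted; the flag wording and the trusted-host list are assumptions of the example, not HijackThis rules.

```python
"""Triage a HijackThis 2.x log mechanically.

Added example for this thread; it is not part of HijackThis, ComboFix or
any tool mentioned in the replies.  It parses the R*/O* entry lines, skips
the header and process list, and flags the entry types a helper checks by
eye.  The heuristics and the trusted-host list are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# Assumption: hosts whose O16 ActiveX downloads are treated as expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass
class Entry:
    kind: str            # e.g. "O2", "O23"
    body: str            # text after "O2 - "
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return the R*/O* entries of a log; header and process list are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def _url_host(body: str):
    m = URL_RE.search(body)
    return urlparse(m.group(0)).hostname if m else None


def _trusted(host: str) -> bool:
    # Exact match or a real subdomain; "evil-microsoft.com" must not pass.
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def _flags_for(e: Entry) -> list:
    b, flags = e.body, []
    if e.kind == "O2":
        name = b[len("BHO: "):].split(" - ", 1)[0]
        if "(file missing)" in b or "(no file)" in b:
            flags.append("BHO still registered although its DLL is gone")
        if name in ("(no name)", "0") or GUID_RE.fullmatch(name):
            flags.append("BHO without a descriptive name")
    elif e.kind == "O4":
        if re.search(r'rundll32(\.exe)?\s+"?[^"]*\.dll', b, re.I):
            flags.append("Run entry that starts a DLL through rundll32")
    elif e.kind == "O16":
        if "ms-its:" in b.lower():
            flags.append("DPF loaded via the ms-its:/mhtml protocol (CHM download)")
        host = _url_host(b)
        if host and not _trusted(host):
            flags.append(f"DPF download from non-Microsoft host {host}")
    elif e.kind == "O20":
        if "(file missing)" in b:
            flags.append("Winlogon Notify hook pointing at a missing DLL")
    elif e.kind == "O23":
        if "Unknown owner" in b:
            flags.append("service with no publisher information")
    return flags


def triage(entries: list) -> list:
    """Attach flags to every entry and return only the flagged ones."""
    for e in entries:
        e.flags = _flags_for(e)
    return [e for e in entries if e.flags]


def report(flagged: list) -> str:
    lines = [f"{len(flagged)} entries need a closer look"]
    for e in flagged:
        lines.append(f"{e.kind} - {e.body}")
        lines.extend(f"    * {f}" for f in e.flags)
    return "\n".join(lines)


# Constructed excerpt: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\V29uZw\command.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PostSetupCheck] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\System32\atgban.dll" DllStart
O4 - HKLM\..\Run: [BMcf40244f] Rundll32.exe "D:\WINDOWS\system32\rivuntcb.dll",s
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\V29uZw\command.exe
"""

if __name__ == "__main__":
    print(report(triage(parse_hjt(SAMPLE_LOG))))
```

Run against the excerpt it flags seven of the thirteen entries: the orphaned and unnamed BHOs, the two rundll32 Run entries, the ms-its: download from adxanet.net, the Winlogon Notify hook and the cmdService entry, which is the same set the cleanup later in this thread removes or leaves orphaned. A flag is a prompt to look, not a verdict: legitimate software sometimes leaves a dead BHO registration behind, so the path and the publisher still need checking by hand.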
Noviciate
post Apr 22 2008, 04:08 PM
Post #2


SuperMember

Group: Malware Team
Posts: 1,220
Joined: 30-July 06
Member No.: 59,198
Operating System: Windows XP



Run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.
B. Wong
post Apr 23 2008, 05:17 AM
Post #3


New Member

Group: New Member
Posts: 5
Joined: 21-April 08
Member No.: 78,574
Operating System: Windows XP SP2



Adobe Flash Player ActiveX
Adobe Reader 8.1.2
ATI Display Driver (Omega 3.8.442)
AVG 7.5
Canon S820
Deewoo Network Manager removal
Enhancement Browser Tools Targetedbanner
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mozilla Firefox (2.0.0.13)
Radeon Omega Drivers v4.8.442 Setup Files and Tools
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver

Noviciate
post Apr 23 2008, 01:00 PM
Post #4


SuperMember

Group: Malware Team
Posts: 1,220
Joined: 30-July 06
Member No.: 59,198
Operating System: Windows XP



Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Please Note: This tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
B. Wong
post Apr 23 2008, 03:15 PM
Post #5


New Member

Group: New Member
Posts: 5
Joined: 21-April 08
Member No.: 78,574
Operating System: Windows XP SP2



The computer is still a bit laggy, and webpages still scroll choppily and slowly, but it is running a little better.

ComboFix Log:
ComboFix 08-04-22.5 - Brandon 2008-04-23 13:58:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.657 [GMT -7:00]
Running from: D:\Documents and Settings\Brandon\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Brandon\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Brandon\My Documents\CURITY~1
D:\Program Files\dobe~1
D:\WINDOWS\BMcf40244f.xml
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\awtstrr.dll
D:\WINDOWS\system32\ddccc.dll
D:\WINDOWS\system32\dobe~1
D:\WINDOWS\system32\drivers\fastfatt.sys
D:\WINDOWS\system32\gebyx.dll
D:\WINDOWS\system32\jjllm.ini
D:\WINDOWS\system32\jjllm.ini2
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\mljgd.dll
D:\WINDOWS\system32\orqss.ini
D:\WINDOWS\system32\orqss.ini2
D:\WINDOWS\system32\pac.txt
D:\WINDOWS\system32\pmkjg.dll
D:\WINDOWS\system32\qtutv.ini
D:\WINDOWS\system32\qtutv.ini2
D:\WINDOWS\system32\scntokwd.exe
D:\WINDOWS\system32\ssqpq.dll
D:\WINDOWS\system32\sstqn.dll
D:\WINDOWS\system32\vturp.dll
D:\WINDOWS\system32\vtuspqp.dll
D:\WINDOWS\system32\winpfz37.sys
D:\WINDOWS\V29uZw\
D:\WINDOWS\V29uZw\\asappsrv.dll
D:\WINDOWS\V29uZw\\command.exe
D:\WINDOWS\V29uZw\\pZ6RtT.vbs
D:\WINDOWS\V29uZw\command.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_FASTFATT
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_fastfatt


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 07:27 . 2008-04-23 07:27 <DIR> d-------- D:\Program Files\Lavasoft
2008-04-23 07:27 . 2008-04-23 07:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 07:26 . 2008-04-23 07:26 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 20:41 . 2008-04-21 20:41 <DIR> d-------- D:\Program Files\Common Files\Adobe
2008-04-03 11:34 . 2004-08-03 22:08 26,496 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-31 05:19 . 2007-04-09 12:55 97,785 --a------ D:\WINDOWS\system32\instwdm.ini
2008-03-31 05:19 . 2007-04-09 12:55 54 --a------ D:\WINDOWS\system32\ctzapxx.ini
2008-03-31 05:18 . 2006-08-11 14:56 3,072 --a------ D:\WINDOWS\CTXFIRES.DLL
2008-03-31 05:15 . 2008-03-31 05:15 <DIR> d-------- D:\Program Files\Creative
2008-03-31 04:27 . 2004-03-22 12:17 24,816 --a------ D:\WINDOWS\system32\mdimon.dll
2008-03-31 04:27 . 2008-03-31 04:27 376 --a------ D:\WINDOWS\ODBC.INI
2008-03-31 04:14 . 2008-03-31 04:14 <DIR> d-------- D:\Program Files\Microsoft ActiveSync
2008-03-31 04:12 . 2008-03-31 04:15 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-03-31 04:11 . 2008-03-31 04:11 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-03-27 12:15 . 2008-03-31 04:43 4,958,588 --a------ D:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-00531102}.BAK
2008-03-27 11:56 . 2008-03-31 04:43 4,958,588 --a------ D:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-00531102}.CDF
2008-03-27 11:53 . 2008-04-23 14:00 30,120 --a------ D:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 30,120 --a------ D:\WINDOWS\system32\BMXState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 27,408 --a------ D:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 27,408 --a------ D:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 11,564 --a------ D:\WINDOWS\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 08:05 . 2004-08-03 22:08 10,624 --a------ D:\WINDOWS\system32\drivers\gameenum.sys
2008-03-27 08:05 . 2004-08-03 22:08 10,624 --a--c--- D:\WINDOWS\system32\dllcache\gameenum.sys
2008-03-27 07:51 . 2007-12-06 19:21 6,066,176 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-27 07:51 . 2007-06-30 20:31 2,455,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-27 07:51 . 2007-06-30 20:36 991,232 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-27 07:51 . 2007-12-06 19:21 459,264 -----c--- D:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-27 07:51 . 2007-12-06 19:21 383,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-27 07:51 . 2007-12-06 19:21 267,776 -----c--- D:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-27 07:51 . 2007-12-06 19:21 63,488 -----c--- D:\WINDOWS\system32\dllcache\icardie.dll
2008-03-27 07:51 . 2007-12-06 19:21 52,224 -----c--- D:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-27 07:51 . 2007-12-06 04:00 13,824 -----c--- D:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-27 07:45 . 2007-08-13 19:54 33,792 --a--c--- D:\WINDOWS\system32\dllcache\custsat.dll
2008-03-27 05:16 . 2008-03-27 05:16 <DIR> d-------- D:\Documents and Settings\Brandon\Application Data\Creative
2008-03-27 05:16 . 2008-03-27 05:16 409,600 --a------ D:\WINDOWS\system32\wrap_oal.dll
2008-03-27 05:16 . 2008-03-27 05:16 114,688 --a------ D:\WINDOWS\system32\OpenAL32.dll
2008-03-27 05:15 . 2008-04-21 20:36 <DIR> d-------- D:\WINDOWS\system32\data
2008-03-27 05:15 . 2004-08-03 22:15 145,792 --a------ D:\WINDOWS\system32\drivers\portcls.sys
2008-03-27 05:15 . 2004-08-03 22:15 145,792 --a--c--- D:\WINDOWS\system32\dllcache\portcls.sys
2008-03-27 05:15 . 2004-08-03 23:56 130,048 --a------ D:\WINDOWS\system32\ksproxy.ax
2008-03-27 05:15 . 2004-08-03 23:56 130,048 --a--c--- D:\WINDOWS\system32\dllcache\ksproxy.ax
2008-03-27 05:15 . 2004-08-03 22:07 60,288 --a------ D:\WINDOWS\system32\drivers\drmk.sys
2008-03-27 05:15 . 2004-08-03 22:07 60,288 --a--c--- D:\WINDOWS\system32\dllcache\drmk.sys
2008-03-27 05:15 . 2004-08-03 23:56 4,096 --a------ D:\WINDOWS\system32\ksuser.dll
2008-03-27 05:15 . 2004-08-03 23:56 4,096 --a--c--- D:\WINDOWS\system32\dllcache\ksuser.dll
2008-03-27 05:09 . 2006-08-21 02:14 128,896 -----c--- D:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-27 05:09 . 2006-08-21 02:14 23,040 -----c--- D:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-27 05:09 . 2006-08-21 05:21 16,896 -----c--- D:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-27 04:57 . 2007-07-09 06:09 584,192 -----c--- D:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-27 04:34 . 2008-03-27 12:12 <DIR> d--h----- D:\WINDOWS\$hf_mig$
2008-03-27 04:24 . 2008-03-27 04:24 <DIR> d---s---- D:\WINDOWS\system32\Microsoft
2008-03-26 04:57 . 2008-03-27 04:25 316,640 --a------ D:\WINDOWS\WMSysPr9.prx
2008-03-26 04:46 . 2008-03-26 04:46 <DIR> d-------- D:\WINDOWS\provisioning
2008-03-26 04:46 . 2008-03-26 04:46 <DIR> d-------- D:\WINDOWS\peernet
2008-03-26 04:45 . 2008-03-26 04:45 <DIR> d-------- D:\WINDOWS\ServicePackFiles
2008-03-26 04:40 . 2006-09-06 18:43 22,752 --a------ D:\WINDOWS\system32\spupdsvc.exe
2008-03-26 04:38 . 2008-03-26 04:38 <DIR> d-------- D:\WINDOWS\EHome
2008-03-25 20:31 . 2004-08-04 01:56 11,776 --a------ D:\WINDOWS\system32\spnpinst.exe
2008-03-25 20:31 . 2004-08-02 15:20 7,208 --a------ D:\WINDOWS\system32\secupd.sig
2008-03-25 20:31 . 2004-08-02 15:20 4,569 --a------ D:\WINDOWS\system32\secupd.dat
2008-03-25 20:05 . 2008-04-21 20:45 <DIR> dr-h----- D:\$VAULT$.AVG
2008-03-25 20:04 . 2008-03-25 20:04 <DIR> d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 20:04 . 2008-03-25 20:28 <DIR> d-------- D:\Documents and Settings\Brandon\Application Data\AVG7
2008-03-25 20:04 . 2008-03-25 20:04 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 20:04 . 2008-03-25 20:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 20:04 . 2008-03-25 20:04 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2008-03-25 20:04 . 2008-03-25 20:04 348,160 --a------ D:\WINDOWS\system32\msvcr71.dll
2008-03-25 19:19 . 2008-03-25 19:19 294 --ahs---- D:\WINDOWS\system32\xypuyqsa.ini
2008-03-24 06:39 . 2007-09-28 22:05 593,920 --a------ D:\WINDOWS\system32\ati2sgag.exe
2008-03-24 06:31 . 2008-03-31 04:40 <DIR> d--h----- D:\Program Files\InstallShield Installation Information
2008-03-24 06:31 . 2008-03-31 04:40 <DIR> d-------- D:\Program Files\Common Files\InstallShield
2008-03-24 06:31 . 2006-02-22 01:13 6,144 --a------ D:\WINDOWS\system32\atiicdxx.sys
2008-03-24 06:30 . 2008-03-24 06:30 <DIR> d-------- D:\Program Files\Radeon Omega Drivers
2008-03-24 06:23 . 2008-04-23 13:45 617 --a------ D:\WINDOWS\wininit.ini
2008-03-24 06:17 . 2008-03-24 06:17 <DIR> d--h----- D:\BJPrinter
2008-03-24 06:17 . 2002-07-24 15:00 87,552 --a------ D:\WINDOWS\system32\CNMLM3k.DLL
2008-03-24 06:17 . 2002-07-30 03:59 73,728 --a------ D:\WINDOWS\system32\CNMCP3k.exe
2008-03-24 06:17 . 2002-07-30 03:59 73,728 --a------ D:\WINDOWS\system32\cnm5E.tmp
2008-03-24 06:17 . 2002-07-24 15:00 5,632 --a------ D:\WINDOWS\system32\CNMVS3k.DLL
2008-03-24 06:02 . 2008-03-24 06:02 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2008-03-24 06:02 . 2008-03-24 06:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 05:33 . 2008-03-24 05:33 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\xTmp
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\winz1
2008-03-24 04:12 . 2008-03-24 04:12 <DIR> d-------- D:\WINDOWS\system32\usnv
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\IDME
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\aqVreo01
2008-03-24 04:12 . 2008-03-24 04:12 39,883 --a------ D:\WINDOWS\system32\targetedbanner-uninst.exe
2008-03-23 22:46 . 2008-03-23 22:46 <DIR> d-------- D:\WINDOWS\system32\bits
2008-03-23 22:45 . 2004-08-04 00:56 438,784 --a------ D:\WINDOWS\system32\xpob2res.dll
2008-03-23 22:45 . 2004-08-04 00:56 351,232 --a------ D:\WINDOWS\system32\winhttp.dll
2008-03-23 22:45 . 2004-08-04 00:56 18,944 --a------ D:\WINDOWS\system32\qmgrprxy.dll
2008-03-23 22:45 . 2004-08-04 00:56 8,192 --a------ D:\WINDOWS\system32\bitsprx2.dll
2008-03-23 22:45 . 2004-08-04 00:56 7,168 --a------ D:\WINDOWS\system32\bitsprx3.dll
2008-03-23 22:44 . 2008-03-23 22:44 <DIR> d--hs---- D:\Documents and Settings\Brandon\UserData
2008-03-23 22:44 . 2007-07-30 20:19 549,720 --a------ D:\WINDOWS\system32\wuapi.dll
2008-03-23 22:44 . 2007-07-30 20:19 325,976 --a------ D:\WINDOWS\system32\wucltui.dll
2008-03-23 22:44 . 2007-07-30 20:19 216,408 --a------ D:\WINDOWS\system32\wuaucpl.cpl
2008-03-23 22:44 . 2007-07-30 20:19 43,352 --a------ D:\WINDOWS\system32\wups2.dll
2008-03-23 22:44 . 2007-07-30 20:18 34,136 --a------ D:\WINDOWS\system32\wucltui.dll.mui
2008-03-23 22:44 . 2007-07-30 20:18 33,624 --a------ D:\WINDOWS\system32\wups.dll
2008-03-23 22:44 . 2007-07-30 20:19 25,944 --a------ D:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-23 22:44 . 2007-07-30 20:19 25,944 --a------ D:\WINDOWS\system32\wuapi.dll.mui
2008-03-23 22:44 . 2007-07-30 20:18 20,312 --a------ D:\WINDOWS\system32\wuaueng.dll.mui
2008-03-23 22:42 . 2008-03-23 22:42 0 --a------ D:\WINDOWS\nsreg.dat
2008-03-23 22:41 . 2008-04-23 07:27 <DIR> d--hs---- D:\WINDOWS\Installer
2008-03-23 22:41 . 2008-03-23 22:44 <DIR> d-------- D:\Documents and Settings\Brandon
2008-03-23 22:41 . 2008-03-27 07:37 1,024 --ah----- D:\Documents and Settings\Default User\NTUSER.DAT.LOG
2008-03-23 22:41 . 2008-04-23 14:02 1,024 --ah----- D:\Documents and Settings\Brandon\NTUSER.DAT.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 02:12 246 ----a-w D:\Program Files\Common Files\lafuv259
2008-03-24 13:30 472,576 ----a-w D:\WINDOWS\Radeon Omega Drivers v4.8.442 Uninstall.exe
2008-03-24 06:33 --------- d-----w D:\Program Files\microsoft frontpage
2008-02-13 05:30 7,680 ----a-w D:\WINDOWS\fetchuserid.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04495502-16C6-4547-8FD5-9F7636B0721F}]
D:\WINDOWS\System32\vtutq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B435F6-B6CE-4F24-A568-944B27ED919C}]
D:\WINDOWS\System32\atgban.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{182082bb-3736-4804-8ab1-07c8fc7fe3b4}]
D:\WINDOWS\System32\tqmxrexw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{382EB516-B686-4273-845A-AA79A6FEBB40}]
D:\WINDOWS\system32\ssqro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B477BC9-3651-4E40-B454-FE71A572969E}]
D:\WINDOWS\System32\mlljj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B15B60A6-61C6-4B46-F793-EEEA0E7D803A}]
D:\Program Files\Common Files\lafuv259.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]
D:\WINDOWS\TinyBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-21 20:33 579584]
"MSConfig"="D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 20:04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqomkl]
ssqomkl.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Brandon^Start Menu^Programs^Startup^Deewoo.lnk]
path=D:\Documents and Settings\Brandon\Start Menu\Programs\Startup\Deewoo.lnk
backup=D:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Brandon^Start Menu^Programs^Startup^DW_Start.lnk]
path=D:\Documents and Settings\Brandon\Start Menu\Programs\Startup\DW_Start.lnk
backup=D:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\14f1a2f1]
D:\WINDOWS\System32\asqyupyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 18:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMcf40244f]
D:\WINDOWS\system32\rivuntcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ceps]
D:\WINDOWS\System32\DOBE~1\wuaclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
D:\WINDOWS\System32\scntokwd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mivgpln]
D:\Program Files\?dobe\m?dtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
D:\WINDOWS\System32\atgban.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
D:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1A-A2-25-5E-DW}]
d:\windows\system32\jnwnw64n.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 14:02:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-23 14:03:38 - machine was rebooted [Brandon]
ComboFix-quarantined-files.txt 2008-04-23 21:03:35

Pre-Run: 165,634,990,080 bytes free
Post-Run: 166,221,221,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

264



Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:31 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\Brandon\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - D:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O2 - BHO: (no name) - {382EB516-B686-4273-845A-AA79A6FEBB40} - D:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B477BC9-3651-4E40-B454-FE71A572969E} - D:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: 0 - {B15B60A6-61C6-4B46-F793-EEEA0E7D803A} - D:\Program Files\Common Files\lafuv259.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - D:\WINDOWS\TinyBHO.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206337443877
O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5045 bytes
Noviciate
post Apr 23 2008, 03:36 PM
Post #6


SuperMember

Group: Malware Team
Posts: 1,220
Joined: 30-July 06
Member No.: 59,198
Operating System: Windows XP



1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - D:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O2 - BHO: (no name) - {382EB516-B686-4273-845A-AA79A6FEBB40} - D:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {9B477BC9-3651-4E40-B454-FE71A572969E} - D:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: 0 - {B15B60A6-61C6-4B46-F793-EEEA0E7D803A} - D:\Program Files\Common Files\lafuv259.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - D:\WINDOWS\TinyBHO.dll (file missing)

O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx

O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Download Malwarebytes' Anti-Malware from here and save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Let me have the MBAM log, a fresh HJT log (run in Normal Mode) AND a description of how your PC is behaving.
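Added example (my own code, not part of this thread and not a HijackThis feature): a small Python triage script that applies the same reasoning Noviciate used when picking the entries above. It flags O2 BHOs whose DLL is "(file missing)" or that carry no real display name, O16 DPF entries whose codebase is fetched via the ms-its: HTML Help handler or from a host other than Microsoft's own, and O20 Winlogon Notify hooks whose DLL is gone. The sample lines are copied from the HijackThis log posted in this thread, with three clean entries left in as controls; the trusted-host list and the finding texts are assumptions of the example, not HijackThis output.

```python
import re

# Constructed sample: seven lines lifted from the HijackThis v2.0.2 log posted
# earlier in this thread, including three clean entries as controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

ENTRY = re.compile(r"^(O\d+)\s*-\s*(.*)$")
GUID = re.compile(r"^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
HTTP_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Assumption of this example: hosts Windows itself loads ActiveX controls from
# (WGA validation, Windows Update). Anything else gets a finding.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "www.update.microsoft.com", "update.microsoft.com"}


def assess(line):
    """Return the reasons one HJT line is suspicious; an empty list means no finding."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    missing = body.endswith("(file missing)")
    reasons = []
    if section == "O2":
        # O2 - BHO: <display name> - {CLSID} - <dll path>[ (file missing)]
        name = body.split(":", 1)[1].strip().split(" - ")[0]
        if missing:
            reasons.append("BHO CLSID still registered but its DLL is gone (orphaned after cleanup)")
        if name in ("(no name)", "0") or GUID.match(name):
            reasons.append("BHO has no meaningful display name (random or GUID name)")
    elif section == "O16":
        # O16 - DPF: {CLSID} [(name)] - <codebase URL>
        url = body.split(" - ")[-1]
        if url.lower().startswith("ms-its:"):
            reasons.append("DPF codebase uses the ms-its: HTML Help protocol (drive-by download vector)")
        host = HTTP_HOST.search(url)
        if host and host.group(1).lower() not in TRUSTED_DPF_HOSTS:
            reasons.append("ActiveX control downloaded from untrusted host " + host.group(1))
    elif section == "O20":
        # Winlogon Notify DLLs are loaded into winlogon.exe at every logon
        if missing:
            reasons.append("Winlogon Notify DLL registered but missing (stale persistence hook)")
    return reasons


def triage(log_text):
    """Map every flagged HJT line to its findings, in log order."""
    findings = {}
    for line in log_text.splitlines():
        reasons = assess(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


def fix_list(log_text):
    """The lines to tick in 'Do a system scan only' before clicking 'Fix checked'."""
    return list(triage(log_text))


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
```

On the sample this returns four entries to fix (two orphaned BHOs, the ms-its: DPF, the Winlogon Notify hook) and passes the Adobe BHO, the WGA control and the AVG service. "(file missing)" is the key signal: the registry still references a component a scanner already deleted, so the entry does nothing but should still be removed so it cannot be silently re-pointed at a new file.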
B. Wong
post Apr 23 2008, 04:59 PM
Post #7


New Member

Group: New Member
Posts: 5
Joined: 21-April 08
Member No.: 78,574
Operating System: Windows XP SP2



Ok! Scrolling is still choppy and the computer seems to be like before. Also, while MBAM was running, AVG caught multiple trojan-based threats that I didn't heal because I was afraid they would mess up the MBAM process. Should I run MBAM again and heal these threats, or continue and have AVG clear them out in the end?

MBAM Log:
Malwarebytes' Anti-Malware 1.11
Database version: 675

Scan type: Full Scan (D:\|)
Objects scanned: 58590
Time elapsed: 20 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\quantic.plug (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\quantic.plug.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\targetedbanner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\QooBox\Quarantine\D\WINDOWS\V29uZw\asappsrv.dll.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\V29uZw\command.exe.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP21\A0006810.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP21\A0006811.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP6\A0000190.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000228.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000229.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000233.vbs (Malware.Trace) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000235.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000236.dll (Adware.TTC) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000349.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000356.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000372.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000374.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000377.ico (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\targetedbanner-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\IDME\TGbn1dll.exe (Adware.Trafficsol) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\usnv\pax89104.exe (Adware.TTC) -> Quarantined and deleted successfully.


HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:22 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Brandon\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206337443877
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 3946 bytes
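Added example (my own code, not part of this thread and not a Malwarebytes feature): a Python summary of the "Files Infected:" section of an MBAM 1.x log like the one posted above, separating hits inside System Restore points and the ComboFix quarantine (historical copies of files that were already removed from the live system) from hits on the live file system, which are the only ones that say something about what was still active on disk. The sample lines are copied from the log above; the location labels are assumptions of the example.

```python
import re

# Constructed sample: a subset of the "Files Infected:" lines from the MBAM log
# posted above (six entries covering all three locations that appear in it).
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
D:\QooBox\Quarantine\D\WINDOWS\V29uZw\asappsrv.dll.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP6\A0000190.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000228.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\targetedbanner-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\IDME\TGbn1dll.exe (Adware.Trafficsol) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\usnv\pax89104.exe (Adware.TTC) -> Quarantined and deleted successfully.
"""

# "<path> (<family>) -> <action>."  as MBAM 1.x writes each detection line
FILE_ENTRY = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def classify_location(path):
    """Where the detected file lived; only 'live' hits indicate something still on disk."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"        # System Restore snapshot of an old file
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"  # already neutralised by ComboFix (.vir)
    return "live"


def parse_files_infected(log_text):
    """Yield (path, family, location) for each entry under 'Files Infected:'."""
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            in_section = line == "Files Infected:"   # other sections are skipped
            continue
        if not in_section or not line or line.startswith("("):
            continue  # blank line or "(No malicious items detected)"
        m = FILE_ENTRY.match(line)
        if m:
            yield m.group("path"), m.group("family"), classify_location(m.group("path"))


def summarize(log_text):
    """Counts per location plus the sorted detection families found on the live file system."""
    counts = {"live": 0, "restore-point": 0, "combofix-quarantine": 0}
    live_families = set()
    for path, family, loc in parse_files_infected(log_text):
        counts[loc] += 1
        if loc == "live":
            live_families.add(family)
    return counts, sorted(live_families)


if __name__ == "__main__":
    counts, families = summarize(SAMPLE_MBAM_LOG)
    print(counts)
    print("live families:", ", ".join(families))
```

Run against the full log in the post above, the same split shows 13 of the 18 file hits were restore-point copies, two were ComboFix's own quarantine, and only three files under D:\WINDOWS\system32 were live; those three, and the registry keys, are what MBAM actually changed on the running system. The restore-point hits are still worth clearing, because a later System Restore would bring those files back.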
Noviciate
post Apr 24 2008, 01:49 PM
Post #8


SuperMember

Group: Malware Team
Posts: 1,220
Joined: 30-July 06
Member No.: 59,198
Operating System: Windows XP



QUOTE
Also while MBAM was running AVG caught Multiple trojan based threats, that I didn't heal because I was afraid they would mess up the MBAM process. Should I run MBAM again and heal these threats, or continue and have AVG clear them out in the end?

It's difficult to say without knowing exactly what is being detected. I'd run MBAM again and see what AVG is detecting. If you can list what AVG is picking up, I'll tell you what I think is for the best.
Can you tell me whether you installed AVG originally once you got the OS up and running, or whether it was only after you encountered the problems with the PC?
B. Wong
post Apr 25 2008, 03:01 AM
Post #9


New Member

Group: New Member
Posts: 5
Joined: 21-April 08
Member No.: 78,574
Operating System: Windows XP SP2



AVG was installed after I began having problems, I reran MBAM and it didn't pick anything up, then did a full system scan using AVG and nothing was picked up either...

The pop ups have stopped, but for some reason the web is still slow and choppy. Anything else I can do about it?
Noviciate
post Apr 25 2008, 12:47 PM
Post #10


SuperMember

Group: Malware Team
Posts: 1,220
Joined: 30-July 06
Member No.: 59,198
Operating System: Windows XP



Given that the PC was being run without adequate security prior to its infection, I recommend reformatting and reinstalling Windows. It is going to be impossible to guarantee a clean computer at the end of the removal process, which makes it something of a waste of time to start it in the first place. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered, making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems.
You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions, and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, I'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc. changed - obviously not using this PC!
Should you want them, I can provide links to free software that will help keep your PC malware-free in the future.