[Closed] Virus Help


This topic is locked
9 replies to this topic

#1 HooJoe
New Member, 4 posts

Posted 19 November 2007 - 07:46 PM

Hey everyone,

I got a virus about a week ago and have tried to fix it running Ad-aware, AVG, and SmitFraudFix. Earlier I had lots of popups and constant warnings in my taskbar and that came up on my desktop. Most of that has stopped, but I still get notified by Norton Anti-Virus of a virus called downloader mislead.app which it can't remove. Here is my HijackThis log, thanks for any help you can provide.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Link\AirPro Utility\WLANmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\winshow.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.virginia.edu/OfCurr.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\bhykvdjd.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [D-Link AirPro Utility] C:\Program Files\D-Link\AirPro Utility\WLANmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a01b7472] rundll32.exe "C:\WINDOWS\System32\mfddrynn.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 209.8.20.130
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto...YorkActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish...r/dlControl.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\fafwosew.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe



#2 Blade81
SuperMember (Visiting Fellow, MVP), 1,065 posts
Interests: Floorball, football, music, computers

Posted 24 November 2007 - 09:02 AM

Hi

Navigate into the C:\Program Files\Hijackthis folder and rename the HijackThis.exe file to HooJoe.exe. Post a fresh HJT log after that.
Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#3 HooJoe
New Member, 4 posts

Posted 26 November 2007 - 10:57 PM

Hey, thanks for your help. I really appreciate it. My computer has gotten worse with much, much slower speed and new warnings of trojans from Norton anti-virus. They say trojan.vundo and trojan.awax. Here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:46:12 PM, on 11/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Link\AirPro Utility\WLANmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\winshow.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HooJoe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.virginia.edu/OfCurr.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {d0c55e72-3f99-b15b-db14-7bc0452ee845} - {548ee254-0cb7-41bd-b51b-99f327e55c0d} - C:\WINDOWS\System32\krwkdwob.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\System32\urqnmkj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8B0631B3-43F8-4EE6-A912-5CCF41C628A6} - C:\WINDOWS\System32\xxwwv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\System32\bhykvdjd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\bhykvdjd.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [D-Link AirPro Utility] C:\Program Files\D-Link\AirPro Utility\WLANmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 209.8.20.130
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto...YorkActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish...r/dlControl.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bhykvdjd - C:\WINDOWS\SYSTEM32\bhykvdjd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: urqnmkj - C:\WINDOWS\SYSTEM32\urqnmkj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\fafwosew.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
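The two HJT logs HooJoe posted show the pattern behind the trojan.vundo warnings he mentions: unnamed O2 BHOs and O20 Winlogon Notify handlers pointing at the same random-named DLLs in System32, an O23 service whose file is missing, an O4 rundll32 entry, and O15 Trusted Zone changes. The script below is an added example, not code from this thread, from HijackThis or from ComboFix; it parses HJT-format lines and flags those patterns. SAMPLE_LOG is a constructed subset of the posted lines, and the name-randomness thresholds in looks_random() are assumptions chosen so the vendor entries in the same log stay quiet.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; not code from the forum, from HijackThis
or from ComboFix. SAMPLE_LOG is a constructed subset of the lines posted
above; the thresholds in looks_random() are assumptions, chosen so the
vendor entries in the same log do not trip them.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\System32\urqnmkj.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\System32\bhykvdjd.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\bhykvdjd.dll
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [a01b7472] rundll32.exe "C:\WINDOWS\System32\mfddrynn.dll",b
O15 - Trusted Zone: *.windupdates.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O20 - Winlogon Notify: bhykvdjd - C:\WINDOWS\SYSTEM32\bhykvdjd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: urqnmkj - C:\WINDOWS\SYSTEM32\urqnmkj.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\fafwosew.exe (file missing)
"""

SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+)\s*-\s*(?P<body>.*)$")
# First Windows path on the line, cut at a loadable-module extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|scr|cpl)", re.I)
VOWELS = set("aeiou")
HOT_SECTIONS = {"O2", "O3", "O20"}  # BHO, toolbar, Winlogon Notify


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    path: str
    line: str


def looks_random(filename: str) -> bool:
    """True for names like 'urqnmkj.dll': all lower-case ASCII letters, at
    least 6 long, with a run of 5+ consonants (y counts as a consonant).
    Assumed threshold; carpserv, winshow and svchost stay below it."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isascii() or not stem.isalpha() or not stem.islower():
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def triage(log_text: str) -> list[Finding]:
    """Return review-worthy HJT entries; these are leads, not verdicts."""
    findings: list[Finding] = []
    seen: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else ""
        name = path.rsplit("\\", 1)[-1].lower()

        if sec == "O15":
            # HJT only lists non-default zone settings, so every O15 line
            # is a Trusted Zone change the user should be able to explain.
            findings.append(Finding(sec, "IE trusted zone modified", path, line))
        if sec == "O23" and "(file missing)" in body:
            findings.append(Finding(sec, "service points at missing file", path, line))
        if sec == "O4" and "rundll32.exe" in body.lower() and looks_random(name):
            findings.append(Finding(sec, "rundll32 loading random-named DLL", path, line))
        if sec in HOT_SECTIONS and looks_random(name):
            findings.append(Finding(sec, "random-looking module name", path, line))
        if name:
            seen[name].append((sec, line))

    # One DLL registered as BHO, toolbar and Winlogon Notify handler at once
    # is the pattern in this thread's log; report it once per module.
    for name, entries in seen.items():
        hot = sorted(HOT_SECTIONS & {s for s, _ in entries})
        if len(hot) >= 2:
            findings.append(Finding("+".join(hot),
                                    f"same module in {len(hot)} autostart locations",
                                    name, entries[0][1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.path or f.line}")
```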

#4 Blade81
SuperMember (Visiting Fellow, MVP), 1,065 posts
Interests: Floorball, football, music, computers

Posted 27 November 2007 - 12:49 PM

Hi

1. Download this file: combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#5 HooJoe
New Member, 4 posts

Posted 27 November 2007 - 02:38 PM

Here is the ComboFix log.

ComboFix 07-11-19.4 - Joe 2007-11-27 14:21:32.1 - NTFSx86
Running from: C:\Documents and Settings\Joe\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Joe\Application Data\RACLE~1
C:\Documents and Settings\Joe\Favorites\Online Security Guide.lnk
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bhykvdjd.dllbox
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\inyvbaes.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\vwwxx.bak1
C:\WINDOWS\SYSTEM32\vwwxx.bak2
C:\WINDOWS\SYSTEM32\vwwxx.ini
C:\WINDOWS\SYSTEM32\vwwxx.ini2
C:\WINDOWS\SYSTEM32\vwwxx.tmp
C:\WINDOWS\System32\xxwwv.dll
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NWSAPAGENT
-------\DomainService
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 14:22 784,245 --ahs---- C:\WINDOWS\SYSTEM32\jcofxfub.ini
2007-11-27 14:22 88,128 --a------ C:\WINDOWS\SYSTEM32\bufxfocj.dll
2007-11-27 14:19 71,232 --a------ C:\WINDOWS\SYSTEM32\xmeadqmi.exe
2007-11-27 14:16 71,232 --a------ C:\WINDOWS\SYSTEM32\iacakshn.exe
2007-11-27 14:13 71,232 --a------ C:\WINDOWS\SYSTEM32\byumoexj.exe
2007-11-26 23:10 71,232 --a------ C:\WINDOWS\SYSTEM32\kgbplxxf.exe
2007-11-26 18:48 71,232 --a------ C:\WINDOWS\SYSTEM32\pgyoxmgy.exe
2007-11-25 17:20 71,232 --a------ C:\WINDOWS\SYSTEM32\nmucfjgo.exe
2007-11-25 16:19 775,952 --ahs---- C:\WINDOWS\SYSTEM32\lsdwlgpa.ini
2007-11-25 16:18 85,056 --------- C:\WINDOWS\SYSTEM32\apglwdsl.dll
2007-11-25 16:15 79,936 --a------ C:\WINDOWS\SYSTEM32\krwkdwob.dll
2007-11-25 16:07 71,232 --a------ C:\WINDOWS\SYSTEM32\wuwtficd.exe
2007-11-22 11:54 775,892 --ahs---- C:\WINDOWS\SYSTEM32\gxgeccoo.ini
2007-11-22 11:51 79,936 --a------ C:\WINDOWS\SYSTEM32\yxpilsee.dll
2007-11-21 10:48 80,960 --a------ C:\WINDOWS\SYSTEM32\jrujfuhf.dll
2007-11-21 10:45 825,845 --ahs---- C:\WINDOWS\SYSTEM32\grfvlgnu.ini
2007-11-21 10:45 85,056 --a------ C:\WINDOWS\SYSTEM32\unglvfrg.dll
2007-11-21 10:40 71,232 --a------ C:\WINDOWS\SYSTEM32\xshdmjws.exe
2007-11-20 16:19 84,544 --a------ C:\WINDOWS\SYSTEM32\pitskahs.dll
2007-11-20 16:08 71,232 --a------ C:\WINDOWS\SYSTEM32\xwxabwsp.exe
2007-11-19 20:41 83,008 --a------ C:\WINDOWS\SYSTEM32\iuwnrkah.dll
2007-11-19 20:31 71,232 --a------ C:\WINDOWS\SYSTEM32\uaofwtsa.exe
2007-11-19 01:33 <DIR> d-------- C:\WINDOWS\Sun
2007-11-19 01:27 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-19 01:16 <DIR> d-------- C:\Program Files\Java
2007-11-19 01:13 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-18 15:04 826,996 --ahs---- C:\WINDOWS\SYSTEM32\nnyrddfm.ini
2007-11-18 15:01 79,424 --a------ C:\WINDOWS\SYSTEM32\otjggclv.dll
2007-11-18 14:52 71,232 --a------ C:\WINDOWS\SYSTEM32\btjismow.exe
2007-11-18 14:49 677,920 --ahs---- C:\WINDOWS\SYSTEM32\auevngvo.ini
2007-11-18 14:47 71,232 --a------ C:\WINDOWS\SYSTEM32\jokgrdtq.exe
2007-11-18 12:43 678,040 --ahs---- C:\WINDOWS\SYSTEM32\oljigqat.ini
2007-11-18 12:42 85,056 --a------ C:\WINDOWS\SYSTEM32\taqgijlo.dll
2007-11-18 12:39 79,424 --a------ C:\WINDOWS\SYSTEM32\lvdjypht.dll
2007-11-18 12:35 71,232 --a------ C:\WINDOWS\SYSTEM32\wjqvnyos.exe
2007-11-17 21:24 677,980 --ahs---- C:\WINDOWS\SYSTEM32\ndxtsvvr.ini
2007-11-17 21:21 82,496 --a------ C:\WINDOWS\SYSTEM32\tbipbukt.dll
2007-11-17 21:12 71,232 --a------ C:\WINDOWS\SYSTEM32\mxaihhle.exe
2007-11-17 20:18 82,496 --a------ C:\WINDOWS\SYSTEM32\oravyqgk.dll
2007-11-17 20:15 677,920 --ahs---- C:\WINDOWS\SYSTEM32\otuikavo.ini
2007-11-17 20:06 71,232 --a------ C:\WINDOWS\SYSTEM32\ibqaqxbl.exe
2007-11-17 16:21 677,980 --ahs---- C:\WINDOWS\SYSTEM32\lqaaotit.ini
2007-11-17 16:15 82,496 --a------ C:\WINDOWS\SYSTEM32\whykpcoy.dll
2007-11-17 16:12 71,232 --a------ C:\WINDOWS\SYSTEM32\agogeefc.exe
2007-11-17 15:30 88,128 --a------ C:\WINDOWS\SYSTEM32\aajalnyq.dll
2007-11-17 15:24 82,496 --a------ C:\WINDOWS\SYSTEM32\uxipckvm.dll
2007-11-17 15:21 71,232 --a------ C:\WINDOWS\SYSTEM32\plmppbpt.exe
2007-11-16 15:21 677,920 --ahs---- C:\WINDOWS\SYSTEM32\fmcqtsur.ini
2007-11-16 15:18 80,448 --a------ C:\WINDOWS\SYSTEM32\oslffwdd.dll
2007-11-16 15:18 71,232 --a------ C:\WINDOWS\SYSTEM32\ehsooefc.exe
2007-11-15 20:10 71,232 --a------ C:\WINDOWS\SYSTEM32\uncxnnmg.exe
2007-11-14 23:41 71,232 --a------ C:\WINDOWS\SYSTEM32\aveeaafv.exe
2007-11-14 15:03 669,061 --ahs---- C:\WINDOWS\SYSTEM32\ahnuohqy.ini
2007-11-14 14:57 80,448 --a------ C:\WINDOWS\SYSTEM32\gruoaulo.dll
2007-11-14 14:55 71,232 --a------ C:\WINDOWS\SYSTEM32\ewcxqvmc.exe
2007-11-13 13:25 80,448 --a------ C:\WINDOWS\SYSTEM32\nkoqohfq.dll
2007-11-13 13:19 628,902 --ahs---- C:\WINDOWS\SYSTEM32\daktlilt.ini
2007-11-13 13:15 71,232 --a------ C:\WINDOWS\SYSTEM32\upoviwnq.exe
2007-11-12 12:54 591,987 --ahs---- C:\WINDOWS\SYSTEM32\fuiqfujo.ini
2007-11-12 12:51 81,472 --a------ C:\WINDOWS\SYSTEM32\vxanssns.dll
2007-11-12 12:45 71,232 --a------ C:\WINDOWS\SYSTEM32\jnlebraf.exe
2007-11-08 20:39 591,807 --ahs---- C:\WINDOWS\SYSTEM32\lwwqtnxe.ini
2007-11-08 20:27 71,232 --a------ C:\WINDOWS\SYSTEM32\kwttadwl.exe
2007-11-08 16:38 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-11-08 16:38 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-11-08 16:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-08 16:37 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-08 00:16 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\Grisoft
2007-11-08 00:15 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-08 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 21:58 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-07 21:58 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-07 21:58 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-07 20:33 584,091 --ahs---- C:\WINDOWS\SYSTEM32\ppivgsvr.ini
2007-11-07 20:30 79,936 --a------ C:\WINDOWS\SYSTEM32\knmqcoyv.dll
2007-11-06 17:00 3,788 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-06 16:37 570,892 --ahs---- C:\WINDOWS\SYSTEM32\kjirfctu.ini
2007-11-06 16:11 81,472 --a------ C:\WINDOWS\SYSTEM32\vyiaiksc.dll
2007-11-06 16:03 145,984 --a------ C:\WINDOWS\SYSTEM32\bhykvdjd.dll
2007-11-06 16:02 145,984 --a------ C:\WINDOWS\SYSTEM32\ingkpjup.dll
2007-11-06 10:03 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-11-06 01:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz08r
2007-11-06 01:21 <DIR> d-------- C:\Temp\mZOr
2007-11-06 01:21 36,352 --a------ C:\WINDOWS\SYSTEM32\urqnmkj.dll
2007-10-28 21:16 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\Snapfish

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 05:23 --------- d-----w C:\Program Files\DIGStream
2007-11-08 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2007-11-07 01:48 --------- d-----w C:\Program Files\America Online 8.0
2007-10-23 23:00 --------- d-----w C:\Documents and Settings\Joe\Application Data\Skype
2006-07-04 13:12 48,432 ----a-w C:\Documents and Settings\Joe\Application Data\GDIPFONTCACHEV1.DAT
2003-04-26 16:22 207,759 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-06 01:21 36352 --------- C:\WINDOWS\system32\urqnmkj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-06 16:03 145984 --a------ C:\WINDOWS\system32\bhykvdjd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f6742c6c-7038-42b5-bcd2-f47ab2211b79}]
2007-11-27 14:25 78912 --a------ C:\WINDOWS\System32\qrfufetm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\bhykvdjd.dll [2007-11-06 16:03 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [2003-01-23 15:06 C:\WINDOWS\SYSTEM32\carpserv.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 12:30]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 12:29]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-07 21:00]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 16:47]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 10:18]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-11-13 17:28]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"D-Link AirPro Utility"="C:\Program Files\D-Link\AirPro Utility\WLANmon.exe" [2002-11-21 02:26]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 03:50]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 06:59]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-11-13 17:28]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-22 15:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-31 20:15]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"a01b7472"="C:\WINDOWS\System32\bufxfocj.dll" [2007-11-27 14:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-04-26 11:28:49]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-04-26 11:09:41]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
Script execution time was exceeded on script "C:\ComboFix\lnkread.vbs".
Script execution was terminated.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\urqnmkj.dll [2007-11-06 01:21 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bhykvdjd]
bhykvdjd.dll 2007-11-06 16:03 145984 C:\WINDOWS\SYSTEM32\bhykvdjd.dll
C:\WINDOWS\System32\NavLogon.dll 2001-09-24 06:59 45056 C:\WINDOWS\SYSTEM32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnmkj]
urqnmkj.dll 2007-11-06 01:21 36352 C:\WINDOWS\SYSTEM32\urqnmkj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\pmkih.dll


.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 14:41:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 15:13:52 - machine was rebooted
.
--- E O F ---

#6 Blade81

    SuperMember

  • Visiting Fellow
  • 1,065 posts
  • Interests: Floorball, football, music, computers..
  • MVP

Posted 27 November 2007 - 11:58 PM

Hi


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\jcofxfub.ini
C:\WINDOWS\SYSTEM32\bufxfocj.dll
C:\WINDOWS\SYSTEM32\xmeadqmi.exe
C:\WINDOWS\SYSTEM32\iacakshn.exe
C:\WINDOWS\SYSTEM32\byumoexj.exe
C:\WINDOWS\SYSTEM32\kgbplxxf.exe
C:\WINDOWS\SYSTEM32\pgyoxmgy.exe
C:\WINDOWS\SYSTEM32\nmucfjgo.exe
C:\WINDOWS\SYSTEM32\lsdwlgpa.ini
C:\WINDOWS\SYSTEM32\apglwdsl.dll
C:\WINDOWS\SYSTEM32\krwkdwob.dll
C:\WINDOWS\SYSTEM32\wuwtficd.exe
C:\WINDOWS\SYSTEM32\gxgeccoo.ini
C:\WINDOWS\SYSTEM32\yxpilsee.dll
C:\WINDOWS\SYSTEM32\jrujfuhf.dll
C:\WINDOWS\SYSTEM32\grfvlgnu.ini
C:\WINDOWS\SYSTEM32\unglvfrg.dll
C:\WINDOWS\SYSTEM32\xshdmjws.exe
C:\WINDOWS\SYSTEM32\pitskahs.dll
C:\WINDOWS\SYSTEM32\xwxabwsp.exe
C:\WINDOWS\SYSTEM32\iuwnrkah.dll
C:\WINDOWS\SYSTEM32\uaofwtsa.exe
C:\WINDOWS\SYSTEM32\nnyrddfm.ini
C:\WINDOWS\SYSTEM32\otjggclv.dll
C:\WINDOWS\SYSTEM32\btjismow.exe
C:\WINDOWS\SYSTEM32\auevngvo.ini
C:\WINDOWS\SYSTEM32\jokgrdtq.exe
C:\WINDOWS\SYSTEM32\oljigqat.ini
C:\WINDOWS\SYSTEM32\taqgijlo.dll
C:\WINDOWS\SYSTEM32\lvdjypht.dll
C:\WINDOWS\SYSTEM32\wjqvnyos.exe
C:\WINDOWS\SYSTEM32\ndxtsvvr.ini
C:\WINDOWS\SYSTEM32\tbipbukt.dll
C:\WINDOWS\SYSTEM32\mxaihhle.exe
C:\WINDOWS\SYSTEM32\oravyqgk.dll
C:\WINDOWS\SYSTEM32\otuikavo.ini
C:\WINDOWS\SYSTEM32\ibqaqxbl.exe
C:\WINDOWS\SYSTEM32\lqaaotit.ini
C:\WINDOWS\SYSTEM32\whykpcoy.dll
C:\WINDOWS\SYSTEM32\agogeefc.exe
C:\WINDOWS\SYSTEM32\aajalnyq.dll
C:\WINDOWS\SYSTEM32\uxipckvm.dll
C:\WINDOWS\SYSTEM32\plmppbpt.exe
C:\WINDOWS\SYSTEM32\fmcqtsur.ini
C:\WINDOWS\SYSTEM32\oslffwdd.dll
C:\WINDOWS\SYSTEM32\ehsooefc.exe
C:\WINDOWS\SYSTEM32\uncxnnmg.exe
C:\WINDOWS\SYSTEM32\aveeaafv.exe
C:\WINDOWS\SYSTEM32\ahnuohqy.ini
C:\WINDOWS\SYSTEM32\gruoaulo.dll
C:\WINDOWS\SYSTEM32\ewcxqvmc.exe
C:\WINDOWS\SYSTEM32\nkoqohfq.dll
C:\WINDOWS\SYSTEM32\daktlilt.ini
C:\WINDOWS\SYSTEM32\upoviwnq.exe
C:\WINDOWS\SYSTEM32\fuiqfujo.ini
C:\WINDOWS\SYSTEM32\vxanssns.dll
C:\WINDOWS\SYSTEM32\jnlebraf.exe
C:\WINDOWS\SYSTEM32\lwwqtnxe.ini
C:\WINDOWS\SYSTEM32\kwttadwl.exe
C:\WINDOWS\SYSTEM32\ppivgsvr.ini
C:\WINDOWS\SYSTEM32\knmqcoyv.dll
C:\WINDOWS\SYSTEM32\kjirfctu.ini
C:\WINDOWS\SYSTEM32\vyiaiksc.dll
C:\WINDOWS\SYSTEM32\bhykvdjd.dll
C:\WINDOWS\SYSTEM32\ingkpjup.dll
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\urqnmkj.dll
C:\WINDOWS\System32\qrfufetm.dll
C:\WINDOWS\System32\bufxfocj.dll

Folder::
C:\Temp
C:\WINDOWS\SYSTEM32\Mz08r

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f6742c6c-7038-42b5-bcd2-f47ab2211b79}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-

[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a01b7472"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bhykvdjd]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnmkj]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00


Save this as CFScript


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.
Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#7 HooJoe

    New Member

  • New Member
  • 4 posts

Posted 30 November 2007 - 03:51 PM

Alright! After many attempts I finally got a log.

Here is the combofix log:

ComboFix 07-11-19.4 - Joe 2007-11-30 15:26:01.6 - NTFSx86
Running from: C:\Documents and Settings\Joe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joe\Desktop\CFScript.txt

FILE
C:\WINDOWS\SYSTEM32\aajalnyq.dll
C:\WINDOWS\SYSTEM32\agogeefc.exe
C:\WINDOWS\SYSTEM32\ahnuohqy.ini
C:\WINDOWS\SYSTEM32\apglwdsl.dll
C:\WINDOWS\SYSTEM32\auevngvo.ini
C:\WINDOWS\SYSTEM32\aveeaafv.exe
C:\WINDOWS\SYSTEM32\bhykvdjd.dll
C:\WINDOWS\SYSTEM32\btjismow.exe
C:\WINDOWS\SYSTEM32\bufxfocj.dll
C:\WINDOWS\System32\bufxfocj.dll
C:\WINDOWS\SYSTEM32\byumoexj.exe
C:\WINDOWS\SYSTEM32\daktlilt.ini
C:\WINDOWS\SYSTEM32\ehsooefc.exe
C:\WINDOWS\SYSTEM32\ewcxqvmc.exe
C:\WINDOWS\SYSTEM32\fmcqtsur.ini
C:\WINDOWS\SYSTEM32\fuiqfujo.ini
C:\WINDOWS\SYSTEM32\grfvlgnu.ini
C:\WINDOWS\SYSTEM32\gruoaulo.dll
C:\WINDOWS\SYSTEM32\gxgeccoo.ini
C:\WINDOWS\SYSTEM32\iacakshn.exe
C:\WINDOWS\SYSTEM32\ibqaqxbl.exe
C:\WINDOWS\SYSTEM32\ingkpjup.dll
C:\WINDOWS\SYSTEM32\iuwnrkah.dll
C:\WINDOWS\SYSTEM32\jcofxfub.ini
C:\WINDOWS\SYSTEM32\jnlebraf.exe
C:\WINDOWS\SYSTEM32\jokgrdtq.exe
C:\WINDOWS\SYSTEM32\jrujfuhf.dll
C:\WINDOWS\SYSTEM32\kgbplxxf.exe
C:\WINDOWS\SYSTEM32\kjirfctu.ini
C:\WINDOWS\SYSTEM32\knmqcoyv.dll
C:\WINDOWS\SYSTEM32\krwkdwob.dll
C:\WINDOWS\SYSTEM32\kwttadwl.exe
C:\WINDOWS\SYSTEM32\lqaaotit.ini
C:\WINDOWS\SYSTEM32\lsdwlgpa.ini
C:\WINDOWS\SYSTEM32\lvdjypht.dll
C:\WINDOWS\SYSTEM32\lwwqtnxe.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mxaihhle.exe
C:\WINDOWS\SYSTEM32\ndxtsvvr.ini
C:\WINDOWS\SYSTEM32\nkoqohfq.dll
C:\WINDOWS\SYSTEM32\nmucfjgo.exe
C:\WINDOWS\SYSTEM32\nnyrddfm.ini
C:\WINDOWS\SYSTEM32\oljigqat.ini
C:\WINDOWS\SYSTEM32\oravyqgk.dll
C:\WINDOWS\SYSTEM32\oslffwdd.dll
C:\WINDOWS\SYSTEM32\otjggclv.dll
C:\WINDOWS\SYSTEM32\otuikavo.ini
C:\WINDOWS\SYSTEM32\pgyoxmgy.exe
C:\WINDOWS\SYSTEM32\pitskahs.dll
C:\WINDOWS\SYSTEM32\plmppbpt.exe
C:\WINDOWS\SYSTEM32\ppivgsvr.ini
C:\WINDOWS\System32\qrfufetm.dll
C:\WINDOWS\SYSTEM32\taqgijlo.dll
C:\WINDOWS\SYSTEM32\tbipbukt.dll
C:\WINDOWS\SYSTEM32\uaofwtsa.exe
C:\WINDOWS\SYSTEM32\uncxnnmg.exe
C:\WINDOWS\SYSTEM32\unglvfrg.dll
C:\WINDOWS\SYSTEM32\upoviwnq.exe
C:\WINDOWS\SYSTEM32\urqnmkj.dll
C:\WINDOWS\SYSTEM32\uxipckvm.dll
C:\WINDOWS\SYSTEM32\vxanssns.dll
C:\WINDOWS\SYSTEM32\vyiaiksc.dll
C:\WINDOWS\SYSTEM32\whykpcoy.dll
C:\WINDOWS\SYSTEM32\wjqvnyos.exe
C:\WINDOWS\SYSTEM32\wuwtficd.exe
C:\WINDOWS\SYSTEM32\xmeadqmi.exe
C:\WINDOWS\SYSTEM32\xshdmjws.exe
C:\WINDOWS\SYSTEM32\xwxabwsp.exe
C:\WINDOWS\SYSTEM32\yxpilsee.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\WINDOWS\SYSTEM32\bhykvdjd.dll
C:\WINDOWS\system32\bhykvdjd.dllbox
C:\WINDOWS\SYSTEM32\byumoexj.exe
C:\WINDOWS\SYSTEM32\daktlilt.ini
C:\WINDOWS\SYSTEM32\ehsooefc.exe
C:\WINDOWS\SYSTEM32\ewcxqvmc.exe
C:\WINDOWS\SYSTEM32\fmcqtsur.ini
C:\WINDOWS\SYSTEM32\fuiqfujo.ini
C:\WINDOWS\SYSTEM32\grfvlgnu.ini
C:\WINDOWS\SYSTEM32\gxgeccoo.ini
C:\WINDOWS\SYSTEM32\hikmp.ini
C:\WINDOWS\SYSTEM32\hikmp.ini2
C:\WINDOWS\SYSTEM32\iacakshn.exe
C:\WINDOWS\SYSTEM32\ibqaqxbl.exe
C:\WINDOWS\SYSTEM32\iuwnrkah.dll
C:\WINDOWS\SYSTEM32\jcofxfub.ini
C:\WINDOWS\SYSTEM32\jnlebraf.exe
C:\WINDOWS\SYSTEM32\jokgrdtq.exe
C:\WINDOWS\SYSTEM32\jrujfuhf.dll
C:\WINDOWS\SYSTEM32\kgbplxxf.exe
C:\WINDOWS\SYSTEM32\kjirfctu.ini
C:\WINDOWS\SYSTEM32\krwkdwob.dll
C:\WINDOWS\SYSTEM32\kwttadwl.exe
C:\WINDOWS\SYSTEM32\lqaaotit.ini
C:\WINDOWS\SYSTEM32\lsdwlgpa.ini
C:\WINDOWS\SYSTEM32\lvdjypht.dll
C:\WINDOWS\SYSTEM32\lwwqtnxe.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mxaihhle.exe
C:\WINDOWS\SYSTEM32\Mz08r
C:\WINDOWS\SYSTEM32\ndxtsvvr.ini
C:\WINDOWS\SYSTEM32\nmucfjgo.exe
C:\WINDOWS\SYSTEM32\nnyrddfm.ini
C:\WINDOWS\SYSTEM32\oljigqat.ini
C:\WINDOWS\SYSTEM32\oravyqgk.dll
C:\WINDOWS\SYSTEM32\otjggclv.dll
C:\WINDOWS\SYSTEM32\otuikavo.ini
C:\WINDOWS\SYSTEM32\pgyoxmgy.exe
C:\WINDOWS\SYSTEM32\pitskahs.dll
C:\WINDOWS\SYSTEM32\plmppbpt.exe
C:\WINDOWS\system32\pmkih.dll
C:\WINDOWS\SYSTEM32\ppivgsvr.ini
C:\WINDOWS\System32\qrfufetm.dll
C:\WINDOWS\SYSTEM32\tbipbukt.dll
C:\WINDOWS\SYSTEM32\uaofwtsa.exe
C:\WINDOWS\SYSTEM32\uncxnnmg.exe
C:\WINDOWS\SYSTEM32\upoviwnq.exe
C:\WINDOWS\SYSTEM32\urqnmkj.dll
C:\WINDOWS\SYSTEM32\uxipckvm.dll
C:\WINDOWS\SYSTEM32\whykpcoy.dll
C:\WINDOWS\SYSTEM32\wjqvnyos.exe
C:\WINDOWS\SYSTEM32\wuwtficd.exe
C:\WINDOWS\SYSTEM32\xmeadqmi.exe
C:\WINDOWS\SYSTEM32\xshdmjws.exe
C:\WINDOWS\SYSTEM32\xwxabwsp.exe
C:\WINDOWS\SYSTEM32\yxpilsee.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-28 19:07 71,232 --------- C:\WINDOWS\SYSTEM32\dqmimpww.exe
2007-11-21 10:38 71,232 --a------ C:\WINDOWS\SYSTEM32\qsfsbwep.exe
2007-11-20 16:16 825,758 --ahs---- C:\WINDOWS\SYSTEM32\pxfybxdr.ini
2007-11-19 12:27 83,008 --a------ C:\WINDOWS\SYSTEM32\rcqncnbi.dll
2007-11-19 12:20 71,232 --a------ C:\WINDOWS\SYSTEM32\sayymorl.exe
2007-11-19 01:33 <DIR> d-------- C:\WINDOWS\Sun
2007-11-19 01:16 <DIR> d-------- C:\Program Files\Java
2007-11-19 01:13 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-17 15:30 677,980 --ahs---- C:\WINDOWS\SYSTEM32\qynlajaa.ini
2007-11-08 16:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-08 00:16 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\Grisoft
2007-11-08 00:15 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-08 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 21:16 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\Snapfish
2007-10-05 10:41 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2007-10-05 10:41 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2007-10-05 10:41 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2007-10-05 10:41 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 05:23 --------- d-----w C:\Program Files\DIGStream
2007-11-08 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2007-11-07 01:48 --------- d-----w C:\Program Files\America Online 8.0
2007-10-23 23:00 --------- d-----w C:\Documents and Settings\Joe\Application Data\Skype
2006-07-04 13:12 48,432 ----a-w C:\Documents and Settings\Joe\Application Data\GDIPFONTCACHEV1.DAT
2003-04-26 16:22 207,759 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_14.45.21.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 19:07:16 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2007-11-28 23:59:14 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2007-11-27 19:07:16 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-11-28 23:59:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2007-11-27 19:07:16 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2007-11-28 23:59:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2007-11-29 00:14:18 84,545 ----a-w C:\WINDOWS\SYSTEM32\jmticllv.dll
+ 2007-11-29 00:18:52 81,984 ----a-w C:\WINDOWS\SYSTEM32\lngvvixd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6ebb2cf-59b5-4d38-a351-11900f4b0fc3}]
2007-11-28 19:18 81984 --a------ C:\WINDOWS\System32\lngvvixd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [2003-01-23 15:06 C:\WINDOWS\SYSTEM32\carpserv.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 12:30]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 12:29]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-07 21:00]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 16:47]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 10:18]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-11-13 17:28]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"D-Link AirPro Utility"="C:\Program Files\D-Link\AirPro Utility\WLANmon.exe" [2002-11-21 02:26]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 03:50]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 06:59]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-11-13 17:28]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-22 15:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-31 20:15]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\Joe\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-06-03 11:00:10]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-04-26 11:28:49]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-04-26 11:09:41]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
C:\WINDOWS\System32\NavLogon.dll 2001-09-24 06:59 45056 C:\WINDOWS\SYSTEM32\NavLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\pmkih.dll


.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 16:33:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 16:42:57 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 15:14
.
--- E O F ---



AND here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 4:47:54 PM, on 11/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Link\AirPro Utility\WLANmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HooJoe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.virginia.edu/OfCurr.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {3cf0b4f0-0911-153a-83d4-5b95fc2bbe6b} - {b6ebb2cf-59b5-4d38-a351-11900f4b0fc3} - C:\WINDOWS\System32\lngvvixd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [D-Link AirPro Utility] C:\Program Files\D-Link\AirPro Utility\WLANmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 209.8.20.130
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto...YorkActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish...r/dlControl.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe



Things are moving much faster and the system seems much better. Thanks again for helping me!

#8 Blade81

    SuperMember

  • Visiting Fellow
  • 1,065 posts
  • Interests: Floorball, football, music, computers..
  • MVP

Posted 30 November 2007 - 04:37 PM

Hi


Start hjt, click do a system scan only, check:
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 209.8.20.130
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)

Close browsers and other windows. Click fix checked.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\dqmimpww.exe
C:\WINDOWS\SYSTEM32\qsfsbwep.exe
C:\WINDOWS\SYSTEM32\pxfybxdr.ini
C:\WINDOWS\SYSTEM32\rcqncnbi.dll
C:\WINDOWS\SYSTEM32\sayymorl.exe
C:\WINDOWS\SYSTEM32\qynlajaa.ini
C:\WINDOWS\SYSTEM32\jmticllv.dll
C:\WINDOWS\SYSTEM32\lngvvixd.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6ebb2cf-59b5-4d38-a351-11900f4b0fc3}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00


Save this as CFScript


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log, ComboFix log & a description of any remaining problems

Edited by Blade81, 30 November 2007 - 04:37 PM.

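Both CFScripts in this thread (posts #6 and #8) rewrite the LSA "Authentication Packages" value to hex(7):6d,73,76,31,5f,30,00,00 after ComboFix showed it as msv1_0 plus C:\WINDOWS\System32\pmkih.dll. The script below is an added example, not code from the thread or from ComboFix: it decodes that REG_MULTI_SZ literal, re-encodes a package list, and flags any entry beyond the expected one in a ComboFix "Reg Loading Points" line. The expected-package set, the whitespace-split parsing of the log line, and the function names are assumptions made here.

```python
"""Added example (not from the thread or from ComboFix): decode, encode and
check the LSA "Authentication Packages" REG_MULTI_SZ value.

In CFScript/REGEDIT4 syntax a REG_MULTI_SZ is written as hex(7): a
comma-separated byte list of NUL-terminated strings closed by one extra NUL,
one byte per character (a "Windows Registry Editor Version 5.00" .reg file
would use UTF-16LE instead).  LSASS loads every DLL listed here at boot, which
is why the extra pmkih.dll entry in the log matters and why the CFScript
writes the value back as plain msv1_0.
"""
from typing import List

HEX7_PREFIX = "hex(7):"

# Assumption: a stock Windows 2000/XP workstation lists only the NTLM package.
EXPECTED_PACKAGES = {"msv1_0"}


def decode_hex7(literal: str) -> List[str]:
    """'hex(7):6d,73,76,31,5f,30,00,00' -> ['msv1_0']."""
    if not literal.startswith(HEX7_PREFIX):
        raise ValueError("not a REG_MULTI_SZ (hex(7)) literal")
    # .reg files may wrap long byte lists with a trailing backslash; drop them.
    body = literal[len(HEX7_PREFIX):].replace("\\", "").replace("\n", "")
    raw = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    # Every string ends in NUL and the list ends in a second NUL, so the
    # split yields empty trailing parts that we discard.
    return [part.decode("latin-1") for part in raw.split(b"\x00") if part]


def encode_hex7(packages: List[str]) -> str:
    """Inverse of decode_hex7: ['msv1_0'] -> 'hex(7):6d,73,76,31,5f,30,00,00'."""
    raw = b"".join(p.encode("latin-1") + b"\x00" for p in packages) + b"\x00"
    return HEX7_PREFIX + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_lsa_line(line: str) -> List[str]:
    """Split a ComboFix 'Reg Loading Points' line of the form
    "Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\pmkih.dll
    into its entries.  Assumption: entries are whitespace-separated, as in
    the thread's log (a path containing spaces would need extra handling)."""
    name, sep, rest = line.partition("=")
    if not sep or name.strip().strip('"').lower() != "authentication packages":
        raise ValueError("not an Authentication Packages line")
    return rest.split()


def unexpected_packages(packages: List[str]) -> List[str]:
    """Entries that are not in EXPECTED_PACKAGES (case-insensitive)."""
    return [p for p in packages if p.lower() not in EXPECTED_PACKAGES]


def clean_literal_for(packages: List[str]) -> str:
    """The hex(7) literal keeping only expected entries, i.e. what a
    CFScript Registry:: block writes back to restore the value."""
    keep = [p for p in packages if p.lower() in EXPECTED_PACKAGES]
    return encode_hex7(keep)


if __name__ == "__main__":
    # Constructed from the ComboFix log in post #7 of this thread.
    log_line = r'"Authentication Packages"= msv1_0 C:\WINDOWS\System32\pmkih.dll'
    found = parse_combofix_lsa_line(log_line)
    print("entries:   ", found)
    print("suspicious:", unexpected_packages(found))
    print("CFScript:  ", clean_literal_for(found))
    print("decodes to:", decode_hex7(clean_literal_for(found)))
```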

#9 Blade81

    SuperMember

  • Visiting Fellow
  • 1,065 posts
  • Interests: Floorball, football, music, computers..
  • MVP

Posted 07 December 2007 - 10:08 AM

Do you still need help with this HooJoe?

#10 Blade81

    SuperMember

  • Visiting Fellow
  • 1,065 posts
  • Interests: Floorball, football, music, computers..
  • MVP

Posted 14 December 2007 - 11:31 AM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
