Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91631 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Massive slow down with pop ups and choppy scrolling


  • Please log in to reply
9 replies to this topic

#1 B. Wong

B. Wong

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 21 April 2008 - 09:50 PM

Hello, hopefully one of you may be able to help me with this problem. I recently Installed a fresh copy of Windows XP and after letting my son use it for a week i come back and it's really slow, IE will pop up and slow the computer to a crawl loading some webpage I don't want, and when i can use the internet, the scrolling is really choppy and slow. I have run Spybot and adaware, cleaned the system with AVG and still have problems. I DLed Hijackthis in hopes of finally getting rid of the problem without having to reformat.

Here is my log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:40 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\V29uZw\command.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\System32\msiexec.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm3k.exe
D:\Documents and Settings\Brandon\Desktop\HiJackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - D:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O2 - BHO: (no name) - {382EB516-B686-4273-845A-AA79A6FEBB40} - D:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - D:\WINDOWS\System32\ssqomkl.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65419D9B-550E-28F2-0411-5B00B8B7DDC3} - (no file)
O2 - BHO: (no name) - {9B477BC9-3651-4E40-B454-FE71A572969E} - D:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: 0 - {B15B60A6-61C6-4B46-F793-EEEA0E7D803A} - D:\Program Files\Common Files\lafuv259.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - D:\WINDOWS\TinyBHO.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PostSetupCheck] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\System32\atgban.dll" DllStart
O4 - HKLM\..\Run: [BMcf40244f] Rundll32.exe "D:\WINDOWS\system32\rivuntcb.dll",s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206337443877
O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\V29uZw\command.exe

--
End of file - 5741 bytes

Any help is greatly appreciated!

    Advertisements

Register to Remove


#2 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 22 April 2008 - 04:08 PM

Run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

Death to the salad eaters!

#3 B. Wong

B. Wong

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 23 April 2008 - 05:17 AM

Adobe Flash Player ActiveX Adobe Reader 8.1.2 ATI Display Driver (Omega 3.8.442) AVG 7.5 Canon S820 Deewoo Network Manager removal Enhancement Browser Tools Targetedbanner HijackThis 2.0.2 Hotfix for Windows XP (KB896344) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) Microsoft .NET Framework 2.0 Service Pack 1 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Professional Edition 2003 Mozilla Firefox (2.0.0.13) Radeon Omega Drivers v4.8.442 Setup Files and Tools Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB936782) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB937894) Security Update for Windows XP (KB938127) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB943055) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944533) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB946026) Spybot - Search & Destroy Update for Windows XP (KB894391) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB908531) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB916595) Update for Windows XP (KB920342) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB930916) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) Update for Windows XP (KB942840) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Windows XP Service Pack 2 WinRAR archiver

#4 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 23 April 2008 - 01:00 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingc...to-use-combofix
  • Please Note: This tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.

Death to the salad eaters!

#5 B. Wong

B. Wong

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 23 April 2008 - 03:15 PM

Computer is still a bit laggy, and webpages still scroll choppy and slow, but it is running a little better.

ComboFix Log:
ComboFix 08-04-22.5 - Brandon 2008-04-23 13:58:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.657 [GMT -7:00]
Running from: D:\Documents and Settings\Brandon\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Brandon\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Brandon\My Documents\CURITY~1
D:\Program Files\dobe~1
D:\WINDOWS\BMcf40244f.xml
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\awtstrr.dll
D:\WINDOWS\system32\ddccc.dll
D:\WINDOWS\system32\dobe~1
D:\WINDOWS\system32\drivers\fastfatt.sys
D:\WINDOWS\system32\gebyx.dll
D:\WINDOWS\system32\jjllm.ini
D:\WINDOWS\system32\jjllm.ini2
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\mljgd.dll
D:\WINDOWS\system32\orqss.ini
D:\WINDOWS\system32\orqss.ini2
D:\WINDOWS\system32\pac.txt
D:\WINDOWS\system32\pmkjg.dll
D:\WINDOWS\system32\qtutv.ini
D:\WINDOWS\system32\qtutv.ini2
D:\WINDOWS\system32\scntokwd.exe
D:\WINDOWS\system32\ssqpq.dll
D:\WINDOWS\system32\sstqn.dll
D:\WINDOWS\system32\vturp.dll
D:\WINDOWS\system32\vtuspqp.dll
D:\WINDOWS\system32\winpfz37.sys
D:\WINDOWS\V29uZw\
D:\WINDOWS\V29uZw\\asappsrv.dll
D:\WINDOWS\V29uZw\\command.exe
D:\WINDOWS\V29uZw\\pZ6RtT.vbs
D:\WINDOWS\V29uZw\command.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_FASTFATT
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_fastfatt


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 07:27 . 2008-04-23 07:27 <DIR> d-------- D:\Program Files\Lavasoft
2008-04-23 07:27 . 2008-04-23 07:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 07:26 . 2008-04-23 07:26 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 20:41 . 2008-04-21 20:41 <DIR> d-------- D:\Program Files\Common Files\Adobe
2008-04-03 11:34 . 2004-08-03 22:08 26,496 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-31 05:19 . 2007-04-09 12:55 97,785 --a------ D:\WINDOWS\system32\instwdm.ini
2008-03-31 05:19 . 2007-04-09 12:55 54 --a------ D:\WINDOWS\system32\ctzapxx.ini
2008-03-31 05:18 . 2006-08-11 14:56 3,072 --a------ D:\WINDOWS\CTXFIRES.DLL
2008-03-31 05:15 . 2008-03-31 05:15 <DIR> d-------- D:\Program Files\Creative
2008-03-31 04:27 . 2004-03-22 12:17 24,816 --a------ D:\WINDOWS\system32\mdimon.dll
2008-03-31 04:27 . 2008-03-31 04:27 376 --a------ D:\WINDOWS\ODBC.INI
2008-03-31 04:14 . 2008-03-31 04:14 <DIR> d-------- D:\Program Files\Microsoft ActiveSync
2008-03-31 04:12 . 2008-03-31 04:15 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-03-31 04:11 . 2008-03-31 04:11 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-03-27 12:15 . 2008-03-31 04:43 4,958,588 --a------ D:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-00531102}.BAK
2008-03-27 11:56 . 2008-03-31 04:43 4,958,588 --a------ D:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-00531102}.CDF
2008-03-27 11:53 . 2008-04-23 14:00 30,120 --a------ D:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 30,120 --a------ D:\WINDOWS\system32\BMXState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 27,408 --a------ D:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 27,408 --a------ D:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 11:53 . 2008-04-23 14:00 11,564 --a------ D:\WINDOWS\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00531102}.rfx
2008-03-27 08:05 . 2004-08-03 22:08 10,624 --a------ D:\WINDOWS\system32\drivers\gameenum.sys
2008-03-27 08:05 . 2004-08-03 22:08 10,624 --a--c--- D:\WINDOWS\system32\dllcache\gameenum.sys
2008-03-27 07:51 . 2007-12-06 19:21 6,066,176 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-27 07:51 . 2007-06-30 20:31 2,455,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-27 07:51 . 2007-06-30 20:36 991,232 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-27 07:51 . 2007-12-06 19:21 459,264 -----c--- D:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-27 07:51 . 2007-12-06 19:21 383,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-27 07:51 . 2007-12-06 19:21 267,776 -----c--- D:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-27 07:51 . 2007-12-06 19:21 63,488 -----c--- D:\WINDOWS\system32\dllcache\icardie.dll
2008-03-27 07:51 . 2007-12-06 19:21 52,224 -----c--- D:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-27 07:51 . 2007-12-06 04:00 13,824 -----c--- D:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-27 07:45 . 2007-08-13 19:54 33,792 --a--c--- D:\WINDOWS\system32\dllcache\custsat.dll
2008-03-27 05:16 . 2008-03-27 05:16 <DIR> d-------- D:\Documents and Settings\Brandon\Application Data\Creative
2008-03-27 05:16 . 2008-03-27 05:16 409,600 --a------ D:\WINDOWS\system32\wrap_oal.dll
2008-03-27 05:16 . 2008-03-27 05:16 114,688 --a------ D:\WINDOWS\system32\OpenAL32.dll
2008-03-27 05:15 . 2008-04-21 20:36 <DIR> d-------- D:\WINDOWS\system32\data
2008-03-27 05:15 . 2004-08-03 22:15 145,792 --a------ D:\WINDOWS\system32\drivers\portcls.sys
2008-03-27 05:15 . 2004-08-03 22:15 145,792 --a--c--- D:\WINDOWS\system32\dllcache\portcls.sys
2008-03-27 05:15 . 2004-08-03 23:56 130,048 --a------ D:\WINDOWS\system32\ksproxy.ax
2008-03-27 05:15 . 2004-08-03 23:56 130,048 --a--c--- D:\WINDOWS\system32\dllcache\ksproxy.ax
2008-03-27 05:15 . 2004-08-03 22:07 60,288 --a------ D:\WINDOWS\system32\drivers\drmk.sys
2008-03-27 05:15 . 2004-08-03 22:07 60,288 --a--c--- D:\WINDOWS\system32\dllcache\drmk.sys
2008-03-27 05:15 . 2004-08-03 23:56 4,096 --a------ D:\WINDOWS\system32\ksuser.dll
2008-03-27 05:15 . 2004-08-03 23:56 4,096 --a--c--- D:\WINDOWS\system32\dllcache\ksuser.dll
2008-03-27 05:09 . 2006-08-21 02:14 128,896 -----c--- D:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-27 05:09 . 2006-08-21 02:14 23,040 -----c--- D:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-27 05:09 . 2006-08-21 05:21 16,896 -----c--- D:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-27 04:57 . 2007-07-09 06:09 584,192 -----c--- D:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-27 04:34 . 2008-03-27 12:12 <DIR> d--h----- D:\WINDOWS\$hf_mig$
2008-03-27 04:24 . 2008-03-27 04:24 <DIR> d---s---- D:\WINDOWS\system32\Microsoft
2008-03-26 04:57 . 2008-03-27 04:25 316,640 --a------ D:\WINDOWS\WMSysPr9.prx
2008-03-26 04:46 . 2008-03-26 04:46 <DIR> d-------- D:\WINDOWS\provisioning
2008-03-26 04:46 . 2008-03-26 04:46 <DIR> d-------- D:\WINDOWS\peernet
2008-03-26 04:45 . 2008-03-26 04:45 <DIR> d-------- D:\WINDOWS\ServicePackFiles
2008-03-26 04:40 . 2006-09-06 18:43 22,752 --a------ D:\WINDOWS\system32\spupdsvc.exe
2008-03-26 04:38 . 2008-03-26 04:38 <DIR> d-------- D:\WINDOWS\EHome
2008-03-25 20:31 . 2004-08-04 01:56 11,776 --a------ D:\WINDOWS\system32\spnpinst.exe
2008-03-25 20:31 . 2004-08-02 15:20 7,208 --a------ D:\WINDOWS\system32\secupd.sig
2008-03-25 20:31 . 2004-08-02 15:20 4,569 --a------ D:\WINDOWS\system32\secupd.dat
2008-03-25 20:05 . 2008-04-21 20:45 <DIR> dr-h----- D:\$VAULT$.AVG
2008-03-25 20:04 . 2008-03-25 20:04 <DIR> d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 20:04 . 2008-03-25 20:28 <DIR> d-------- D:\Documents and Settings\Brandon\Application Data\AVG7
2008-03-25 20:04 . 2008-03-25 20:04 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 20:04 . 2008-03-25 20:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 20:04 . 2008-03-25 20:04 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2008-03-25 20:04 . 2008-03-25 20:04 348,160 --a------ D:\WINDOWS\system32\msvcr71.dll
2008-03-25 19:19 . 2008-03-25 19:19 294 --ahs---- D:\WINDOWS\system32\xypuyqsa.ini
2008-03-24 06:39 . 2007-09-28 22:05 593,920 --a------ D:\WINDOWS\system32\ati2sgag.exe
2008-03-24 06:31 . 2008-03-31 04:40 <DIR> d--h----- D:\Program Files\InstallShield Installation Information
2008-03-24 06:31 . 2008-03-31 04:40 <DIR> d-------- D:\Program Files\Common Files\InstallShield
2008-03-24 06:31 . 2006-02-22 01:13 6,144 --a------ D:\WINDOWS\system32\atiicdxx.sys
2008-03-24 06:30 . 2008-03-24 06:30 <DIR> d-------- D:\Program Files\Radeon Omega Drivers
2008-03-24 06:23 . 2008-04-23 13:45 617 --a------ D:\WINDOWS\wininit.ini
2008-03-24 06:17 . 2008-03-24 06:17 <DIR> d--h----- D:\BJPrinter
2008-03-24 06:17 . 2002-07-24 15:00 87,552 --a------ D:\WINDOWS\system32\CNMLM3k.DLL
2008-03-24 06:17 . 2002-07-30 03:59 73,728 --a------ D:\WINDOWS\system32\CNMCP3k.exe
2008-03-24 06:17 . 2002-07-30 03:59 73,728 --a------ D:\WINDOWS\system32\cnm5E.tmp
2008-03-24 06:17 . 2002-07-24 15:00 5,632 --a------ D:\WINDOWS\system32\CNMVS3k.DLL
2008-03-24 06:02 . 2008-03-24 06:02 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2008-03-24 06:02 . 2008-03-24 06:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 05:33 . 2008-03-24 05:33 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\xTmp
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\winz1
2008-03-24 04:12 . 2008-03-24 04:12 <DIR> d-------- D:\WINDOWS\system32\usnv
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\IDME
2008-03-24 04:12 . 2008-03-25 21:05 <DIR> d-------- D:\WINDOWS\system32\aqVreo01
2008-03-24 04:12 . 2008-03-24 04:12 39,883 --a------ D:\WINDOWS\system32\targetedbanner-uninst.exe
2008-03-23 22:46 . 2008-03-23 22:46 <DIR> d-------- D:\WINDOWS\system32\bits
2008-03-23 22:45 . 2004-08-04 00:56 438,784 --a------ D:\WINDOWS\system32\xpob2res.dll
2008-03-23 22:45 . 2004-08-04 00:56 351,232 --a------ D:\WINDOWS\system32\winhttp.dll
2008-03-23 22:45 . 2004-08-04 00:56 18,944 --a------ D:\WINDOWS\system32\qmgrprxy.dll
2008-03-23 22:45 . 2004-08-04 00:56 8,192 --a------ D:\WINDOWS\system32\bitsprx2.dll
2008-03-23 22:45 . 2004-08-04 00:56 7,168 --a------ D:\WINDOWS\system32\bitsprx3.dll
2008-03-23 22:44 . 2008-03-23 22:44 <DIR> d--hs---- D:\Documents and Settings\Brandon\UserData
2008-03-23 22:44 . 2007-07-30 20:19 549,720 --a------ D:\WINDOWS\system32\wuapi.dll
2008-03-23 22:44 . 2007-07-30 20:19 325,976 --a------ D:\WINDOWS\system32\wucltui.dll
2008-03-23 22:44 . 2007-07-30 20:19 216,408 --a------ D:\WINDOWS\system32\wuaucpl.cpl
2008-03-23 22:44 . 2007-07-30 20:19 43,352 --a------ D:\WINDOWS\system32\wups2.dll
2008-03-23 22:44 . 2007-07-30 20:18 34,136 --a------ D:\WINDOWS\system32\wucltui.dll.mui
2008-03-23 22:44 . 2007-07-30 20:18 33,624 --a------ D:\WINDOWS\system32\wups.dll
2008-03-23 22:44 . 2007-07-30 20:19 25,944 --a------ D:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-23 22:44 . 2007-07-30 20:19 25,944 --a------ D:\WINDOWS\system32\wuapi.dll.mui
2008-03-23 22:44 . 2007-07-30 20:18 20,312 --a------ D:\WINDOWS\system32\wuaueng.dll.mui
2008-03-23 22:42 . 2008-03-23 22:42 0 --a------ D:\WINDOWS\nsreg.dat
2008-03-23 22:41 . 2008-04-23 07:27 <DIR> d--hs---- D:\WINDOWS\Installer
2008-03-23 22:41 . 2008-03-23 22:44 <DIR> d-------- D:\Documents and Settings\Brandon
2008-03-23 22:41 . 2008-03-27 07:37 1,024 --ah----- D:\Documents and Settings\Default User\NTUSER.DAT.LOG
2008-03-23 22:41 . 2008-04-23 14:02 1,024 --ah----- D:\Documents and Settings\Brandon\NTUSER.DAT.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 02:12 246 ----a-w D:\Program Files\Common Files\lafuv259
2008-03-24 13:30 472,576 ----a-w D:\WINDOWS\Radeon Omega Drivers v4.8.442 Uninstall.exe
2008-03-24 06:33 --------- d-----w D:\Program Files\microsoft frontpage
2008-02-13 05:30 7,680 ----a-w D:\WINDOWS\fetchuserid.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04495502-16C6-4547-8FD5-9F7636B0721F}]
D:\WINDOWS\System32\vtutq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B435F6-B6CE-4F24-A568-944B27ED919C}]
D:\WINDOWS\System32\atgban.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{182082bb-3736-4804-8ab1-07c8fc7fe3b4}]
D:\WINDOWS\System32\tqmxrexw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{382EB516-B686-4273-845A-AA79A6FEBB40}]
D:\WINDOWS\system32\ssqro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B477BC9-3651-4E40-B454-FE71A572969E}]
D:\WINDOWS\System32\mlljj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B15B60A6-61C6-4B46-F793-EEEA0E7D803A}]
D:\Program Files\Common Files\lafuv259.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]
D:\WINDOWS\TinyBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-21 20:33 579584]
"MSConfig"="D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 20:04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqomkl]
ssqomkl.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Brandon^Start Menu^Programs^Startup^Deewoo.lnk]
path=D:\Documents and Settings\Brandon\Start Menu\Programs\Startup\Deewoo.lnk
backup=D:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Brandon^Start Menu^Programs^Startup^DW_Start.lnk]
path=D:\Documents and Settings\Brandon\Start Menu\Programs\Startup\DW_Start.lnk
backup=D:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\14f1a2f1]
D:\WINDOWS\System32\asqyupyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 18:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMcf40244f]
D:\WINDOWS\system32\rivuntcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ceps]
D:\WINDOWS\System32\DOBE~1\wuaclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
D:\WINDOWS\System32\scntokwd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mivgpln]
D:\Program Files\?dobe\m?dtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
D:\WINDOWS\System32\atgban.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
D:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1A-A2-25-5E-DW}]
d:\windows\system32\jnwnw64n.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 14:02:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-23 14:03:38 - machine was rebooted [Brandon]
ComboFix-quarantined-files.txt 2008-04-23 21:03:35

Pre-Run: 165,634,990,080 bytes free
Post-Run: 166,221,221,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

264



Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:31 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\Brandon\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - D:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O2 - BHO: (no name) - {382EB516-B686-4273-845A-AA79A6FEBB40} - D:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B477BC9-3651-4E40-B454-FE71A572969E} - D:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: 0 - {B15B60A6-61C6-4B46-F793-EEEA0E7D803A} - D:\Program Files\Common Files\lafuv259.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - D:\WINDOWS\TinyBHO.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206337443877
O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5045 bytes

#6 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 23 April 2008 - 03:36 PM

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {04495502-16C6-4547-8FD5-9F7636B0721F} - D:\WINDOWS\System32\vtutq.dll (file missing)
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - D:\WINDOWS\System32\atgban.dll (file missing)
O2 - BHO: {4b3ef7cf-8c70-1ba8-4084-6373bb280281} - {182082bb-3736-4804-8ab1-07c8fc7fe3b4} - D:\WINDOWS\System32\tqmxrexw.dll (file missing)
O2 - BHO: (no name) - {382EB516-B686-4273-845A-AA79A6FEBB40} - D:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {9B477BC9-3651-4E40-B454-FE71A572969E} - D:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: 0 - {B15B60A6-61C6-4B46-F793-EEEA0E7D803A} - D:\Program Files\Common Files\lafuv259.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - D:\WINDOWS\TinyBHO.dll (file missing)

O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx

O20 - Winlogon Notify: ssqomkl - ssqomkl.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Download Malwarebytes' Anti-Malware from here and save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh HJT log (run in Normal Mode) AND a description of how your PC is behaving.
Death to the salad eaters!

#7 B. Wong

B. Wong

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 23 April 2008 - 04:59 PM

Ok! Scrolling is still choppy and computer seems to be like before. Also while MBAM was running AVG caught Multiple trojan based threats, that I didn't heal because I was afraid they would mess up the MBAM process. Should I run MBAM again and heal these threats, or continue and have AVG clear them out in the end?

MBAM Log:
Malwarebytes' Anti-Malware 1.11
Database version: 675

Scan type: Full Scan (D:\|)
Objects scanned: 58590
Time elapsed: 20 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\quantic.plug (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\quantic.plug.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\targetedbanner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\QooBox\Quarantine\D\WINDOWS\V29uZw\asappsrv.dll.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\V29uZw\command.exe.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP21\A0006810.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP21\A0006811.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP6\A0000190.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000228.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000229.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000233.vbs (Malware.Trace) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000235.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000236.dll (Adware.TTC) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000349.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000356.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000372.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000374.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA3756D4-DD0E-4F2D-896C-A1A6728286E4}\RP7\A0000377.ico (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\targetedbanner-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\IDME\TGbn1dll.exe (Adware.Trafficsol) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\usnv\pax89104.exe (Adware.TTC) -> Quarantined and deleted successfully.


HIjackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:22 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Brandon\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206337443877
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 3946 bytes

#8 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 24 April 2008 - 01:49 PM

Also while MBAM was running AVG caught Multiple trojan based threats, that I didn't heal because I was afraid they would mess up the MBAM process. Should I run MBAM again and heal these threats, or continue and have AVG clear them out in the end?

It's difficult to say without knowing exactly what is being detected. I'd run MBAM again and see what AVG is detecting. If you can list what AVG is picking up, i'll tell you what I think is for the best.
Can you tell me whether you installed AVG originally once you got the OS up and running, or whether it was only after you encountered the problems with the PC.
Death to the salad eaters!

#9 B. Wong

B. Wong

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 25 April 2008 - 03:01 AM

AVG was installed after I began having problems, I reran MBAM and it didn't pick anything up, then did a full system scan using AVG and nothing was picked up either... The pop ups have stopped, but for some reason the web is still slow and choppy. Anything else I can do about it?

#10 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 25 April 2008 - 12:47 PM

Given that the PC was being run without adequate security prior to it's infection, I recommend reformatting and reinstalling Windows. It is going to be impossible to guarantee a clean computer at the end of the removal process, which makes it something of a waste of time to start it in the first place. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems. You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, i'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc... changed - obviously not using this PC! Should you want them, I can provide links to free software that will help keep your PC malware-free in the future.
Death to the salad eaters!

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users