Many instances of false security warnings
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Oldmartian
I have Windows XP Home running Slimbrowser as my Internet browser. The computer is infested with "stuff" with names made from random letters of the alphabet.

A faux pas warning window comes up warning me that a Virus, Trojan or Spyware (all of them) has been detected and wants me to click to get anti-virus software. The warning messages have proper spellings but the English is not good. I'm offered the choice of Yes or No, and some windows just have an OK box to check. I always click the "No" choice, but the boxes offering me only an "OK" to check cause a new Internet Explorer (not my default) window to come up. This repeats at about one minute intervals.

I just ran an AdAware scan which detected and removed over a hundred *-ware programs. I then ran HijackThis and got the following log for you; I would be immensely happy if you could rid me of this pest. Thank you:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:50:21 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.spaceweather.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\WINDOWS\system32\jkkjhgd.dll
O2 - BHO: {ec0a5def-459d-ac99-dbd4-173297ba8352} - {2538ab79-2371-4dbd-99ca-d954fed5a0ce} - C:\WINDOWS\system32\nldyltet.dll
O2 - BHO: (no name) - {3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB} - \
O2 - BHO: (no name) - {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} - C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ykicfuqz.dll
O2 - BHO: (no name) - {AEBF760E-4840-4B29-92CC-393E4D721222} - (no file)
O2 - BHO: (no name) - {D05111EF-336A-4AC7-8D16-494ADD9614B1} - C:\Program Files\Windows NT\qusodyC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {D47D69D4-CC45-421E-81E1-90121AE599C4} - C:\WINDOWS\system32\jkkjj.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ykicfuqz.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\mgfqcfcr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm027XXUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1488f2f8062bf893f022/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094070805359
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.samsphotoclub.com/upload/WebUploadClient.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: jkkjhgd - C:\WINDOWS\SYSTEM32\jkkjhgd.dll
O20 - Winlogon Notify: wukenmvu - wukenmvu.dll (file missing)
O20 - Winlogon Notify: ykicfuqz - C:\WINDOWS\SYSTEM32\ykicfuqz.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8568 bytes
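The log above carries the indicators a helper reads by eye: a copy of svchost.exe running from C:\WINDOWS\Fonts, unnamed BHOs backed by DLLs with random-letter names, a Run value named with a bare hex string that loads a DLL through rundll32, and Winlogon Notify entries. The following Python script is an added example, not part of this thread and not a HijackThis feature: it applies those same heuristics to a constructed subset of the posted log lines. The pronounceability test and the list of System32-only binaries are assumptions of this example, chosen to match the names seen in this log; the test deliberately misses names like ykicfuqz and wukenmvu, which is why every Winlogon Notify entry is reported regardless of name.

```python
import re
from typing import Dict, List

# A constructed subset of the HijackThis log posted above, used as sample input.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\WINDOWS\system32\jkkjhgd.dll
O2 - BHO: {ec0a5def-459d-ac99-dbd4-173297ba8352} - {2538ab79-2371-4dbd-99ca-d954fed5a0ce} - C:\WINDOWS\system32\nldyltet.dll
O2 - BHO: (no name) - {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} - C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AEBF760E-4840-4B29-92CC-393E4D721222} - (no file)
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\mgfqcfcr.dll",b
O20 - Winlogon Notify: jkkjhgd - C:\WINDOWS\SYSTEM32\jkkjhgd.dll
O20 - Winlogon Notify: wukenmvu - wukenmvu.dll (file missing)
"""

# Assumption of this example: core XP binaries that only belong in System32.
# The same file name elsewhere (here C:\WINDOWS\Fonts\svchost.exe) is a masquerade.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "rundll32.exe", "spoolsv.exe", "ctfmon.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
BHO_RE = re.compile(r"BHO:\s+(.*?)\s+-\s+(\S+)\s+-\s+(.*)$")
RUN_RE = re.compile(r"Run:\s+\[([^\]]*)\]\s+(.*)$")
NOTIFY_RE = re.compile(r"Winlogon Notify:\s+(\S+)\s+-\s+(.*)$")


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Crude pronounceability test (assumption of this example, not a HijackThis rule):
    an all-letter stem of 5+ characters with no vowels, or with a run of 4+ non-vowels."""
    stem = filename.lower().split(".")[0]
    if not re.fullmatch(r"[a-z]{5,}", stem):
        return False
    return re.search(r"[aeiou]", stem) is None or re.search(r"[^aeiou]{4}", stem) is not None


def masquerading(path: str) -> bool:
    """True when a core system binary name runs from a full path outside System32."""
    p = path.strip('"')
    return "\\" in p and basename(p) in SYSTEM_BINARIES and not p.lower().startswith(SYSTEM32)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious log line, with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if re.match(r"^[A-Za-z]:\\", line):            # "Running processes" entry
            if masquerading(line):
                reasons.append("system binary name running outside System32")
        elif line.startswith("O2 "):                    # Browser Helper Object
            m = BHO_RE.search(line)
            if m:
                name, _clsid, target = m.groups()
                if target.count(":\\") > 1:
                    reasons.append("malformed path: two drive roots concatenated")
                if name == "(no name)" and not target.startswith("(no file)") \
                        and "(file missing)" not in target:
                    reasons.append("unnamed BHO with a DLL present on disk")
                if GUID_RE.fullmatch(name):
                    reasons.append("BHO whose display name is a bare GUID")
                if looks_random(basename(target)):
                    reasons.append("random-looking DLL name")
        elif line.startswith("O4 "):                    # Run key autostart
            m = RUN_RE.search(line)
            if m:
                value_name, command = m.groups()
                if re.fullmatch(r"[0-9a-f]{8}", value_name):
                    reasons.append("Run value named with an 8-digit hex string")
                dll = re.search(r'"([^"]+\.dll)"', command, re.I)
                if dll and looks_random(basename(dll.group(1))):
                    reasons.append("rundll32 loading a random-looking DLL")
                parts = command.split()
                if parts and masquerading(parts[0]):
                    reasons.append("system binary name running outside System32")
        elif line.startswith("O20 "):                   # Winlogon Notify DLL
            m = NOTIFY_RE.search(line)
            if m:
                subkey, target = m.groups()
                reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at logon")
                if looks_random(subkey):
                    reasons.append("random-looking subkey name")
                if "(file missing)" in target:
                    reasons.append("orphaned entry: DLL no longer on disk")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

On the sample above the script flags eight lines and leaves the Java ssv.dll, avast and Explorer entries alone; the reasons list is what a helper would write next to each line before deciding what a fix tool needs to remove.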

HJThis
Hello Oldmartian & Welcome

Please download
VundoFix.exe
to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files,
click YES
Once you click yes, your desktop will go blank as it starts removing
Vundo.
When completed, it will prompt that it will reboot your computer,
click OK.
Please post the contents of C:\vundofix.txt

======================

Then

* Go here to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic for review

======================

Come back here with the Eset scan log and vundofix.txt Also a new HijackThis log


Gogo
Oldmartian
QUOTE(HJThis @ Nov 11 2007, 05:07 PM) *

Thank you for your quick response. I appreciate you folks being here...

Here's VundoFix.txt:

VundoFix V6.5.11

Checking Java version...

Scan started at 8:13:05 AM 11/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\ykicfuqz.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ykicfuqz.dll
C:\WINDOWS\system32\ykicfuqz.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ykicfuqz.dll
C:\WINDOWS\system32\ykicfuqz.dll Has been deleted!

Performing Repairs to the registry.
Done!

Now I'm going to do the ESET scan using Internet Explorer...
I D/L ESET and installed ActiveX. Before starting ESET I turned off my Avast AV proggie. I hope that's OK. I un-checked and checked the proper boxes requested.
It's running now at 8:40 am EST Nov 12. (Info if you need any of it, but typing it help me know I did the right things.)
I'm noticing after running the VooDoo (VundoFix.exe) proggie that the pop-up errors and IE boxes have ceased. "So far so good."
I tell people, "I'm going to live forever. 65, so far so good..."
Well, it's been running for 33 minutes and so far has found 3800 threats...
There weren't many threats (about 80) before ESET came across the Windows directory tree. What I'm seeing fly by are threats in the Fonts subdirectory.
(We're at 6700 now ... As they are flying by I recognize the names of bad guys - BugBear,...Zone..., EvanAlmighty,...Family Tree,... Find Love) They sound more like cookies, but I can't see the whole names because they are flashing by so fast, but we're still in the C:\Windows\Fonts\... directory, 11,500 threats and counting.

I'm going to send you this now while the ESET AV proggie is running. If these threats each take a line of text in EsetOnlineScanner\log.txt this will be an enormous file, and I'm sure you don't want me to clog your system with it.
The scan is about half done and I have 15,000 threats in 180,000 files scanned. I'll keep it running.
By the way, I'm running the infected computer through LogMeIn remote control. The infected computer belongs to a close friend who is not particularly (not at all) computer literate.

HJThis
Hi Oldmartian

Not a problem I'll check back on you.

Gogo
Oldmartian
QUOTE(HJThis @ Nov 12 2007, 12:15 PM) *

OK, the ESET AV is done. It's a 4.5 Meg file and I cannot cut and paste, so I'll upload the file to you.

My friend bought a subscription and installed "MusicETC" 6 weeks ago. It took her a long time to find her way around in the proggie. She thinks she might have left it up for a period of time. The contents of the ESET log indicates that she has downloaded a piece of something from every piece of software that MusicETC has "available". They show up as .zip files and I wonder if they are torrent files. I don't intend to open anything even to look until we are done. I installed utorrent.exe on her machine and that even shows up as a "threat" file. I have it at home and it does not pose any security problems on my computer. I do intend to scan my own computer with ESET, though.

Anyway, the 5 MB ESET log is uploaded and the HijackThis file follows. I am anxious to know what to do next to stamp out this virus on this plague-ridden computer of hers.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:37:31 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gardnerpier.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\WINDOWS\system32\jkkjhgd.dll
O2 - BHO: {ec0a5def-459d-ac99-dbd4-173297ba8352} - {2538ab79-2371-4dbd-99ca-d954fed5a0ce} - C:\WINDOWS\system32\nldyltet.dll
O2 - BHO: (no name) - {3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB} - \
O2 - BHO: (no name) - {5E46A119-9450-4317-A511-C89FD8F69EB0} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: (no name) - {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} - C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AEBF760E-4840-4B29-92CC-393E4D721222} - (no file)
O2 - BHO: (no name) - {D05111EF-336A-4AC7-8D16-494ADD9614B1} - C:\Program Files\Windows NT\qusodyC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\mgfqcfcr.dll",b
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm027XXUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1488f2f8062bf893f022/...ip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094070805359
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.samsphotoclub.com/upload/WebUploadClient.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: jkkjhgd - C:\WINDOWS\SYSTEM32\jkkjhgd.dll
O20 - Winlogon Notify: wukenmvu - wukenmvu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8477 bytes
HJThis
Hi Oldmartian

All I have to say is WOW.


Please download VirtumundoBeGone

Save it to the desktop.

Don't run just Yet! wink.gif

=======================

Download ComboFix from Here or Here to your Desktop.

Don't run just Yet! wink.gif

======================

Now we will run-->

Close all running programs (including your Internet browser).
Double-click VirtumundoBeGone.exe on the desktop.
Follow the directions as indicated.

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process. Do not be concerned. Just reboot if your system "jams".

To confirm successful deletion, and to determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It will be on your desktop.

=======================

After the reboot run this one.-->

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

=======================

Then come back here with both logfiles. Oh boy, let's not forget the HijackThis log.


Gogo
Oldmartian
QUOTE(HJThis @ Nov 12 2007, 02:45 PM) *

O.K. I've followed everything and have the results.
First, I'd like to ask why there weren't any Registry fixes. With all that crap I would have thought the Registry got pickled, too.
Second, did all those files get deleted from C:\Windows\Fonts? (I'm afraid to look!)
Third, if I run another scan (AdAware, ESET or Avast!) is it OK to delete any findings?
Fourth, should I expect any findings?
Fifth, do you know the link to your Killer Dog is broken?


Here are the results in the proper order: VBG, Combo and HijackThis

[11/12/2007, 15:22:17] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[11/12/2007, 15:22:28] - Detected System Information:
[11/12/2007, 15:22:28] - Windows Version: 5.1.2600, Service Pack 2
[11/12/2007, 15:22:28] - Current Username: Owner (Admin)
[11/12/2007, 15:22:28] - Windows is in NORMAL mode.
[11/12/2007, 15:22:28] - Searching for Browser Helper Objects:
[11/12/2007, 15:22:28] - BHO 1: SOFTWARE ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - No filename found. Continuing.
[11/12/2007, 15:22:28] - BHO 2: {01CD0B31-9154-45F2-9414-F5D64B74EAF6} ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - Checking for HKLM\...\Winlogon\Notify\jkkjhgd
[11/12/2007, 15:22:28] - Found: HKLM\...\Winlogon\Notify\jkkjhgd - This is probably Virtumundo.
[11/12/2007, 15:22:28] - Assigning {01CD0B31-9154-45F2-9414-F5D64B74EAF6} MSEvents Object
[11/12/2007, 15:22:28] - BHO list has been changed! Starting over...
[11/12/2007, 15:22:28] - BHO 1: SOFTWARE ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - No filename found. Continuing.
[11/12/2007, 15:22:28] - BHO 2: {01CD0B31-9154-45F2-9414-F5D64B74EAF6} (MSEvents Object)
[11/12/2007, 15:22:28] - ALERT: Found MSEvents Object!
[11/12/2007, 15:22:28] - BHO 3: {2538ab79-2371-4dbd-99ca-d954fed5a0ce} ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - Checking for HKLM\...\Winlogon\Notify\nldyltet
[11/12/2007, 15:22:28] - Key not found: HKLM\...\Winlogon\Notify\nldyltet, continuing.
[11/12/2007, 15:22:28] - BHO 4: {3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB} ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - Checking for HKLM\...\Winlogon\Notify\
[11/12/2007, 15:22:28] - Key not found: HKLM\...\Winlogon\Notify\, continuing.
[11/12/2007, 15:22:28] - BHO 5: {5E46A119-9450-4317-A511-C89FD8F69EB0} ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - Checking for HKLM\...\Winlogon\Notify\jkkjj
[11/12/2007, 15:22:28] - Key not found: HKLM\...\Winlogon\Notify\jkkjj, continuing.
[11/12/2007, 15:22:28] - BHO 6: {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - Checking for HKLM\...\Winlogon\Notify\jumper83122.exe
[11/12/2007, 15:22:28] - Key not found: HKLM\...\Winlogon\Notify\jumper83122.exe, continuing.
[11/12/2007, 15:22:28] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/12/2007, 15:22:28] - BHO 8: {AEBF760E-4840-4B29-92CC-393E4D721222} ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - No filename found. Continuing.
[11/12/2007, 15:22:28] - BHO 9: {D05111EF-336A-4AC7-8D16-494ADD9614B1} ()
[11/12/2007, 15:22:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:28] - Checking for HKLM\...\Winlogon\Notify\CEMG555077.exe
[11/12/2007, 15:22:28] - Key not found: HKLM\...\Winlogon\Notify\CEMG555077.exe, continuing.
[11/12/2007, 15:22:28] - Finished Searching Browser Helper Objects
[11/12/2007, 15:22:28] - *** Detected MSEvents Object
[11/12/2007, 15:22:28] - Trying to remove MSEvents Object...
[11/12/2007, 15:22:29] - Terminating Process: IEXPLORE.EXE
[11/12/2007, 15:22:29] - Terminating Process: RUNDLL32.EXE
[11/12/2007, 15:22:30] - Disabling Automatic Shell Restart
[11/12/2007, 15:22:30] - Terminating Process: EXPLORER.EXE
[11/12/2007, 15:22:30] - Suspending the NT Session Manager System Service
[11/12/2007, 15:22:31] - Terminating Windows NT Logon/Logoff Manager
[11/12/2007, 15:22:32] - Re-enabling Automatic Shell Restart
[11/12/2007, 15:22:32] - File to disable: C:\WINDOWS\system32\jkkjhgd.dll
[11/12/2007, 15:22:32] - Renaming C:\WINDOWS\system32\jkkjhgd.dll -> C:\WINDOWS\system32\jkkjhgd.dll.vir
[11/12/2007, 15:22:34] - File successfully renamed!
[11/12/2007, 15:22:34] - Removing HKLM\...\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}
[11/12/2007, 15:22:34] - Removing HKCR\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}
[11/12/2007, 15:22:34] - Adding Kill Bit for ActiveX for GUID: {01CD0B31-9154-45F2-9414-F5D64B74EAF6}
[11/12/2007, 15:22:34] - Deleting ATLEvents/MSEvents Registry entries
[11/12/2007, 15:22:34] - Removing HKLM\...\Winlogon\Notify\jkkjhgd
[11/12/2007, 15:22:34] - Searching for Browser Helper Objects:
[11/12/2007, 15:22:34] - BHO 1: SOFTWARE ()
[11/12/2007, 15:22:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:34] - No filename found. Continuing.
[11/12/2007, 15:22:34] - BHO 2: {2538ab79-2371-4dbd-99ca-d954fed5a0ce} ()
[11/12/2007, 15:22:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:34] - Checking for HKLM\...\Winlogon\Notify\nldyltet
[11/12/2007, 15:22:34] - Key not found: HKLM\...\Winlogon\Notify\nldyltet, continuing.
[11/12/2007, 15:22:34] - BHO 3: {3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB} ()
[11/12/2007, 15:22:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:34] - Checking for HKLM\...\Winlogon\Notify\
[11/12/2007, 15:22:34] - Key not found: HKLM\...\Winlogon\Notify\, continuing.
[11/12/2007, 15:22:34] - BHO 4: {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} ()
[11/12/2007, 15:22:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:34] - Checking for HKLM\...\Winlogon\Notify\jumper83122.exe
[11/12/2007, 15:22:34] - Key not found: HKLM\...\Winlogon\Notify\jumper83122.exe, continuing.
[11/12/2007, 15:22:34] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/12/2007, 15:22:34] - BHO 6: {91724D17-EAA1-4269-AA29-EFC5508A439D} ()
[11/12/2007, 15:22:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:34] - Checking for HKLM\...\Winlogon\Notify\jkkjj
[11/12/2007, 15:22:34] - Key not found: HKLM\...\Winlogon\Notify\jkkjj, continuing.
[11/12/2007, 15:22:34] - BHO 7: {AEBF760E-4840-4B29-92CC-393E4D721222} ()
[11/12/2007, 15:22:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:34] - No filename found. Continuing.
[11/12/2007, 15:22:34] - BHO 8: {D05111EF-336A-4AC7-8D16-494ADD9614B1} ()
[11/12/2007, 15:22:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/12/2007, 15:22:34] - Checking for HKLM\...\Winlogon\Notify\CEMG555077.exe
[11/12/2007, 15:22:34] - Key not found: HKLM\...\Winlogon\Notify\CEMG555077.exe, continuing.
[11/12/2007, 15:22:34] - Finished Searching Browser Helper Objects
[11/12/2007, 15:22:34] - Finishing up...
[11/12/2007, 15:22:34] - A restart is needed.
[11/12/2007, 15:23:05] - Attempting to Restart via STOP error (Blue Screen!)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 07-11-08.1 - Owner 2007-11-12 15:31:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.875 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
..

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
..

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\rcfcqfgm.ini
C:\WINDOWS\system32\rcfcqfgm.ini2
C:\WINDOWS\system32\rcfcqfgm.tmp
C:\WINDOWS\system32\ykicfuqz.dllbox

..
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
..

2007-11-12 15:42 32,768 --a------ C:\Documents and Settings\Owner\pdf.exe
2007-11-12 08:38 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-12 08:13 <DIR> d-------- C:\VundoFix Backups
2007-11-12 06:57 36,352 --a------ C:\WINDOWS\system32\qommjjk.dll
2007-11-11 14:59 <DIR> d-------- C:\Program Files\LavasoftAd-Aware 2007
2007-11-11 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-11 14:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 14:52 <DIR> d-------- C:\Program Files\Combofix
2007-11-11 14:20 88,128 --a------ C:\WINDOWS\system32\mgfqcfcr.dll
2007-11-11 14:17 79,936 --a------ C:\WINDOWS\system32\nldyltet.dll
2007-11-11 14:11 36,352 --a------ C:\WINDOWS\system32\urqnmmj.dll
2007-11-11 11:13 <DIR> d-------- C:\Program Files\QuickPar-FM
2007-11-11 11:12 <DIR> d-------- C:\Program Files\D*mn NFO Viewer-FM
2007-11-11 11:03 88,128 --a------ C:\WINDOWS\system32\gepufcrx.dll
2007-11-11 10:47 79,936 --a------ C:\WINDOWS\system32\wigktlic.dll
2007-11-11 10:47 71,232 --a------ C:\WINDOWS\system32\aemalovn.exe
2007-11-11 10:34 <DIR> d-------- C:\WINDOWS\system32\rMa06yy
2007-11-11 10:34 <DIR> d-------- C:\WINDOWS\Sun
2007-11-11 10:34 <DIR> d-------- C:\Program Files\uTorrent
2007-11-11 09:43 36,352 --a------ C:\WINDOWS\system32\jkkhebx.dll
2007-11-10 13:58 36,352 --a------ C:\WINDOWS\system32\jkkjhgd.dll.vir
2007-11-10 11:20 81,472 --a------ C:\WINDOWS\system32\xejroxaj.dll
2007-11-10 11:14 145,984 --a------ C:\WINDOWS\system32\xmpijtim.dll
2007-11-10 11:14 71,232 --a------ C:\WINDOWS\system32\sjqlgjul.exe
2007-11-10 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 01:03 81,472 --a------ C:\WINDOWS\system32\juvvjkvl.dll
2007-11-10 01:01 85,056 --a------ C:\WINDOWS\system32\ebmbiksg.dll
2007-11-10 01:01 36,352 --a------ C:\WINDOWS\system32\awtuutr.dll
2007-11-09 08:13 71,232 --a------ C:\WINDOWS\system32\luseqctr.exe
2007-11-09 00:02 172,032 --a------ C:\winlogon.exe
2007-11-09 00:02 35,328 --a------ C:\WINDOWS\system32\wvutrqr.dll
2007-11-09 00:02 2,069 --a------ C:\Documents and Settings\Owner\z.dat
2007-11-09 00:02 888 --a------ C:\Documents and Settings\Owner\x.dat
2007-11-08 14:58 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-08 14:58 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-08 14:58 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-08 13:15 35,328 --a------ C:\WINDOWS\system32\gebbyvv.dll
2007-11-08 13:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-11-08 08:30 86,080 --a------ C:\WINDOWS\system32\nxhjevmg.dll
2007-11-08 08:30 71,232 --a------ C:\WINDOWS\system32\fpadhqnh.exe
2007-11-08 04:15 71,232 --a------ C:\WINDOWS\system32\tqhbnygs.exe
2007-11-07 14:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-07 07:06 35,328 --a------ C:\WINDOWS\system32\efcdecc.dll
2007-11-06 15:58 87,104 --a------ C:\WINDOWS\system32\yoqrabgn.dll
2007-11-06 15:58 71,232 --a------ C:\WINDOWS\system32\jbfbehpk.exe
2007-11-06 08:25 35,328 --a------ C:\WINDOWS\system32\xxyyvss.dll
2007-11-02 12:08 <DIR> d-------- C:\Program Files\RegSeeker
2007-11-02 10:23 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-02 09:05 634,880 --a------ C:\WINDOWS\uninstall-temp.exe
2007-11-02 09:04 <DIR> d-------- C:\Program Files\Java
2007-11-02 09:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-01 09:00 <DIR> d-------- C:\Program Files\Foxit Software
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\WINDOWS
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\VERITAS
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Symantec
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\InterTrust
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Corel
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-10-31 11:39 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-31 11:39 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-31 11:39 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-31 11:39 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-31 11:39 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-31 11:39 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-31 11:39 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-31 11:39 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-31 10:56 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-10-31 10:56 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-10-31 10:56 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-10-31 10:55 75,064 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-10-31 10:54 <DIR> d-------- C:\Program Files\LogMeIn
2007-10-30 06:53 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-30 06:53 <DIR> d-------- C:\Temp
2007-10-29 07:25 589 --a------ C:\WINDOWS\system32\opimcrri.dll
2007-10-28 18:31 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-28 18:28 134 --a------ C:\n.bat
2007-10-28 18:27 28,672 --a------ C:\Documents and Settings\Owner\update.exe
2007-10-25 13:38 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-10-24 12:45 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-10-24 12:45 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-10-24 12:44 <DIR> d-------- C:\Program Files\MusicETC
2007-10-18 19:47 23,736 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-10-18 19:47 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll

..
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
..
2007-11-12 20:42 9,808 ----a-w C:\b.exe
2007-11-12 20:42 32,768 ----a-w C:\svchost.exe
2007-11-12 20:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\SlimBrowser
2007-11-11 17:29 --------- dc----w C:\Program Files\HPSelect
2007-11-07 20:14 --------- d-----w C:\Program Files\SlimBrowser
2007-11-02 14:24 --------- d-----w C:\Program Files\Common Files\Real
2007-11-01 21:20 512 ---ha-w C:\os455975.bin
2007-11-01 14:04 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-01 13:54 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-01 13:38 --------- d-----w C:\Program Files\CasinoOnNet
2007-11-01 13:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 16:52 --------- d-----w C:\Program Files\Google
2007-10-28 23:31 278,536 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-28 23:26 278,535 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-25 17:10 --------- d-----w C:\Program Files\HP
2007-09-12 14:20 10,144 ----a-w C:\WINDOWS\system32\drivers\lmimirr.sys
2007-05-30 14:32 463,872 ----a-w C:\Program Files\UnitConversion.exe
2001-08-18 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
..

((((((((((((((((((((((((((((( snapshot@2007-11-10_14.00.44.12 )))))))))))))))))))))))))))))))))))))))))
..
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-11-12 20:42:40 36,352 ----a-w C:\WINDOWS\system32\hggeeeb.dll
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2007-11-11 15:35:01 9,027,336 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-11-07 18:26:48 32,768 ----a-w C:\WINDOWS\system32\rMa06yy\rMa06yy1083.exe
+ 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2007-11-12 20:39:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
..
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
..
..
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2538ab79-2371-4dbd-99ca-d954fed5a0ce}]
2007-11-11 14:17 79936 --a------ C:\WINDOWS\system32\nldyltet.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C5B9CF8-7E88-4291-8C74-F41EEC57789B}]
C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF760E-4840-4B29-92CC-393E4D721222}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D05111EF-336A-4AC7-8D16-494ADD9614B1}]
C:\Program Files\Windows NT\qusodyC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 22:56]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 09:46]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-12 05:20]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-10-28 18:26]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 09:20]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"18e2ca85"="C:\WINDOWS\system32\mgfqcfcr.dll" [2007-11-11 14:20]
"runner1"="C:\WINDOWS\mrofinu1188.exe" [2007-11-12 15:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\WINDOWS\system32\hggeeeb.dll [2007-11-12 15:42 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggeeeb]
hggeeeb.dll 2007-11-12 15:42 36352 C:\WINDOWS\system32\hggeeeb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-10-18 19:47 75064 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wukenmvu]
wukenmvu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\18e2ca85]
rundll32.exe "C:\WINDOWS\system32\gepufcrx.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorGuard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySpotter System Defender]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufmq]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2C-CA-A2-2A-ZN}]
C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys

..
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 15:40:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\rcfcqfgm.ini 590356 bytes

scan completed successfully
hidden files: 1

**************************************************************************
..
Completion time: 2007-11-12 15:47:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 14:15
C:\ComboFix3.txt ... 2007-11-10 14:05
..
--- E O F ---

------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:00:26 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\17PHolmes1188.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.spaceweather.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: {ec0a5def-459d-ac99-dbd4-173297ba8352} - {2538ab79-2371-4dbd-99ca-d954fed5a0ce} - C:\WINDOWS\system32\nldyltet.dll
O2 - BHO: (no name) - {3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB} - \
O2 - BHO: (no name) - {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} - C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AEBF760E-4840-4B29-92CC-393E4D721222} - (no file)
O2 - BHO: (no name) - {D05111EF-336A-4AC7-8D16-494ADD9614B1} - C:\Program Files\Windows NT\qusodyC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\mgfqcfcr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm027XXUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1488f2f8062bf893f022/...ip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094070805359
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.samsphotoclub.com/upload/WebUploadClient.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: hggeeeb - C:\WINDOWS\SYSTEM32\hggeeeb.dll
O20 - Winlogon Notify: wukenmvu - wukenmvu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8122 bytes

HJThis
Hi, Oldmartian

Sorry for the holdup here.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quote box below into it (but don't include the word: quote). Make sure to use NotePad and nothing else.

QUOTE
File::
C:\WINDOWS\system32\qommjjk.dll
C:\WINDOWS\system32\mgfqcfcr.dll
C:\WINDOWS\system32\nldyltet.dll
C:\WINDOWS\system32\urqnmmj.dll
C:\WINDOWS\system32\gepufcrx.dll
C:\WINDOWS\system32\wigktlic.dll
C:\WINDOWS\system32\aemalovn.exe
C:\WINDOWS\system32\rMa06yy
C:\WINDOWS\system32\jkkhebx.dll
C:\WINDOWS\system32\jkkjhgd.dll.vir
C:\WINDOWS\system32\xejroxaj.dll
C:\WINDOWS\system32\xmpijtim.dll
C:\WINDOWS\system32\sjqlgjul.exe
C:\WINDOWS\system32\juvvjkvl.dll
C:\WINDOWS\system32\ebmbiksg.dll
C:\WINDOWS\system32\awtuutr.dll
C:\WINDOWS\system32\luseqctr.exe
C:\WINDOWS\system32\wvutrqr.dll
C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\nxhjevmg.dll
C:\WINDOWS\system32\fpadhqnh.exe
C:\WINDOWS\system32\tqhbnygs.exe
C:\WINDOWS\system32\efcdecc.dll
C:\WINDOWS\system32\yoqrabgn.dll
C:\WINDOWS\system32\jbfbehpk.exe
C:\WINDOWS\system32\xxyyvss.dll
C:\WINDOWS\mrofinu1000106.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2538ab79-2371-4dbd-99ca-d954fed5a0ce}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D05111EF-336A-4AC7-8D16-494ADD9614B1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggeeeb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wukenmvu]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\18e2ca85]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySpotter System Defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2C-CA-A2-2A-ZN}]



Save this as CFScript.txt, in the same location as ComboFix.exe

(attachment: screenshot)

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it will produce a log for you at "C:\ComboFix.txt"


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


====================

Then run HijackThis.

Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: {ec0a5def-459d-ac99-dbd4-173297ba8352} - {2538ab79-2371-4dbd-99ca-d954fed5a0ce} - C:\WINDOWS\system32\nldyltet.dll
O2 - BHO: (no name) - {3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB} - \
O2 - BHO: (no name) - {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} - C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)
O2 - BHO: (no name) - {AEBF760E-4840-4B29-92CC-393E4D721222} - (no file)
O2 - BHO: (no name) - {D05111EF-336A-4AC7-8D16-494ADD9614B1} - C:\Program Files\Windows NT\qusodyC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)

O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\mgfqcfcr.dll",b

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O20 - Winlogon Notify: hggeeeb - C:\WINDOWS\SYSTEM32\hggeeeb.dll
O20 - Winlogon Notify: wukenmvu - wukenmvu.dll (file missing)

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Then exit or close HijackThis.

Then come back here with both the HijackThis log and ComboFix.txt


Gogo
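An added example, not code from the thread or from ComboFix: a small checker that parses a CFScript of the shape above and reports what each line will do, so the plan can be reviewed before the file is dropped onto ComboFix.exe. It assumes the Registry:: lines follow Registry Editor .reg conventions ([-KEY] deletes a key, "name"=- deletes a value, hex(7): is a REG_MULTI_SZ payload); the embedded script is a constructed subset of the one in the post.

```python
"""Parse a ComboFix CFScript (File:: / Registry:: sections) and describe its effect.

Added example, not part of the original thread or of ComboFix itself.
Assumption: Registry:: lines use Registry Editor .reg syntax.
"""
import re

# Constructed sample: a subset of the script posted in the thread.
SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\qommjjk.dll
C:\\WINDOWS\\system32\\jkkjhgd.dll.vir
C:\\WINDOWS\\mrofinu1000106.exe

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{2538ab79-2371-4dbd-99ca-d954fed5a0ce}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"runner1"=-
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')        # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')    # "name"=data


def decode_multi_sz(hex_field):
    """Decode a .reg hex(7) payload (comma-separated bytes) into its strings.

    REG_MULTI_SZ is a sequence of NUL-terminated strings ending with an
    extra NUL, so the empty trailing entries are dropped.
    """
    raw = bytes(int(b, 16) for b in hex_field.split(',') if b)
    return [s for s in raw.decode('latin-1').split('\x00') if s]


def parse_cfscript(text):
    """Return {'files': [paths], 'registry': [(action, key, name, data)]}."""
    result = {'files': [], 'registry': []}
    section = None
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith('::'):              # section header, e.g. File::
            section = line[:-2].lower()
            continue
        if section == 'file':
            result['files'].append(line)
        elif section == 'registry':
            m = KEY_RE.match(line)
            if m:
                current_key = m.group(2)
                if m.group(1) == '-':        # [-KEY] removes the whole key
                    result['registry'].append(('delete_key', current_key, None, None))
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                name, data = m.group(1), m.group(2)
                if data == '-':              # "name"=- removes one value
                    result['registry'].append(('delete_value', current_key, name, None))
                elif data.startswith('hex(7):'):
                    strings = decode_multi_sz(data[len('hex(7):'):])
                    result['registry'].append(('set_multi_sz', current_key, name, strings))
                else:
                    result['registry'].append(('set_value', current_key, name, data))
    return result


def summarize(parsed):
    """Render the parsed plan as one human-readable line per action."""
    lines = ['remove file: ' + p for p in parsed['files']]
    for action, key, name, data in parsed['registry']:
        if action == 'delete_key':
            lines.append('delete key: ' + key)
        elif action == 'delete_value':
            lines.append('delete value "%s" under %s' % (name, key))
        elif action == 'set_multi_sz':
            lines.append('set "%s" under %s to %s' % (name, key, data))
        else:
            lines.append('set "%s" under %s to %s' % (name, key, data))
    return lines


if __name__ == '__main__':
    for entry in summarize(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(entry)
```

Running it shows that the hex(7) line restores "Authentication Packages" to msv1_0 alone, i.e. it drops the jkkjj.dll entry that ComboFix reported under the Lsa key.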
Oldmartian
QUOTE(HJThis @ Nov 12 2007, 06:19 PM)
Hi, Oldmartian

Sorry for the holdup here.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quote box below into it (but don't include the word: quote). Make sure to use NotePad and nothing else.
Save this as CFScript.txt, in the same location as ComboFix.exe

(attachment: screenshot)

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


====================

Then run HijackThis.

Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: {ec0a5def-459d-ac99-dbd4-173297ba8352} - {2538ab79-2371-4dbd-99ca-d954fed5a0ce} - C:\WINDOWS\system32\nldyltet.dll
O2 - BHO: (no name) - {3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB} - \
O2 - BHO: (no name) - {6C5B9CF8-7E88-4291-8C74-F41EEC57789B} - C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)
O2 - BHO: (no name) - {AEBF760E-4840-4B29-92CC-393E4D721222} - (no file)
O2 - BHO: (no name) - {D05111EF-336A-4AC7-8D16-494ADD9614B1} - C:\Program Files\Windows NT\qusodyC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)

O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\mgfqcfcr.dll",b

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O20 - Winlogon Notify: hggeeeb - C:\WINDOWS\SYSTEM32\hggeeeb.dll
O20 - Winlogon Notify: wukenmvu - wukenmvu.dll (file missing)

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Then exit or close HijackThis.

Then come back here with both the HijackThis log and ComboFix.txt
Gogo


I did all you said and here is the log for ComboFix. I don't find a log for HijackThis corresponding to the date/time I ran it.

Another problem has come up:
Since I originally ran ComboFix, the pop-ups have ceased, but with this last set of instructions above, as soon as I ran HiJackThis the pop-ups returned. It made it difficult but not impossible to match your lines with the HijackThis lines and remove them.

But the pop-ups are back.

Anyway, here is the log for ComboFix:

ComboFix 07-11-08.1 - Owner 2007-11-12 15:31:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.875 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\rcfcqfgm.ini
C:\WINDOWS\system32\rcfcqfgm.ini2
C:\WINDOWS\system32\rcfcqfgm.tmp
C:\WINDOWS\system32\ykicfuqz.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-12 15:42 32,768 --a------ C:\Documents and Settings\Owner\pdf.exe
2007-11-12 08:38 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-12 08:13 <DIR> d-------- C:\VundoFix Backups
2007-11-12 06:57 36,352 --a------ C:\WINDOWS\system32\qommjjk.dll
2007-11-11 14:59 <DIR> d-------- C:\Program Files\LavasoftAd-Aware 2007
2007-11-11 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-11 14:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 14:52 <DIR> d-------- C:\Program Files\Combofix
2007-11-11 14:20 88,128 --a------ C:\WINDOWS\system32\mgfqcfcr.dll
2007-11-11 14:17 79,936 --a------ C:\WINDOWS\system32\nldyltet.dll
2007-11-11 14:11 36,352 --a------ C:\WINDOWS\system32\urqnmmj.dll
2007-11-11 11:13 <DIR> d-------- C:\Program Files\QuickPar-FM
2007-11-11 11:12 <DIR> d-------- C:\Program Files\D*mn NFO Viewer-FM
2007-11-11 11:03 88,128 --a------ C:\WINDOWS\system32\gepufcrx.dll
2007-11-11 10:47 79,936 --a------ C:\WINDOWS\system32\wigktlic.dll
2007-11-11 10:47 71,232 --a------ C:\WINDOWS\system32\aemalovn.exe
2007-11-11 10:34 <DIR> d-------- C:\WINDOWS\system32\rMa06yy
2007-11-11 10:34 <DIR> d-------- C:\WINDOWS\Sun
2007-11-11 10:34 <DIR> d-------- C:\Program Files\uTorrent
2007-11-11 09:43 36,352 --a------ C:\WINDOWS\system32\jkkhebx.dll
2007-11-10 13:58 36,352 --a------ C:\WINDOWS\system32\jkkjhgd.dll.vir
2007-11-10 11:20 81,472 --a------ C:\WINDOWS\system32\xejroxaj.dll
2007-11-10 11:14 145,984 --a------ C:\WINDOWS\system32\xmpijtim.dll
2007-11-10 11:14 71,232 --a------ C:\WINDOWS\system32\sjqlgjul.exe
2007-11-10 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 01:03 81,472 --a------ C:\WINDOWS\system32\juvvjkvl.dll
2007-11-10 01:01 85,056 --a------ C:\WINDOWS\system32\ebmbiksg.dll
2007-11-10 01:01 36,352 --a------ C:\WINDOWS\system32\awtuutr.dll
2007-11-09 08:13 71,232 --a------ C:\WINDOWS\system32\luseqctr.exe
2007-11-09 00:02 172,032 --a------ C:\winlogon.exe
2007-11-09 00:02 35,328 --a------ C:\WINDOWS\system32\wvutrqr.dll
2007-11-09 00:02 2,069 --a------ C:\Documents and Settings\Owner\z.dat
2007-11-09 00:02 888 --a------ C:\Documents and Settings\Owner\x.dat
2007-11-08 14:58 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-08 14:58 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-08 14:58 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-08 13:15 35,328 --a------ C:\WINDOWS\system32\gebbyvv.dll
2007-11-08 13:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-11-08 08:30 86,080 --a------ C:\WINDOWS\system32\nxhjevmg.dll
2007-11-08 08:30 71,232 --a------ C:\WINDOWS\system32\fpadhqnh.exe
2007-11-08 04:15 71,232 --a------ C:\WINDOWS\system32\tqhbnygs.exe
2007-11-07 14:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-07 07:06 35,328 --a------ C:\WINDOWS\system32\efcdecc.dll
2007-11-06 15:58 87,104 --a------ C:\WINDOWS\system32\yoqrabgn.dll
2007-11-06 15:58 71,232 --a------ C:\WINDOWS\system32\jbfbehpk.exe
2007-11-06 08:25 35,328 --a------ C:\WINDOWS\system32\xxyyvss.dll
2007-11-02 12:08 <DIR> d-------- C:\Program Files\RegSeeker
2007-11-02 10:23 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-02 09:05 634,880 --a------ C:\WINDOWS\uninstall-temp.exe
2007-11-02 09:04 <DIR> d-------- C:\Program Files\Java
2007-11-02 09:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-01 09:00 <DIR> d-------- C:\Program Files\Foxit Software
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\WINDOWS
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\VERITAS
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Symantec
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\InterTrust
2007-10-31 12:43 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Corel
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-10-31 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-10-31 11:39 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-31 11:39 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-31 11:39 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-31 11:39 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-31 11:39 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-31 11:39 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-31 11:39 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-31 11:39 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-31 10:56 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-10-31 10:56 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-10-31 10:56 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-10-31 10:55 75,064 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-10-31 10:54 <DIR> d-------- C:\Program Files\LogMeIn
2007-10-30 06:53 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-30 06:53 <DIR> d-------- C:\Temp
2007-10-29 07:25 589 --a------ C:\WINDOWS\system32\opimcrri.dll
2007-10-28 18:31 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-28 18:28 134 --a------ C:\n.bat
2007-10-28 18:27 28,672 --a------ C:\Documents and Settings\Owner\update.exe
2007-10-25 13:38 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-10-24 12:45 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-10-24 12:45 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-10-24 12:44 <DIR> d-------- C:\Program Files\MusicETC
2007-10-18 19:47 23,736 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-10-18 19:47 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 20:42 9,808 ----a-w C:\b.exe
2007-11-12 20:42 32,768 ----a-w C:\svchost.exe
2007-11-12 20:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\SlimBrowser
2007-11-11 17:29 --------- dc----w C:\Program Files\HPSelect
2007-11-07 20:14 --------- d-----w C:\Program Files\SlimBrowser
2007-11-02 14:24 --------- d-----w C:\Program Files\Common Files\Real
2007-11-01 21:20 512 ---ha-w C:\os455975.bin
2007-11-01 14:04 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-01 13:54 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-01 13:38 --------- d-----w C:\Program Files\CasinoOnNet
2007-11-01 13:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 16:52 --------- d-----w C:\Program Files\Google
2007-10-28 23:31 278,536 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-28 23:26 278,535 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-25 17:10 --------- d-----w C:\Program Files\HP
2007-09-12 14:20 10,144 ----a-w C:\WINDOWS\system32\drivers\lmimirr.sys
2007-05-30 14:32 463,872 ----a-w C:\Program Files\UnitConversion.exe
2001-08-18 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-10_14.00.44.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-11-12 20:42:40 36,352 ----a-w C:\WINDOWS\system32\hggeeeb.dll
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2007-11-11 15:35:01 9,027,336 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-11-07 18:26:48 32,768 ----a-w C:\WINDOWS\system32\rMa06yy\rMa06yy1083.exe
+ 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2007-11-12 20:39:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2538ab79-2371-4dbd-99ca-d954fed5a0ce}]
2007-11-11 14:17 79936 --a------ C:\WINDOWS\system32\nldyltet.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FD133FD-CD3E-4277-9B4F-C47CAEEAE9DB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C5B9CF8-7E88-4291-8C74-F41EEC57789B}]
C:\Program Files\Windows NT\qusodyC:\WINDOWS\system32\x24\jumper83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF760E-4840-4B29-92CC-393E4D721222}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D05111EF-336A-4AC7-8D16-494ADD9614B1}]
C:\Program Files\Windows NT\qusodyC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 22:56]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 09:46]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-12 05:20]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-10-28 18:26]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 09:20]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"18e2ca85"="C:\WINDOWS\system32\mgfqcfcr.dll" [2007-11-11 14:20]
"runner1"="C:\WINDOWS\mrofinu1188.exe" [2007-11-12 15:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\WINDOWS\system32\hggeeeb.dll [2007-11-12 15:42 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggeeeb]
hggeeeb.dll 2007-11-12 15:42 36352 C:\WINDOWS\system32\hggeeeb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-10-18 19:47 75064 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wukenmvu]
wukenmvu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\18e2ca85]
rundll32.exe "C:\WINDOWS\system32\gepufcrx.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorGuard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySpotter System Defender]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufmq]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2C-CA-A2-2A-ZN}]
C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 15:40:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\rcfcqfgm.ini 590356 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-12 15:47:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 14:15
C:\ComboFix3.txt ... 2007-11-10 14:05
.
--- E O F ---

Oldmartian
QUOTE(HJThis @ Nov 12 2007, 06:19 PM) *
Hi.Oldmartian

Sorry for the holdup here.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quote box below into it (but don't include the word: quote). Make sure to use NotePad and nothing else.
Save this as CFScript.txt, in the same location as ComboFix.exe

Click to view attachment

Referring to the picture above, drag CFScript into ComboFix.exe


I got confused when running HijackThis this time. I didn't go to the main menu and instead clicked "scan."

I see one of the items is back with a different file name, one is back the same as it is in your list, and a new one is there that looks suspicious:

Changed one:
O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\qadfpxi.dll",b

One is back:
O20 - Winlogon Notify: hggeeeb - C:\WINDOWS\SYSTEM32\hggeeeb.dll

One is new:
O20 - Winlogon Notify: mvjuolfrhggeeeb - C:\WINDOWS\SYSTEM32\mvjuolfr.dll

I hope I didn't mess anything up, but the pop-ups are still popping. I now have 8 IE windows suggesting I buy some malware protection.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:34:49 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\aylvbafi.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.spaceweather.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\WINDOWS\system32\hggeeeb.dll
O2 - BHO: {70a5ca71-dd59-7f4a-b204-53a928b75e81} - {18e57b82-9a35-402b-a4f7-95dd17ac5a07} - C:\WINDOWS\system32\gjguldsi.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mvjuolfr.dll
O2 - BHO: (no name) - {E23C27E9-CB73-41FD-9207-DBB70F551E0C} - C:\WINDOWS\system32\ssqpp.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mvjuolfr.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\lqadfpxi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm027XXUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1488f2f8062bf893f022/...ip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094070805359
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.samsphotoclub.com/upload/WebUploadClient.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: hggeeeb - C:\WINDOWS\SYSTEM32\hggeeeb.dll
O20 - Winlogon Notify: mvjuolfr - C:\WINDOWS\SYSTEM32\mvjuolfr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\aylvbafi.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8241 bytes
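
Editor's added example (not code from the thread, from HijackThis or from ComboFix): the log above is triaged by eye for a handful of patterns, and the same triage fits in a short Python script over the O2/O3/O4/O20/O23 line shapes HijackThis prints. It assumes a stock XP layout for the core binaries, treats a browser add-on that lives under the Windows tree as odd, and treats one DLL registered as BHO, toolbar and Winlogon Notify package at the same time as the strongest signal; those rules, the thresholds and the choice of sample lines are mine. The sample lines themselves are copied from the HijackThis output posted in this thread.

```python
"""Triage of HijackThis-style log lines (editor's added example).
Not code from HijackThis, ComboFix or this thread: it parses the O2/O3/O4/O20/O23
line shapes seen in the logs above and applies the checks a responder does by
eye. The expected-home table and the two add-on/multi-hook rules are my assumptions.
"""
import re
from collections import defaultdict, namedtuple

SYS32 = "c:\\windows\\system32"
# Where core XP binaries belong (assumption: stock layout); a copy elsewhere masquerades.
CORE_HOMES = {n: SYS32 for n in ("svchost.exe", "winlogon.exe", "lsass.exe",
                                 "services.exe", "smss.exe", "csrss.exe")}
CORE_HOMES["explorer.exe"] = "c:\\windows"
PATH_RE = re.compile(r'([a-z]:\\[^"<>|*?,]+?\.(?:exe|dll|sys))', re.I)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+"?\s*,\s*\w{1,2}\s*$', re.I)
ORPHAN_MARKERS = ("(file missing)", "(no file)")
RANK = {"low": 1, "medium": 2, "high": 3}
SHAPES = {  # one regex per HJT section handled; keys are the section tags used below
    "O2": r"^O2 - BHO: (?P<name>.*?) - \S+ - (?P<target>.*)$",
    "O3": r"^O3 - Toolbar: (?P<name>.*?) - \S+ - (?P<target>.*)$",
    "O4": r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>.*?)\] (?P<target>.*)$",
    "O20": r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<target>.*)$",
    # An empty vendor field renders as "Name - - path", hence the loose spacing.
    "O23": r"^O23 - Service: (?P<name>.*?) -\s*(?P<vendor>.*?)\s*- (?P<target>.*)$",
}
# severity: high/medium/low; section: "O20", or "O2+O20" for a cross-hit; path: lower-cased, "" if none.
Finding = namedtuple("Finding", "severity section path reason")

def parse(line):
    """(section, fields) for the shapes above; None for anything else."""
    for section, pattern in SHAPES.items():
        m = re.match(pattern, line.strip())
        if m:
            return section, m.groupdict()
    return None

def triage(lines):
    """Per-entry checks, then the cross-entry check, over HJT log lines."""
    findings, load_points = [], defaultdict(set)
    for raw in lines:
        parsed = parse(raw)
        if parsed is None:
            continue
        section, f = parsed
        target = f["target"]
        if any(mark in target for mark in ORPHAN_MARKERS) or target.strip() in ("", "\\"):
            findings.append(Finding("low", section, "", "orphan load point: no file behind it"))
            continue
        path = m.group(1).lower() if (m := PATH_RE.search(target)) else ""
        if path:
            load_points[path].add(section)
        folder, _, base = path.rpartition("\\")
        home = CORE_HOMES.get(base)
        if home and folder != home:
            findings.append(Finding("high", section, path, f"{base} running from {folder}, expected {home}"))
        if section in ("O2", "O3") and path.startswith("c:\\windows\\"):
            anonymous = f["name"] == "(no name)" or CLSID_RE.fullmatch(f["name"]) is not None
            findings.append(Finding("high" if anonymous else "medium", section, path,
                                    "browser add-on loaded from the Windows tree" + (", no display name" if anonymous else "")))
        if section == "O4" and RUNDLL_RE.match(target):
            findings.append(Finding("high", section, path, "rundll32 Run value calling a short export"))
        if section == "O20":
            findings.append(Finding("medium", section, path, "Winlogon Notify DLL runs inside winlogon.exe: confirm vendor"))
        if section == "O23" and f.get("vendor") == "":
            findings.append(Finding("high", section, path, "service binary with no vendor string"))
    # One DLL hooked as BHU/toolbar/Winlogon Notify at once re-creates itself from whichever hook survives a partial fix.
    for path, sections in sorted(load_points.items()):
        if len(sections) > 1:
            findings.append(Finding("high", "+".join(sorted(sections)), path, "same DLL hooked into several load points"))
    return findings

def summarize(findings):
    """Worst severity per file: the 'fix first' list."""
    worst = {}
    for fnd in findings:
        if fnd.path and RANK[fnd.severity] > RANK.get(worst.get(fnd.path), 0):
            worst[fnd.path] = fnd.severity
    return worst

# Sample lines copied from the HijackThis output posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\WINDOWS\system32\hggeeeb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mvjuolfr.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mvjuolfr.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [18e2ca85] rundll32.exe "C:\WINDOWS\system32\lqadfpxi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: hggeeeb - C:\WINDOWS\SYSTEM32\hggeeeb.dll
O20 - Winlogon Notify: mvjuolfr - C:\WINDOWS\SYSTEM32\mvjuolfr.dll
O20 - Winlogon Notify: wukenmvu - wukenmvu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\LavasoftAd-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\aylvbafi.exe
""".strip().splitlines()

if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"[{fnd.severity:6}] {fnd.section:9} {fnd.path or '-'}  {fnd.reason}")
```

Run against the sample, the entries HJThis singled out come out high (hggeeeb.dll, mvjuolfr.dll, the Fonts copy of svchost.exe, the rundll32 Run value and the vendor-less DomainService) while the Java, HP, ctfmon and Ad-Aware entries stay quiet. The cross-entry check is the part worth keeping: a DLL hooked as BHO, toolbar and Winlogon Notify package reloads from whichever hook a fix leaves behind, which is one common reason entries like these reappear after a HijackThis fix of the O2 lines alone.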

HJThis
Hi.Oldmartian

Hm let's try this.

Please download
VundoFix.exe
to your desktop.

Don't run it just yet.


=====================

Please just update it for now; run it after you use VundoFix.

Download and then run SuperAntispyware

1. On the first page select Check for Updates
2. On completion select SCAN YOUR COMPUTER
3. On the next page select COMPLETE SCAN and tick ALL your drives
4. The next stage will take a while as your entire drive(s), memory and registry are scanned
5. When it has completed click NEXT
6. The next screen shows the problems found; click OK
7. On the next screen place a tick against all items and select NEXT
8. Now, to get the log, go to the PREFERENCES button at the bottom right
9. Select the STATISTICS/LOG tab
10. Highlight the scan just completed and click VIEW LOG
11. This will open a Notepad text file; copy and paste it into your next reply

=======================

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt

Then return here with the Vundo log and SuperAntispyware log


Gogo
Oldmartian
QUOTE(HJThis @ Nov 12 2007, 09:42 PM) *

I just got this email a minute after I shut her computer down. She's not home, so I'll have to do this in the morning. Thanks. OM
Oldmartian
QUOTE(Oldmartian @ Nov 12 2007, 09:58 PM) *


I talked to her this morning and she said that the Windows login window came up and wants a password. She doesn't use a password or the login window when she starts the computer. She's the only user. I'm going down to investigate. I'll try a Safe Mode log-in and see what I can find.

Thanks for waiting...
Fred (Oldmartian)
Oldmartian
QUOTE(Oldmartian @ Nov 13 2007, 11:33 AM) *

REAL TROUBLE!

No Safe Mode, Administrator or Owner logins work. They all need a password. I've tried the usual suspects ("admin", "administrator", "password", blank), all to no avail. Her computer is locked up tight. She's never used a password. I'm at her house now, using a laptop on dial-up to type this message.

I'm going to seek help elsewhere on the Net to try to get into the computer. If you know any sites that might offer help in this regard, please respond. At this point we're desperate.

The only data loss is all her emails and all her MyDocuments stuff, which isn't too much, but this is embarrassing to me.

Thanks in advance for any ideas you might have.

Oldmartian (Fred)
HJThis
Hi.Oldmartian

Sorry, somehow you got past me. She does have a lot of stuff on the PC; I hate to say it, but a reinstall or reformat may be the best way to go. As I said, I hate to say it, but sometimes it's the way to go.

Best of luck; tell us what's up.

Gogo
Oldmartian
QUOTE(HJThis @ Nov 15 2007, 09:49 AM) *

I've also come to that conclusion. I tried to install a parallel WinXP (different directory) because her HD won't partition. I tried the OPHCRACK .iso (a Linux LiveCD boot disk) to read the passwords. Both fields are "empty." I tried the disk on my own computer and it discovered my password pretty quickly. Anyway, the new WinXP install didn't work because of CD read errors. Her computer has a black cloud over it.

I'm going to take it to my house and boot a Linux LiveCD distro and see if I can recover her email addresses. I think she'd be happy with that.

I think that as far as the virus goes, this is a "case closed" condition, because I'm going to format and reinstall, as you suggested above. I haven't answered because I spent a good deal of time trying to find software to recover passwords and then on the attempt at reinstalling. If I cannot even get beyond the login screen, I don't have to worry about the virus/trojan or whatever!!

I thank you for your help. I really thought we had it licked, though.
Fred (Oldmartian)