Full Version: Another win32.trojandownloader.zlob problem
chicago
Been trying to follow the advice you guys have given to everyone, but this D*mn thing keeps coming back after a few hours. I've run Ad-Aware (obviously), Spybot, Windows Defender, VundoFix, SDFix, SmitFraud Fix, FixIEDef, ComboFix, etc. I'll post my ComboFix and DSS scan results. Any help would be greatly appreciated...

Deckard's System Scanner v20071014.68
Run by on 2007-11-23 09:33:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).

-- HijackThis (run as .exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33, on 2007-11-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\XXX\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\XXX.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {0025FF5C-8A6F-421E-9C34-E2C63D9579D6} - C:\Program Files\MSN\meroxej4444.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {f33713d3-82ca-2c68-e2b4-53fa7fe2fdf1} - {1fdf2ef7-af35-4b2e-86c2-ac283d31733f} - C:\WINDOWS\system32\eqvjrcbk.dll
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - C:\WINDOWS\system32\cbxvsst.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {584E5B14-9FC3-4763-9F6D-59A91968D0C0} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {631F5407-5479-4634-A37F-E5C95C296670} - C:\WINDOWS\system32\mljgf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A695CA06-632B-4BA8-A2F1-225599FFE066} - C:\Program Files\MSN\meroxej83122.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195654983611
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.us-resources.com/dwa7W.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FMFC.com
O17 - HKLM\Software\..\Telephony: DomainName = FMFC.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FMFC.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FMFC.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cbxvsst - C:\WINDOWS\SYSTEM32\cbxvsst.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8042 bytes

-- Files created between 2007-10-23 and 2007-11-23 -----------------------------

2007-11-23 09:23:49 6637 --ahs---- C:\WINDOWS\system32\fgjlm.ini2
2007-11-23 09:23:44 325728 --a------ C:\WINDOWS\system32\mljgf.dll
2007-11-22 00:39:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-22 00:39:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-22 00:29:12 0 d-------- C:\VundoFix Backups
2007-11-22 00:19:16 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-22 00:19:16 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-22 00:19:16 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-22 00:19:16 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-22 00:19:16 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-21 23:30:18 0 d-------- C:\WINDOWS\pss
2007-11-21 22:56:50 85056 --a------ C:\WINDOWS\system32\guhlqxnm.dll
2007-11-21 22:56:10 80960 --a------ C:\WINDOWS\system32\eqvjrcbk.dll
2007-11-21 13:41:14 0 d-------- C:\Program Files\LogMeIn
2007-11-21 10:21:09 0 d-------- C:\Program Files\Windows Live Safety Center
2007-11-20 23:42:52 1762 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-20 23:38:33 0 d-------- C:\Program Files\Java
2007-11-20 23:38:25 0 d-------- C:\Program Files\Common Files\Java
2007-11-19 00:43:11 0 d-------- C:\WINDOWS\ERUNT
2007-11-17 23:50:06 38912 --a------ C:\WINDOWS\system32\ddcyxyv.dll
2007-11-17 23:49:31 38912 --a------ C:\WINDOWS\system32\opnllij.dll
2007-11-17 23:46:18 0 d-------- C:\WINDOWS\system32\484748514A535
2007-11-17 23:45:41 124416 --a------ C:\WINDOWS\system32\2423242D262F2.exe <Not Verified; ; Explorer>
2007-11-17 23:44:57 0 d-------- C:\WINDOWS\system32\rMa01yy
2007-11-17 23:44:57 38912 --a------ C:\WINDOWS\system32\cbxvsst.dll
2007-10-23 12:20:47 0 d--h----- C:\_rpcs
2007-10-23 12:08:22 0 d-------- C:\Documents and Settings\mike\Application Data\Intel
2007-10-23 12:08:22 0 d-------- C:\Documents and Settings\mike\Application Data\Identities
2007-10-23 12:08:22 0 d-------- C:\Documents and Settings\mike\Application Data\Google
2007-10-23 12:08:22 0 d-------- C:\Documents and Settings\mike\Application Data\Adobe
2007-10-23 12:08:21 0 dr------- C:\Documents and Settings\mike\Favorites
2007-10-23 12:08:21 0 d-------- C:\Documents and Settings\mike\Desktop
2007-10-23 12:08:21 0 d--hs---- C:\Documents and Settings\mike\Cookies
2007-10-23 12:08:21 0 dr-h----- C:\Documents and Settings\mike\Application Data
2007-10-23 12:08:21 0 d-------- C:\Documents and Settings\mike\Application Data\Sun
2007-10-23 12:08:21 0 d-------- C:\Documents and Settings\mike\Application Data\Sonic
2007-10-23 12:08:21 0 d---s---- C:\Documents and Settings\mike\Application Data\Microsoft
2007-10-23 12:08:18 0 d--h----- C:\Documents and Settings\mike\Local Settings
2007-10-23 12:08:17 0 d---s---- C:\Documents and Settings\mike\UserData
2007-10-23 12:08:17 0 d--h----- C:\Documents and Settings\mike\Templates
2007-10-23 12:08:17 0 dr------- C:\Documents and Settings\mike\Start Menu
2007-10-23 12:08:17 0 dr-h----- C:\Documents and Settings\mike\SendTo
2007-10-23 12:08:17 0 dr-h----- C:\Documents and Settings\mike\Recent
2007-10-23 12:08:17 0 d--h----- C:\Documents and Settings\mike\PrintHood
2007-10-23 12:08:17 0 d--h----- C:\Documents and Settings\mike\NetHood
2007-10-23 12:08:17 0 dr------- C:\Documents and Settings\mike\My Documents
2007-10-23 12:08:15 1048576 --ah----- C:\Documents and Settings\mike\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2007-11-21 23:57:12 0 d-------- C:\Program Files\Windows Defender
2007-11-21 13:59:56 0 d-------- C:\Program Files\Trillian
2007-11-20 23:38:25 0 d-------- C:\Program Files\Common Files
2007-11-20 21:54:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-20 21:52:33 0 d-------- C:\Program Files\EA GAMES
2007-11-18 23:38:50 0 d-------- C:\Program Files\Trend Micro
2007-11-12 16:00:29 0 d-------- C:\Documents and Settings\XXX\Application Data\AdobeUM
2007-10-24 09:58:12 0 d-------- C:\Documents and Settings\XXX\Application Data\ShoreWare Client
2007-10-12 12:25:28 0 d-------- C:\Program Files\A.M. Best Company
2007-10-12 12:25:08 0 d-------- C:\Documents and Settings\XXX\Application Data\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0025FF5C-8A6F-421E-9C34-E2C63D9579D6}]
C:\Program Files\MSN\meroxej4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1fdf2ef7-af35-4b2e-86c2-ac283d31733f}]
2007-11-21 22:56 80960 --a------ C:\WINDOWS\system32\eqvjrcbk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-17 23:44 38912 --a------ C:\WINDOWS\system32\cbxvsst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{584E5B14-9FC3-4763-9F6D-59A91968D0C0}]
C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{631F5407-5479-4634-A37F-E5C95C296670}]
2007-11-23 09:23 325728 --a------ C:\WINDOWS\system32\mljgf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A695CA06-632B-4BA8-A2F1-225599FFE066}]
C:\Program Files\MSN\meroxej83122.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-07 19:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"= C:\WINDOWS\system32\cbxvsst.dll [2007-11-17 23:44 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvsst]
cbxvsst.dll 2007-11-17 23:44 38912 C:\WINDOWS\system32\cbxvsst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1003\Scripts\Logon\]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1112\Scripts\Logon\]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1981\Scripts\Logon\]
"Script"=ACCT.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1981\Scripts\Logon\1]
"Script"=acctexec.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-500\Scripts\Logon\]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup



ComboFix 07-11-19.3 XXX - 2007-11-23 0:24:31.2 - NTFSx86
Running from: C:\Documents and Settings\XXX\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\sstqp.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-22 00:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-22 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-22 00:30 <DIR> d-------- C:\Deckard
2007-11-22 00:29 <DIR> d-------- C:\VundoFix Backups
2007-11-22 00:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-22 00:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-22 00:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-21 22:56 85,056 --a------ C:\WINDOWS\system32\guhlqxnm.dll
2007-11-21 22:56 80,960 --a------ C:\WINDOWS\system32\eqvjrcbk.dll
2007-11-21 13:43 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-11-21 13:41 <DIR> d-------- C:\Program Files\LogMeIn
2007-11-21 10:21 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-21 09:24 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-20 23:40 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-20 23:38 <DIR> d-------- C:\Program Files\Java
2007-11-20 23:38 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-19 11:49 2,238 --a------ C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
2007-11-19 00:43 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-17 23:50 38,912 --a------ C:\WINDOWS\system32\ddcyxyv.dll
2007-11-17 23:49 38,912 --a------ C:\WINDOWS\system32\opnllij.dll
2007-11-17 23:46 <DIR> d-------- C:\WINDOWS\system32\484748514A535
2007-11-17 23:45 124,416 --a------ C:\WINDOWS\system32\2423242D262F2.exe
2007-11-17 23:44 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-17 23:44 <DIR> d-------- C:\Temp\abW9
2007-11-17 23:44 38,912 --a------ C:\WINDOWS\system32\cbxvsst.dll
2007-10-23 12:20 <DIR> d--h----- C:\_rpcs
2007-10-23 12:08 <DIR> d---s---- C:\Documents and Settings\mike\UserData
2007-10-23 12:08 <DIR> d-------- C:\Documents and Settings\mike\Application Data\Sonic
2007-10-23 12:08 <DIR> d-------- C:\Documents and Settings\mike\Application Data\Intel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 04:57 --------- d-----w C:\Program Files\Windows Defender
2007-11-21 18:59 --------- d-----w C:\Program Files\Trillian
2007-11-21 02:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 02:52 --------- d-----w C:\Program Files\EA GAMES
2007-11-19 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 04:38 --------- d-----w C:\Program Files\Trend Micro
2007-11-15 23:46 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2007-11-15 23:46 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-11-15 23:46 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2007-11-15 23:46 21,496 ----a-w C:\WINDOWS\system32\LMIport.dll
2007-11-15 23:46 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2007-11-12 21:00 --------- d-----w C:\Documents and Settings\XXX\Application Data\AdobeUM
2007-10-24 14:58 --------- d-----w C:\Documents and Settings\XXX\Application Data\ShoreWare Client
2007-10-20 21:18 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-10-20 21:18 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-10-12 17:25 --------- d-----w C:\Program Files\A.M. Best Company
2007-10-12 17:25 --------- d-----w C:\Documents and Settings\XXX\Application Data\InstallShield
2007-10-04 04:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-09-28 16:45 --------- d-----w C:\Documents and Settings\XXX\Application Data\InstallShield
2007-09-12 14:19 8,784 ----a-w C:\WINDOWS\system32\ractrlkeyhook.dll
2007-09-06 04:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-22_16.38.20.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-23 05:36:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2e8.dat
+ 2007-11-23 05:36:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b7c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0025FF5C-8A6F-421E-9C34-E2C63D9579D6}]
C:\Program Files\MSN\meroxej4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1fdf2ef7-af35-4b2e-86c2-ac283d31733f}]
2007-11-21 22:56 80960 --a------ C:\WINDOWS\system32\eqvjrcbk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-17 23:44 38912 --a------ C:\WINDOWS\system32\cbxvsst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{584E5B14-9FC3-4763-9F6D-59A91968D0C0}]
C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A695CA06-632B-4BA8-A2F1-225599FFE066}]
C:\Program Files\MSN\meroxej83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-07 19:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"= C:\WINDOWS\system32\cbxvsst.dll [2007-11-17 23:44 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvsst]
cbxvsst.dll 2007-11-17 23:44 38912 C:\WINDOWS\system32\cbxvsst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1003\Scripts\Logon\0\0]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1112\Scripts\Logon\0\0]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1981\Scripts\Logon\0\0]
"Script"=ACCT.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1981\Scripts\Logon\1\0]
"Script"=acctexec.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-500\Scripts\Logon\0\0]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XXX^Start Menu^Programs^Startup^IRM Offline Refresh.lnk]
path=C:\Documents and Settings\XXX\Start Menu\Programs\Startup\IRM Offline Refresh.lnk
backup=C:\WINDOWS\pss\IRM Offline Refresh.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00cdadb8]
rundll32.exe C:\WINDOWS\system32\guhlqxnm.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECEBECF5EEF7F6F]
2423242D262F2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kic]
C:\Documents and Settings\XXX\Application Data\M?crosoft.NET\wowexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2007-08-03 15:09 63048 --a------ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srrp]
C:\PROGRA~1\MBOLS~1\scanregw.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 06:44:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 09:19:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 9:21:44 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-22 16:39
.
--- E O F ---





[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XXX^Start Menu^Programs^Startup^IRM Offline Refresh.lnk]
path=C:\Documents and Settings\XXX\Start Menu\Programs\Startup\IRM Offline Refresh.lnk
backup=C:\WINDOWS\pss\IRM Offline Refresh.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupregcdadb8]
rundll32.exe "C:\WINDOWS\system32\guhlqxnm.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECEBECF5EEF7F6F]
2423242D262F2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kic]
"C:\Documents and Settings\XXX\Application Data\M?crosoft.NET\wowexec.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srrp]
"C:\PROGRA~1\MBOLS~1\scanregw.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

-- End of Deckard's System Scanner: finished at 2007-11-23 09:34:13 ------------
chicago
Can anyone help here? My problem disappeared but then reappeared exactly as before after 12 hours. I've mirrored about every suggestion I could find from other posts but I am not having any luck here....
HJThis
Hello chicago & Welcome

Please don't post any more logs unless asked for.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: vundofix.vft
Save As Type: All Files (*.*)

CODE
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\guhlqxnm.dll
C:\WINDOWS\system32\eqvjrcbk.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\ddcyxyv.dll
C:\WINDOWS\system32\opnllij.dll
C:\WINDOWS\system32\484748514A535
C:\WINDOWS\system32\2423242D262F2.exe
C:\WINDOWS\system32\cbxvsst.dll
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\jkhfc.dll

* Close all other windows and programs.
* Double-click VundoFix.exe to run it.
* Drag vundofix.vft onto the listbox (white box) of VundoFix.
* Click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new combofix log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Gogo
chicago
Thanks for checking into this. I did as you requested and ran VundoFix and ComboFix. Vundo could not delete all the files, but attached are the logs. Thanks.


VundoFix V6.6.2

Checking Java version...

Scan started at 12:29:12 AM 11/22/2007

Listing files found while scanning....

C:\windows\system32\efqrpofj.dll
C:\windows\system32\efqrpofj.dllbox
C:\windows\system32\ydrfwwcy.dll

Beginning removal...

Attempting to delete C:\windows\system32\efqrpofj.dll
C:\windows\system32\efqrpofj.dll Has been deleted!

Attempting to delete C:\windows\system32\efqrpofj.dllbox
C:\windows\system32\efqrpofj.dllbox Has been deleted!

Attempting to delete C:\windows\system32\ydrfwwcy.dll
C:\windows\system32\ydrfwwcy.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 10:16:51 PM 11/23/07

Listing files found while scanning....

C:\windows\system32\qoixaokn.dll
C:\windows\system32\qoixaokn.dllbox
C:\windows\system32\wleduqxo.dll

Beginning removal...

Attempting to delete C:\windows\system32\qoixaokn.dll
C:\windows\system32\qoixaokn.dll Could not be deleted.

Attempting to delete C:\windows\system32\qoixaokn.dllbox
C:\windows\system32\qoixaokn.dllbox Has been deleted!

Attempting to delete C:\windows\system32\wleduqxo.dll
C:\windows\system32\wleduqxo.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\qoixaokn.dll
C:\windows\system32\qoixaokn.dll Has been deleted!

Attempting to delete C:\windows\system32\qoixaokn.dllbox
C:\windows\system32\qoixaokn.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 15:38:25 2007-11-24

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\2423242D262F2.exe
C:\WINDOWS\system32\2423242D262F2.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\484748514A535
C:\WINDOWS\system32\484748514A535 Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cbxvsst.dll
C:\WINDOWS\system32\cbxvsst.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddcyxyv.dll
C:\WINDOWS\system32\ddcyxyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eqvjrcbk.dll
C:\WINDOWS\system32\eqvjrcbk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnllij.dll
C:\WINDOWS\system32\opnllij.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy Could not be deleted.

Attempting to delete C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.reg Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\484748514A535
C:\WINDOWS\system32\484748514A535 Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cbxvsst.dll
C:\WINDOWS\system32\cbxvsst.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\484748514A535
C:\WINDOWS\system32\484748514A535 Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cbxvsst.dll
C:\WINDOWS\system32\cbxvsst.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

ComboFix 07-11-19.3 - jwawok 2007-11-25 13:09:40.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT -5:00]
Running from: C:\Documents and Settings\jwawok\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-24 20:56 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-24 20:56 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-24 20:54 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-24 20:54 2,885,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-24 20:54 40,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-24 20:54 14,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-24 20:54 2,324 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-24 20:45 <DIR> d-------- C:\KAV
2007-11-24 12:08 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-23 21:34 776,411 --ahs---- C:\WINDOWS\system32\wiixuefl.ini
2007-11-23 21:33 83,520 --a------ C:\WINDOWS\system32\rnqlvoah.dll
2007-11-22 00:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-22 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-22 00:30 <DIR> d-------- C:\Deckard
2007-11-22 00:29 <DIR> d-------- C:\VundoFix Backups
2007-11-21 22:57 713,636 --ahs---- C:\WINDOWS\system32\mnxqlhug.ini
2007-11-21 13:43 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-11-21 13:43 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-11-21 13:43 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-11-21 13:42 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-11-21 13:41 <DIR> d-------- C:\Program Files\LogMeIn
2007-11-21 10:21 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-21 09:24 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-20 23:42 0 --a------ C:\WINDOWS\system32\tmp.txt
2007-11-20 23:40 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-20 23:39 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-20 23:38 <DIR> d-------- C:\Program Files\Java
2007-11-20 23:38 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-19 11:49 2,238 --a------ C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
2007-11-19 00:43 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-18 23:32 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-17 23:46 <DIR> d-------- C:\WINDOWS\system32\484748514A535
2007-11-17 23:44 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-17 23:44 <DIR> d-------- C:\Temp\abW9
2007-11-17 23:44 38,912 --------- C:\WINDOWS\system32\cbxvsst.dll
2007-11-15 18:46 23,736 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-11-15 18:46 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 04:57 --------- d-----w C:\Program Files\Windows Defender
2007-11-21 18:59 --------- d-----w C:\Program Files\Trillian
2007-11-21 02:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 02:52 --------- d-----w C:\Program Files\EA GAMES
2007-11-19 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 04:38 --------- d-----w C:\Program Files\Trend Micro
2007-11-12 21:00 --------- d-----w C:\Documents and Settings\jwawok\Application Data\AdobeUM
2007-10-24 14:58 --------- d-----w C:\Documents and Settings\jwawok\Application Data\ShoreWare Client
2007-10-20 21:18 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-10-20 21:18 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-10-12 17:25 --------- d-----w C:\Program Files\A.M. Best Company
2007-10-12 17:25 --------- d-----w C:\Documents and Settings\jwawok\Application Data\InstallShield
2007-09-28 16:45 --------- d-----w C:\Documents and Settings\klines\Application Data\InstallShield
2007-09-12 14:19 8,784 ----a-w C:\WINDOWS\system32\ractrlkeyhook.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-22_16.38.20.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-24 17:10:22 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2007-11-24 17:10:23 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2007-11-24 17:10:23 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2007-11-24 17:10:30 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-25 15:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2007-10-25 15:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2007-11-24 17:10:32 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2007-11-24 17:10:24 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2007-10-25 15:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2007-10-25 15:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-06-27 22:31:58 186,640 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
- 2006-01-09 14:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 10:20:32 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2007-11-25 18:07:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4c0.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 155,648 2004-09-13 22:33:20 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 344,064 2005-05-13 03:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 110,592 2004-01-07 07:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 53,248 2004-04-26 14:04:14 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 684,032 2005-09-01 23:24:08 C:\Program Files\Dell\QuickSet\bak\quickset.exe

----a-w 49,152 2004-09-13 20:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 20:49:00 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

----a-w 385,024 2004-10-30 20:59:54 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe

----a-w 139,264 2006-05-02 18:11:48 C:\Program Files\McAfee\Managed VirusScan\Agent\bak\myagttry.exe

----a-w 409,600 2006-05-02 18:27:26 C:\Program Files\McAfee\Managed VirusScan\Agent\bak\Splash.exe

----a-w 282,624 2006-08-23 03:15:42 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-09-01 20:57:48 C:\Program Files\QuickTime\qttask.exe

----a-w 777,424 2006-04-03 22:12:24 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 866,584 2006-11-04 00:20:12 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 127,035 2004-12-06 07:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0025FF5C-8A6F-421E-9C34-E2C63D9579D6}]
C:\Program Files\MSN\meroxej4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-17 23:44 38912 --------- C:\WINDOWS\system32\cbxvsst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{584E5B14-9FC3-4763-9F6D-59A91968D0C0}]
C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83b2c75f-e948-4b5a-85fe-d8665d63bc77}]
2007-11-23 21:33 83520 --a------ C:\WINDOWS\system32\rnqlvoah.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A695CA06-632B-4BA8-A2F1-225599FFE066}]
C:\Program Files\MSN\meroxej83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"= C:\WINDOWS\system32\cbxvsst.dll [2007-11-17 23:44 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
C:\WINDOWS\system32\klogon.dll 2007-06-28 12:51 206088 C:\WINDOWS\system32\klogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1003\Scripts\Logon\0\0]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1112\Scripts\Logon\0\0]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1981\Scripts\Logon\0\0]
"Script"=ACCT.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-1981\Scripts\Logon\1\0]
"Script"=acctexec.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-269370820-263920120-1236795852-500\Scripts\Logon\0\0]
"Script"=is.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jwawok^Start Menu^Programs^Startup^IRM Offline Refresh.lnk]
path=C:\Documents and Settings\jwawok\Start Menu\Programs\Startup\IRM Offline Refresh.lnk
backup=C:\WINDOWS\pss\IRM Offline Refresh.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00cdadb8]
rundll32.exe C:\WINDOWS\system32\guhlqxnm.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECEBECF5EEF7F6F]
2423242D262F2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kic]
C:\Documents and Settings\jwawok\Application Data\M?crosoft.NET\wowexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2007-08-03 15:09 63048 --a------ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srrp]
C:\PROGRA~1\MBOLS~1\scanregw.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
Contents of the 'Scheduled Tasks' folder
"2007-11-25 18:10:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 13:12:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 13:13:56
C:\ComboFix2.txt ... 2007-11-25 12:58
C:\ComboFix3.txt ... 2007-11-25 12:16
.
--- E O F ---

HJThis
Hi.chicago

Sorry for the hold-up here.

Back up the Registry:

Navigate to Start | Run and paste the following:

regedit /e c:\registrybackup.reg

Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

=============================

WINDOWS DEFENDER

* Click Start > Programs > Windows Defender or launch from the system tray icon.
* Click on Tools & Settings > Options.
* Under Real-time protection options, uncheck the "Real-time protection" check box.
* Click Save.
* Go to Start > Control Panel > Security > Windows Defender. At the bottom of the Windows Defender page, under Administrator Options, uncheck "use Windows Defender" and then Save.
* (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)

=============================
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quote box below into it (but don't include the word: quote). Make sure to use NotePad and nothing else.

QUOTE
File::
C:\WINDOWS\system32\wiixuefl.ini
C:\WINDOWS\system32\rnqlvoah.dll
C:\WINDOWS\system32\mnxqlhug.ini
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\cbxvsst.dll
C:\WINDOWS\system32\lmimirr.dll
C:\WINDOWS\system32\lmimirr2.dll

Folder::
C:\WINDOWS\system32\484748514A535
C:\WINDOWS\system32\rMa01yy
C:\Temp\abW9

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0025FF5C-8A6F-421E-9C34-E2C63D9579D6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{584E5B14-9FC3-4763-9F6D-59A91968D0C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83b2c75f-e948-4b5a-85fe-d8665d63bc77}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A695CA06-632B-4BA8-A2F1-225599FFE066}]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECEBECF5EEF7F6F]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kic]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srrp]


Save this as CFScript.txt, in the same location as ComboFix.exe

Click to view attachment

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it will produce a log for you at "C:\ComboFix.txt"


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Then come back here with both the HijackThis log and ComboFix.txt


Gogo
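Added example (not part of the original thread, and not code from VundoFix or ComboFix): a small Python check that reads the VundoFix result lines posted above, keeps the last result reported for each path across the repeated passes, and confirms that every path still reported as "Could not be deleted" is listed under File:: or Folder:: in the CFScript. The function names are hypothetical; the log and script excerpts are copied from the posts above.

```python
import re

# Result lines copied from the VundoFix logs posted above (11/23 and 11-24 runs).
VUNDOFIX_LOG = r"""
Attempting to delete C:\windows\system32\qoixaokn.dll
C:\windows\system32\qoixaokn.dll Could not be deleted.
C:\windows\system32\wleduqxo.dll Has been deleted!
C:\windows\system32\qoixaokn.dll Has been deleted!
C:\WINDOWS\system32\2423242D262F2.exe Has been deleted!
C:\WINDOWS\system32\484748514A535 Could not be deleted.
C:\WINDOWS\system32\cbxvsst.dll Could not be deleted.
C:\WINDOWS\system32\rMa01yy Could not be deleted.
C:\WINDOWS\system32\tmp.reg Has been deleted!
C:\WINDOWS\system32\484748514A535 Could not be deleted.
C:\WINDOWS\system32\cbxvsst.dll Could not be deleted.
C:\WINDOWS\system32\rMa01yy Could not be deleted.
"""

# Excerpt of the CFScript.txt posted above.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\rnqlvoah.dll
C:\WINDOWS\system32\cbxvsst.dll

Folder::
C:\WINDOWS\system32\484748514A535
C:\WINDOWS\system32\rMa01yy
C:\Temp\abW9

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kic]
"""

# A result line is "<path> Has been deleted!" or "<path> Could not be deleted."
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<result>Has been deleted!|Could not be deleted\.)$"
)


def final_states(log_text):
    """Map lowercased path -> (path as logged, deleted?) using the LAST result seen.

    VundoFix retries after reboot, so an early failure may be followed by success.
    Windows paths are case-insensitive, hence the lowercased key.
    """
    states = {}
    for raw in log_text.splitlines():
        match = RESULT_RE.match(raw.strip())
        if match:
            path = match.group("path")
            states[path.lower()] = (path, match.group("result").startswith("Has"))
    return states


def survivors(log_text):
    """Paths whose most recent result is still 'Could not be deleted.'"""
    return sorted(path for path, deleted in final_states(log_text).values() if not deleted)


def cfscript_targets(script_text):
    """Lowercased paths listed under File:: and Folder::; other sections are skipped."""
    targets, section = set(), None
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section in ("file", "folder"):
            targets.add(line.lower())
    return targets


def uncovered(log_text, script_text):
    """Surviving paths that the script does not list for removal."""
    targets = cfscript_targets(script_text)
    return [path for path in survivors(log_text) if path.lower() not in targets]


if __name__ == "__main__":
    print("Still present after VundoFix:", survivors(VUNDOFIX_LOG))
    print("Not covered by CFScript:", uncovered(VUNDOFIX_LOG, CFSCRIPT))
```
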