Bunch Of Different Viruses, HJT File Inside


  • This topic is locked
19 replies to this topic

#1 makaveli3005

  • Members
  • 107 posts

Posted 04 February 2008 - 09:52 PM

So I downloaded some program off of Limewire and now everything is messed up. When you try to open Internet Explorer it's very slow. It goes to the homepage and then a bunch of pop ups come. I also get error messages such as Microsoft C++ buffer underrun error. The popups are like this...http://www.interracialsingles.net/in...D1909&opt=6943

or CID popups and others. Also my desktop background is just the white error that says restore to active desktop; I click it and get another error message. How do I fix all this? Am I gonna use HijackThis and ComboFix?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:52, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\limewire\limewire.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\U74CKH7L\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {d92a6334-bebc-a6cb-f294-431d0fb388e0} - {0e883bf0-d134-492f-bc6a-cbeb4336a29d} - C:\WINDOWS\system32\pojhkyuy.dll
O2 - BHO: (no name) - {24C61C09-62C0-42ED-B640-53F7FEC9098A} - C:\WINDOWS\system32\iifeefd.dll
O2 - BHO: (no name) - {27EB87B7-2C51-4337-9BBA-794CFC4CB694} - C:\Program Files\Common Files\home83122.dll
O2 - BHO: (no name) - {2e3b89ea-e180-4628-8ca8-5a8c94dfe69d} - C:\WINDOWS\system32\jlithob.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {76A6E582-0173-4617-84A0-6437AABAE342} - C:\Program Files\Common Files\home4444.dll
O2 - BHO: (no name) - {7A6217A0-041B-4AA7-816D-0602FE93F012} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\iqdblysv.dll
O2 - BHO: 0 - {B16C1992-E89C-4FF9-48B2-248F4FDE3543} - C:\Program Files\Internet Explorer\laxuki190.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe
O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\ecxfvnhg.dll",b
O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: iifeefd - C:\WINDOWS\SYSTEM32\iifeefd.dll
O20 - Winlogon Notify: iqdblysv - C:\WINDOWS\SYSTEM32\iqdblysv.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prohdyxe.html
O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\prohdyxe.html

--
End of file - 10346 bytes

#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 February 2008 - 09:51 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 makaveli3005

  • Topic Starter

  • Members
  • 107 posts

Posted 05 February 2008 - 07:55 PM

"Valued Customer" - 2008-02-05 7:19:16 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\mllji.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Internet Explorer\prohdyxe.html
C:\Program Files\Internet Explorer\laxuki.dll
C:\Program Files\Internet Explorer\laxuki190.dll
C:\Program Files\Internet Explorer\laxuki205.dll
C:\Program Files\Internet Explorer\laxuki267.dll
C:\Program Files\Internet Explorer\laxuki541.dll
C:\Program Files\web buying\v1.8.8\wbuninst.exe
C:\Program Files\web buying\v1.8.8\webbuying.exe
C:\WINDOWS\b122.exe
C:\Program Files\web buying
C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 ))))))))))))))))))))))))))))))))))


2008-02-05 07:31 <DIR> d-------- C:\temp\tn3
2008-02-04 20:30 36,864 --a------ C:\WINDOWS\system32\fcccabb.dll
2008-02-04 19:29 93,248 --a------ C:\WINDOWS\system32\ivjlehof.dll
2008-02-04 19:29 163,904 --a------ C:\WINDOWS\system32\iqdblysv.dll
2008-02-04 19:29 163,904 --a------ C:\WINDOWS\system32\foyniuto.dll
2008-02-04 19:27 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-04 19:26 <DIR> d-------- C:\Program Files\Temporary
2008-02-04 19:26 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-04 19:23 86,016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\system32\iifeefd.dll
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\mrofinu1188.exe
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-02-04 19:23 171,520 --a------ C:\WINDOWS\system32\jlithob.dll
2008-02-04 19:23 169,147 --a------ C:\WINDOWS\TTC-4444.exe
2008-02-04 19:23 135,168 --a------ C:\WINDOWS\tk58.exe
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\tip4
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\rom1
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\nGpxx18
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\lis6
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\kps5
2008-02-04 19:23 <DIR> d-------- C:\temp\gTiis19
2008-02-04 19:23 <DIR> d-------- C:\temp\cXzz9
2008-02-04 19:23 <DIR> d-------- C:\temp\1cb
2008-02-04 19:22 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-04 08:50 93,248 --a------ C:\WINDOWS\system32\pojhkyuy.dll
2008-02-04 08:50 88,128 --a------ C:\WINDOWS\system32\ecxfvnhg.dll
2008-02-01 15:44 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\CyberLink
2008-01-26 15:53 <DIR> d-------- C:\Program Files\iPod
2008-01-15 19:27 <DIR> d-------- C:\Program Files\findokayrect
2008-01-10 21:22 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 21:20 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 21:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-10 21:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-10 21:20 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-05 01:15:06 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-26 20:52:30 -------- d-----w C:\Program Files\QuickTime
2008-01-16 16:35:03 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\findokayrect
2008-01-12 18:37:47 -------- d-----w C:\Program Files\Kazaa
2007-12-27 18:21:23 -------- d-----w C:\Program Files\mIRC
2007-12-27 00:13:15 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-27 00:13:15 -------- d-----w C:\Program Files\ToneThis 3.0
2007-12-27 00:13:12 -------- d-----w C:\Program Files\3wPlayer
2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0e883bf0-d134-492f-bc6a-cbeb4336a29d}=C:\WINDOWS\system32\pojhkyuy.dll [2008-02-04 08:50]
{24C61C09-62C0-42ED-B640-53F7FEC9098A}=C:\WINDOWS\system32\iifeefd.dll [2008-02-04 19:23]
{27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll [2007-08-02 08:43]
{2e3b89ea-e180-4628-8ca8-5a8c94dfe69d}=C:\WINDOWS\system32\jlithob.dll [2008-02-04 19:23]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 02:23]
{76A6E582-0173-4617-84A0-6437AABAE342}=C:\Program Files\Common Files\home4444.dll [2007-08-02 08:43]
{A95B2816-1D7E-4561-A202-68C0DE02353A}=C:\WINDOWS\system32\iqdblysv.dll [2008-02-04 19:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 15:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-02-05 07:33]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22]
"ec731d21"="C:\WINDOWS\system32\ecxfvnhg.dll" [2008-02-04 08:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 18:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 20:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-29 13:04]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" [2008-01-15 19:27]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-04 19:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 11:55]
"{24C61C09-62C0-42ED-B640-53F7FEC9098A}"="C:\WINDOWS\system32\iifeefd.dll" [2008-02-04 19:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
iqdblysv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\mllji

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe


Contents of the 'Scheduled Tasks' folder
2008-02-04 16:48:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-02-05 12:00:00 C:\WINDOWS\tasks\BA78920780B33787.job
2008-02-05 12:34:44 C:\WINDOWS\tasks\MP Scheduled Scan.job
2008-02-02 01:00:03 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Valued Customer.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 07:32:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-02-05 7:44:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-02-05 07:44
C:\ComboFix2.txt ... 2007-05-31 19:05
C:\ComboFix3.txt ... 2007-05-20 21:35

--- E O F ---
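Reading the two logs above together is how a thread like this gets triaged: an autostart entry in the HijackThis log (post #1) whose target file shows up in the ComboFix "Files Created" section (post #3) on the day the trouble started is the first thing to look at. The Python below is an added example, not code from the thread, HijackThis or ComboFix; the sample lines are subsets copied from those two logs, and the 2008-02-04 cutoff is taken from the ComboFix timestamps.

```python
"""Triage a HijackThis log against a ComboFix 'Files Created' listing.

Added example, not part of the thread or of either tool. An autostart entry
(O2 BHO, O4 Run, O20 Winlogon Notify, ...) whose target file was written
inside the infection window is the first thing to look at.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of the HijackThis log in post #1.
HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24C61C09-62C0-42ED-B640-53F7FEC9098A} - C:\WINDOWS\system32\iifeefd.dll
O2 - BHO: (no name) - {2e3b89ea-e180-4628-8ca8-5a8c94dfe69d} - C:\WINDOWS\system32\jlithob.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\ecxfvnhg.dll",b
O20 - Winlogon Notify: iqdblysv - C:\WINDOWS\SYSTEM32\iqdblysv.dll
"""

# Constructed sample: a subset of the ComboFix 'Files Created' section in post #3.
COMBOFIX_CREATED = r"""
2008-02-04 19:29 163,904 --a------ C:\WINDOWS\system32\iqdblysv.dll
2008-02-04 19:26 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\system32\iifeefd.dll
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\mrofinu1188.exe
2008-02-04 19:23 171,520 --a------ C:\WINDOWS\system32\jlithob.dll
2008-02-04 08:50 88,128 --a------ C:\WINDOWS\system32\ecxfvnhg.dll
2008-01-10 21:20 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
"""

# Start of the day the suspicious files appeared, per the ComboFix log.
INFECTION_DAY = datetime(2008, 2, 4)

HJT_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Drive-letter path ending in a loadable/openable extension; tolerates spaces in the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|html)\b", re.IGNORECASE)
CF_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?:[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")


@dataclass
class Entry:
    kind: str      # HijackThis section, e.g. O2, O4, O20
    name: str      # value name / BHO name / notify key
    targets: list  # normalised file paths the entry loads
    raw: str


def normalize(path):
    return path.strip().strip('"').lower()


def parse_hjt(text):
    """Turn HijackThis 'Oxx - ...' lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "O4":
            name_m = re.search(r"\[([^\]]*)\]", body)          # [value name]
        else:
            name_m = re.match(r"[^:]+: (.*?) - ", body)         # "BHO: name - ..."
        name = name_m.group(1) if name_m else body
        entries.append(Entry(kind, name, [normalize(p) for p in PATH_RE.findall(body)], line))
    return entries


def parse_combofix_created(text):
    """Map normalised path -> creation time from the 'Files Created' section."""
    created = {}
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m:
            created[normalize(m["path"])] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
    return created


def flag_recent_autostarts(entries, created, since):
    """Autostart entries whose target file was created on or after `since`."""
    flagged = []
    for e in entries:
        for t in e.targets:
            if t in created and created[t] >= since:
                flagged.append((e.kind, e.name, t, created[t].strftime("%Y-%m-%d %H:%M")))
                break
    return flagged


def run_sample():
    entries = parse_hjt(HJT_LINES)
    created = parse_combofix_created(COMBOFIX_CREATED)
    return flag_recent_autostarts(entries, created, INFECTION_DAY)


if __name__ == "__main__":
    for kind, name, path, ts in run_sample():
        print("%-4s %-12s %s  (created %s)" % (kind, name, path, ts))
```

On the sample, the Adobe BHO and ccApp drop out because no file of theirs was created in the window, while the five entries the helper later scripted away are the ones that surface.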

#4 makaveli3005

  • Topic Starter

  • Members
  • 107 posts

Posted 06 February 2008 - 12:29 AM

I can barely use IE now. Every 2 mins I'll have a page open and then a million about:blank pages pop up.

#5 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 February 2008 - 09:47 AM

I can see why. You have a very badly infected computer. This next step should help.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Folder::
C:\temp\tn3
C:\Program Files\Temporary
C:\Program Files\Drmupgds
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\rom1
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\kps5
C:\temp\gTiis19
C:\temp\cXzz9
C:\temp\1cb
C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
C:\Documents and Settings\All Users\Application Data\part dead amok eggs
C:\Documents and Settings\All Users\Application Data\beep axis mode free
C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1

File::
C:\WINDOWS\system32\fcccabb.dll
C:\WINDOWS\system32\ivjlehof.dll
C:\WINDOWS\system32\iqdblysv.dll
C:\WINDOWS\system32\foyniuto.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\drivers\ipfltdrvv.sys
C:\WINDOWS\system32\iifeefd.dll
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\jlithob.dll
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\system32\pojhkyuy.dll
C:\WINDOWS\system32\ecxfvnhg.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\watelkj.exe
C:\Program Files\Internet Explorer\prohdyxe.html
C:\Program Files\ComPlus Applications\prohdyxe.html
C:\WINDOWS\tasks\BA78920780B33787.job

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0e883bf0-d134-492f-bc6a-cbeb4336a29d}=-
{24C61C09-62C0-42ED-B640-53F7FEC9098A}=-
{2e3b89ea-e180-4628-8ca8-5a8c94dfe69d}=-
{A95B2816-1D7E-4561-A202-68C0DE02353A}=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"watelkj"=-
"o"=-
"Amok Eggs Four Web"=-
"MODE FREE BIRD SURF"=-
"ec731d21"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"logo link"=-
"Drmupgds"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=-
"o"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24C61C09-62C0-42ED-B640-53F7FEC9098A}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
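The hex(7) line in the Registry:: section of that CFScript is a REG_MULTI_SZ written out byte by byte; before applying such a line it is worth decoding it and comparing it with what the first ComboFix log listed under [..\control\lsa], since LSA loads every package on that list into lsass.exe at boot. The Python below is an added example (not part of the thread or of ComboFix) that does exactly that; it assumes CFScript writes hex(7) bytes in REGEDIT4 (ANSI) form, whereas "Windows Registry Editor Version 5.00" .reg files use UTF-16LE, which the decoder also recognises.

```python
"""Decode and verify the REG_MULTI_SZ value in the CFScript Registry:: section.

Added example, not part of the thread or of ComboFix. The line
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 restores the LSA
package list to just msv1_0; this script shows what those bytes say and which
package the earlier ComboFix log had listed on top of it.
Assumption: CFScript uses REGEDIT4-style (ANSI) hex(7) bytes; Regedit 5.00
.reg files encode hex(7) as UTF-16LE, which decode_multi_sz() detects.
"""
import re

# Copied from the CFScript posted above.
CFSCRIPT_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'
# Copied from the first ComboFix log's [..\control\lsa] section (space-separated list).
COMBOFIX_LSA_LINE = r"Authentication Packages msv1_0 C:\WINDOWS\system32\mllji"

HEX_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<type>\d+)\):(?P<data>[0-9a-fA-F,\\\s]*)$')


def parse_hex_value(line):
    """Return (name, reg_type, raw_bytes) for a .reg-style "name"=hex(N):.. line."""
    m = HEX_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a hex(N) registry line: %r" % line)
    # .reg files may wrap long values with a trailing backslash; join the pieces.
    pairs = re.sub(r"[\\\s]", "", m["data"]).split(",")
    raw = bytes(int(p, 16) for p in pairs if p)
    return m["name"], int(m["type"]), raw


def decode_multi_sz(raw):
    """Split a REG_MULTI_SZ blob into strings; ASCII-only heuristic picks ANSI vs UTF-16LE."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\0") if s]


def encode_multi_sz(items, utf16=False):
    """Build the hex(7): literal for a list of strings (ANSI by default, as CFScript uses)."""
    text = "".join(s + "\0" for s in items) + "\0"   # each string NUL-terminated, list NUL-terminated
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def lsa_packages_from_combofix(line):
    """Parse the 'Authentication Packages a b c' line ComboFix prints."""
    prefix = "Authentication Packages "
    if not line.startswith(prefix):
        raise ValueError(line)
    return line[len(prefix):].split()


def extra_packages(observed, restored):
    """Packages present on the machine that the CFScript value will drop."""
    return [p for p in observed if p not in restored]


def run_sample():
    name, reg_type, raw = parse_hex_value(CFSCRIPT_LINE)
    restored = decode_multi_sz(raw)                     # ['msv1_0']
    observed = lsa_packages_from_combofix(COMBOFIX_LSA_LINE)
    return {
        "name": name,
        "type": reg_type,
        "restored": restored,
        "dropped": extra_packages(observed, restored),
        "roundtrip_ok": encode_multi_sz(restored) == CFSCRIPT_LINE.split("=", 1)[1],
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The only package the script removes is the mllji entry ComboFix had already tried to delete as C:\WINDOWS\system32\mllji.dll; msv1_0 stays, which is the check that matters before touching this value.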

#6 makaveli3005

  • Topic Starter

  • Members
  • 107 posts

Posted 06 February 2008 - 05:32 PM

Here's both my file readouts. Nothing has changed though, I still get these bad pop ups. The About.Blank being the worst, or the CID.



"Valued Customer" - 2008-02-06 17:03:19 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\"
Command switches used :: ""C:\Documents and Settings\Valued Customer\Desktop\CFScript.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 ))))))))))))))))))))))))))))))))))


2008-02-06 17:10 <DIR> d-------- C:\temp\tn3
2008-02-06 07:39 92,224 --a------ C:\WINDOWS\system32\ewxqcyuu.dll
2008-02-05 07:40 90,688 --a------ C:\WINDOWS\system32\mtewjpbf.dll
2008-02-05 07:38 94,272 --a------ C:\WINDOWS\system32\cuffbslm.dll
2008-02-05 07:37 308,444 --ahs---- C:\WINDOWS\system32\utstv.ini2
2008-02-05 07:37 263,168 --a------ C:\WINDOWS\system32\vtstu.dll
2008-02-04 20:30 36,864 --a------ C:\WINDOWS\system32\fcccabb.dll
2008-02-04 19:29 93,248 --a------ C:\WINDOWS\system32\ivjlehof.dll
2008-02-04 19:29 163,904 --a------ C:\WINDOWS\system32\iqdblysv.dll
2008-02-04 19:29 163,904 --a------ C:\WINDOWS\system32\foyniuto.dll
2008-02-04 19:27 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-04 19:26 <DIR> d-------- C:\Program Files\Temporary
2008-02-04 19:23 86,016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\system32\iifeefd.dll
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\mrofinu1188.exe
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-02-04 19:23 171,520 --a------ C:\WINDOWS\system32\jlithob.dll
2008-02-04 19:23 169,147 --a------ C:\WINDOWS\TTC-4444.exe
2008-02-04 19:23 135,168 --a------ C:\WINDOWS\tk58.exe
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\tip4
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\rom1
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\nGpxx18
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\lis6
2008-02-04 19:23 <DIR> d-------- C:\WINDOWS\system32\kps5
2008-02-04 19:23 <DIR> d-------- C:\temp\gTiis19
2008-02-04 19:23 <DIR> d-------- C:\temp\cXzz9
2008-02-04 19:23 <DIR> d-------- C:\temp\1cb
2008-02-04 19:22 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-04 08:50 93,248 --a------ C:\WINDOWS\system32\pojhkyuy.dll
2008-02-01 15:44 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\CyberLink
2008-01-26 15:53 <DIR> d-------- C:\Program Files\iPod
2008-01-10 21:22 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 21:20 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 21:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-10 21:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-10 21:20 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-06 05:40:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 01:15:06 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-26 20:52:30 -------- d-----w C:\Program Files\QuickTime
2008-01-16 16:35:03 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\findokayrect
2008-01-12 18:37:47 -------- d-----w C:\Program Files\Kazaa
2007-12-27 18:21:23 -------- d-----w C:\Program Files\mIRC
2007-12-27 00:13:15 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-27 00:13:15 -------- d-----w C:\Program Files\ToneThis 3.0
2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1CB343F0-CA64-4025-A6D6-504B1954CA3C}=C:\WINDOWS\system32\vtstu.dll [2008-02-05 07:37]
{24C61C09-62C0-42ED-B640-53F7FEC9098A}=C:\WINDOWS\system32\iifeefd.dll [2008-02-04 19:23]
{27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll [2007-08-02 08:43]
{2e3b89ea-e180-4628-8ca8-5a8c94dfe69d}=C:\WINDOWS\system32\jlithob.dll [2008-02-04 19:23]
{3c1be1e9-c89a-42ac-aa06-fed141de5bcf}=C:\WINDOWS\system32\ewxqcyuu.dll [2008-02-06 07:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 00:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 02:23]
{76A6E582-0173-4617-84A0-6437AABAE342}=C:\Program Files\Common Files\home4444.dll [2007-08-02 08:43]
{A95B2816-1D7E-4561-A202-68C0DE02353A}=C:\WINDOWS\system32\iqdblysv.dll [2008-02-04 19:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 15:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-02-06 17:13]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22]
"ec731d21"="C:\WINDOWS\system32\mtewjpbf.dll" [2008-02-05 07:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 18:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 20:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-29 13:04]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" [2008-01-15 19:27]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 11:55]
"{24C61C09-62C0-42ED-B640-53F7FEC9098A}"="C:\WINDOWS\system32\iifeefd.dll" [2008-02-04 19:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
iqdblysv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe


Contents of the 'Scheduled Tasks' folder
2008-02-04 16:48:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-02-06 22:00:00 C:\WINDOWS\tasks\BA78920780B33787.job
2008-02-06 22:15:24 C:\WINDOWS\tasks\MP Scheduled Scan.job
2008-02-02 01:00:03 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Valued Customer.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 17:12:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-02-06 17:22:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-02-06 17:22
C:\ComboFix2.txt ... 2008-02-05 07:44
C:\ComboFix3.txt ... 2007-05-31 19:05

--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:55 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Documents and Settings\Valued Customer\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe
O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\mtewjpbf.dll",b
O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prohdyxe.html
O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\prohdyxe.html

--
End of file - 8724 bytes

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 February 2008 - 10:25 PM

It didn't work. Did you follow the instructions carefully in my previous post?
It doesn't appear that the script was created correctly.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 makaveli3005
  • Topic Starter

  • Members
  • 107 posts

Posted 07 February 2008 - 11:42 AM

Yes, I followed them exactly. I copied and pasted the script you wrote into Notepad and saved it as CFScript on my desktop, then moved it onto ComboFix and ComboFix ran. It restarted, then I ran HijackThis after ComboFix was done.

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 February 2008 - 09:27 PM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\temp\tn3
    C:\Program Files\Temporary
    C:\Program Files\Drmupgds
    C:\WINDOWS\system32\tip4
    C:\WINDOWS\system32\rom1
    C:\WINDOWS\system32\nGpxx18
    C:\WINDOWS\system32\lis6
    C:\WINDOWS\system32\kps5
    C:\temp\gTiis19
    C:\temp\cXzz9
    C:\temp\1cb
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    C:\Documents and Settings\All Users\Application Data\part dead amok eggs
    C:\Documents and Settings\All Users\Application Data\beep axis mode free
    C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1
    C:\WINDOWS\system32\fcccabb.dll
    C:\WINDOWS\system32\ivjlehof.dll
    C:\WINDOWS\system32\iqdblysv.dll
    C:\WINDOWS\system32\foyniuto.dll
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\system32\drivers\ipfltdrvv.sys
    C:\WINDOWS\system32\iifeefd.dll
    C:\WINDOWS\mrofinu1188.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\system32\jlithob.dll
    C:\WINDOWS\TTC-4444.exe
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\system32\pojhkyuy.dll
    C:\WINDOWS\system32\ecxfvnhg.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\watelkj.exe
    C:\Program Files\Internet Explorer\prohdyxe.html
    C:\Program Files\ComPlus Applications\prohdyxe.html
    C:\WINDOWS\tasks\BA78920780B33787.job
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new log from Combofix.


========================================================

#10 makaveli3005
  • Topic Starter

  • Members
  • 107 posts

Posted 08 February 2008 - 02:46 PM

I did everything in the above statement exactly as told. I still have popups, not as bad as before but still some. Also the internet seems much slower. It takes forever to load this page. Also I get error messages constantly. One is:
During a scan of files at system startup, potential errors in the system registry were found.
p-07-0100 irql: 1F SYSVER 0xff00024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED

Another has to do with an error in Home83122.dll

Here is the combo fix report.
"Valued Customer" - 2008-02-08 14:03:34 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 ))))))))))))))))))))))))))))))))))


2008-02-08 14:15 <DIR> d-------- C:\temp\tn3
2008-02-08 13:49 <DIR> d-------- C:\DOCUME~1\VALUED~1\APPLIC~1\findokayrect
2008-02-08 13:24 88,640 --a------ C:\WINDOWS\system32\ucburhpr.dll
2008-02-08 13:21 94,784 --a------ C:\WINDOWS\system32\utwnhwwq.dll
2008-02-07 11:36 95,808 --a------ C:\WINDOWS\system32\mrfeqpry.dll
2008-02-07 11:36 87,616 --------- C:\WINDOWS\system32\xqqishum.dll
2008-02-06 07:39 92,224 --a------ C:\WINDOWS\system32\ewxqcyuu.dll
2008-02-05 07:38 94,272 --a------ C:\WINDOWS\system32\cuffbslm.dll
2008-02-05 07:37 302,526 --ahs---- C:\WINDOWS\system32\utstv.ini2
2008-02-05 07:37 263,168 --a------ C:\WINDOWS\system32\vtstu.dll
2008-02-04 19:29 163,904 --a------ C:\WINDOWS\system32\iqdblysv.dll
2008-02-04 19:23 86,016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\system32\iifeefd.dll
2008-02-01 15:44 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\CyberLink
2008-01-26 15:53 <DIR> d-------- C:\Program Files\iPod
2008-01-10 21:22 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 21:20 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 21:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-10 21:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-10 21:20 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-06 05:40:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 01:15:06 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-26 20:52:30 -------- d-----w C:\Program Files\QuickTime
2008-01-12 18:37:47 -------- d-----w C:\Program Files\Kazaa
2007-12-27 18:21:23 -------- d-----w C:\Program Files\mIRC
2007-12-27 00:13:15 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-27 00:13:15 -------- d-----w C:\Program Files\ToneThis 3.0


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{24C61C09-62C0-42ED-B640-53F7FEC9098A}=C:\WINDOWS\system32\iifeefd.dll [2008-02-04 19:23]
{27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll [2007-08-02 08:43]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 00:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 02:23]
{76A6E582-0173-4617-84A0-6437AABAE342}=C:\Program Files\Common Files\home4444.dll [2007-08-02 08:43]
{9B8A4AE5-6526-4EF7-9FDD-D60A5F3D9CF5}=C:\WINDOWS\system32\vtstu.dll [2008-02-05 07:37]
{A95B2816-1D7E-4561-A202-68C0DE02353A}=C:\WINDOWS\system32\iqdblysv.dll [2008-02-04 19:29]
{c5a655b4-d9f3-46be-9543-606e29deeef9}=C:\WINDOWS\system32\utwnhwwq.dll [2008-02-08 13:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 15:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-02-08 14:19]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22]
"ec731d21"="C:\WINDOWS\system32\ucburhpr.dll" [2008-02-08 13:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 18:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 20:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-29 13:04]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 11:55]
"{24C61C09-62C0-42ED-B640-53F7FEC9098A}"="C:\WINDOWS\system32\iifeefd.dll" [2008-02-04 19:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
iqdblysv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe


Contents of the 'Scheduled Tasks' folder
2008-02-04 16:48:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-02-08 19:20:19 C:\WINDOWS\tasks\MP Scheduled Scan.job
2008-02-02 01:00:03 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Valued Customer.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 14:18:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Valued Customer\Local Settings\Temp\etilqs_xC1Wen7YVbm4YJX 0 bytes

scan completed successfully
hidden files: 1


********************************************************************

Completion time: 2008-02-08 14:31:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-02-08 14:31
C:\ComboFix2.txt ... 2008-02-06 17:22
C:\ComboFix3.txt ... 2008-02-05 07:44

--- E O F ---
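The ComboFix reports in this thread list autostart entries ("Reg Loading Points") and recently created files in separate sections; joining the two is what makes entries like "ec731d21" and the LSA "Authentication Packages" line stand out. The following Python script is an added example, not code from the thread, from ComboFix or from its author: it parses both sections and flags autostart targets that were created inside the report window or that ComboFix printed with an empty [] timestamp. All function names are mine, and the sample log is constructed in ComboFix's format from paths that appear in the logs above.

```python
# Added example (not from the thread, ComboFix or its author): join ComboFix's "Reg Loading Points"
# autostart list with its "Files Created" list. SAMPLE_LOG is constructed from paths in the thread's logs.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
SAMPLE_LOG = r"""
(((((((((((((( Files Created from 2008-01-08 to 2008-02-08 ))))))))))))))
2008-02-08 13:24 88,640 --a------ C:\WINDOWS\system32\ucburhpr.dll
2008-02-05 07:37 263,168 --a------ C:\WINDOWS\system32\vtstu.dll
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\system32\iifeefd.dll

(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{24C61C09-62C0-42ED-B640-53F7FEC9098A}=C:\WINDOWS\system32\iifeefd.dll [2008-02-04 19:23]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 02:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"ec731d21"="C:\WINDOWS\system32\ucburhpr.dll" [2008-02-08 13:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\vtstu.dll
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"?(?P<name>[^"=]+)"?="?(?P<path>[^"\[]+?)"?\s*(?:\[(?P<ts>[^\]]*)\])?\s*$')
PATH_RE = re.compile(r"(?:[A-Za-z]:\\.+|[\w.-]+\.(?:dll|exe|sys))$", re.I)

@dataclass
class Autostart:
    key: str
    name: str
    path: str
    ts: Optional[str]  # None: no bracket printed; "": ComboFix printed [] (no timestamp)

def split_sections(log: str) -> Dict[str, List[str]]:
    # Group lines under ComboFix's "(((( Title ))))" banners; the banner line stays with its section.
    sections, title = {}, "preamble"
    for line in log.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            title = m.group(1)
        sections.setdefault(title, []).append(line)
    return sections

def parse_files_created(lines: List[str]) -> Dict[str, str]:
    # Keyed by lower-cased base name: some autostart lines (Winlogon Notify) carry only the file name.
    created: Dict[str, str] = {}
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m and m.group(2) != "<DIR>":
            created[m.group(3).rsplit("\\", 1)[-1].lower()] = m.group(1)
    return created

def parse_autostarts(lines: List[str]) -> List[Autostart]:
    key, out = "", []
    for line in (raw.strip() for raw in lines):
        km, em = KEY_RE.match(line), ENTRY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        if em:
            name, path, ts = em.group("name").strip(), em.group("path").strip(), em.group("ts")
        else:  # bare path lines: Desktop Components, Winlogon Notify, LSA packages
            pm = PATH_RE.search(line)
            if not pm:
                continue
            name, path, ts = line[:pm.start()].strip() or "(default)", pm.group(0), None
        if PATH_RE.search(path):  # skips non-file values such as "DisableRegedit"=0 (0x0)
            out.append(Autostart(key, name, path, ts))
    return out

def triage(log: str) -> List[Tuple[Autostart, List[str]]]:
    """Autostart entries worth a closer look, each with the reasons it was flagged."""
    sections = split_sections(log)
    created = next((parse_files_created(v) for k, v in sections.items() if k.startswith("Files Created")), {})
    findings = []
    for entry in parse_autostarts(sections.get("Reg Loading Points", [])):
        reasons = []
        stamp = created.get(entry.path.rsplit("\\", 1)[-1].lower())
        if stamp:
            reasons.append(f"file created {stamp}, inside the report window")
        if entry.ts == "":
            reasons.append("ComboFix recorded no timestamp for the target")
        if reasons:
            findings.append((entry, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"[{entry.key}] {entry.name} -> {entry.path}: {'; '.join(reasons)}")
```

Run against a full report, the same two joins pick out the BHO, Run, Winlogon Notify and LSA entries that the helper's CFScript later removes, while signed vendor entries such as ccApp and the Java BHO stay unflagged.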

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 February 2008 - 10:24 PM

I still need to see this log as requested in my previous post.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.




========================================================

#12 makaveli3005
  • Topic Starter

  • Members
  • 107 posts

Posted 09 February 2008 - 02:43 PM

C:\temp\tn3 moved successfully.
C:\Program Files\Temporary moved successfully.
File/Folder C:\Program Files\Drmupgds not found.
C:\WINDOWS\system32\tip4 moved successfully.
C:\WINDOWS\system32\rom1 moved successfully.
C:\WINDOWS\system32\nGpxx18 moved successfully.
C:\WINDOWS\system32\lis6 moved successfully.
C:\WINDOWS\system32\kps5 moved successfully.
C:\temp\gTiis19 moved successfully.
C:\temp\cXzz9 moved successfully.
C:\temp\1cb moved successfully.
C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP moved successfully.
C:\Documents and Settings\All Users\Application Data\part dead amok eggs moved successfully.
Folder move failed. C:\Documents and Settings\All Users\Application Data\beep axis mode free scheduled to be moved on reboot.
C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fcccabb.dll
C:\WINDOWS\system32\fcccabb.dll NOT unregistered.
C:\WINDOWS\system32\fcccabb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ivjlehof.dll
C:\WINDOWS\system32\ivjlehof.dll NOT unregistered.
C:\WINDOWS\system32\ivjlehof.dll moved successfully.
C:\WINDOWS\system32\iqdblysv.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\iqdblysv.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\foyniuto.dll unregistered successfully.
C:\WINDOWS\system32\foyniuto.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vbzip10.dll NOT unregistered.
C:\WINDOWS\system32\vbzip10.dll moved successfully.
File move failed. C:\WINDOWS\system32\drivers\ipfltdrvv.sys scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifeefd.dll
C:\WINDOWS\system32\iifeefd.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iifeefd.dll scheduled to be moved on reboot.
C:\WINDOWS\mrofinu1188.exe moved successfully.
C:\WINDOWS\mrofinu1000106.exe moved successfully.
C:\WINDOWS\system32\jlithob.dll unregistered successfully.
C:\WINDOWS\system32\jlithob.dll moved successfully.
C:\WINDOWS\TTC-4444.exe moved successfully.
C:\WINDOWS\tk58.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pojhkyuy.dll
C:\WINDOWS\system32\pojhkyuy.dll NOT unregistered.
C:\WINDOWS\system32\pojhkyuy.dll moved successfully.
File/Folder C:\WINDOWS\system32\ecxfvnhg.dll not found.
File move failed. C:\WINDOWS\system32\drivers\core.cache.dsk scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\watelkj.exe not found.
File/Folder C:\Program Files\Internet Explorer\prohdyxe.html not found.
File/Folder C:\Program Files\ComPlus Applications\prohdyxe.html not found.
C:\WINDOWS\tasks\BA78920780B33787.job moved successfully.

OTMoveIt2 v1.0.19 log created on 02082008_134853

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 February 2008 - 07:52 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\temp\tn3

Driver::
ipfltdrvv

File::
C:\WINDOWS\system32\ucburhpr.dll
C:\WINDOWS\system32\utwnhwwq.dll
C:\WINDOWS\system32\mrfeqpry.dll
C:\WINDOWS\system32\xqqishum.dll
C:\WINDOWS\system32\ewxqcyuu.dll
C:\WINDOWS\system32\cuffbslm.dll
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\iqdblysv.dll
C:\WINDOWS\system32\drivers\ipfltdrvv.sys
C:\WINDOWS\system32\iifeefd.dll
C:\WINDOWS\system32\drivers\core.cache.dsk

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{24C61C09-62C0-42ED-B640-53F7FEC9098A}=-
{9B8A4AE5-6526-4EF7-9FDD-D60A5F3D9CF5}=-
{A95B2816-1D7E-4561-A202-68C0DE02353A}=-
{c5a655b4-d9f3-46be-9543-606e29deeef9}=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"watelkj"=-
"o"=-
"Amok Eggs Four Web"=-
"MODE FREE BIRD SURF"=-
"ec731d21"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"logo link"=-
"Drmupgds"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=-
"o"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


========================================================

#14 makaveli3005
  • Topic Starter

  • Members
  • 107 posts

Posted 18 February 2008 - 06:25 PM

Tried it again as you said. Took me a while to even get back to this site. Actually a couple of days. This is what I got. Still popups and blank pages.

"Valued Customer" - 2008-02-17 19:25:52 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\"
Command switches used :: ""C:\Documents and Settings\Valued Customer\Desktop\CFScript.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-17 ))))))))))))))))))))))))))))))))))


2008-02-17 19:37 <DIR> d-------- C:\temp\tn3
2008-02-17 17:58 87,616 --a------ C:\WINDOWS\system32\kuxhgsob.dll
2008-02-17 17:55 97,344 --a------ C:\WINDOWS\system32\ushbxjlj.dll
2008-02-16 17:53 92,736 --a------ C:\WINDOWS\system32\xynqnljn.dll
2008-02-15 17:52 91,712 --a------ C:\WINDOWS\system32\rbjvlksm.dll
2008-02-14 17:51 91,200 --a------ C:\WINDOWS\system32\dbmjpncr.dll
2008-02-13 15:47 88,128 --a------ C:\WINDOWS\system32\omciemue.dll
2008-02-12 14:30 93,248 --a------ C:\WINDOWS\system32\ljdpwsak.dll
2008-02-11 14:30 93,248 --a------ C:\WINDOWS\system32\rfdlsotn.dll
2008-02-10 14:31 93,248 --a------ C:\WINDOWS\system32\eutvfatx.dll
2008-02-09 14:28 93,760 --a------ C:\WINDOWS\system32\ojbkkqqd.dll
2008-02-08 13:49 <DIR> d-------- C:\DOCUME~1\VALUED~1\APPLIC~1\findokayrect
2008-02-08 13:21 94,784 --a------ C:\WINDOWS\system32\utwnhwwq.dll
2008-02-07 11:36 95,808 --a------ C:\WINDOWS\system32\mrfeqpry.dll
2008-02-07 11:36 87,616 --------- C:\WINDOWS\system32\xqqishum.dll
2008-02-06 07:39 92,224 --a------ C:\WINDOWS\system32\ewxqcyuu.dll
2008-02-05 07:38 94,272 --a------ C:\WINDOWS\system32\cuffbslm.dll
2008-02-05 07:37 283,410 --ahs---- C:\WINDOWS\system32\utstv.ini2
2008-02-05 07:37 263,168 --a------ C:\WINDOWS\system32\vtstu.dll
2008-02-04 19:29 163,904 --a------ C:\WINDOWS\system32\iqdblysv.dll
2008-02-04 19:23 86,016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys
2008-02-04 19:23 36,864 --a------ C:\WINDOWS\system32\iifeefd.dll
2008-02-01 15:44 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\CyberLink
2008-01-26 15:53 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-06 05:40:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 01:15:06 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-26 20:53:48 -------- d-----w C:\Program Files\iTunes
2008-01-26 20:52:30 -------- d-----w C:\Program Files\QuickTime
2008-01-12 18:37:47 -------- d-----w C:\Program Files\Kazaa
2008-01-11 02:20:38 -------- d-----w C:\Program Files\Apple Software Update
2008-01-11 02:20:10 -------- d-----w C:\Program Files\Common Files\Apple
2007-12-27 18:21:23 -------- d-----w C:\Program Files\mIRC
2007-12-27 00:13:15 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-27 00:13:15 -------- d-----w C:\Program Files\ToneThis 3.0
2007-12-18 09:51:35 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-04 18:38:13 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 08:44:15 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0F2D697B-5347-4E02-A858-8172B428A009}=C:\WINDOWS\system32\vtstu.dll [2008-02-05 07:37]
{24C61C09-62C0-42ED-B640-53F7FEC9098A}=C:\WINDOWS\system32\iifeefd.dll [2008-02-04 19:23]
{27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll [2007-08-02 08:43]
{2d1b3a0e-b2ce-49e0-adbb-d4e1662e4fff}=C:\WINDOWS\system32\ushbxjlj.dll [2008-02-17 17:55]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 00:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 02:23]
{76A6E582-0173-4617-84A0-6437AABAE342}=C:\Program Files\Common Files\home4444.dll [2007-08-02 08:43]
{A95B2816-1D7E-4561-A202-68C0DE02353A}=C:\WINDOWS\system32\iqdblysv.dll [2008-02-04 19:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 15:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-02-17 19:39]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22]
"ec731d21"="C:\WINDOWS\system32\kuxhgsob.dll" [2008-02-17 17:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 18:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 20:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-29 13:04]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" []
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 11:55]
"{24C61C09-62C0-42ED-B640-53F7FEC9098A}"="C:\WINDOWS\system32\iifeefd.dll" [2008-02-04 19:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
iqdblysv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe


Contents of the 'Scheduled Tasks' folder
2008-02-11 16:48:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-02-18 00:39:55 C:\WINDOWS\tasks\MP Scheduled Scan.job
2008-02-16 07:04:10 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Valued Customer.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 19:38:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-02-17 19:51:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-02-17 19:51
C:\ComboFix2.txt ... 2008-02-08 14:31
C:\ComboFix3.txt ... 2008-02-06 17:22

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:39 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Valued Customer\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe
O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\kuxhgsob.dll",b
O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prohdyxe.html
O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\prohdyxe.html

--
End of file - 8618 bytes

#15 makaveli3005

makaveli3005
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:01:24 PM

Posted 18 February 2008 - 06:26 PM

And now my C drive in the My Computer icon has changed from a computer to a red X. And in the file I have a hundred POSAA3.tmp files.



