Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pls Help Infected: Not-a-virus:adware.win32.onestep.c


  • This topic is locked This topic is locked
18 replies to this topic

#1 Buriedindream

Buriedindream

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 14 May 2008 - 11:28 PM

Hello, i would apprciate help with this i seem to have 7 Viruses according to Kaspersky, though AVG bought up a few too, i didnt now which to delete or which were healed through AVG. I also have Spybot. And my search online with one of the viruses took me into a forum that told me to download something to fix my connection and upon installing that i think that also may have been a virus! My Computer connection to the internet is so unstable now it constantly freezes and the task bar will disappear for a few minutes, i think in trying to clean the problem up online i ceated bigger problems as i had several viruses pop up.
I appear to have viruses, Trojans and a worm. Also a few times i had a small black screen pop up from nowhere, where you could type things.. as though someone had control of my computer? Not sure?

I am not all that technical at all and am at a loss. Please help me!

I am attaching the Kaspersky report and the Hijackthis report..
No idea how to beging to remove them and how bad te infections are, and what they are doing.

Thank you so much!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 15, 2008 3:31:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/05/2008
Kaspersky Anti-Virus database records: 774093
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Me\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 20691
Number of viruses found: 7
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 00:57:04

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\2fc78b.msi/oswdvaz118.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Installer\2fc78b.msi Embedded: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\Dil26.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rlvknlg.exe Infected: not-a-virus:AdWare.Win32.RK.n skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\WinData.cab Object is locked skipped
C:\WINDOWS\Temp\ONE1.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.h skipped
C:\WINDOWS\Temp\ONE1.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE1.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE1.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE1.tmp\upgrade.exe NSIS: infected - 4 skipped
C:\WINDOWS\Temp\ONE18.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\WINDOWS\Temp\ONE18.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE18.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE18.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE18.tmp\upgrade.exe NSIS: infected - 4 skipped
C:\WINDOWS\w3kpopup.dll Infected: not-a-virus:AdWare.Win32.Web3000.a skipped
C:\WINDOWS\w3kselfinst.exe Infected: not-a-virus:AdWare.Win32.Web3000.b skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Me\LOCALS~1\Temp\despmed.exe Infected: Trojan.Win32.Small.avj skipped
C:\DOCUME~1\Me\LOCALS~1\Temp\~DFCD36.tmp Object is locked skipped
C:\DOCUME~1\Me\LOCALS~1\Temp\~DFCD41.tmp Object is locked skipped

Scan process completed.






HIJACKTHIS REPORT:

Deckard's System Scanner v20071014.68
Run by Me on 2008-05-15 16:21:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 224 MiB (512 MiB recommended).


-- HijackThis (run as Me.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:43 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Me\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Me.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5D0764A5-E939-4D15-986F-22260EB25A68} - C:\WINDOWS\system32\wvUlmlLE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9AB28FA-ED73-4E5E-BA11-0925D85120D1} - C:\WINDOWS\system32\iifefFYP.dll (file missing)
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [6477dd6d] rundll32.exe "C:\WINDOWS\system32\mnnqrnol.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Reboot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129952396230
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: iifefFYP - iifefFYP.dll (file missing)
O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe

--
End of file - 7311 bytes

-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 15:48:40 0 d-------- C:\Program Files\Trend Micro
2008-05-15 09:36:10 0 d-------- C:\WINDOWS\LastGood
2008-05-14 13:13:31 0 d-------- C:\ERDNT
2008-05-14 11:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 11:19:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 13:40:17 91776 --a------ C:\WINDOWS\system32\mnnqrnol.dll
2008-05-11 22:55:28 91776 --a------ C:\WINDOWS\system32\rfskeayv.dll
2008-05-11 22:29:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 21:50:59 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-11 21:50:59 2571 --a------ C:\WINDOWS\unins000.dat
2008-05-11 10:57:00 0 d-------- C:\VundoFix Backups
2008-05-11 10:53:37 91776 --a------ C:\WINDOWS\system32\kthjdjks.dll
2008-05-11 10:51:26 84898 --ahs---- C:\WINDOWS\system32\ELlmlUvw.ini2
2008-05-11 10:46:47 2 --a------ C:\1685577154
2008-05-11 10:46:29 14976 --a------ C:\WINDOWS\system32\drivers\Dil26.sys
2008-04-22 11:54:17 0 d-------- C:\Program Files\Avernum Demo
2008-04-18 09:51:25 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 09:50:29 0 d-------- C:\Program Files\Windows Live
2008-04-18 09:49:10 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-05-13 10:36:14 0 d-------- C:\Documents and Settings\Me\Application Data\AVG7
2008-05-11 23:46:03 0 d-------- C:\Program Files\Google
2008-05-11 22:18:05 0 d-------- C:\Program Files\Spybot - Search & Destroy SECOND INSTALL
2008-04-26 02:19:05 0 d-------- C:\Program Files\Java
2008-04-18 09:51:25 0 d-------- C:\Program Files\Common Files
2008-02-26 09:31:19 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D0764A5-E939-4D15-986F-22260EB25A68}]
C:\WINDOWS\system32\wvUlmlLE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}]
C:\WINDOWS\system32\iifefFYP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sncntr"="c:\windows\system32\sncntr.exe" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 02:50 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/15/2008 11:48 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"VTPreset"="VTPreset.exe" [02/24/2004 07:17 PM C:\WINDOWS\system32\VTPreset.exe]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/21/2006 12:42 AM]
"6477dd6d"="C:\WINDOWS\system32\mnnqrnol.dll" [05/12/2008 01:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:56 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Me\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [6/23/2005 2:56:57 PM]
Reboot.exe [8/20/2002 6:26:48 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}"= C:\WINDOWS\system32\iifefFYP.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefFYP]
iifefFYP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt32]
WinNt32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUlmlLE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Dil26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Error Nuker]
C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"W3KNetwork"=RunDll32.exe w3knet.dll,DLLInitRun
"P2P Networking"=C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"LXSUPMON"=C:\WINDOWS\System32\LXSUPMON.EXE RUN




-- End of Deckard's System Scanner: finished at 2008-05-15 16:23:37 ------------

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:53 AM

Posted 15 May 2008 - 11:06 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\mnnqrnol.dll
    C:\WINDOWS\system32\rfskeayv.dll
    C:\WINDOWS\system32\kthjdjks.dll
    C:\WINDOWS\system32\ELlmlUvw.ini2
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 15 May 2008 - 05:03 PM

Hello Sam :thumbsup: Thanks so much for helping..

Here are the files you asked for, after running the moveit, it didnt ask me to restart my computer but i did anyway, and on loading i got this error message:

Error loading C:\windows\system32\mnnqrnol.dll The specified module could not be found
Everything loaded ok though..


MOVEIT FILE RESULT

DllUnregisterServer procedure not found in C:\WINDOWS\system32\mnnqrnol.dll
C:\WINDOWS\system32\mnnqrnol.dll NOT unregistered.
C:\WINDOWS\system32\mnnqrnol.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rfskeayv.dll
C:\WINDOWS\system32\rfskeayv.dll NOT unregistered.
C:\WINDOWS\system32\rfskeayv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kthjdjks.dll
C:\WINDOWS\system32\kthjdjks.dll NOT unregistered.
C:\WINDOWS\system32\kthjdjks.dll moved successfully.
C:\WINDOWS\system32\ELlmlUvw.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05162008_094446




HIJACKTHIS REPORT

Deckard's System Scanner v20071014.68
Run by Me on 2008-05-16 09:55:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 90% (more than 75%).
Total Physical Memory: 224 MiB (512 MiB recommended).


-- HijackThis (run as Me.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:22 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Me\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Me.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5D0764A5-E939-4D15-986F-22260EB25A68} - C:\WINDOWS\system32\wvUlmlLE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9AB28FA-ED73-4E5E-BA11-0925D85120D1} - C:\WINDOWS\system32\iifefFYP.dll (file missing)
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [6477dd6d] rundll32.exe "C:\WINDOWS\system32\mnnqrnol.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Reboot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129952396230
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: iifefFYP - iifefFYP.dll (file missing)
O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6931 bytes

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-15 15:48:40 0 d-------- C:\Program Files\Trend Micro
2008-05-14 13:13:31 0 d-------- C:\ERDNT
2008-05-14 11:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 11:19:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-11 22:29:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 21:50:59 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-11 21:50:59 2571 --a------ C:\WINDOWS\unins000.dat
2008-05-11 10:57:00 0 d-------- C:\VundoFix Backups
2008-05-11 10:46:47 2 --a------ C:\1685577154
2008-05-11 10:46:29 14976 --a------ C:\WINDOWS\system32\drivers\Dil26.sys
2008-04-22 11:54:17 0 d-------- C:\Program Files\Avernum Demo
2008-04-18 09:51:25 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 09:50:29 0 d-------- C:\Program Files\Windows Live
2008-04-18 09:49:10 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-05-15 16:10:09 0 d-------- C:\Documents and Settings\Me\Application Data\AVG7
2008-05-11 23:46:03 0 d-------- C:\Program Files\Google
2008-05-11 22:18:05 0 d-------- C:\Program Files\Spybot - Search & Destroy SECOND INSTALL
2008-04-26 02:19:05 0 d-------- C:\Program Files\Java
2008-04-18 09:51:25 0 d-------- C:\Program Files\Common Files
2008-02-26 09:31:19 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D0764A5-E939-4D15-986F-22260EB25A68}]
C:\WINDOWS\system32\wvUlmlLE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}]
C:\WINDOWS\system32\iifefFYP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sncntr"="c:\windows\system32\sncntr.exe" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 02:50 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/15/2008 11:48 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"VTPreset"="VTPreset.exe" [02/24/2004 07:17 PM C:\WINDOWS\system32\VTPreset.exe]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/21/2006 12:42 AM]
"6477dd6d"="C:\WINDOWS\system32\mnnqrnol.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:56 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Me\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [6/23/2005 2:56:57 PM]
Reboot.exe [8/20/2002 6:26:48 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B9AB28FA-ED73-4E5E-BA11-0925D85120D1}"= C:\WINDOWS\system32\iifefFYP.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefFYP]
iifefFYP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt32]
WinNt32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUlmlLE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Dil26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Error Nuker]
C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"W3KNetwork"=RunDll32.exe w3knet.dll,DLLInitRun
"P2P Networking"=C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"LXSUPMON"=C:\WINDOWS\System32\LXSUPMON.EXE RUN




-- End of Deckard's System Scanner: finished at 2008-05-16 09:57:04 ------------

#4 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 15 May 2008 - 05:24 PM

I also discovered these image files in my documents folder which mysteriously turned up during infection (attached screenshot minus the kaspersky file) and on trying to delete them i get an error message saying they are system files and i shouldnt delete them (also attached)...

Attached Files



#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:53 AM

Posted 16 May 2008 - 01:53 AM

You must disable Spybot's Teatimer function before proceeding with this fix. Otherwise it will intefere with hijackthis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

=================


Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5D0764A5-E939-4D15-986F-22260EB25A68} - C:\WINDOWS\system32\wvUlmlLE.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B9AB28FA-ED73-4E5E-BA11-0925D85120D1} - C:\WINDOWS\system32\iifefFYP.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [6477dd6d] rundll32.exe "C:\WINDOWS\system32\mnnqrnol.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: iifefFYP - iifefFYP.dll (file missing)
O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)



Reboot your computer.



=================


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 16 May 2008 - 04:36 AM

Ok, did all you asked and here is the logfile.
Thank you Sam :thumbsup:


ComboFix 08-05-15.2 - Me 2008-05-16 21:00:05.1 - NTFSx86
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\SSSInst\bin\SSSInst.dll
C:\Program Files\screensavers.com\SSSInst\bin\SSSUninst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\Dil26.sys
C:\WINDOWS\system32\lonrqnnm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\skjdjhtk.ini
C:\WINDOWS\system32\vyaeksfr.ini
C:\WINDOWS\system32\WinData.cab

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DIL26
-------\Service_Dil26
-------\Service_pjsapdg


((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 21:09 . 2008-05-16 21:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 21:09 . 2008-05-16 21:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 09:44 . 2008-05-16 09:44 <DIR> d-------- C:\_OTMoveIt
2008-05-15 15:48 . 2008-05-15 15:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 15:36 . 2008-05-15 15:36 <DIR> d-------- C:\Deckard
2008-05-14 13:13 . 2008-05-14 13:13 <DIR> d-------- C:\ERDNT
2008-05-14 11:20 . 2008-05-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 11:19 . 2008-05-14 11:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 21:24 . 2007-03-30 00:56 409,600 -----c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-05-12 21:24 . 2007-03-30 00:56 18,944 -----c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-05-12 21:24 . 2007-03-30 00:56 8,192 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-05-12 21:24 . 2007-03-30 00:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-05-12 21:24 . 2007-03-30 00:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-05-12 21:24 . 2007-03-30 00:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-05-11 22:29 . 2008-05-11 23:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 21:50 . 2008-05-11 21:47 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-11 21:50 . 2008-05-11 21:51 2,571 --a------ C:\WINDOWS\unins000.dat
2008-05-11 10:57 . 2008-05-11 10:57 <DIR> d-------- C:\VundoFix Backups
2008-05-11 10:51 . 2008-05-12 16:54 84,898 --ahs---- C:\WINDOWS\system32\ELlmlUvw.ini
2008-05-11 10:46 . 2008-05-14 13:34 2 --a------ C:\1685577154
2008-04-22 11:54 . 2008-04-22 12:05 <DIR> d-------- C:\Program Files\Avernum Demo
2008-04-19 08:32 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-19 08:32 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-19 08:32 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-18 09:51 . 2008-04-18 09:52 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 09:50 . 2008-04-18 09:50 <DIR> d-------- C:\Program Files\Windows Live
2008-04-18 09:49 . 2008-04-18 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 08:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 04:10 --------- d-----w C:\Documents and Settings\Me\Application Data\AVG7
2008-05-11 11:46 --------- d-----w C:\Program Files\Google
2008-05-11 10:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy SECOND INSTALL
2008-05-11 09:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-25 14:19 --------- d-----w C:\Program Files\Java
2008-04-15 11:48 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2006-07-01 12:34 122,880 ----a-w C:\Program Files\runescape.exe
2005-12-14 21:42 16,150,144 ----a-w C:\Program Files\avg71free_371a669 SECOND INSTALL.exe
2005-07-10 00:06 586 ----a-w C:\Program Files\PLAYERS.DAT
2005-06-23 02:58 17,411 ----a-w C:\Program Files\DeIsL1.isu
2002-07-19 03:26 49,152 ----a-w C:\Program Files\_UnInstall.dll
2002-07-09 03:22 348,160 ----a-w C:\Program Files\Mss32.dll
2002-04-30 00:14 159,232 ----a-w C:\Program Files\smackw32.dll
2002-03-08 04:04 3,719,168 ----a-w C:\Program Files\INF1.EXE
2001-06-14 02:59 709 ----a-w C:\Documents and Settings\Me\layout.bin
1999-01-12 01:34 23,541 ----a-w C:\Documents and Settings\Me\lang.dat
1998-10-27 03:06 27,648 ----a-w C:\Documents and Settings\Me\_ISDel.exe
1998-09-29 06:34 34,816 ----a-w C:\Documents and Settings\Me\_Setup.dll
1998-07-27 07:41 450 ----a-w C:\Documents and Settings\Me\os.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 19:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sncntr"="c:\windows\system32\sncntr.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 23:48 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"VTPreset"="VTPreset.exe" [2004-02-24 19:17 45056 C:\WINDOWS\system32\VTPreset.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-21 00:42 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 19:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:32 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 19:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Me\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-06-23 14:56:57 225280]
Reboot.exe [2002-08-20 18:26:48 432128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPGL"= jpgl.dll
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Error Nuker]
C:\Program Files\Error Nuker\bin\ErrorNuker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
--a------ 2002-02-20 20:01 49152 C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-21 00:42 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"W3KNetwork"=RunDll32.exe w3knet.dll,DLLInitRun
"P2P Networking"=C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"LXSUPMON"=C:\WINDOWS\System32\LXSUPMON.EXE RUN

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 01:12]
S3 DCamUSBNW800;CIF USB Camera (2110);C:\WINDOWS\system32\DRIVERS\pcam800.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 18:01]

.
Contents of the 'Scheduled Tasks' folder
"2005-12-14 13:13:01 C:\WINDOWS\Tasks\New Task.job"
"2008-05-16 08:37:26 C:\WINDOWS\Tasks\User_Feed_Synchronization-{88123F82-E9B5-4662-B8BC-964F01BCF1C5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 21:14:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
.
**************************************************************************
.
Completion time: 2008-05-16 21:26:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 09:25:54

Pre-Run: 8,911,171,584 bytes free
Post-Run: 9,269,039,104 bytes free

166 --- E O F --- 2008-05-14 21:40:15

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:53 AM

Posted 16 May 2008 - 08:15 AM

Fix this line with Hijackthis.

O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm


Reboot and post a new log from DSS.
How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 16 May 2008 - 08:44 AM

Its much more stable, its not freezing and the taskbar isnt disappearing anymore..



Deckard's System Scanner v20071014.68
Run by Me on 2008-05-17 01:39:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 224 MiB (512 MiB recommended).


-- HijackThis (run as Me.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:44 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Me\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Me.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Reboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129952396230
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5948 bytes

-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-16 20:57:37 68096 --a------ C:\WINDOWS\zip.exe
2008-05-16 20:57:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-16 20:57:37 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-16 20:57:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-16 20:57:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-16 20:57:37 98816 --a------ C:\WINDOWS\sed.exe
2008-05-16 20:57:37 80412 --a------ C:\WINDOWS\grep.exe
2008-05-16 20:57:37 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-15 15:48:40 0 d-------- C:\Program Files\Trend Micro
2008-05-14 13:13:31 0 d-------- C:\ERDNT
2008-05-14 11:20:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 11:19:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-11 22:29:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 21:50:59 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-11 21:50:59 2571 --a------ C:\WINDOWS\unins000.dat
2008-05-11 10:57:00 0 d-------- C:\VundoFix Backups
2008-05-11 10:46:47 2 --a------ C:\1685577154
2008-04-22 11:54:17 0 d-------- C:\Program Files\Avernum Demo
2008-04-18 09:51:25 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 09:50:29 0 d-------- C:\Program Files\Windows Live
2008-04-18 09:49:10 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-05-15 16:10:09 0 d-------- C:\Documents and Settings\Me\Application Data\AVG7
2008-05-11 23:46:03 0 d-------- C:\Program Files\Google
2008-05-11 22:18:05 0 d-------- C:\Program Files\Spybot - Search & Destroy SECOND INSTALL
2008-04-26 02:19:05 0 d-------- C:\Program Files\Java
2008-04-18 09:51:25 0 d-------- C:\Program Files\Common Files
2008-02-26 09:31:19 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 02:50 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/15/2008 11:48 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"VTPreset"="VTPreset.exe" [02/24/2004 07:17 PM C:\WINDOWS\system32\VTPreset.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/21/2006 12:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Me\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [6/23/2005 2:56:57 PM]
Reboot.exe [8/20/2002 6:26:48 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Error Nuker]
C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"W3KNetwork"=RunDll32.exe w3knet.dll,DLLInitRun
"P2P Networking"=C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"LXSUPMON"=C:\WINDOWS\System32\LXSUPMON.EXE RUN




-- End of Deckard's System Scanner: finished at 2008-05-17 01:40:23 ------------

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:53 AM

Posted 16 May 2008 - 08:53 AM

Looks pretty good to me!

Just a few last things and you should be good to go! :)


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image
  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :thumbsup:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 16 May 2008 - 09:47 AM

Thank you so very very much Sam :thumbsup: :thumbsup: :thumbsup:

I appreciate so much what you have taken time to do for me, and free of charge too!
I know you help people out everyday with these kinds of problems but let me tell you, You are a real lifesaver!
I intend to be much more careful with what i open online now.

Thanks again for your expert advice you deserve some chocolate biscuits and a hot cup of coffee! :)

#11 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 16 May 2008 - 08:24 PM

Hi again, sorry to be a pain, but pon running kaspersky online check again i still appear to have 3 viruses..

Are these left over and will be removable with spybot and AVG or do the same viruses linger on my computer.
Really sorry, just totally unsure.
Many thanks in advance!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 17, 2008 1:19:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/05/2008
Kaspersky Anti-Virus database records: 779486
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Me\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 20481
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:56:29

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\2fc78b.msi/oswdvaz118.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Installer\2fc78b.msi Embedded: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\w3kpopup.dll Infected: not-a-virus:AdWare.Win32.Web3000.a skipped
C:\WINDOWS\w3kselfinst.exe Infected: not-a-virus:AdWare.Win32.Web3000.b skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:53 AM

Posted 17 May 2008 - 08:58 AM

Not too bad. You should be to locate and delete these manually.

C:\WINDOWS\Installer\2fc78b.msi
C:\WINDOWS\w3kpopup.dll
C:\WINDOWS\w3kselfinst.exe



Let me know if they give you problems.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 17 May 2008 - 09:20 AM

Will do. Thanks Sam :)

On deleting C:\WINDOWS\Installer\2fc78b.msi i saw in the subject line it had something called "inallitsglory"
I came across this in my add and remove programs in control panel, and wondered what it was (this was when i first suspected a virus being on computer) , i looked for it online and havent come up with much, are you aware of this program or is it something new perhaps?

..And of course is it safe to delete it from my add and removes.. and if i do delete it will i need to remove those files i just removed again and then turn system restore off?

Thanks so much :thumbsup:

Edited by Buriedindream, 17 May 2008 - 09:39 AM.


#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:53 AM

Posted 17 May 2008 - 06:57 PM

I couldn't find anything on inallitsglory either, but it definitely doesn't sound like anything vital. If you don't know what it is, I would uninstall it.

You still need to make sure those files are gone. And then I would turn off system restore to flush everything out again and then turn it on and set a new restore point that you know is clean.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 Buriedindream

Buriedindream
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:53 PM

Posted 17 May 2008 - 10:01 PM

Ok, i tried to uninstall inallitsglory and got this error msg (attached image)
so then i restored from the recycle bin those last three files you told me to remove (as one had something to do with the install of inallitsglory, and i was then able to successfully remove inallitsglory, and i also found that that file was to do with something called "tropical heaven" which was also in add and remove, i think this may have been an old screensaver, anyway removed them both with no problem.

Also this file " erdnt " which was in C drive as seen on the hijackthis i deleted, it wasnt in add or remove though, this was that registry thing i installed and it seemed to muck my computer up more. not sure if it was installed or what..

(EDIT) I restored the erdnt file from recycle bin as on doing a search i found ERDNT was actually in the actual windows file as well as C:\ERDNT safe to remove this and how Please?


And you told me to remove this O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm using hijackthis
which i did and i also came across a file in add or remove called sncntr so will be ok if i remove that too?

Thanks Sam, and sorry for being a pain.

Attached Files


Edited by Buriedindream, 17 May 2008 - 10:26 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users