
Command.exe, Virtumunde, Slow Browser And Windows, Please Assist!


This topic is locked
10 replies to this topic

#1 kgrind11

Posted 21 June 2008 - 12:13 AM

Hello. I am struggling to remove the virtumunde? virus. Mozilla will only load certain web pages and my Windows Vista is running very slowly. The black command prompt windows pop up quickly when I boot up, and I also get the antispywaremaster popups. I've tried to combat this with Spybot S&D, Ad-aware, and AVG Free to no avail. To make matters worse, when I run DSS it does not display an extra.txt and I cannot locate it on my computer. Any type of help would be greatly appreciated, I have to WORK!! Thank you very much, volunteers; you are providing peace of mind for many.

Deckard's System Scanner v20071014.68
Run by Dax on 2008-06-20 23:45:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Dax.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:09 PM, on 6/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\mjc\mjc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\mobsync.exe
C:\Users\Dax\Desktop\DJ\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dax.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {08402176-C23F-4578-AFDF-B396F44C916B} - C:\Windows\system32\iifeeBRk.dll (file missing)
O2 - BHO: (no name) - {0F8F84CF-DCBA-4426-AC18-30A8AB00C526} - C:\Windows\system32\ljJBttRL.dll
O2 - BHO: {356ffe7a-258a-8e9b-9294-a4ee6ce1e3d4} - {4d3e1ec6-ee4a-4929-b9e8-a852a7eff653} - C:\Windows\system32\xbiwtgjt.dll
O2 - BHO: (no name) - {5ED8F407-7F54-402E-8B05-89FE3E719EC7} - C:\Windows\system32\ssqPFXQG.dll (file missing)
O2 - BHO: (no name) - {7B098207-1330-4725-B859-5C1223117AA9} - C:\Windows\system32\nnnmlKCT.dll (file missing)
O2 - BHO: (no name) - {E0D26187-CFC9-4A9E-8173-2BF62747091C} - C:\Windows\system32\tuvWolJC.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {2A9788F6-727D-4CEE-9C9F-A6D2A47FD34A} - (no file)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJBttRL.dll,#1
O4 - HKLM\..\Run: [winlogon] C:\Users\Dax\svchost.exe
O4 - HKLM\..\Run: [calc.exe] C:\Users\Dax\AppData\Local\Temp\calc.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [187a87ae] rundll32.exe "C:\Windows\system32\mgfyjhkw.dll",b
O4 - HKLM\..\Run: [BM1b49b432] Rundll32.exe "C:\Windows\system32\uajnobpu.dll",s
O4 - HKCU\..\Run: [winlogon] C:\Users\Dax\svchost.exe
O4 - HKCU\..\Run: [run] regsvr32.exe /s "C:\Users\Dax\AppData\Roaming\sp1\qtfinal.dll"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\schedsvc.dll,-100 (Schedule) - Unknown owner - C:\Windows\system32\drivers\services.exe (file missing)
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdrac.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7468 bytes

-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-20 23:17:41 33792 --a------ C:\Windows\system32\ljJBttRL.dll
2008-06-20 17:41:57 86016 --a------ C:\Windows\system32\mgfyjhkw.dll
2008-06-20 17:35:57 101888 --a------ C:\Windows\system32\xbiwtgjt.dll
2008-06-20 17:33:36 93696 --a------ C:\Windows\system32\uajnobpu.dll
2008-06-20 17:32:55 748366 --ahs---- C:\Windows\system32\CJloWvut.ini2
2008-06-20 17:32:30 285696 --a------ C:\Windows\system32\tuvWolJC.dll
2008-06-20 11:07:16 101888 --a------ C:\Windows\system32\ppfjphru.dll
2008-06-20 11:04:52 93696 --a------ C:\Windows\system32\jbtscalr.dll
2008-06-20 11:04:01 740202 --ahs---- C:\Windows\system32\GQXFPqss.ini2
2008-06-20 10:59:56 0 d--h----- C:\$AVG8.VAULT$
2008-06-20 02:04:02 101376 --a------ C:\Windows\system32\hydplfvr.dll
2008-06-20 02:03:55 86016 --a------ C:\Windows\system32\kppybhaa.dll
2008-06-20 02:01:09 93696 --a------ C:\Windows\system32\hgbkbhra.dll
2008-06-20 02:00:46 722156 --ahs---- C:\Windows\system32\kRBeefii.ini2
2008-06-20 00:34:58 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-20 00:25:50 0 d-------- C:\HJT
2008-06-20 00:05:21 0 d-------- C:\Program Files\Trend Micro
2008-06-19 18:58:41 0 d-------- C:\ie-spyad_zo
2008-06-19 18:51:01 0 d-------- C:\Program Files\SpywareBlaster
2008-06-19 17:09:29 0 d-------- C:\Program Files\Panda Security
2008-06-19 14:38:22 0 d-------- C:\Windows\BDOSCAN8
2008-06-19 12:53:05 0 d-------- C:\Windows\system32\drivers\Avg
2008-06-19 12:52:49 0 d-------- C:\Program Files\AVG
2008-06-19 12:52:48 0 d-------- C:\Users\All Users\avg8
2008-06-19 11:47:01 86016 --a------ C:\Windows\system32\xwscdcbr.dll
2008-06-19 11:46:53 101376 --a------ C:\Windows\system32\teswhkll.dll
2008-06-19 11:44:17 93696 --a------ C:\Windows\system32\rfbubdba.dll
2008-06-19 11:40:53 727254 --ahs---- C:\Windows\system32\TCKlmnnn.ini2
2008-06-18 11:57:42 0 d-------- C:\Users\All Users\Avira
2008-06-18 11:57:42 0 d-------- C:\Program Files\Avira
2008-06-18 11:53:32 0 d-------- C:\Windows\owom
2008-06-18 11:53:32 0 d-------- C:\Program Files\Common Files\owom
2008-06-18 11:53:30 0 d--hs---- C:\Windows\RGF4
2008-06-18 11:48:39 163840 --a------ C:\Windows\egqk.exe
2008-06-18 11:48:28 0 d-------- C:\Program Files\Spcron
2008-06-18 11:48:25 0 d-------- C:\Program Files\Svconr
2008-06-18 11:48:20 0 d-------- C:\Program Files\mjc
2008-06-18 11:48:18 0 d-------- C:\Program Files\Temporary
2008-06-18 11:46:52 47104 --a------ C:\xkdpjhj.exe
2008-06-18 11:45:12 4096 --a------ C:\mxuxc.exe
2008-06-18 08:28:04 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-18 00:26:27 0 d-------- C:\Program Files\Enigma Software Group
2008-06-18 00:15:19 0 d-------- C:\VundoFix Backups
2008-06-18 00:11:43 683143 --ahs---- C:\Windows\system32\oYabdcfe.ini2
2008-06-16 19:16:06 1657479 ---hs---- C:\Windows\system32\lilwxqed.ini2
2008-06-16 19:12:08 684340 --ahs---- C:\Windows\system32\BdMUFLUt.ini2
2008-06-07 20:06:30 0 d-------- C:\Program Files\InterActual
2008-06-05 19:37:37 12 --a------ C:\Windows\bthservsdp.dat


-- Find3M Report ---------------------------------------------------------------

2008-06-20 22:15:00 0 d-------- C:\Users\Dax\AppData\Roaming\Digidesign
2008-06-20 22:04:13 32 --a------ C:\Windows\system32\msvcsv60.dll
2008-06-20 22:04:13 32 --a------ C:\Windows\msocreg32.dat
2008-06-20 17:56:26 0 d-------- C:\Users\Dax\AppData\Roaming\Mozilla
2008-06-20 15:53:11 0 d-------- C:\Program Files\RocketDock
2008-06-20 11:47:23 0 d-------- C:\Users\Dax\AppData\Roaming\SpeedRunner
2008-06-19 17:01:48 0 d-------- C:\Program Files\Common Files
2008-06-19 15:33:47 0 d-------- C:\Users\Dax\AppData\Roaming\sp1
2008-06-19 13:47:34 65965 --a------ C:\Users\Dax\AppData\Roaming\nvModes.001
2008-06-19 00:44:32 0 d-------- C:\Users\Dax\AppData\Roaming\PACE Anti-Piracy
2008-06-18 11:48:45 0 d-------- C:\Users\Dax\AppData\Roaming\s?stem
2008-06-18 11:39:12 0 d-------- C:\Users\Dax\AppData\Roaming\Uniblue
2008-06-18 10:59:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 08:23:54 0 d-------- C:\Users\Dax\AppData\Roaming\ErrorSmart
2008-06-17 19:04:30 0 d-------- C:\Program Files\Windows Mail
2008-06-17 06:57:03 65965 --a------ C:\Users\Dax\AppData\Roaming\nvModes.dat
2008-06-16 18:10:34 2028 --a------ C:\Users\Dax\AppData\Roaming\wklnhst.dat
2008-06-02 11:06:11 0 d-------- C:\Users\Dax\AppData\Roaming\Template
2008-05-29 13:48:31 0 d-------- C:\Program Files\Easy Adder
2008-05-22 13:39:57 200 --a------ C:\Windows\AUDC80UI.dat
2008-05-16 11:15:24 0 d-------- C:\Users\Dax\AppData\Roaming\IDMComp
2008-05-14 11:50:41 0 d-------- C:\Program Files\OpenOffice.org 3
2008-05-14 11:50:00 0 d-------- C:\Program Files\OpenOffice.org
2008-05-14 10:12:16 0 d-------- C:\Users\Dax\AppData\Roaming\OpenOffice.org3
2008-05-07 17:43:23 0 d-------- C:\Program Files\AbiSuite2
2008-05-02 09:57:05 0 d-------- C:\Program Files\Audacity
2008-05-01 13:45:50 0 d-------- C:\Program Files\Common Files\Native Instruments
2008-05-01 13:44:48 0 d-------- C:\Program Files\Native Instruments
2008-05-01 13:05:12 1700352 --a------ C:\Windows\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-29 13:57:29 0 d-------- C:\Program Files\BitComet
2008-04-28 20:16:04 0 d-------- C:\Program Files\Lavasoft
2008-04-20 00:08:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-27 06:54:00 174 --ahs---- C:\Program Files\desktop.ini
2008-03-27 06:09:56 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08402176-C23F-4578-AFDF-B396F44C916B}]
C:\Windows\system32\iifeeBRk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F8F84CF-DCBA-4426-AC18-30A8AB00C526}]
06/18/2008 11:44 AM 33792 --a------ C:\Windows\system32\ljJBttRL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4d3e1ec6-ee4a-4929-b9e8-a852a7eff653}]
06/20/2008 05:35 PM 101888 --a------ C:\Windows\system32\xbiwtgjt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ED8F407-7F54-402E-8B05-89FE3E719EC7}]
C:\Windows\system32\ssqPFXQG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B098207-1330-4725-B859-5C1223117AA9}]
C:\Windows\system32\nnnmlKCT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0D26187-CFC9-4A9E-8173-2BF62747091C}]
06/20/2008 05:32 PM 285696 --a------ C:\Windows\system32\tuvWolJC.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"="C:\Windows\system32\ljJBttRL.dll" [06/18/2008 11:44 AM]
"winlogon"="C:\Users\Dax\svchost.exe" []
"calc.exe"="C:\Users\Dax\AppData\Local\Temp\calc.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/19/2008 12:52 PM]
"187a87ae"="C:\Windows\system32\mgfyjhkw.dll" [06/20/2008 05:41 PM]
"BM1b49b432"="C:\Windows\system32\uajnobpu.dll" [06/20/2008 05:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\Users\Dax\svchost.exe" []
"run"="regsvr32.exe" [11/02/2006 04:45 AM C:\Windows\System32\regsvr32.exe]
"Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" []
"mjc"="C:\Program Files\mjc\mjc.exe" [06/18/2008 11:48 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0F8F84CF-DCBA-4426-AC18-30A8AB00C526}"= C:\Windows\system32\ljJBttRL.dll [06/18/2008 11:44 AM 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\tuvWolJC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Dax^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\Dax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]

[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
"C:\Program Files\HP\QuickPlay\QPService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
"C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
bthsvcs BthServ


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-20 23:46:29 ------------
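Reading a HijackThis log like the one above by hand is slow and easy to get wrong. The Python script below is an added example, not part of this thread and not code from HijackThis or DSS: it runs over twelve lines copied verbatim from the log above (embedded as sample input) and flags the defender-side indicators that make this log look like a Virtumonde/Vundo-type infection, namely randomly named DLLs under system32, a system-binary name such as svchost.exe running from a user profile, autostarts from Temp, entries whose file is already missing, and more than one antivirus vendor installed. The eight-letter naming heuristic, the vendor keyword list and the function names are this example's own assumptions.

```python
import re

# Heuristics here are this example's own, not HijackThis's; tune them before relying on them.
SYSTEM_BINARY_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
AV_VENDOR_KEYWORDS = ("avg", "avira", "avast", "eset", "kaspersky", "mcafee", "symantec", "trend micro")

# First "X:\...\name.dll|exe" on the line; non-greedy so the path stops at the first extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)
# Eight letters, no digits or punctuation: the naming pattern of the dropped DLLs in this log.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")

# Sample input, constructed by copying twelve lines verbatim from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {08402176-C23F-4578-AFDF-B396F44C916B} - C:\Windows\system32\iifeeBRk.dll (file missing)
O2 - BHO: (no name) - {0F8F84CF-DCBA-4426-AC18-30A8AB00C526} - C:\Windows\system32\ljJBttRL.dll
O2 - BHO: {356ffe7a-258a-8e9b-9294-a4ee6ce1e3d4} - {4d3e1ec6-ee4a-4929-b9e8-a852a7eff653} - C:\Windows\system32\xbiwtgjt.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJBttRL.dll,#1
O4 - HKLM\..\Run: [winlogon] C:\Users\Dax\svchost.exe
O4 - HKLM\..\Run: [calc.exe] C:\Users\Dax\AppData\Local\Temp\calc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [187a87ae] rundll32.exe "C:\Windows\system32\mgfyjhkw.dll",b
O4 - HKCU\..\Run: [run] regsvr32.exe /s "C:\Users\Dax\AppData\Roaming\sp1\qtfinal.dll"
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdrac.exe (file missing)
""".strip()


def extract_path(line):
    """Return the first absolute .dll/.exe path on a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def classify(line):
    """Return the reasons (possibly none) why this line deserves a closer look."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("autostart points at a file that is no longer present")
    path = extract_path(line)
    if path is None:
        return reasons
    folder, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    folder_l, name_l = folder.lower(), name.lower()
    in_temp = "\\temp\\" in folder_l + "\\"
    if folder_l.endswith("\\system32") and RANDOM_STEM_RE.match(stem):
        reasons.append(f"randomly named module {name} in system32 (heuristic)")
    if name_l in SYSTEM_BINARY_NAMES and not folder_l.startswith("c:\\windows"):
        reasons.append(f"{name} running from outside the Windows directory")
    if in_temp:
        reasons.append("program launched from a Temp directory")
    elif ext.lower() == "dll" and "\\users\\" in folder_l:
        reasons.append("DLL loaded from a user profile directory")
    return reasons


def av_vendors(log_text):
    """Collect antivirus vendors named in O23 lines; the vendor is the second-to-last ' - ' field."""
    vendors = set()
    for line in log_text.splitlines():
        if not line.startswith("O23 - Service:"):
            continue
        parts = line.split(" - ")
        if len(parts) < 4:
            continue
        vendor = parts[-2].lower()
        vendors.update(kw for kw in AV_VENDOR_KEYWORDS if kw in vendor)
    return sorted(vendors)


def triage(log_text):
    """Run every check over the log and return the findings for a human reviewer."""
    findings = [(n, r) for n, line in enumerate(log_text.splitlines(), 1) for r in classify(line)]
    vendors = av_vendors(log_text)
    warnings = []
    if len(vendors) > 1:
        warnings.append("more than one antivirus product installed: " + ", ".join(vendors))
    return {"findings": findings, "av_vendors": vendors, "warnings": warnings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for n, reason in report["findings"]:
        print(f"line {n}: {reason}")
    for w in report["warnings"]:
        print("warning:", w)
```

The checks are deliberately coarse: they shortlist lines for a human to confirm against the full log, they do not decide on their own what to remove.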


#2 Baabiouz


Posted 21 June 2008 - 12:17 PM

Hello Kgrind11 :thumbsup:

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.

#3 Baabiouz


Posted 22 June 2008 - 07:23 AM

Hi :thumbsup:

You have two antiviruses running at the same time, AVG8 and Avira AntiVir. Please uninstall one of them now.


Then download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Please post the ComboFix log and a fresh HijackThis log back here :)

#4 kgrind11


Posted 22 June 2008 - 05:29 PM

Thank you so much for your help. This infection is causing my Internet browsing to only certain sites (I have to log in with safe mode to visit bleepingcomputer.com), Windows constantly restarts, and some of my programs constantly error and freeze.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:33 PM, on 6/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {08402176-C23F-4578-AFDF-B396F44C916B} - C:\Windows\system32\iifeeBRk.dll (file missing)
O2 - BHO: (no name) - {5ED8F407-7F54-402E-8B05-89FE3E719EC7} - C:\Windows\system32\ssqPFXQG.dll (file missing)
O2 - BHO: (no name) - {7B098207-1330-4725-B859-5C1223117AA9} - C:\Windows\system32\nnnmlKCT.dll (file missing)
O2 - BHO: {f9c834ee-f5aa-ae39-cd24-d594967a0e2d} - {d2e0a769-495d-42dc-93ea-aa5fee438c9f} - C:\Windows\system32\erklsuqu.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {2A9788F6-727D-4CEE-9C9F-A6D2A47FD34A} - (no file)
O4 - HKLM\..\Run: [187a87ae] rundll32.exe "C:\Windows\system32\uhanccnb.dll",b
O4 - HKLM\..\Run: [BM1b49b432] Rundll32.exe "C:\Windows\system32\bjuwpbps.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdrac.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5264 bytes


ComboFix 08-06-20.4 - Dax 2008-06-22 16:51:12.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2179 [GMT -5:00]
Running from: C:\Users\Dax\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 21:07 --------- d-----w C:\ProgramData\Avg8
2008-06-22 20:45 --------- d-----w C:\Users\Dax\AppData\Roaming\Digidesign
2008-06-22 18:36 101,888 ----a-w C:\Windows\System32\erklsuqu.dll
2008-06-22 18:30 95,232 ----a-w C:\Windows\System32\bjuwpbps.dll
2008-06-22 16:23 86,016 ----a-w C:\Windows\System32\uhanccnb.dll
2008-06-22 16:23 101,888 ----a-w C:\Windows\System32\mratmfhh.dll
2008-06-20 22:35 101,888 ----a-w C:\Windows\System32\xbiwtgjt.dll
2008-06-20 20:53 --------- d-----w C:\Program Files\RocketDock
2008-06-20 20:52 --------- d-----w C:\Program Files\Panda Security
2008-06-20 16:07 101,888 ----a-w C:\Windows\System32\ppfjphru.dll
2008-06-20 15:24 --------- d---a-w C:\ProgramData\TEMP
2008-06-20 07:03 86,016 ----a-w C:\Windows\System32\kppybhaa.dll
2008-06-20 06:15 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-20 05:55 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-20 05:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-20 05:05 --------- d-----w C:\Program Files\Trend Micro
2008-06-19 23:51 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-19 20:02 --------- d-----w C:\Program Files\Common Files\owom
2008-06-19 16:47 86,016 ----a-w C:\Windows\System32\xwscdcbr.dll
2008-06-19 05:44 --------- d-----w C:\Users\Dax\AppData\Roaming\PACE Anti-Piracy
2008-06-19 05:44 --------- d-----w C:\ProgramData\PACE Anti-Piracy
2008-06-18 16:57 --------- d-----w C:\ProgramData\Avira
2008-06-18 16:57 --------- d-----w C:\Program Files\Avira
2008-06-18 16:48 --------- d-----w C:\Program Files\mjc
2008-06-18 16:47 47,104 ----a-w C:\xkdpjhj.exe
2008-06-18 16:45 4,096 ----a-w C:\mxuxc.exe
2008-06-18 16:39 --------- d-----w C:\Users\Dax\AppData\Roaming\Uniblue
2008-06-18 15:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 13:28 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-06-18 13:23 --------- d-----w C:\Users\Dax\AppData\Roaming\ErrorSmart
2008-06-18 05:27 30,760 ----a-w C:\Windows\System32\eeaprmzj.exe
2008-06-18 00:04 --------- d-----w C:\Program Files\Windows Mail
2008-06-17 11:57 65,965 ----a-w C:\Users\Dax\AppData\Roaming\nvModes.dat
2008-06-16 23:10 2,028 ----a-w C:\Users\Dax\AppData\Roaming\wklnhst.dat
2008-06-08 01:07 --------- d-----w C:\Program Files\InterActual
2008-06-06 03:02 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2008-06-02 16:06 --------- d-----w C:\Users\Dax\AppData\Roaming\Template
2008-05-29 18:48 --------- d-----w C:\Program Files\Easy Adder
2008-05-16 16:15 --------- d-----w C:\Users\Dax\AppData\Roaming\IDMComp
2008-05-14 16:50 --------- d-----w C:\Program Files\OpenOffice.org 3
2008-05-14 16:50 --------- d-----w C:\Program Files\OpenOffice.org
2008-05-14 15:12 --------- d-----w C:\Users\Dax\AppData\Roaming\OpenOffice.org3
2008-05-14 14:49 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-10 01:33 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-07 22:43 --------- d-----w C:\Program Files\AbiSuite2
2008-05-02 14:57 --------- d-----w C:\Program Files\Audacity
2008-05-01 18:45 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-05-01 18:44 --------- d-----w C:\Program Files\Native Instruments
2008-05-01 18:05 1,700,352 ----a-w C:\Windows\System32\gdiplus.dll
2008-04-29 18:57 --------- d-----w C:\Program Files\BitComet
2008-04-29 01:16 --------- d-----w C:\ProgramData\Lavasoft
2008-04-29 01:16 --------- d-----w C:\Program Files\Lavasoft
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 04:42 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:42 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-03-27 11:54 174 --sha-w C:\Program Files\desktop.ini
2008-03-27 11:32 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-27 11:32 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-27 11:09 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-03-27 11:09 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-22_16.49.49.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-22 21:51:06 6,189,056 ----a-w C:\Windows\ERDNT\Hiv-backup\SCHEMA.DAT
- 2008-06-22 21:22:40 8,966 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3638489192-2795439887-951695889-1000_UserData.bin
+ 2008-06-22 21:48:53 9,644 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3638489192-2795439887-951695889-1000_UserData.bin
- 2008-06-22 21:22:40 75,802 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-22 21:48:52 75,872 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08402176-C23F-4578-AFDF-B396F44C916B}]
C:\Windows\system32\iifeeBRk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ED8F407-7F54-402E-8B05-89FE3E719EC7}]
C:\Windows\system32\ssqPFXQG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B098207-1330-4725-B859-5C1223117AA9}]
C:\Windows\system32\nnnmlKCT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d2e0a769-495d-42dc-93ea-aa5fee438c9f}]
2008-06-22 13:36 101888 --a------ C:\Windows\system32\erklsuqu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"187a87ae"="C:\Windows\system32\uhanccnb.dll" [2008-06-22 11:23 86016]
"BM1b49b432"="C:\Windows\system32\bjuwpbps.dll" [2008-06-22 13:30 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"midi1"= mbx2midu.dll
"midi4"= rddv1027.dll
"wave1"= Digi32.dll
"midi3"= mbx2midu.dll
"MIDI2"= diomidi.dll
"midi5"= rddv1027.dll
"midi6"= mbx2midu.dll
"midi7"= mbx2midu.dll

[HKLM\~\startupfolder\C:^Users^Dax^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\Dax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]

[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 01:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2007-08-22 18:31 80896 C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-03-17 17:59 2289664 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-09-30 22:34 181544 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-08-17 02:13 218408 C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{29DA7670-1067-4EF0-89EE-9BD6B12C9B54}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CABE275A-2E71-4CD7-BEFE-592949AFE45F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3EC86714-8387-408B-96E6-981610836165}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6F50D2C4-8E6C-46EE-88E2-254E72827181}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{39B3D989-6E77-4032-8CD7-F8CA94EF8C0D}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{45353C69-11B0-49DF-A153-FAEF489D2F33}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B9D5E06F-0DF6-4F61-A359-53B94B0B938C}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F6A10BF2-F0DE-4AAE-BFE2-504D153C766F}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{170CDA6A-111A-4A9A-98ED-2A85D43D77DB}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B81F62E7-E9A4-4330-BE2B-FBF881E4FAB3}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2F635961-175D-4664-B4FD-26A3D12F4096}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8DE69E36-7000-42CE-8079-ECDD127C4B11}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{531DC3B0-E437-400A-9641-C88996470A03}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{1A02EF13-9872-4A87-AEFB-9DF8F7EC6180}"= UDP:13537:BitComet 13537 TCP
"{4F7440B8-9A9E-44CA-B068-E90E00F81508}"= TCP:13537:BitComet 13537 UDP
"TCP Query User{81B3E0F8-E34F-4EE0-822A-2BAB01C93C93}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{3A650E31-4E76-4258-B55B-9AE6B19F6883}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{6641AFED-EC66-463E-A3FF-29D076C13F69}"= Disabled:UDP:13537:BitComet 13537 TCP
"{7F59FC91-F623-400B-ADBE-F9070B922749}"= Disabled:TCP:13537:BitComet 13537 UDP
"TCP Query User{7AF79C50-6AE4-4C2B-A339-22D64238D3BB}C:\\program files\\bitcomet\\bitcomet.exe"= Disabled:UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{66C34C4C-77BE-4066-B0D0-3588428D6D46}C:\\program files\\bitcomet\\bitcomet.exe"= Disabled:TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 DigiNet;Digidesign Ethernet Support;C:\Windows\system32\DRIVERS\diginet.sys [2007-10-31 02:16]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-18 23:33]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-18 23:33]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 13:30]
S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdrac.exe []
S3 dalwdmservice;dal service;C:\Windows\system32\drivers\dalwdm.sys [2007-10-31 02:15]
S3 iLokDrvr;iLok;C:\Windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 12:05]
S3 MBX2DFU;MBX2DFU;C:\Windows\system32\DRIVERS\MBX2DFU.sys [2007-10-31 02:16]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\Windows\system32\drivers\mbx2midk.sys [2007-10-31 02:16]
S3 RDID1027;EDIROL PCR;C:\Windows\system32\Drivers\rdwm1027.sys [2003-10-31 05:59]
S3 SeratoUsb;SeratoUsb driver;C:\Windows\system32\Drivers\SeratoUsb.sys [2007-05-21 17:04]
S4 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-09-30 22:34]
S4 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-09-30 22:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-06-22 21:50:15 C:\Windows\Tasks\User_Feed_Synchronization-{FDDCA2E2-E101-4280-8727-D41CE0BA28FC}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 16:52:17
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\uhanccnb.dll
-> C:\Windows\system32\bjuwpbps.dll
.
Completion time: 2008-06-22 16:52:55
ComboFix-quarantined-files.txt 2008-06-22 21:52:48
ComboFix2.txt 2008-06-22 21:50:08

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

200 --- E O F --- 2008-06-17 22:55:33

#5 Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:08:49 PM

Posted 23 June 2008 - 09:47 AM

Hello :thumbsup:

Step #1
Did you uninstall both of your antiviruses?
If you did, please install one antivirus now:

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

Step #2
Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

O2 - BHO: (no name) - {08402176-C23F-4578-AFDF-B396F44C916B} - C:\Windows\system32\iifeeBRk.dll (file missing)
O2 - BHO: (no name) - {5ED8F407-7F54-402E-8B05-89FE3E719EC7} - C:\Windows\system32\ssqPFXQG.dll (file missing)
O2 - BHO: (no name) - {7B098207-1330-4725-B859-5C1223117AA9} - C:\Windows\system32\nnnmlKCT.dll (file missing)
O2 - BHO: {f9c834ee-f5aa-ae39-cd24-d594967a0e2d} - {d2e0a769-495d-42dc-93ea-aa5fee438c9f} - C:\Windows\system32\erklsuqu.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {2A9788F6-727D-4CEE-9C9F-A6D2A47FD34A} - (no file)
O4 - HKLM\..\Run: [187a87ae] rundll32.exe "C:\Windows\system32\uhanccnb.dll",b
O4 - HKLM\..\Run: [BM1b49b432] Rundll32.exe "C:\Windows\system32\bjuwpbps.dll",s

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


Step #3
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\System32\erklsuqu.dll
C:\Windows\System32\bjuwpbps.dll
C:\Windows\System32\uhanccnb.dll
C:\Windows\System32\mratmfhh.dll
C:\Windows\System32\xbiwtgjt.dll
C:\Windows\System32\ppfjphru.dll
C:\Windows\System32\kppybhaa.dll
C:\Windows\System32\xwscdcbr.dll
C:\xkdpjhj.exe
C:\mxuxc.exe
C:\Windows\System32\eeaprmzj.exe
C:\Windows\system32\kdrac.exe

Folder::
C:\Users\Dax\AppData\Roaming\ErrorSmart
C:\Program Files\mjc

Driver::
Windows Tribute Service

DirLook::
C:\Program Files\Common Files\owom


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Step #4
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step #5
Please post the ComboFix log, the MBAM log and a fresh HijackThis log back here :)
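An added example for checking the outcome of the steps above; it is not code from the thread, from ComboFix, HijackThis or Malwarebytes. It parses the "Reg Loading Points" excerpt of a ComboFix log (the BHO blocks and the HKLM Run key) and cross-checks it against the File:: list of the CFScript, answering two questions a helper asks when reading the follow-up log: which CFScript targets are still wired into a loading point with the file present, and which loading points now point at a file that no longer exists. The sample log lines and the CFScript are copied from this thread; the reading that a BHO file line without a date/size prefix means ComboFix could not find the file follows HijackThis marking the same three BHOs "(file missing)" above, and is an assumption of this example.

```python
"""Cross-check ComboFix "Reg Loading Points" entries against a CFScript File:: list.

Added example for this thread, not code from ComboFix or any tool named here.
"""
from __future__ import annotations

import re

# Constructed sample: loading points copied from the first ComboFix log (before the CFScript run).
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08402176-C23F-4578-AFDF-B396F44C916B}]
C:\Windows\system32\iifeeBRk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d2e0a769-495d-42dc-93ea-aa5fee438c9f}]
2008-06-22 13:36 101888 --a------ C:\Windows\system32\erklsuqu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"187a87ae"="C:\Windows\system32\uhanccnb.dll" [2008-06-22 11:23 86016]
"BM1b49b432"="C:\Windows\system32\bjuwpbps.dll" [2008-06-22 13:30 95232]
"""

# Constructed sample: the same section copied from the log posted after the CFScript run.
AFTER_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-23 18:41 1177368]
"BM1b49b432"="C:\Windows\system32\bjuwpbps.dll" [ ]
"""

# The File:: block of the CFScript from Step #3 (other blocks are parsed past but ignored).
CFSCRIPT = r"""
File::
C:\Windows\System32\erklsuqu.dll
C:\Windows\System32\bjuwpbps.dll
C:\Windows\System32\uhanccnb.dll
C:\Windows\System32\mratmfhh.dll
C:\xkdpjhj.exe
C:\mxuxc.exe
C:\Windows\system32\kdrac.exe

Folder::
C:\Program Files\mjc
"""

BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[^}]+\})\]$")
# ComboFix prints a Run value as "name"="path" [date time size], or [ ] when the file is gone.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
# Assumption: a file ComboFix could stat is prefixed with its date/time; a bare path means not found.
STAT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} ")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")


def parse_loading_points(log: str) -> list[dict]:
    """Return BHO and HKLM Run entries as {kind, key, path, present} dicts, in log order."""
    entries: list[dict] = []
    section = None  # ("bho", clsid) | ("run", None) | None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        bho = BHO_RE.match(line)
        if bho:
            section = ("bho", bho.group("clsid"))
            continue
        if line.startswith("[") and line.endswith("]"):
            section = ("run", None) if line.lower().endswith(r"\currentversion\run]") else None
            continue
        if section is None:
            continue
        kind, clsid = section
        if kind == "bho":
            found = PATH_RE.search(line)
            entries.append({"kind": "bho", "key": clsid,
                            "path": found.group(0) if found else line,
                            "present": bool(STAT_RE.match(line))})
            section = None  # one file line per BHO block
        else:
            run = RUN_RE.match(line)
            if run:
                entries.append({"kind": "run", "key": run.group("name"),
                                "path": run.group("path"),
                                "present": run.group("meta").strip() != ""})
    return entries


def parse_cfscript_files(script: str) -> set[str]:
    """Return the lower-cased paths listed under File:: in a CFScript."""
    files, active = set(), False
    for raw in script.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            active = line.lower() == "file::"
            continue
        if active and line:
            files.add(line.lower())
    return files


def still_loading(log: str, script: str) -> list[dict]:
    """CFScript targets that the log still shows present at a loading point: cleanup not done."""
    wanted = parse_cfscript_files(script)
    return [e for e in parse_loading_points(log) if e["present"] and e["path"].lower() in wanted]


def orphaned_entries(log: str) -> list[dict]:
    """Loading points whose target file is gone: the registry value outlived the file."""
    return [e for e in parse_loading_points(log) if not e["present"]]


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"{label}: still loading {[e['path'] for e in still_loading(log, CFSCRIPT)]}")
        print(f"{label}: orphaned {[(e['kind'], e['key']) for e in orphaned_entries(log)]}")
```

Run against the two logs in this thread, the checker reports all three CFScript DLLs as still loading before the script and none afterwards, while the after-log still carries an orphaned Run value (the `"BM1b49b432"` entry with an empty `[ ]`), which is the kind of leftover a helper would ask HijackThis to fix on the next pass.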

#6 kgrind11

  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:49 PM

Posted 23 June 2008 - 08:54 PM

Thank you very much for your help again.

ComboFix 08-06-20.4 - Dax 2008-06-23 20:21:32.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2099 [GMT -5:00]
Running from: C:\Users\Dax\Desktop\ComboFix.exe
Command switches used :: C:\Users\Dax\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\mxuxc.exe
C:\Windows\System32\bjuwpbps.dll
C:\Windows\System32\eeaprmzj.exe
C:\Windows\System32\erklsuqu.dll
C:\Windows\system32\kdrac.exe
C:\Windows\System32\kppybhaa.dll
C:\Windows\System32\mratmfhh.dll
C:\Windows\System32\ppfjphru.dll
C:\Windows\System32\uhanccnb.dll
C:\Windows\System32\xbiwtgjt.dll
C:\Windows\System32\xwscdcbr.dll
C:\xkdpjhj.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\mxuxc.exe
C:\Program Files\mjc
C:\Program Files\mjc\mjc.exe
C:\Users\Dax\AppData\Roaming\ErrorSmart
C:\Users\Dax\AppData\Roaming\ErrorSmart\Registry Backups\2008-06-18_08-23-55.reg
C:\Users\Dax\AppData\Roaming\ErrorSmart\Registry Backups\2008-06-18_08-37-28.reg
C:\Users\Dax\AppData\Roaming\ErrorSmart\Registry Backups\2008-06-18_10-54-20.reg
C:\Windows\System32\bjuwpbps.dll
C:\Windows\System32\eeaprmzj.exe
C:\Windows\System32\erklsuqu.dll
C:\Windows\System32\kppybhaa.dll
C:\Windows\System32\mratmfhh.dll
C:\Windows\system32\msvcsv60.dll
C:\Windows\System32\ppfjphru.dll
C:\Windows\System32\uhanccnb.dll
C:\Windows\System32\xbiwtgjt.dll
C:\Windows\System32\xwscdcbr.dll
C:\xkdpjhj.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Windows Tribute Service


((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-23 18:48 . 2008-06-23 18:48 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-23 18:41 . 2008-06-23 18:43 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-06-23 18:41 . 2008-06-23 18:41 <DIR> d-------- C:\Program Files\AVG
2008-06-23 18:41 . 2008-06-23 18:41 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-06-23 18:41 . 2008-06-23 18:41 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-06-23 18:41 . 2008-06-23 18:41 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-06-22 16:47 . 2008-06-23 18:37 774 ---hs---- C:\Windows\System32\bnccnahu.ini
2008-06-22 16:07 . 2008-06-23 18:41 <DIR> d-------- C:\Users\All Users\Avg8
2008-06-22 16:07 . 2008-06-23 18:41 <DIR> d-------- C:\ProgramData\Avg8
2008-06-20 00:56 . 2008-06-20 15:49 462 --a------ C:\Windows\wininit.ini
2008-06-20 00:34 . 2008-06-20 01:15 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-20 00:34 . 2008-06-20 01:15 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-06-20 00:34 . 2008-06-20 00:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 00:25 . 2008-06-20 00:25 <DIR> d-------- C:\HJT
2008-06-20 00:05 . 2008-06-20 00:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-19 19:05 . 2008-06-19 19:05 <DIR> d-------- C:\Deckard
2008-06-19 18:58 . 2008-06-19 18:58 <DIR> d-------- C:\ie-spyad_zo
2008-06-19 18:51 . 2008-06-19 18:51 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-19 17:09 . 2008-06-20 15:52 <DIR> d-------- C:\Program Files\Panda Security
2008-06-19 14:38 . 2008-06-19 16:35 <DIR> d-------- C:\Windows\BDOSCAN8
2008-06-19 11:47 . 2008-06-19 12:25 414 ---hs---- C:\Windows\System32\rbcdcswx.ini
2008-06-18 11:57 . 2008-06-18 11:57 <DIR> d-------- C:\Users\All Users\Avira
2008-06-18 11:57 . 2008-06-18 11:57 <DIR> d-------- C:\ProgramData\Avira
2008-06-18 11:57 . 2008-06-18 11:57 <DIR> d-------- C:\Program Files\Avira
2008-06-18 11:53 . 2008-06-19 15:38 <DIR> d--hs---- C:\Windows\RGF4
2008-06-18 11:53 . 2008-06-18 11:53 <DIR> d-------- C:\Windows\owom
2008-06-18 11:53 . 2008-06-19 15:02 <DIR> d-------- C:\Program Files\Common Files\owom
2008-06-18 11:39 . 2008-06-18 11:39 <DIR> d-------- C:\Users\Dax\AppData\Roaming\Uniblue
2008-06-18 08:28 . 2008-06-18 08:28 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-18 08:28 . 2008-06-18 08:28 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-06-18 00:26 . 2008-06-20 00:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-18 00:15 . 2008-06-18 00:15 <DIR> d-------- C:\VundoFix Backups
2008-06-07 20:10 . 2008-06-07 22:13 0 --a------ C:\dump_dvd.vob
2008-06-07 20:06 . 2008-06-07 20:07 <DIR> d-------- C:\Program Files\InterActual
2008-06-05 22:02 . 2008-06-05 22:02 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2008-06-05 19:37 . 2008-06-23 20:10 12 --a------ C:\Windows\bthservsdp.dat
2008-06-02 11:06 . 2008-06-02 11:06 <DIR> d-------- C:\Users\Dax\AppData\Roaming\Template
2008-06-02 11:06 . 2008-06-23 09:07 2,028 --a------ C:\Users\Dax\AppData\Roaming\wklnhst.dat
2008-05-28 07:53 . 2008-03-07 21:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-28 07:53 . 2008-03-07 23:21 1,695,744 --a------ C:\Windows\System32\gameux.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 23:40 --------- d-----w C:\Users\Dax\AppData\Roaming\Digidesign
2008-06-20 20:53 --------- d-----w C:\Program Files\RocketDock
2008-06-20 15:24 --------- d---a-w C:\ProgramData\TEMP
2008-06-19 05:44 --------- d-----w C:\Users\Dax\AppData\Roaming\PACE Anti-Piracy
2008-06-19 05:44 --------- d-----w C:\ProgramData\PACE Anti-Piracy
2008-06-18 15:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 00:04 --------- d-----w C:\Program Files\Windows Mail
2008-06-17 11:57 65,965 ----a-w C:\Users\Dax\AppData\Roaming\nvModes.dat
2008-05-29 18:48 --------- d-----w C:\Program Files\Easy Adder
2008-05-16 16:15 --------- d-----w C:\Users\Dax\AppData\Roaming\IDMComp
2008-05-14 16:50 --------- d-----w C:\Program Files\OpenOffice.org 3
2008-05-14 16:50 --------- d-----w C:\Program Files\OpenOffice.org
2008-05-14 15:12 --------- d-----w C:\Users\Dax\AppData\Roaming\OpenOffice.org3
2008-05-14 14:49 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-10 01:33 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-07 22:43 --------- d-----w C:\Program Files\AbiSuite2
2008-05-02 14:57 --------- d-----w C:\Program Files\Audacity
2008-05-01 18:45 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-05-01 18:44 --------- d-----w C:\Program Files\Native Instruments
2008-05-01 18:05 1,700,352 ----a-w C:\Windows\System32\gdiplus.dll
2008-04-29 18:57 --------- d-----w C:\Program Files\BitComet
2008-04-29 01:16 --------- d-----w C:\ProgramData\Lavasoft
2008-04-29 01:16 --------- d-----w C:\Program Files\Lavasoft
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 04:42 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:42 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-03-27 11:54 174 --sha-w C:\Program Files\desktop.ini
2008-03-27 11:32 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-27 11:32 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-27 11:09 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-03-27 11:09 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Common Files\owom ----

2008-06-18 11:55 0 --a------ C:\Program Files\Common Files\owom\owoml.lck
2008-06-18 11:53 0 --a------ C:\Program Files\Common Files\owom\owomm.lck
2008-06-18 11:53 0 --a------ C:\Program Files\Common Files\owom\owoma.lck
2004-04-19 21:26 4933375 --a------ C:\Program Files\Common Files\owom\owomd\class-barrel


((((((((((((((((((((((((((((( snapshot@2008-06-22_16.49.49.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 21:33:50 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-24 01:12:11 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-22 21:44:22 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-24 01:13:28 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-22 21:44:27 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-24 01:13:28 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-23 23:41:29 26,184 ----a-w C:\Windows\System32\drivers\avgmfx86.sys
- 2008-06-22 21:38:20 101,350 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-24 01:20:03 101,350 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-22 21:38:20 595,684 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-24 01:20:03 595,684 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-22 21:47:20 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-06-22 22:05:11 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-06-22 21:22:40 8,966 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3638489192-2795439887-951695889-1000_UserData.bin
+ 2008-06-24 01:14:54 10,066 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3638489192-2795439887-951695889-1000_UserData.bin
- 2008-06-22 21:22:40 75,802 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-24 01:14:54 76,126 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-22 21:22:39 40,648 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-23 23:38:43 40,790 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-06-19 18:56:59 313,188 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-06-23 14:18:40 314,714 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-23 18:41 1177368]
"BM1b49b432"="C:\Windows\system32\bjuwpbps.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"midi1"= mbx2midu.dll
"midi4"= rddv1027.dll
"wave1"= Digi32.dll
"midi3"= mbx2midu.dll
"MIDI2"= diomidi.dll
"midi5"= rddv1027.dll
"midi6"= mbx2midu.dll
"midi7"= mbx2midu.dll

[HKLM\~\startupfolder\C:^Users^Dax^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\Dax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]

[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 01:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2007-08-22 18:31 80896 C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-03-17 17:59 2289664 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-09-30 22:34 181544 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-08-17 02:13 218408 C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{29DA7670-1067-4EF0-89EE-9BD6B12C9B54}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CABE275A-2E71-4CD7-BEFE-592949AFE45F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3EC86714-8387-408B-96E6-981610836165}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6F50D2C4-8E6C-46EE-88E2-254E72827181}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{39B3D989-6E77-4032-8CD7-F8CA94EF8C0D}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{45353C69-11B0-49DF-A153-FAEF489D2F33}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B9D5E06F-0DF6-4F61-A359-53B94B0B938C}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F6A10BF2-F0DE-4AAE-BFE2-504D153C766F}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{170CDA6A-111A-4A9A-98ED-2A85D43D77DB}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B81F62E7-E9A4-4330-BE2B-FBF881E4FAB3}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2F635961-175D-4664-B4FD-26A3D12F4096}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8DE69E36-7000-42CE-8079-ECDD127C4B11}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{531DC3B0-E437-400A-9641-C88996470A03}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{1A02EF13-9872-4A87-AEFB-9DF8F7EC6180}"= UDP:13537:BitComet 13537 TCP
"{4F7440B8-9A9E-44CA-B068-E90E00F81508}"= TCP:13537:BitComet 13537 UDP
"TCP Query User{81B3E0F8-E34F-4EE0-822A-2BAB01C93C93}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{3A650E31-4E76-4258-B55B-9AE6B19F6883}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{6641AFED-EC66-463E-A3FF-29D076C13F69}"= Disabled:UDP:13537:BitComet 13537 TCP
"{7F59FC91-F623-400B-ADBE-F9070B922749}"= Disabled:TCP:13537:BitComet 13537 UDP
"TCP Query User{7AF79C50-6AE4-4C2B-A339-22D64238D3BB}C:\\program files\\bitcomet\\bitcomet.exe"= Disabled:UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{66C34C4C-77BE-4066-B0D0-3588428D6D46}C:\\program files\\bitcomet\\bitcomet.exe"= Disabled:TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{5C8D4DD3-633A-45AD-AB67-54BD3F7C6A63}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{4FC45A41-9E89-4523-91B9-DAA923874824}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-23 18:41]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-23 18:41]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-23 18:41]
R2 DigiNet;Digidesign Ethernet Support;C:\Windows\system32\DRIVERS\diginet.sys [2007-10-31 02:16]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-18 23:33]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-18 23:33]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-23 18:41]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 13:30]
S3 dalwdmservice;dal service;C:\Windows\system32\drivers\dalwdm.sys [2007-10-31 02:15]
S3 iLokDrvr;iLok;C:\Windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 12:05]
S3 MBX2DFU;MBX2DFU;C:\Windows\system32\DRIVERS\MBX2DFU.sys [2007-10-31 02:16]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\Windows\system32\drivers\mbx2midk.sys [2007-10-31 02:16]
S3 RDID1027;EDIROL PCR;C:\Windows\system32\Drivers\rdwm1027.sys [2003-10-31 05:59]
S3 SeratoUsb;SeratoUsb driver;C:\Windows\system32\Drivers\SeratoUsb.sys [2007-05-21 17:04]
S4 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-09-30 22:34]
S4 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-09-30 22:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 00:26:32 C:\Windows\Tasks\User_Feed_Synchronization-{FDDCA2E2-E101-4280-8727-D41CE0BA28FC}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 20:22:48
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-23 20:23:41
ComboFix-quarantined-files.txt 2008-06-24 01:23:36
ComboFix2.txt 2008-06-22 21:52:55
ComboFix3.txt 2008-06-22 21:50:08

Pre-Run: 186,392,399,872 bytes free
Post-Run: 186,359,083,008 bytes free

270 --- E O F --- 2008-06-23 01:23:45

Malwarebytes' Anti-Malware 1.18
Database version: 884

8:36:23 PM 6/23/2008
mbam-log-6-23-2008 (20-36-23).txt

Scan type: Quick Scan
Objects scanned: 33343
Time elapsed: 1 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vrmdtneg.bxwk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vrmdtneg.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1b49b432 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Delete on reboot.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:02 PM, on 6/23/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4903 bytes

#7 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 24 June 2008 - 10:52 AM

Hello :thumbsup:

Step #1
Please visit Virustotal
* Click the Browse... button
* Navigate to the file C:\Program Files\Common Files\owom\owoml.lck
* Click the Open button
* Click the Send button
* Copy and paste the results back here

Step #2
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

Step #3
Please post a fresh hijackthis log and virustotal results back here :)
How's your computer working?

#8 kgrind11
  • Topic Starter
  • Members
  • 15 posts

Posted 24 June 2008 - 11:57 AM

Hello.

My computer seems to be running okay. Memory intensive programs like Pro Tools constantly freeze and need to be restarted. I can resume normal Internet browsing. Thanks a lot, this website is the greatest! Heavy recommendations will be made.

The results of the VirusTotal scan are:

0 bytes size received / Se ha recibido un archivo vacio


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:42 AM, on 6/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5256 bytes
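The "post a fresh HijackThis log" step is really a before/after comparison: the helper reads the 6/23 log in the earlier post against the 6/24 log above and looks for entries that appeared, vanished or changed path. The following Python script is an added example, not code from this thread or from HijackThis itself: it parses the coded entry lines (`R0`, `O2`, `O4`, `O23` and so on) and the `Running processes:` block of two logs and reports the difference. The two sample logs inside it are constructed and abbreviated in HijackThis' format; the `Temp\sample.exe` autostart in the "before" log is an illustrative placeholder, not an entry from the posts above.

```python
"""Parse two HijackThis v2 logs and report what changed between them.
Added example (not from this thread or from HijackThis); sample logs
below are constructed and abbreviated, with illustrative paths only."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis entry: section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass(frozen=True, order=True)
class HjtEntry:
    code: str  # e.g. "O4" (autostart), "O23" (service), "O2" (BHO)
    body: str  # everything after the code

    def __str__(self) -> str:
        return f"{self.code} - {self.body}"


def parse_entries(log_text: str) -> list[HjtEntry]:
    """Return every coded entry line of the log, in file order."""
    entries: list[HjtEntry] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def parse_running_processes(log_text: str) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs: list[str] = []
    collecting = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line:
                break
            procs.append(line)
    return procs


def diff_logs(old_text: str, new_text: str) -> dict[str, list[str]]:
    """Entries match on exact code+body text, so a changed path (for example a
    new JRE directory) shows up as one removal plus one addition."""
    old, new = set(parse_entries(old_text)), set(parse_entries(new_text))
    old_p, new_p = set(parse_running_processes(old_text)), set(parse_running_processes(new_text))
    return {
        "added_entries": [str(e) for e in sorted(new - old)],
        "removed_entries": [str(e) for e in sorted(old - new)],
        "added_processes": sorted(new_p - old_p),
        "removed_processes": sorted(old_p - new_p),
    }


# Constructed "before" log (abbreviated; the Temp autostart is a placeholder).
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:02 PM, on 6/23/2008
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sample] C:\Users\user\AppData\Local\Temp\sample.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed "after" log: Java updated to 6u6, the Temp autostart gone.
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:42 AM, on 6/24/2008
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for key, items in diff_logs(OLD_LOG, NEW_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Run it with two saved logs in place of the constructed strings and the output is the short list a helper actually reads: on the samples, three added entries (the new `O2` BHO, the `SunJavaUpdateSched` autostart and the `O9` button at the 6u6 path), two removed (the placeholder Temp autostart and the `O9` button at the old 6u5 path) and one new process. Matching on exact text is deliberate: a path that silently changes is exactly the kind of thing worth noticing.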

#9 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 24 June 2008 - 12:16 PM

Hello

Did you install firewall?

#10 kgrind11
  • Topic Starter
  • Members
  • 15 posts

Posted 24 June 2008 - 12:27 PM

I haven't added an additional firewall. Windows tells me that its firewall is enabled. Should I install an additional one?

#11 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 24 June 2008 - 01:11 PM

Oh, no. I saw that I asked you to download a firewall. I'm sorry :thumbsup: Your Windows Vista firewall is enough.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if it does not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
  • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    or

    Windows Vista System Restore Guide
Re-enable System Restore using the instructions from the tutorial above.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here:

    Instructions for Spybot S & D

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place

Happy surfing and stay clean!

Edited by Baabiouz, 24 June 2008 - 01:13 PM.
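The MVPS HOSTS file recommended in the post above works by pointing ad and tracking hostnames at 127.0.0.1 so the machine never reaches them. The same file is also worth checking in the other direction, since a HOSTS entry can just as easily send a legitimate name to some other address. The following Python script is an added example, not code from this thread or from the MVPS project: it parses HOSTS-file text, lists the names it sinks locally, and separately reports any name mapped to a non-local address. The sample HOSTS text in it is constructed, and all hostnames and addresses in it are placeholders.

```python
"""Audit a Windows HOSTS file: names sunk on the local machine versus names
sent elsewhere.  Added example, not from this thread or the MVPS project;
the sample text is constructed with placeholder names and addresses."""
from __future__ import annotations

# Addresses a blocking HOSTS file (such as MVPS') uses to sink a name locally.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs. Comments ('#' to end of line) and blank
    lines are skipped; one line may list several names for one address."""
    pairs: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no name, ignore it
        addr, names = fields[0], fields[1:]
        pairs.extend((addr, name.lower()) for name in names)
    return pairs


def audit_hosts(text: str) -> dict[str, list]:
    """Split the entries into names blocked by pointing them at the local
    machine and names redirected to some other address (worth a second look)."""
    blocked: list[str] = []
    redirected: list[tuple[str, str]] = []
    for addr, name in parse_hosts(text):
        if addr in LOCAL_SINKS:
            if name != "localhost":  # the one local mapping every file has
                blocked.append(name)
        else:
            redirected.append((name, addr))
    return {"blocked": blocked, "redirected_elsewhere": redirected}


# Constructed sample in the style of a blocking HOSTS file (placeholder names).
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS file
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org banner.example.org   # two names on one line
0.0.0.0 counter.example.com
203.0.113.7 www.example.com   # sent to a remote address, not blocked
"""

if __name__ == "__main__":
    # Standard location on Windows is C:\Windows\System32\drivers\etc\hosts;
    # read that file here instead of SAMPLE_HOSTS to audit a real machine.
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked locally:", ", ".join(report["blocked"]))
    for name, addr in report["redirected_elsewhere"]:
        print(f"redirected elsewhere: {name} -> {addr}")
```

On the constructed sample the four placeholder ad and tracker names come out as blocked and `www.example.com` is reported as redirected to 203.0.113.7. To audit a real system, read the file at `C:\Windows\System32\drivers\etc\hosts` (the standard Windows location) and pass its text to `audit_hosts`; anything in the `redirected_elsewhere` list that you did not put there yourself deserves a look.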
