
Combofix Log - Virtumonde Infection? Help!


This topic is locked
6 replies to this topic

#1 mad2smile

Posted 20 July 2008 - 02:08 PM

Let me start this by saying that I learned my lesson well. I will NEVER use Internet Explorer ever again. Not secure enough for my needs. Anyway, the problems I've had are .dll errors, slow computer, connectivity issues, fake security alerts, pop-ups while browsing, and an "anti-spyware program" that installed itself and started doing who knows what while it was "scanning" in the background.

Steps I've taken to remedy these issues are:
Complete system scans with AVG Anti-Virus, AVG Anti-Spyware, AVG Anti-Rootkit, Ad-Aware, Spybot S&D, and Trend Micro HouseCall. After all that, I'm still having most of the problems.

Here's my ComboFix log:

ComboFix 08-07-09.5 - Scholl 2008-07-20 14:24:40.4 - NTFSx86
Running from: C:\Documents and Settings\Scholl\desktop\combo-fix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM83d9682d.txt
C:\WINDOWS\system32\asmilxrk.ini
C:\WINDOWS\system32\cdfvie.dll
C:\WINDOWS\system32\ejavhcyh.ini
C:\WINDOWS\system32\ghhkTvut.ini
C:\WINDOWS\system32\ghhkTvut.ini2
C:\WINDOWS\system32\mkggrycq.ini
C:\WINDOWS\system32\VxxHNqss.ini
C:\WINDOWS\system32\VxxHNqss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-20 12:37 . 2008-07-20 12:37 81,216 --a------ C:\WINDOWS\system32\krxlimsa.dll
2008-07-20 12:34 . 2008-07-20 12:34 105,248 --a------ C:\WINDOWS\system32\sbgkxl.dll
2008-07-20 12:34 . 2008-07-20 12:34 105,248 --a------ C:\WINDOWS\system32\cutuqgdu.dll
2008-07-12 18:36 . 2008-07-12 18:36 81,152 --a------ C:\WINDOWS\system32\qcyrggkm.dll
2008-07-12 18:33 . 2008-07-12 18:32 105,248 --a------ C:\WINDOWS\system32\lqjhft.dll
2008-07-12 18:32 . 2008-07-12 18:32 105,248 --a------ C:\WINDOWS\system32\qxrieqry.dll
2008-07-12 18:31 . 2008-07-12 18:31 90,992 --a------ C:\WINDOWS\system32\yktvcnwj.dll
2008-07-12 18:29 . 2008-07-12 18:29 314,688 --a------ C:\WINDOWS\system32\ssqNHxxV.dll
2008-07-12 14:52 . 2008-07-12 14:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 14:51 . 2008-07-12 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 14:48 . 2008-07-12 14:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 12:14 . 2008-07-12 12:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-11 20:15 . 2008-07-11 20:15 81,168 --a------ C:\WINDOWS\system32\hychvaje.dll
2008-07-11 20:14 . 2008-07-11 20:14 105,248 --a------ C:\WINDOWS\system32\rjhfsniy.dll
2008-07-11 20:14 . 2008-07-11 20:14 105,248 --a------ C:\WINDOWS\system32\hdnpek.dll
2008-07-11 20:14 . 2008-07-11 20:14 90,928 --a------ C:\WINDOWS\system32\pnlfbrfj.dll
2008-07-11 11:24 . 2008-07-11 11:30 354 --ahs---- C:\WINDOWS\system32\rthpqlkh.ini
2008-07-11 10:57 . 2008-07-11 10:57 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-07-11 10:54 . 2008-07-11 10:54 105,248 --a------ C:\WINDOWS\system32\wxrqko.dll
2008-07-11 10:54 . 2008-07-11 10:54 105,248 --a------ C:\WINDOWS\system32\rgsemhbe.dll
2008-07-11 10:53 . 2008-07-11 10:53 90,928 --a------ C:\WINDOWS\system32\jbevsnpq.dll
2008-07-11 10:49 . 2008-07-11 10:49 90,928 --a------ C:\WINDOWS\system32\hycsvpbl.dll
2008-07-11 10:48 . 2008-07-11 10:48 90,928 --a------ C:\WINDOWS\system32\niadremj.dll
2008-07-11 03:26 . 2008-07-11 10:45 354 --ahs---- C:\WINDOWS\system32\lottjkyh.ini
2008-07-10 23:35 . 2008-07-10 23:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 23:35 . 2008-07-11 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 20:22 . 2008-07-11 11:40 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-10 13:41 . 2008-07-11 10:57 64,332 --a------ C:\WINDOWS\system32\xpujzrsmbytxysk.exe
2008-07-10 13:34 . 2008-07-10 13:34 90,912 --a------ C:\WINDOWS\system32\xdfqgsqj.dll
2008-07-10 12:37 . 2008-07-10 12:37 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-10 12:20 . 2008-07-10 12:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-10 12:05 . 2008-07-10 12:05 81,120 --a------ C:\WINDOWS\system32\cjluwatf.dll
2008-07-10 11:08 . 2008-07-20 12:56 110,419 --a------ C:\WINDOWS\BM83d9682d.xml
2008-07-10 11:08 . 2008-07-10 11:08 90,912 --a------ C:\WINDOWS\system32\qaxyiwug.dll
2008-07-10 11:02 . 2008-07-10 11:02 49,160 --a------ C:\WINDOWS\system32\rrwnw64p.exe
2008-07-10 01:27 . 2008-07-10 01:27 152,148 --a------ C:\WINDOWS\system32\g40.exe
2008-07-10 01:26 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-10 01:25 . 2008-07-10 10:02 <DIR> d-------- C:\WINDOWS\system32\tfig
2008-07-10 01:25 . 2008-07-20 13:43 <DIR> d-------- C:\WINDOWS\system32\cREG
2008-07-10 01:25 . 2008-07-12 14:19 <DIR> d-------- C:\WINDOWS\system32\1030
2008-07-10 01:24 . 2008-07-10 10:02 <DIR> d-------- C:\WINDOWS\system32\wNT
2008-07-10 01:24 . 2008-07-12 14:19 <DIR> d-------- C:\WINDOWS\system32\olixds01
2008-07-10 01:24 . 2008-07-10 01:34 <DIR> d-------- C:\WINDOWS\system32\net
2008-07-10 01:24 . 2008-07-10 01:25 <DIR> d-------- C:\Temp\stmpv4
2008-07-10 01:24 . 2008-07-10 01:24 26,016 --------- C:\WINDOWS\system32\wvUoNGYR.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 19:18 --------- d-----w C:\Program Files\PeerGuardian2
2008-07-12 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-10_13.13.30.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-10 18:05:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-20 19:36:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-10-28 01:14:18 448,128 ------w C:\WINDOWS\Driver Cache\i386\mrxsmb.sys
- 2007-02-16 02:10:34 8,738 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
+ 2008-07-11 03:19:52 8,972 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
- 2007-02-16 02:10:27 86,327 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
+ 2008-07-11 03:22:08 86,327 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
- 2007-02-16 02:10:34 2,112 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-07-11 03:22:08 2,722 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
- 2004-08-04 12:00:00 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2004-10-28 01:21:01 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2004-08-04 12:00:00 176,512 -c--a-w C:\WINDOWS\system32\dllcache\rdbss.sys
+ 2004-10-28 01:13:58 174,592 -c--a-w C:\WINDOWS\system32\dllcache\rdbss.sys
+ 2008-04-29 16:19:50 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
+ 2008-04-29 16:19:54 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
- 2004-08-04 12:00:00 451,456 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
+ 2004-10-28 01:14:18 448,128 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
+ 2008-04-29 16:20:00 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2004-08-04 12:00:00 176,512 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
+ 2004-10-28 01:13:58 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
- 2004-08-04 12:00:00 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2004-10-28 01:21:01 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb5bc78b-bf6a-4e5e-bcd2-ccdbbbd38e0e}]
2008-07-20 12:34 105248 --a------ C:\WINDOWS\system32\sbgkxl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C738F3D2-1891-449D-AE67-D1969094F1DF}]
2008-07-10 01:24 26016 --------- C:\WINDOWS\system32\wvUoNGYR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF9255C3-EF0D-41FE-BE4A-3738931E382C}]
2008-07-12 18:29 314688 --a------ C:\WINDOWS\system32\ssqNHxxV.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"80ea5bb1"="C:\WINDOWS\system32\krxlimsa.dll" [2008-07-20 12:37 81216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 19:25 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C738F3D2-1891-449D-AE67-D1969094F1DF}"= "C:\WINDOWS\system32\wvUoNGYR.dll" [2008-07-10 01:24 26016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoNGYR]
2008-07-10 01:24 26016 C:\WINDOWS\system32\wvUoNGYR.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Scholl^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Documents and Settings\Scholl\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"RasMan"=2 (0x2)
"Irmon"=2 (0x2)
"FastUserSwitchingCompatibility"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=C:\Program Files\Valve\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
"PRONoMgrWired"=C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cf3306b-45da-11dc-8e91-00061bdc75a0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 01:04:05 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-05 13:38:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{673D964E-2B5E-4BD6-942E-2F17861B6786} - C:\WINDOWS\system32\tuvTkhhg.dll
HKLM-Run-BM83d9682d - C:\WINDOWS\system32\ovojutxg.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 14:41:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\wvUoNGYR.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-20 14:48:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-20 19:48:23
ComboFix2.txt 2008-07-11 16:30:18
ComboFix3.txt 2008-07-10 18:14:34

Pre-Run: 3,460,431,872 bytes free
Post-Run: 3,439,468,544 bytes free

193 --- E O F --- 2008-07-11 16:41:14

#2 mad2smile (Topic Starter)

Posted 20 July 2008 - 07:35 PM

Bump.

Sorry for the duplicate posts. I had a weird connection issue and kept hitting post without seeing any result. Anyway, please help me out here.

#3 mad2smile (Topic Starter)

Posted 21 July 2008 - 10:26 AM

Hey, still haven't gotten a reply. If someone could help me out here, I would REALLY appreciate it.

#4 fenzodahl512

Posted 21 July 2008 - 05:14 PM

Hello. My name is fenzodahl512, and welcome to BC.

Quote (mad2smile):
Hey, still haven't gotten a reply. If someone could help me out here, I would REALLY appreciate it.

Please be patient, as we are all volunteers and we have our own real lives.

Please do the following.


**Note: In the event you already have ComboFix, please delete your version of ComboFix. This is a new version that I need you to download. It is important that it is saved directly to your Desktop.**


Installing the Recovery Console:

It appears your computer has no Recovery Console installed. We need to install the Recovery Console before proceeding to our next fix. Please do the following.

Please go to Microsoft's website => HERE
Select the download that's appropriate for your Operating System.




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After the Recovery Console has been installed successfully, a pop-up will appear asking to run ComboFix; please select NO.

NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the code box below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\krxlimsa.dll
C:\WINDOWS\system32\sbgkxl.dll
C:\WINDOWS\system32\cutuqgdu.dll
C:\WINDOWS\system32\qcyrggkm.dll
C:\WINDOWS\system32\lqjhft.dll
C:\WINDOWS\system32\qxrieqry.dll
C:\WINDOWS\system32\yktvcnwj.dll
C:\WINDOWS\system32\ssqNHxxV.dll
C:\WINDOWS\system32\hychvaje.dll
C:\WINDOWS\system32\rjhfsniy.dll
C:\WINDOWS\system32\hdnpek.dll
C:\WINDOWS\system32\pnlfbrfj.dll
C:\WINDOWS\system32\rthpqlkh.ini
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\wxrqko.dll
C:\WINDOWS\system32\rgsemhbe.dll
C:\WINDOWS\system32\jbevsnpq.dll
C:\WINDOWS\system32\hycsvpbl.dll
C:\WINDOWS\system32\niadremj.dll
C:\WINDOWS\system32\lottjkyh.ini
C:\WINDOWS\system32\xpujzrsmbytxysk.exe
C:\WINDOWS\system32\xdfqgsqj.dll
C:\WINDOWS\system32\cjluwatf.dll
C:\WINDOWS\BM83d9682d.xml
C:\WINDOWS\system32\qaxyiwug.dll
C:\WINDOWS\system32\rrwnw64p.exe
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\wvUoNGYR.dll

Folder::
C:\WINDOWS\system32\tfig
C:\WINDOWS\system32\cREG
C:\WINDOWS\system32\1030
C:\WINDOWS\system32\wNT
C:\WINDOWS\system32\olixds01
C:\WINDOWS\system32\net
C:\Temp\stmpv4

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb5bc78b-bf6a-4e5e-bcd2-ccdbbbd38e0e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C738F3D2-1891-449D-AE67-D1969094F1DF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF9255C3-EF0D-41FE-BE4A-3738931E382C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"80ea5bb1"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C738F3D2-1891-449D-AE67-D1969094F1DF}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoNGYR]

3. Save the above as CFScript.txt on your Desktop.

4. Then drag CFScript.txt onto ComboFix.exe, as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Regards
fenzodahl512

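The CFScript in the post above was written by hand from the loading points in the first ComboFix log. As an added example (not code from the original post, from ComboFix or from its author), the Python script below derives the same kind of script from a ComboFix log: it parses the "Files Created" and "Reg Loading Points" sections, treats a digit-free 6-8 letter DLL name directly under system32 as a Vundo-style drop (an assumed heuristic of this example, not a ComboFix rule), and emits File:: and Registry:: entries in the same [-key] and "value"=- syntax the post uses. SAMPLE_LOG is a constructed excerpt of the first log in this thread. Review the output by hand before feeding it to ComboFix, because the name test will also catch any legitimate DLL that happens to fit the pattern.

```python
"""Generate a ComboFix CFScript from the persistence entries in a ComboFix log.

Added example for this thread, not code from ComboFix or from the poster. It reads
the "Files Created" and "Reg Loading Points" sections, treats a digit-free 6-8
letter DLL name directly under system32 as a Vundo-style drop (an assumed
heuristic, not a ComboFix rule) and prints a script in the KillAll:: / File:: /
Registry:: layout used in the post above. Review the output before using it.
"""
import re
from collections import OrderedDict

# Constructed sample: an excerpt of the first ComboFix log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
2008-07-20 12:37 . 2008-07-20 12:37 81,216 --a------ C:\WINDOWS\system32\krxlimsa.dll
2008-07-20 12:34 . 2008-07-20 12:34 105,248 --a------ C:\WINDOWS\system32\sbgkxl.dll
2008-07-12 18:29 . 2008-07-12 18:29 314,688 --a------ C:\WINDOWS\system32\ssqNHxxV.dll
2008-07-12 14:52 . 2008-07-12 14:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-10 01:24 . 2008-07-10 01:24 26,016 --------- C:\WINDOWS\system32\wvUoNGYR.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb5bc78b-bf6a-4e5e-bcd2-ccdbbbd38e0e}]
2008-07-20 12:34 105248 --a------ C:\WINDOWS\system32\sbgkxl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"80ea5bb1"="C:\WINDOWS\system32\krxlimsa.dll" [2008-07-20 12:37 81216]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C738F3D2-1891-449D-AE67-D1969094F1DF}"= "C:\WINDOWS\system32\wvUoNGYR.dll" [2008-07-10 01:24 26016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoNGYR]
2008-07-10 01:24 26016 C:\WINDOWS\system32\wvUoNGYR.dll
"""

SECTION_HEADER = re.compile(r'^\({10,}\s*(?P<title>.+?)\s*\){10,}$')
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_NAME = re.compile(r'^"(?P<name>[^"]+)"\s*=')
# Assumed heuristic: a digit-free 6-8 letter DLL name straight under system32.
RANDOM_SYS32_DLL = re.compile(r'C:\\WINDOWS\\system32\\[A-Za-z]{6,8}\.dll', re.IGNORECASE)
# Subkeys the malware owns outright are removed whole with [-key]; keys shared
# with legitimate software lose only the offending value with "name"=-.
KEY_OWNED = ('browser helper objects', r'winlogon\notify')
VALUE_OWNED = (r'\run', 'shellexecutehooks')


def parse_sections(log_text):
    """Split a ComboFix log into an ordered {section title: [stripped lines]} map."""
    sections = OrderedDict(preamble=[])
    current = 'preamble'
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group('title')
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def find_section(sections, prefix):
    """Lines of the first section whose title starts with prefix, or [] if absent."""
    return next((v for k, v in sections.items() if k.lower().startswith(prefix.lower())), [])


def loading_points(lines):
    """(key, value name or None, dll) for every loading point naming a suspicious DLL."""
    key, hits = None, []
    for line in lines:
        m = KEY_LINE.match(line)
        if m:
            key = m.group('key')
        elif key is not None:
            for dll in RANDOM_SYS32_DLL.findall(line):
                name = VALUE_NAME.match(line)
                hits.append((key, name.group('name') if name else None, dll))
    return hits


def build_cfscript(log_text):
    """Return CFScript text: newly created suspicious DLLs plus their loading points."""
    sections = parse_sections(log_text)
    files = OrderedDict()
    for line in find_section(sections, 'Files Created'):
        for dll in RANDOM_SYS32_DLL.findall(line):
            files[dll] = True
    registry = []
    for key, value, dll in loading_points(find_section(sections, 'Reg Loading Points')):
        files[dll] = True  # the loaded DLL goes too, even if it predates the window
        low = key.lower()
        if any(tag in low for tag in KEY_OWNED):
            entry = '[-%s]' % key
        elif value and any(low.endswith(tag) for tag in VALUE_OWNED):
            entry = '[%s]\n"%s"=-' % (key, value)
        else:
            continue  # unfamiliar loading point: leave it for a human to judge
        if entry not in registry:
            registry.append(entry)
    return '\n'.join(['KillAll::', '', 'File::'] + list(files) + ['', 'Registry::'] + registry) + '\n'
```

Calling build_cfscript(SAMPLE_LOG) yields a File:: section with the four system32 DLLs from the excerpt (ssqNHxxV.dll is picked up from "Files Created" alone, the others from both signals) and a Registry:: section that drops the BHO and Winlogon Notify keys whole and only the 80ea5bb1 and ShellExecuteHooks values from their shared keys. Loading points the rules do not recognise as malware-owned are skipped rather than guessed at, so the PeerGuardian Run value never reaches the script.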


#5 mad2smile (Topic Starter)

Posted 22 July 2008 - 11:02 PM

Quote (mad2smile):
Hey, still haven't gotten a reply. If someone could help me out here, I would REALLY appreciate it.

Quote (fenzodahl512):
Please be patient, as we are all volunteers and we have our own real lives.

I totally get it. I wasn't trying to be demanding or anything. I guess I'm just eager to get my laptop back up to 100% again.

I would've posted all this last night, but I had connection issues again and couldn't reach this site. Anyway, below are the requested revised logs. Thanks a lot for the help.


----------------------------------------------------------------------------------------------------

ComboFix log:

ComboFix 08-07-21.2 - Scholl 2008-07-22 23:03:23.5 - NTFSx86
Running from: C:\Documents and Settings\Scholl\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scholl\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM83d9682d.xml
C:\WINDOWS\system32\cjluwatf.dll
C:\WINDOWS\system32\cutuqgdu.dll
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\hdnpek.dll
C:\WINDOWS\system32\hychvaje.dll
C:\WINDOWS\system32\hycsvpbl.dll
C:\WINDOWS\system32\jbevsnpq.dll
C:\WINDOWS\system32\krxlimsa.dll
C:\WINDOWS\system32\lottjkyh.ini
C:\WINDOWS\system32\lqjhft.dll
C:\WINDOWS\system32\niadremj.dll
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\pnlfbrfj.dll'
C:\WINDOWS\system32\qaxyiwug.dll
C:\WINDOWS\system32\qcyrggkm.dll
C:\WINDOWS\system32\qxrieqry.dll
C:\WINDOWS\system32\rgsemhbe.dll
C:\WINDOWS\system32\rjhfsniy.dll
C:\WINDOWS\system32\rrwnw64p.exe
C:\WINDOWS\system32\rthpqlkh.ini
C:\WINDOWS\system32\sbgkxl.dll
C:\WINDOWS\system32\ssqNHxxV.dll
C:\WINDOWS\system32\wvUoNGYR.dll
C:\WINDOWS\system32\wxrqko.dll
C:\WINDOWS\system32\xdfqgsqj.dll
C:\WINDOWS\system32\xpujzrsmbytxysk.exe
C:\WINDOWS\system32\yktvcnwj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Scholl\Application Data\macromedia\Flash Player\#SharedObjects\R7ZZXCLJ\www.broadcaster.com
C:\Documents and Settings\Scholl\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Scholl\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Temp\stmpv4
C:\Temp\stmpv4\bnwe7.log
C:\WINDOWS\BM83d9682d.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\1030
C:\WINDOWS\system32\cjluwatf.dll
C:\WINDOWS\system32\cREG
C:\WINDOWS\system32\csxldfvx.dll
C:\WINDOWS\system32\cutuqgdu.dll
C:\WINDOWS\system32\dvnxpyht.dll
C:\WINDOWS\system32\fmimvq.dll
C:\WINDOWS\system32\fwtywbpk.ini
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\gonndz.dll
C:\WINDOWS\system32\guefqmvo.dll
C:\WINDOWS\system32\hdnpek.dll
C:\WINDOWS\system32\hgGaaASk.dll
C:\WINDOWS\system32\hychvaje.dll
C:\WINDOWS\system32\hycsvpbl.dll
C:\WINDOWS\system32\jbevsnpq.dll
C:\WINDOWS\system32\kpbwytwf.dll
C:\WINDOWS\system32\krxlimsa.dll
C:\WINDOWS\system32\lexqxlld.dll
C:\WINDOWS\system32\lottjkyh.ini
C:\WINDOWS\system32\lqjhft.dll
C:\WINDOWS\system32\net
C:\WINDOWS\system32\niadremj.dll
C:\WINDOWS\system32\olixds01
C:\WINDOWS\system32\ovmqfeug.ini
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\pnlfbrfj.dll
C:\WINDOWS\system32\qaxyiwug.dll
C:\WINDOWS\system32\qcyrggkm.dll
C:\WINDOWS\system32\qxrieqry.dll
C:\WINDOWS\system32\rgsemhbe.dll
C:\WINDOWS\system32\rjhfsniy.dll
C:\WINDOWS\system32\rktbpgyp.dll
C:\WINDOWS\system32\rrwnw64p.exe
C:\WINDOWS\system32\rthpqlkh.ini
C:\WINDOWS\system32\sbgkxl.dll
C:\WINDOWS\system32\ssqNHxxV.dll
C:\WINDOWS\system32\tfig
C:\WINDOWS\system32\vilkso.dll
C:\WINDOWS\system32\VxxHNqss.ini
C:\WINDOWS\system32\VxxHNqss.ini2
C:\WINDOWS\system32\wNT
C:\WINDOWS\system32\wvUoNGYR.dll
C:\WINDOWS\system32\wxrqko.dll
C:\WINDOWS\system32\xdfqgsqj.dll
C:\WINDOWS\system32\xpkoydts.dll
C:\WINDOWS\system32\xpujzrsmbytxysk.exe
C:\WINDOWS\system32\xvfdlxsc.ini
C:\WINDOWS\system32\yefldova.dll
C:\WINDOWS\system32\yktvcnwj.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-22 22:51 . 2008-07-22 22:51 <DIR> d-------- C:\Combo-Fix
2008-07-22 22:25 . 2008-07-22 22:25 2,656,034 --a------ C:\ComboFix.exe
2008-07-12 14:52 . 2008-07-12 14:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 14:51 . 2008-07-12 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 14:48 . 2008-07-12 14:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 12:14 . 2008-07-12 12:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-10 23:35 . 2008-07-10 23:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 23:35 . 2008-07-11 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 20:22 . 2008-07-11 11:40 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-10 12:37 . 2008-07-10 12:37 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-10 12:20 . 2008-07-10 12:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-10 01:26 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 03:46 --------- d-----w C:\Program Files\PeerGuardian2
2008-07-12 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-10 06:25 --------- d-----w C:\Documents and Settings\Scholl\Application Data\Move Networks
2008-07-09 03:46 --------- d-----w C:\Documents and Settings\Scholl\Application Data\dvdcss
2008-06-17 20:20 --------- d-----w C:\Documents and Settings\Scholl\Application Data\OpenOffice.org2
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2003-11-12 02:51 87,608 ----a-w C:\Documents and Settings\Scholl\Application Data\inst.exe
2003-11-12 02:51 47,360 ----a-w C:\Documents and Settings\Scholl\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-10_13.13.30.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-10-28 01:14:18 448,128 ------w C:\WINDOWS\Driver Cache\i386\mrxsmb.sys
- 2007-02-16 02:10:34 8,738 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
+ 2008-07-11 03:19:52 8,972 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
- 2007-02-16 02:10:27 86,327 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
+ 2008-07-11 03:22:08 86,327 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
- 2007-02-16 02:10:34 2,112 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-07-11 03:22:08 2,722 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
- 2004-08-04 12:00:00 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2004-10-28 01:21:01 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2004-08-04 12:00:00 176,512 -c--a-w C:\WINDOWS\system32\dllcache\rdbss.sys
+ 2004-10-28 01:13:58 174,592 -c--a-w C:\WINDOWS\system32\dllcache\rdbss.sys
+ 2008-04-29 16:19:50 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
+ 2008-04-29 16:19:54 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
- 2004-08-04 12:00:00 451,456 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
+ 2004-10-28 01:14:18 448,128 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
+ 2008-04-29 16:20:00 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2004-08-04 12:00:00 176,512 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
+ 2004-10-28 01:13:58 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
- 2004-08-04 12:00:00 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2004-10-28 01:21:01 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM83d9682d"="C:\WINDOWS\system32\yefldova.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 19:25 219136]

C:\Documents and Settings\Scholl\Start Menu\Programs\Startup\
Deewoo.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\pcntstdm.exe.vir [2008-07-11 10:57:16 192586]
DW_Start.lnk - C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir [2008-07-11 10:45:52 49171]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^Scholl^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Documents and Settings\Scholl\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"RasMan"=2 (0x2)
"Irmon"=2 (0x2)
"FastUserSwitchingCompatibility"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=C:\Program Files\Valve\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
"PRONoMgrWired"=C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=

S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 21:12]
S3 SUSCOM;Susteen Serial port driver;C:\WINDOWS\system32\DRIVERS\SUSCOM.SYS [2005-07-04 12:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cf3306b-45da-11dc-8e91-00061bdc75a0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 01:04:05 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-05 13:38:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 23:17:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-22 23:26:29 - machine was rebooted [Scholl]
ComboFix-quarantined-files.txt 2008-07-23 04:26:22
ComboFix2.txt 2008-07-20 19:48:34
ComboFix3.txt 2008-07-11 16:30:18
ComboFix4.txt 2008-07-10 18:14:34

Pre-Run: 3,440,377,856 bytes free
Post-Run: 3,436,236,800 bytes free

230 --- E O F --- 2008-07-11 16:41:14

----------------------------------------------------------------------------------------------------

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47, on 2008-07-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BM83d9682d] Rundll32.exe "C:\WINDOWS\system32\yefldova.dll",s
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\pcntstdm.exe.vir
O4 - Startup: DW_Start.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O8 - Extra context menu item: &Search - ?p=ZJfox000(2)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O24 - Desktop Component 0: (no name) - http://a401.ac-images.myspacecdn.com/image...822ffdaef80.jpg

--
End of file - 3838 bytes

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 23 July 2008 - 08:32 AM

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [BM83d9682d] Rundll32.exe "C:\WINDOWS\system32\yefldova.dll",s
O8 - Extra context menu item: &Search - ?p=ZJfox000(2)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\yefldova.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM83d9682d
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click the dss.exe icon and choose Run as Administrator.



Please post the following logs in your next reply.

1. OTMoveIt2
2. Malwarebytes'
3. Deckard System Scanner (both main.txt and extra.txt)
4. Tell me about your computer behaviour...



Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
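The entries the helper singled out above follow recognisable shapes in a HijackThis log: a Run key that starts Rundll32 against a DLL in system32, and a context-menu item whose target is neither a URL nor a file. As an added example (not code from this thread, from HijackThis or from OTMoveIt2), the Python below parses the O4, O8 and O23 line formats and applies those heuristics to the lines quoted in the log; the sample log, the severity labels and the O23 "Unknown owner" check are constructed here for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample: three HijackThis lines quoted in this thread plus one
# benign O4 entry and one O23 service from the same log, for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [BM83d9682d] Rundll32.exe "C:\WINDOWS\system32\yefldova.dll",s
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000(2)
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<label>.+?) - (?P<target>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Rundll32 pointed at a DLL inside system32: the shape of the Run entry the
# helper told the poster to fix (legitimate vendors rarely autostart this way).
RUNDLL_SYS32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[^"\\]+\.dll', re.I)
URL_OR_PATH_RE = re.compile(r"^(?:https?://|[a-z]:\\)", re.I)

Finding = Tuple[str, str, str]  # (severity, entry name, reason)


def triage(log_text: str) -> List[Finding]:
    """Return suspicious HijackThis entries, most urgent first.
    'fix'    -> matches a pattern the helper had the poster remove
    'verify' -> not necessarily bad, but the log records no vendor to trust
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)) and RUNDLL_SYS32_RE.search(m["cmd"]):
            findings.append(("fix", m["name"],
                             f"{m['hive']} Run key loads a system32 DLL via Rundll32"))
        elif (m := O8_RE.match(line)) and not URL_OR_PATH_RE.match(m["target"]):
            findings.append(("fix", m["label"],
                             f"context menu target is neither a URL nor a file: {m['target']}"))
        elif (m := O23_RE.match(line)) and m["owner"].lower() == "unknown owner":
            findings.append(("verify", m["name"],
                             f"service binary {m['path']} has no recorded vendor"))
    order = {"fix": 0, "verify": 1}
    findings.sort(key=lambda f: order[f[0]])  # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    for severity, name, reason in triage(SAMPLE_HJT_LOG):
        print(f"[{severity}] {name}: {reason}")
```

A 'verify' hit is a prompt to check the binary's signature and vendor by hand, not a removal instruction; the ACS service here is flagged only because the log shows no owner.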


#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 06 August 2008 - 08:29 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
