
Antivirus Xp 2008 And More


8 replies to this topic

#1 peteyg67

  • Members
  • 130 posts
  • Location: Ireland

Posted 02 October 2008 - 07:29 AM

Please help.. I have a recurring BSOD as a result of this virus.

Please help, as I need this laptop for college.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:11, on 02/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Marie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/shockwave/download/tr...om/default.html
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\kyjdowtf.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\lkcmeqqx.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://213.70.229.154/tsweb/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49FA5074-962D-4D17-8601-08034A7488D3}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: apesfr.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

Thanks guys
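The HijackThis log above already shows the persistence that a helper scans for by eye: two HKLM Run values with hex-looking names ([320d18a1] and [BM313e2b3d]) that load random-named DLLs from system32 through rundll32 with a one-letter entry point, and an O20 AppInit_DLLs entry (apesfr.dll) that gets loaded into every process that links user32.dll. The script below, an added example that is not part of the original post and not a feature of HijackThis, runs those three heuristics over a constructed subset of the log lines. The regular expressions and the "8 hex digits, optionally prefixed BM" value-name pattern are assumptions read off this one log, not a general signature.

```python
import re

# Constructed sample: a subset of the O4 and O20 lines from the HijackThis log
# in the first post above. The flagged entries are the ones ComboFix later removed.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\kyjdowtf.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\lkcmeqqx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: apesfr.dll
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
# rundll32[.exe] ["]<dll>["],<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
# Value names seen on this machine: 8 hex digits, optionally prefixed "BM" (assumed pattern).
HEXNAME_RE = re.compile(r'(?:BM)?[0-9a-f]{8}')
# 6-8 lowercase letters, no digits or mixed case: a weak signal, reported only next to a strong one.
RANDOM_STEM_RE = re.compile(r'[a-z]{6,8}')


def _stem(path):
    """Basename without extension: 'C:\\x\\kyjdowtf.dll' -> 'kyjdowtf'."""
    base = path.replace('/', '\\').rsplit('\\', 1)[-1]
    return base.rsplit('.', 1)[0]


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for autostart entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        strong, weak = [], []
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group('name'), m.group('cmd')
            if HEXNAME_RE.fullmatch(name):
                strong.append('hex-looking Run value name %r' % name)
            r = RUNDLL_RE.match(cmd)
            if r:
                dll, export = r.group('dll'), r.group('export')
                if len(export) == 1:
                    strong.append('rundll32 entry point is a single character %r' % export)
                if RANDOM_STEM_RE.fullmatch(_stem(dll)):
                    weak.append('random-looking DLL name %r' % _stem(dll))
        m20 = O20_RE.match(line)
        if m20 and m20.group('dlls').strip():
            strong.append('AppInit_DLLs is set to %r; it is loaded into every process that links user32.dll'
                          % m20.group('dlls').strip())
        if strong:
            findings.append({'line': line, 'reasons': strong + weak})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_HJT):
        print(finding['line'])
        for reason in finding['reasons']:
            print('    -', reason)
```

The legitimate SiSPower entry also goes through rundll32, but its export name is a word and the DLL name is mixed case, so it is not reported; that is the distinction a reviewer makes by hand when reading an O4 section.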


#2 steamwiz

  • Members
  • 1,039 posts

Posted 02 October 2008 - 04:03 PM

Hi

What is the EXACT wording on the blue screen?

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 peteyg67

  • Topic Starter
  • Members
  • 130 posts
  • Location: Ireland

Posted 02 October 2008 - 05:53 PM

I will post the combo log

But I cannot run Malwarebytes, as halfway through the scan it enters the fake BSOD and the computer just keeps restarting itself. Yet when I hit the power button it reverts to the desktop screen and then turns off.

Quite strange. Going to run ComboFix now.

#4 peteyg67

  • Topic Starter
  • Members
  • 130 posts
  • Location: Ireland

Posted 02 October 2008 - 06:06 PM

Update: ComboFix seems to have helped a lot. The computer's desktop is back to normal, but some applications are still being blocked; my antivirus won't load at all.

ComboFix 08-10-02.04 - Marie 2008-10-02 23:57:08.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT 1:00]
Running from: C:\Documents and Settings\Marie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Frank\Cookies\frank@peach.bskyb[1].txt
C:\Documents and Settings\Marie\Application Data\rhcr1cj0er1q
C:\WINDOWS\BM313e2b3d.txt
C:\WINDOWS\BM313e2b3d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apesfr.dll
C:\WINDOWS\system32\aqfxdb.dll
C:\WINDOWS\system32\blphcv1cj0er1q.scr
C:\WINDOWS\system32\ckafmv.dll
C:\WINDOWS\system32\coqttw.dll
C:\WINDOWS\system32\crhpelbm.dll
C:\WINDOWS\system32\djpbofhr.dll
C:\WINDOWS\system32\doacyhra.dll
C:\WINDOWS\system32\dtwzha.dll
C:\WINDOWS\system32\duvdtjmh.ini
C:\WINDOWS\system32\ebotfiaw.dll
C:\WINDOWS\system32\eroufjjt.dll
C:\WINDOWS\system32\ftwodjyk.ini
C:\WINDOWS\system32\geBrpMcY.dll
C:\WINDOWS\system32\ggrsqn.dll
C:\WINDOWS\system32\hfgtjwnh.dll
C:\WINDOWS\system32\hgGXrSmj.dll
C:\WINDOWS\system32\hgigamnl.dll
C:\WINDOWS\system32\hmjtdvud.dll
C:\WINDOWS\system32\iifghfEV.dll
C:\WINDOWS\system32\jxjcnaye.dll
C:\WINDOWS\system32\knaejbfi.dll
C:\WINDOWS\system32\kxyhgbpu.dll
C:\WINDOWS\system32\kyjdowtf.dll
C:\WINDOWS\system32\ljJcDtrs.dll
C:\WINDOWS\system32\lkcmeqqx.dll
C:\WINDOWS\system32\mcdgwo.dll
C:\WINDOWS\system32\mkonsl.dll
C:\WINDOWS\system32\nmwnlbrc.dll
C:\WINDOWS\system32\ntlxnmjx.dll
C:\WINDOWS\system32\phcv1cj0er1q.bmp
C:\WINDOWS\system32\qdxhljqr.dll
C:\WINDOWS\system32\qecqnixk.dll
C:\WINDOWS\system32\qfaopx.dll
C:\WINDOWS\system32\qxdfjipm.dll
C:\WINDOWS\system32\srtDcJjl.ini
C:\WINDOWS\system32\srtDcJjl.ini2
C:\WINDOWS\system32\ssqOgdBt.dll
C:\WINDOWS\system32\tdwptfum.dll
C:\WINDOWS\system32\tyrswsmy.dll
C:\WINDOWS\system32\wqonvtdd.dll
C:\WINDOWS\system32\yskxfkey.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.

2008-10-02 12:48 . 2008-10-02 12:48 106,496 --a------ C:\WINDOWS\system32\pphcv1cj0er1q.exe
2008-10-01 20:42 . 2008-10-01 20:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-01 20:42 . 2008-10-01 20:42 <DIR> d-------- C:\Documents and Settings\Marie\Application Data\Malwarebytes
2008-10-01 20:42 . 2008-10-01 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-01 20:42 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-01 20:42 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-01 19:33 . 2008-10-01 19:33 <DIR> d-------- C:\Documents and Settings\Frank\Application Data\AVG7
2008-10-01 19:27 . 2008-10-01 19:27 <DIR> d-------- C:\Documents and Settings\Marie\Application Data\AVG7
2008-10-01 19:27 . 2008-10-01 19:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-10-01 19:27 . 2008-10-01 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-10-01 14:43 . 2008-10-01 14:43 <DIR> d-------- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-01 13:59 . 2008-10-01 13:59 268 --ah----- C:\sqmdata05.sqm
2008-10-01 13:31 . 2008-10-01 13:31 <DIR> d--hs---- C:\FOUND.005
2008-10-01 13:22 . 2008-10-01 13:22 185,856 --a------ C:\WINDOWS\system32\lphcv1cj0er1q.exe
2008-09-26 18:55 . 2008-09-26 18:55 268 --ah----- C:\sqmdata19.sqm
2008-09-26 18:55 . 2008-09-26 18:55 244 --ah----- C:\sqmnoopt19.sqm
2008-09-25 22:27 . 2008-09-25 22:27 268 --ah----- C:\sqmdata18.sqm
2008-09-25 22:27 . 2008-09-25 22:27 244 --ah----- C:\sqmnoopt18.sqm
2008-09-25 22:18 . 2008-09-25 22:18 268 --ah----- C:\sqmdata17.sqm
2008-09-25 22:18 . 2008-09-25 22:18 244 --ah----- C:\sqmnoopt17.sqm
2008-09-25 21:41 . 2008-09-27 22:55 1,109,726 ---hs---- C:\WINDOWS\system32\awjjaxch.ini
2008-09-24 21:52 . 2008-09-24 21:52 268 --ah----- C:\sqmdata16.sqm
2008-09-24 21:52 . 2008-09-24 21:52 244 --ah----- C:\sqmnoopt16.sqm
2008-09-24 21:35 . 2008-09-25 21:36 1,109,399 ---hs---- C:\WINDOWS\system32\buhaaokd.ini
2008-09-22 20:48 . 2008-09-22 20:48 268 --ah----- C:\sqmdata15.sqm
2008-09-22 20:48 . 2008-09-22 20:48 244 --ah----- C:\sqmnoopt15.sqm
2008-09-22 20:43 . 2008-09-24 21:33 1,038,516 ---hs---- C:\WINDOWS\system32\smygdysd.ini
2008-09-21 22:13 . 2008-09-21 22:13 268 --ah----- C:\sqmdata14.sqm
2008-09-21 22:13 . 2008-09-21 22:13 244 --ah----- C:\sqmnoopt14.sqm
2008-09-21 09:57 . 2008-09-21 11:07 979,725 ---hs---- C:\WINDOWS\system32\pYHPpqss.ini
2008-09-18 11:26 . 2008-09-18 11:26 268 --ah----- C:\sqmdata13.sqm
2008-09-18 11:26 . 2008-09-18 11:26 244 --ah----- C:\sqmnoopt13.sqm
2008-09-18 11:19 . 2008-09-18 11:19 979,725 ---hs---- C:\WINDOWS\system32\ISsYaccf.ini
2008-09-18 09:24 . 2008-09-18 09:24 268 --ah----- C:\sqmdata12.sqm
2008-09-18 09:24 . 2008-09-18 09:24 244 --ah----- C:\sqmnoopt12.sqm
2008-09-18 09:19 . 2008-09-18 11:14 979,725 ---hs---- C:\WINDOWS\system32\dLRuCJjl.ini
2008-09-17 01:15 . 2008-09-17 01:16 268 --ah----- C:\sqmdata11.sqm
2008-09-17 01:15 . 2008-09-17 01:16 244 --ah----- C:\sqmnoopt11.sqm
2008-09-16 12:29 . 2008-09-18 09:15 1,036,270 ---hs---- C:\WINDOWS\system32\vfrkanji.ini
2008-09-15 22:44 . 2008-09-15 22:44 268 --ah----- C:\sqmdata10.sqm
2008-09-15 22:44 . 2008-09-15 22:44 244 --ah----- C:\sqmnoopt10.sqm
2008-09-15 21:41 . 2008-09-15 21:41 268 --ah----- C:\sqmdata09.sqm
2008-09-15 21:41 . 2008-09-15 21:41 244 --ah----- C:\sqmnoopt09.sqm
2008-09-15 21:38 . 2008-09-15 21:38 <DIR> d-------- C:\Documents and Settings\Marie\Application Data\Talkback
2008-09-15 21:37 . 2008-09-15 21:37 354 --a------ C:\33.bat
2008-09-15 21:23 . 2008-09-15 21:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-15 17:57 . 2008-09-15 17:57 268 --ah----- C:\sqmdata08.sqm
2008-09-15 17:57 . 2008-09-15 17:57 244 --ah----- C:\sqmnoopt08.sqm
2008-09-14 17:29 . 2008-09-14 17:29 268 --ah----- C:\sqmdata07.sqm
2008-09-14 17:29 . 2008-09-14 17:29 244 --ah----- C:\sqmnoopt07.sqm
2008-09-11 23:21 . 2008-09-11 23:21 268 --ah----- C:\sqmdata06.sqm
2008-09-11 23:21 . 2008-09-11 23:21 244 --ah----- C:\sqmnoopt06.sqm
2008-09-08 09:03 . 2008-10-01 13:59 244 --ah----- C:\sqmnoopt05.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 00:46 --------- d-----w C:\Documents and Settings\Marie\Application Data\CyberLink
2008-08-02 23:04 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-02 23:03 --------- d-----w C:\Program Files\Windows Live
2008-08-02 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-30 09:42 45,056 ----a-w C:\WINDOWS\NCUNINST.EXe
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"eRecoveryService"="C:\Windows\System32\Check.exe" [2005-03-23 245760]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-01 416256]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 C:\WINDOWS\AGRSMMSG.exe]
"SiSPower"="SiSPower.dll" [2005-02-25 C:\WINDOWS\system32\SiSPower.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-10-01 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-09-30 884840]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=apesfr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\System32\\SPOOLSV.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 32768]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 362944]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 17149]
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys [ ]
S3 int15.sys;int15.sys;C:\Program Files\acer\eRecovery\int15.sys [2005-01-13 69632]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe -auto
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{a6ed9568-13eb-4a3e-b5b0-5b1e6ac388d1} - C:\WINDOWS\system32\apesfr.dll
BHO-{ECFC75D2-87B5-409F-BFDF-9593110F9407} - C:\WINDOWS\system32\ljJcDtrs.dll
HKLM-Run-320d18a1 - C:\WINDOWS\system32\kyjdowtf.dll
HKLM-Run-BM313e2b3d - C:\WINDOWS\system32\lkcmeqqx.dll
Notify-awtqpOfe - awtqpOfe.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Marie\Application Data\Mozilla\Firefox\Profiles\k38y6k6b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 00:01:28
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\ACER\EMANAGER\ANBMSERV.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRAM FILES\IPOD\BIN\IPODSERVICE.EXE
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-03 0:03:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-02 23:03:02

Pre-Run: 18,181,701,632 bytes free
Post-Run: 18,091,573,248 bytes free

228 --- E O F --- 2008-09-15 02:03:24

Thanks so much.
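One thing worth pulling out of the ComboFix log above: the rogue's files are not independent random names. rhcr1cj0er1q (the Application Data folder, and the HKLM CurrentVersion value MBAM later tags as Rogue.AntivirusXP2008), blphcv1cj0er1q.scr, phcv1cj0er1q.bmp, lphcv1cj0er1q.exe and pphcv1cj0er1q.exe all end in the same 8-character token, 1cj0er1q, with a short family prefix and one varying letter in front of it. A .scr and a .bmp under system32 also fit the fake blue screen and changed desktop the poster describes. The script below, an added example that is not part of the original post or of ComboFix or MBAM, pivots on that shared token so that every component of one installation is listed together and a leftover is easy to spot after cleanup. The prefix list and the "one variable character plus an 8-character id" split are assumptions read off the names in this thread, not a published signature.

```python
import re
from collections import defaultdict

# Constructed sample: paths and registry entries copied from the ComboFix log above
# and from the MBAM log later in this thread, plus one unrelated Vundo DLL as a control.
SAMPLE_LINES = r"""
C:\Documents and Settings\Marie\Application Data\rhcr1cj0er1q
C:\WINDOWS\system32\blphcv1cj0er1q.scr
C:\WINDOWS\system32\phcv1cj0er1q.bmp
C:\WINDOWS\system32\kyjdowtf.dll
2008-10-02 12:48 . 2008-10-02 12:48 106,496 --a------ C:\WINDOWS\system32\pphcv1cj0er1q.exe
2008-10-01 13:22 . 2008-10-01 13:22 185,856 --a------ C:\WINDOWS\system32\lphcv1cj0er1q.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcr1cj0er1q (Rogue.AntivirusXP2008)
"""

# Assumed naming rule, read off the names in this thread: a short family prefix, one variable
# character, then an 8-character id that every component of one installation shares.
# The look-around keeps "phc" from matching inside "lphc"/"pphc"/"blphc".
ARTIFACT_RE = re.compile(
    r'(?<![a-z0-9])(?P<prefix>blphc|pphc|lphc|phc|rhc)(?P<var>[a-z0-9])(?P<id>[a-z0-9]{8})(?![a-z0-9])')


def correlate(text):
    """Group every artifact by its shared id: {id: [(prefix, extension, line), ...]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        for m in ARTIFACT_RE.finditer(line):
            tail = line[m.end():]
            ext = tail.split()[0] if tail.startswith('.') else ''   # '' for folders and registry values
            groups[m.group('id')].append((m.group('prefix'), ext, line.strip()))
    return dict(groups)


def components(groups):
    """Component kinds (prefix + extension) present per id, e.g. {'1cj0er1q': ['blphc.scr', ...]}."""
    return {art_id: sorted({p + e for p, e, _ in items}) for art_id, items in groups.items()}


if __name__ == '__main__':
    found = correlate(SAMPLE_LINES)
    for art_id, kinds in components(found).items():
        print(art_id, '->', ', '.join(kinds))
        for _, _, line in found[art_id]:
            print('   ', line)
```

Run it over the full ComboFix and MBAM output rather than the sample: any id that appears with only one component after cleanup is either a leftover to quarantine or a false hit on the assumed pattern, and either way deserves a look.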

#5 steamwiz

  • Members
  • 1,039 posts

Posted 03 October 2008 - 02:21 PM

HI

Can you run the MBAM scan now, please, and post the log?

Also, when you run Malwarebytes' Anti-Malware from the icon on your desktop, select the Logs tab and see if you can see any logs; post the contents of any you see (even though MBAM didn't complete, it may have created a log).

Also, please post a new HijackThis log.

There is quite a lot more malware to remove (as shown in the ComboFix log), but please do this first.


#6 peteyg67

  • Topic Starter
  • Members
  • 130 posts
  • Location: Ireland

Posted 03 October 2008 - 02:56 PM

Seems like it. And my other laptop has just been infected as well, after over a year of being clean. Some nasty stuff out there.

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

03/10/2008 00:08:16
mbam-log-2008-10-03 (00-08-16).txt

Scan type: Quick Scan
Objects scanned: 49250
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcr1cj0er1q (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Frank\Local Settings\Temporary Internet Files\Content.IE5\CLKH50J3\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcv1cj0er1q.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcv1cj0er1q.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Frank\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Frank\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marie\results.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Frank\Local Settings\Temp\.tt1.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

03/10/2008 00:27:41
mbam-log-2008-10-03 (00-27-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 85156
Time elapsed: 17 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004047.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004048.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004049.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004050.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004053.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004054.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004069.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004072.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004074.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004076.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004082.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004084.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP4\A0004085.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\apesfr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\aqfxdb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ckafmv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\coqttw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\djpbofhr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\doacyhra.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dtwzha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ebotfiaw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ggrsqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hmjtdvud.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kxyhgbpu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kyjdowtf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJcDtrs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mcdgwo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mkonsl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nmwnlbrc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qdxhljqr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qfaopx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tdwptfum.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wqonvtdd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yskxfkey.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:09, on 03/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Marie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/shockwave/download/tr...om/default.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://213.70.229.154/tsweb/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49FA5074-962D-4D17-8601-08034A7488D3}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: apesfr.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6441 bytes

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 03 October 2008 - 04:03 PM

Hi

The second MBAM log is actually clean ... the files found were already out of harm's way & we would delete them in our final clean-up :thumbsup:

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\pphcv1cj0er1q.exe
C:\WINDOWS\system32\lphcv1cj0er1q.exe
C:\WINDOWS\system32\awjjaxch.ini
C:\WINDOWS\system32\buhaaokd.ini
C:\WINDOWS\system32\smygdysd.ini
C:\WINDOWS\system32\pYHPpqss.ini
C:\WINDOWS\system32\ISsYaccf.ini
C:\WINDOWS\system32\dLRuCJjl.ini
C:\WINDOWS\system32\vfrkanji.ini
C:\33.bat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
(screenshot not reproduced)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Are you still getting a blue screen ?

Is your problem resolved ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
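As an added example (not part of the thread and not ComboFix's own code), a small Python parser for the CFScript layout used in the post above: it enforces the rule that File:: must be the very first line, then collects the File:: entries and the Registry:: changes, treating a value of - as a deletion. The file names in the embedded sample are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the CFScript above; file names are placeholders.
SAMPLE_CFSCRIPT = """File::
C:\\WINDOWS\\system32\\example_a.exe
C:\\WINDOWS\\system32\\example_b.ini

Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"=""
"""

@dataclass
class CFScript:
    files: list = field(default_factory=list)
    # (registry key, value name, action, raw value); action is "delete" for "=-"
    registry: list = field(default_factory=list)

def parse_cfscript(text: str) -> CFScript:
    lines = text.splitlines()
    # The rule stressed in the post: File:: must be the very first line,
    # with no blank line above it and no leading space.
    if not lines or lines[0] != "File::":
        raise ValueError("first line must be exactly 'File::'")
    script, section, key = CFScript(), "File::", None
    for line in lines[1:]:
        if not line.strip():
            continue                      # blank lines separate entries
        if line.endswith("::"):
            section, key = line, None     # new section header
            continue
        if section == "File::":
            script.files.append(line)
        elif section == "Registry::":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]          # registry key for the lines that follow
                continue
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if not m or key is None:
                raise ValueError(f"unrecognised registry line: {line!r}")
            name, value = m.groups()
            script.registry.append((key, name, "delete" if value == "-" else "set", value))
        else:
            raise ValueError(f"unknown section: {section}")
    return script
```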

#8 peteyg67

peteyg67
  • Topic Starter

  • Members
  • 130 posts
  • Location:Ireland

Posted 03 October 2008 - 05:51 PM

I'll list my current problems now:

On startup the login screen is switched to classic, no welcome screen or easy switch user even though it's activated in cpl

When the laptop boots to the desktop I get several errors saying missing DLL, reinstalling may fix this issue.
The main one I'm concerned about is AVG. It seems to be blocking them.

I'm getting Windows Installer launches and they won't go away, 1 is called photogallery :S

and I also can't access Add or Remove Programs unless in safe mode.

BSOD has gone and also internet popups

Thanks so much so far :thumbsup:

#9 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 04 October 2008 - 11:53 AM

Hi

OK ... you say you get several missing DLL errors on startup ... Please list ALL of them :thumbsup:

Then carry out the instructions in my last post & post the new Combofix log AND a new hijackthis log

steam
