vundo attack on IE and Firefox


  • This topic is locked
16 replies to this topic

#1 tjhayesj
  • Members
  • 9 posts

Posted 10 December 2008 - 02:18 PM

I'm on my office computer and do not have an administrator title (although I don't have access limitations), which deters some malware removers from working.
I have a Vundo variant of sorts that seems beyond my removing experience. I never quite get all of it, and it re-spawns of course.
I have removed any apparent processes that were running successfully, but that didn't solve everything.
I worked on the registry numerous times but never get it all cleaned up.
I'm looking for someone with brilliance to solve this without me having to call our tech contractor, who is creepy and expensive (did I mention creepy).

thanks in advance

(I have sysrestore, ERUNT, CCleaner, ATF Cleaner, etc.)


#2 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 December 2008 - 11:31 AM

Hello! :thumbsup:
My name is Sam and I will be helping you.

No promises, but I'll give it a shot and see what can be done for you.



In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download random's system information tool (RSIT) and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 tjhayesj
  • Topic Starter
  • Members
  • 9 posts

Posted 11 December 2008 - 04:42 PM

RSIT won't run because I'm not "admin" (although I have full access on the comp). Here is my HijackThis log... hope that's a start; if you want I can take a screenshot of my processes and services etc.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:58 PM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AutoCAD 2002\acad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213359004359
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Historic.local
O17 - HKLM\Software\..\Telephony: DomainName = Historic.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Historic.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Historic.local
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 5635 bytes

#4 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 December 2008 - 09:37 AM

Hmmmm... I'm not sure if I'll be able to help much if I can't see what's going on in your computer.
Unfortunately a HijackThis log is, for the most part, useless in this case.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please copy and paste both logs into your next reply.

#5 tjhayesj
  • Topic Starter
  • Members
  • 9 posts

Posted 12 December 2008 - 10:16 AM

I couldn't get a second log to show up (I clicked yes, but nothing... maybe I'm stupid), but I did get the first log:

DDS (Version 1.0.1) - NTFSx86
Run by thayes at 10:16:37.53 on Fri 12/12/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1532 [GMT -5:00]

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\Documents and Settings\thayes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb
uDefault_Page_URL = hxxp://companyweb
mDefault_Page_URL = hxxp://companyweb
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Synchronization Manager] c:\windows\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uPolicies-explorer: <NO NAME> =
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thayes\applic~1\mozilla\firefox\profiles\7q3499yk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [2008-5-19 540184]

=============== Created Last 30 ================

2008-12-11 09:54 389,120 a------- c:\windows\system32\CF28783.exe
2008-12-11 09:54 389,120 a------- c:\windows\system32\cmd.execf
2008-12-11 09:36 1,564,845 ---sh--- c:\windows\system32\emomubon.ini
2008-12-10 13:59 <DIR> --d----- c:\documents and settings\thayes\.SunDownloadManager
2008-12-10 13:33 <DIR> --d----- c:\windows\ERUNT
2008-12-10 13:30 <DIR> --d----- C:\SDFix
2008-12-10 12:29 <DIR> --d----- c:\program files\WinAce
2008-12-10 12:25 <DIR> --d----- C:\VundoFix Backups
2008-12-10 10:46 <DIR> --d----- c:\program files\Trend Micro
2008-12-10 10:33 <DIR> --d----- c:\program files\CCleaner
2008-12-10 08:48 1,491,974 ---sh--- c:\windows\system32\ovipozar.ini
2008-11-21 14:50 <DIR> --d----- C:\spoolerlogs
2008-11-21 08:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-21 08:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-21 08:54 <DIR> --d----- c:\docume~1\thayes\applic~1\SUPERAntiSpyware.com
2008-11-21 08:50 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-21 08:32 63 a------- c:\windows\av_affiliate.ini
2008-11-21 08:32 63 a------- c:\windows\as_affiliate.ini
2008-11-21 08:19 528,784 a------- c:\windows\system32\PerfStringBackup.INI
2008-11-20 17:00 1,632,512 ---sh--- c:\windows\system32\qgkueiov.ini
2008-11-20 16:54 <DIR> --dsh--- c:\windows\IA

==================== Find3M ====================

2008-12-11 09:36 85,658 a--sh--- c:\windows\system32\nobumome.dll
2008-12-11 09:36 92,429 a--sh--- c:\windows\system32\kusoyaji.dll
2008-12-11 08:36 91,393 a--sh--- c:\windows\system32\diyohobe.dll
2008-12-11 08:36 62,043 a--sh--- c:\windows\system32\sujefube.dll
2008-12-10 08:48 87,273 a--sh--- c:\windows\system32\razopivo.dll
2008-12-10 08:48 94,514 -------- c:\windows\system32\majujewe.dll
2008-11-20 09:55 325,632 a------- c:\windows\system32\_zhsotjqrqmpffcsne.dll
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys

============= FINISH: 10:16:49.90 ===============

Edited by tjhayesj, 12 December 2008 - 10:28 AM.


#6 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 December 2008 - 04:30 PM

Let's see what we can do with this next tool.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\emomubon.ini
    c:\windows\system32\ovipozar.ini
    c:\windows\system32\qgkueiov.ini
    c:\windows\system32\nobumome.dll
    c:\windows\system32\kusoyaji.dll
    c:\windows\system32\diyohobe.dll
    c:\windows\system32\sujefube.dll
    c:\windows\system32\razopivo.dll
    c:\windows\system32\majujewe.dll
    c:\windows\system32\_zhsotjqrqmpffcsne.dll
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


And then post a new log from DDS.

#7 tjhayesj
  • Topic Starter
  • Members
  • 9 posts

Posted 15 December 2008 - 08:30 AM

========== FILES ==========
c:\windows\system32\emomubon.ini moved successfully.
c:\windows\system32\ovipozar.ini moved successfully.
c:\windows\system32\qgkueiov.ini moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\nobumome.dll
c:\windows\system32\nobumome.dll NOT unregistered.
c:\windows\system32\nobumome.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kusoyaji.dll
c:\windows\system32\kusoyaji.dll NOT unregistered.
c:\windows\system32\kusoyaji.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\diyohobe.dll
c:\windows\system32\diyohobe.dll NOT unregistered.
c:\windows\system32\diyohobe.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\sujefube.dll
c:\windows\system32\sujefube.dll NOT unregistered.
c:\windows\system32\sujefube.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\razopivo.dll
c:\windows\system32\razopivo.dll NOT unregistered.
c:\windows\system32\razopivo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\majujewe.dll
c:\windows\system32\majujewe.dll NOT unregistered.
c:\windows\system32\majujewe.dll moved successfully.
c:\windows\system32\_zhsotjqrqmpffcsne.dll unregistered successfully.
c:\windows\system32\_zhsotjqrqmpffcsne.dll moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\ExchangePerflog_8484fa31bd95b1004910dfdb.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\~DF97B2.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12152008_083141

#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 December 2008 - 08:56 AM

And then post a new log from DDS.

#9 tjhayesj
  • Topic Starter
  • Members
  • 9 posts

Posted 15 December 2008 - 11:19 AM

Right, sorry:


DDS (Version 1.0.1) - NTFSx86
Run by thayes at 11:21:15.15 on Mon 12/15/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1530 [GMT -5:00]

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AutoCAD 2002\acad.exe
C:\Program Files\Common Files\Autodesk Shared\AcHelp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\Documents and Settings\thayes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb
uDefault_Page_URL = hxxp://companyweb
mDefault_Page_URL = hxxp://companyweb
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [CPM26e9fd92] Rundll32.exe "c:\windows\system32\majujewe.dll",a
mRun: [nwiz] nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Synchronization Manager] c:\windows\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uPolicies-explorer: <NO NAME> =
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thayes\applic~1\mozilla\firefox\profiles\7q3499yk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [2008-5-19 540184]

=============== Created Last 30 ================

2008-12-15 08:31 <DIR> --d----- C:\_OTMoveIt
2008-12-11 09:54 389,120 a------- c:\windows\system32\CF28783.exe
2008-12-11 09:54 389,120 a------- c:\windows\system32\cmd.execf
2008-12-10 13:59 <DIR> --d----- c:\documents and settings\thayes\.SunDownloadManager
2008-12-10 13:33 <DIR> --d----- c:\windows\ERUNT
2008-12-10 13:30 <DIR> --d----- C:\SDFix
2008-12-10 12:29 <DIR> --d----- c:\program files\WinAce
2008-12-10 12:25 <DIR> --d----- C:\VundoFix Backups
2008-12-10 10:46 <DIR> --d----- c:\program files\Trend Micro
2008-12-10 10:33 <DIR> --d----- c:\program files\CCleaner
2008-11-21 14:50 <DIR> --d----- C:\spoolerlogs
2008-11-21 08:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-21 08:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-21 08:54 <DIR> --d----- c:\docume~1\thayes\applic~1\SUPERAntiSpyware.com
2008-11-21 08:50 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-21 08:32 63 a------- c:\windows\av_affiliate.ini
2008-11-21 08:32 63 a------- c:\windows\as_affiliate.ini
2008-11-21 08:19 528,784 a------- c:\windows\system32\PerfStringBackup.INI
2008-11-20 16:54 <DIR> --dsh--- c:\windows\IA

==================== Find3M ====================

2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 11:21:28.59 ===============
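The DDS logs in posts #5 and #9 and the OTMoveIt3 list in post #6 are worked by eye above. As an added example, not a tool from this thread and not OldTimer's, DDS's or any poster's code, the Python script below applies the same checks to the log text: it parses the uRun/mRun lines and the dated file lines DDS prints, flags files in system32 with an 8-lowercase-letter name that are hidden+system or are loaded by a rundll32 Run value, pairs a DLL with the .ini whose name is its name reversed (nobumome.dll and emomubon.ini, razopivo.dll and ovipozar.ini in the log above), and writes an OTMoveIt3 :files section in the form post #6 uses. Run values are only reported, with the hive and key they live in, because the thread shows no registry syntax for OTMoveIt3. The embedded SAMPLE_LOG is constructed from lines in the posted logs; the name-length heuristic, the reversed-name rule and the names parse_dds, find_indicators, build_otmoveit_script and registry_report are this example's own assumptions.

```python
"""Triage of a DDS-style log for the Vundo file-and-Run-key pattern in this thread.
Added example, not a tool from the thread: it parses the Run lines and the dated file
lines DDS prints, flags the indicators a helper looks for by eye, and emits an
OTMoveIt3 ':files' section.  Registry values are reported, not scripted."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: lines in the shape DDS prints, taken from the logs posted above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CPM26e9fd92] Rundll32.exe "c:\windows\system32\majujewe.dll",a
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
=============== Created Last 30 ================
2008-12-11 09:36 1,564,845 ---sh--- c:\windows\system32\emomubon.ini
2008-12-10 08:48 1,491,974 ---sh--- c:\windows\system32\ovipozar.ini
2008-11-21 08:19 528,784 a------- c:\windows\system32\PerfStringBackup.INI
2008-11-20 16:54 <DIR> --dsh--- c:\windows\IA
==================== Find3M ====================
2008-12-11 09:36 85,658 a--sh--- c:\windows\system32\nobumome.dll
2008-12-10 08:48 87,273 a--sh--- c:\windows\system32\razopivo.dll
2008-12-10 08:48 94,514 -------- c:\windows\system32\majujewe.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
"""

FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")
RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")   # assumed heuristic: the 8-lowercase-letter names seen here
SYSTEM32 = "\\windows\\system32\\"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

@dataclass(frozen=True)
class FileEntry:
    path: str
    attrs: str          # DDS attribute column, e.g. "a--sh---" (s = system, h = hidden)

    @property
    def directory(self) -> str:
        return self.path.lower().rsplit("\\", 1)[0]

    @property
    def stem(self) -> str:   # "emomubon" for c:\windows\system32\emomubon.ini
        return self.path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]

    @property
    def suspicious_name(self) -> bool:
        return SYSTEM32 in self.path.lower() and bool(RANDOM_STEM.match(self.stem))

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

@dataclass(frozen=True)
class RunEntry:
    hive: str           # HKCU for uRun, HKLM for mRun
    name: str
    command: str

    @property
    def rundll32_target(self) -> str:
        m = RUNDLL_DLL.search(self.command)
        return m.group("dll").lower() if m else ""

def parse_dds(text: str) -> Tuple[List[FileEntry], List[RunEntry]]:
    files, runs = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FILE_LINE.match(line):
            files.append(FileEntry(m.group("path"), m.group("attrs")))
        elif m := RUN_LINE.match(line):
            runs.append(RunEntry("HKCU" if m.group("hive") == "u" else "HKLM", m.group("name"), m.group("cmd")))
    return files, runs

def find_indicators(files: List[FileEntry], runs: List[RunEntry]) -> Dict[str, object]:
    loaded = {r.rundll32_target for r in runs}
    by_key = {(f.directory, f.stem): f for f in files}
    # Vundo data file: an .ini whose name is the DLL name reversed (nobumome.dll <-> emomubon.ini above).
    pairs = [(f.path, p.path) for f in files if f.path.lower().endswith(".dll")
             and (p := by_key.get((f.directory, f.stem[::-1]))) and p.path.lower().endswith(".ini")]
    flagged = {f.path for f in files if f.suspicious_name and (f.hidden_system or f.path.lower() in loaded)}
    flagged.update(path for pair in pairs for path in pair)
    # Run values are judged by the name of the DLL they load, so the loader is still
    # caught after the DLL itself has been moved (the situation in the post-cleanup log).
    bad_runs = [r for r in runs if SYSTEM32 in r.rundll32_target
                and RANDOM_STEM.match(r.rundll32_target.rsplit("\\", 1)[-1].rsplit(".", 1)[0])]
    return {"files": flagged, "runs": bad_runs, "reversed_pairs": pairs}

def build_otmoveit_script(flagged_files) -> str:
    """OTMoveIt3 paste-box text in the form used in this thread (files section only)."""
    return "\n".join([":files", *sorted(flagged_files), "", ":Commands", "[EmptyTemp]", "[Reboot]"])

def registry_report(bad_runs: List[RunEntry]) -> List[str]:
    return [f"{r.hive}\\{RUN_KEY}\\{r.name} = {r.command}" for r in bad_runs]

if __name__ == "__main__":
    files, runs = parse_dds(SAMPLE_LOG)
    found = find_indicators(files, runs)
    print(build_otmoveit_script(found["files"]))
    for entry in registry_report(found["runs"]):
        print("Run value to delete by hand:", entry)
```

A Run value is judged by the DLL it names, not by whether that DLL is still on disk, so on the post-cleanup log in #9, where majujewe.dll has been moved but the CPM26e9fd92 value remains, the script still reports that value; it points at a DLL in system32 and belongs on the removal list with the files.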

#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 December 2008 - 02:48 PM

That looks pretty good. Please post a new hijackthis log.
How are things running on your end?

#11 tjhayesj
  • Topic Starter
  • Members
  • 9 posts

Posted 15 December 2008 - 04:12 PM

The only noticeable problem I still have is that Firefox gets rerouted when I click on links (example: I searched Google for Bleeping Computer and clicked on its website, and it redirected me to an advertisement search page), but if I go back and try again it will work OK... and it seems to be mostly on search result links...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:21 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AutoCAD 2002\acad.exe
C:\Program Files\Common Files\Autodesk Shared\AcHelp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CPM26e9fd92] Rundll32.exe "c:\windows\system32\majujewe.dll",a
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213359004359
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Historic.local
O17 - HKLM\Software\..\Telephony: DomainName = Historic.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Historic.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Historic.local
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 5888 bytes

#12 tjhayesj (Topic Starter)

Posted 15 December 2008 - 05:02 PM

I just got blitzed with IE pop-ups and download prompts for "virusremover2008", and the C:\Program Files\Mozilla Firefox folder just opened (I might have caused it inadvertently trying to close all the pop-ups).

I'm going to post a new DDS script so you can see if anything new popped up since earlier today.


DDS (Version 1.0.1) - NTFSx86
Run by thayes at 17:04:43.90 on Mon 12/15/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.76 [GMT -5:00]

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AutoCAD 2002\acad.exe
C:\Program Files\Common Files\Autodesk Shared\AcHelp.exe
svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\prunnet.exe
C:\DOCUME~1\thayes\LOCALS~1\Temp\stf2C0.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mshta.exe
C:\Documents and Settings\thayes\Application Data\Twain\Twain.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\Documents and Settings\thayes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb
uDefault_Page_URL = hxxp://companyweb
mDefault_Page_URL = hxxp://companyweb
BHO: {4ECE634F-073A-4A0D-8C5B-69996D4B2FDD} - c:\docume~1\thayes\locals~1\temp\fccaYOGW.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [CPM26e9fd92] Rundll32.exe "c:\windows\system32\majujewe.dll",a
uRun: [MSServer] rundll32.exe c:\docume~1\thayes\locals~1\temp\urqPjKAS.dll,#1
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [cmds] rundll32.exe c:\docume~1\thayes\locals~1\temp\fccaYOGW.dll,c
uRun: [MS Juan] rundll32 "c:\docume~1\thayes\locals~1\temp\upqbiv.dll",run
uRun: [gadcom] "c:\documents and settings\thayes\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [Twain] c:\documents and settings\thayes\application data\twain\Twain.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Synchronization Manager] c:\windows\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [25dace0e] rundll32.exe "c:\windows\system32\agfuqnuu.dll",b
uPolicies-explorer: <NO NAME> =
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thayes\applic~1\mozilla\firefox\profiles\7q3499yk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [2008-5-19 540184]

=============== Created Last 30 ================

2008-12-15 17:02 <DIR> --d----- c:\docume~1\thayes\applic~1\Twain
2008-12-15 16:57 129,024 a------- c:\windows\system32\smbqertj.dll
2008-12-15 16:57 1,646,212 ---sh--- c:\windows\system32\uunqufga.ini
2008-12-15 16:57 72,704 a------- c:\windows\system32\agfuqnuu.dll
2008-12-15 16:57 <DIR> --d----- c:\program files\Webtools
2008-12-15 16:52 <DIR> --d----- c:\program files\Mjcore
2008-12-15 16:51 <DIR> --d----- c:\docume~1\thayes\applic~1\gadcom
2008-12-15 16:51 94,272 a------- c:\windows\system32\prunnet.exe
2008-12-15 08:31 <DIR> --d----- C:\_OTMoveIt
2008-12-11 09:54 389,120 a------- c:\windows\system32\CF28783.exe
2008-12-11 09:54 389,120 a------- c:\windows\system32\cmd.execf
2008-12-10 13:59 <DIR> --d----- c:\documents and settings\thayes\.SunDownloadManager
2008-12-10 13:33 <DIR> --d----- c:\windows\ERUNT
2008-12-10 13:30 <DIR> --d----- C:\SDFix
2008-12-10 12:29 <DIR> --d----- c:\program files\WinAce
2008-12-10 12:25 <DIR> --d----- C:\VundoFix Backups
2008-12-10 10:46 <DIR> --d----- c:\program files\Trend Micro
2008-12-10 10:33 <DIR> --d----- c:\program files\CCleaner
2008-11-21 14:50 <DIR> --d----- C:\spoolerlogs
2008-11-21 08:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-21 08:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-21 08:54 <DIR> --d----- c:\docume~1\thayes\applic~1\SUPERAntiSpyware.com
2008-11-21 08:50 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-21 08:32 63 a------- c:\windows\av_affiliate.ini
2008-11-21 08:32 63 a------- c:\windows\as_affiliate.ini
2008-11-21 08:19 528,784 a------- c:\windows\system32\PerfStringBackup.INI
2008-11-20 16:54 <DIR> --dsh--- c:\windows\IA

==================== Find3M ====================

2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 17:05:03.20 ===============

#13 Buckeye_Sam (Malware Expert)

Posted 16 December 2008 - 10:00 AM

You just picked up a bunch of new stuff.
Copy this text into OTMoveIt just like you did before.

:files
c:\docume~1\thayes\applic~1\Twain
c:\windows\system32\smbqertj.dll
c:\windows\system32\uunqufga.ini
c:\windows\system32\agfuqnuu.dll
c:\program files\Webtools
c:\program files\Mjcore
c:\docume~1\thayes\applic~1\gadcom
c:\windows\system32\prunnet.exe

:Commands
[EmptyTemp]
[Reboot]



Now let's try to run Combofix if we can.


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
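The reasoning behind Sam's OTMoveIt list, worked as an added Python example (not code from the thread, DDS or OTMoveIt): it parses the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log, flags uRun/mRun/BHO entries that load from a Temp folder, point at a file created in the last 30 days, or call rundll32 with a one-letter or ordinal export, and renders the hits as a ":files" block for review. The sample log inside it is constructed from the entries posted above, and the flagging rules are heuristics of my own, not anything DDS or the helper defines.

```python
"""DDS log triage helper: an added example, not code from the thread, DDS or OTMoveIt.
Flags uRun/mRun/BHO entries with the traits seen in this thread and renders them as
an OTMoveIt ':files' block for a helper to review. The heuristics are my own."""
import re
from collections import namedtuple

# Constructed sample in the shape of the thread's DDS output (raw string: backslashes are literal).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: {4ECE634F-073A-4A0D-8C5B-69996D4B2FDD} - c:\docume~1\thayes\locals~1\temp\fccaYOGW.dll
uRun: [CPM26e9fd92] Rundll32.exe "c:\windows\system32\majujewe.dll",a
uRun: [MSServer] rundll32.exe c:\docume~1\thayes\locals~1\temp\urqPjKAS.dll,#1
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [Twain] c:\documents and settings\thayes\application data\twain\Twain.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [25dace0e] rundll32.exe "c:\windows\system32\agfuqnuu.dll",b
=============== Created Last 30 ================
2008-12-15 17:02 <DIR> --d----- c:\docume~1\thayes\applic~1\Twain
2008-12-15 16:57 72,704 a------- c:\windows\system32\agfuqnuu.dll
2008-12-15 16:51 94,272 a------- c:\windows\system32\prunnet.exe
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AUTORUN_RE = re.compile(r"^(?P<kind>[um]Run|BHO):\s*(?P<body>.*)$")
RUN_BODY_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
BHO_BODY_RE = re.compile(r"(?P<name>\{[^}]*\})\s*-\s*(?P<cmd>.*)")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$")
WINPATH_RE = re.compile(r"[a-z]:\\[^\",]+", re.IGNORECASE)
SHORT_EXPORT_RE = re.compile(r",(#\d+|[A-Za-z])\s*$")   # rundll32 export given as ",a" or ",#1"
# 8.3 aliases as DDS prints them -> long form, so both spellings of a path compare equal
SHORT_NAMES = {"docume~1": "documents and settings", "applic~1": "application data",
               "locals~1": "local settings", "progra~1": "program files"}
Finding = namedtuple("Finding", "kind name path reasons")


def normalize(path):
    """Lower-case, strip a trailing backslash and expand the 8.3 aliases."""
    p = path.lower().strip().rstrip("\\")
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def parse_sections(text):
    """Split a DDS log into {section title: [non-blank lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return Findings for autorun entries that look like the droppers in this thread."""
    sections = parse_sections(text)
    recent = {normalize(m.group("path"))
              for m in map(CREATED_RE.match, sections.get("Created Last 30", [])) if m}
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        bm = (BHO_BODY_RE if kind == "BHO" else RUN_BODY_RE).match(body)
        pm = WINPATH_RE.search(bm.group("cmd")) if bm else None
        if not pm:          # e.g. "[nwiz] nwiz.exe /installquiet": no full path to judge
            continue
        name, cmd, path = bm.group("name"), bm.group("cmd"), pm.group(0).strip()
        npath, reasons = normalize(path), []
        if "\\temp\\" in npath:
            reasons.append("loads from a Temp folder")
        if npath.startswith("c:\\windows\\") and npath in recent:
            reasons.append("file under c:\\windows created in the last 30 days")
        if "\\application data\\" in npath and any(
                npath == r or npath.startswith(r + "\\") for r in recent):
            reasons.append("Application Data target created in the last 30 days")
        if cmd.lower().startswith("rundll32") and SHORT_EXPORT_RE.search(cmd):
            reasons.append("rundll32 with a one-letter or ordinal export")
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


def otmoveit_files(findings):
    """Render the flagged paths, deduplicated, as an OTMoveIt ':files' block."""
    seen, lines = set(), [":files"]
    for f in findings:
        if f.path.lower() not in seen:
            seen.add(f.path.lower())
            lines.append(f.path)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<4} [{f.name}] {f.path}  ->  {'; '.join(f.reasons)}")
    print(otmoveit_files(found))
```

Anything it flags still needs a human look: a legitimately installed program can trip the "created in the last 30 days" rule just as easily as a dropper.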

#14 tjhayesj (Topic Starter)

Posted 16 December 2008 - 11:36 AM

OK... ComboFix won't run, unfortunately. I can even extract it, but it hates that my name isn't admin. I tried taking off all Windows blocks and running it in safe mode and still got an installation FAIL alert.

I'm going to post my OTMoveIt log and my new DDS for you:

========== FILES ==========
c:\docume~1\thayes\applic~1\Twain moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\smbqertj.dll
c:\windows\system32\smbqertj.dll NOT unregistered.
c:\windows\system32\smbqertj.dll moved successfully.
c:\windows\system32\uunqufga.ini moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\agfuqnuu.dll
c:\windows\system32\agfuqnuu.dll NOT unregistered.
c:\windows\system32\agfuqnuu.dll moved successfully.
File/Folder c:\program files\Webtools not found.
c:\program files\Mjcore moved successfully.
File/Folder c:\docume~1\thayes\applic~1\gadcom not found.
File/Folder c:\windows\system32\prunnet.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\AcrC127.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\csrssc.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\ExchangePerflog_8484fa31bd95b1004910dfdb.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\fccaYOGW.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\nnnoPIxv.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\winloggn.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\~DF33D6.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\~DFC4A6.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\thayes\LOCALS~1\Temp\~WRF0000.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12162008_111016

Files moved on Reboot...
File C:\DOCUME~1\thayes\LOCALS~1\Temp\AcrC127.tmp not found!
C:\DOCUME~1\thayes\LOCALS~1\Temp\csrssc.exe moved successfully.
C:\DOCUME~1\thayes\LOCALS~1\Temp\ExchangePerflog_8484fa31bd95b1004910dfdb.dat moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\thayes\LOCALS~1\Temp\fccaYOGW.dll
C:\DOCUME~1\thayes\LOCALS~1\Temp\fccaYOGW.dll NOT unregistered.
C:\DOCUME~1\thayes\LOCALS~1\Temp\fccaYOGW.dll moved successfully.
File C:\DOCUME~1\thayes\LOCALS~1\Temp\nnnoPIxv.dll not found!
C:\DOCUME~1\thayes\LOCALS~1\Temp\winloggn.exe moved successfully.
File C:\DOCUME~1\thayes\LOCALS~1\Temp\~DF33D6.tmp not found!
File C:\DOCUME~1\thayes\LOCALS~1\Temp\~DFC4A6.tmp not found!
File C:\DOCUME~1\thayes\LOCALS~1\Temp\~WRF0000.tmp not found!
File move failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_001_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_002_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_003_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\Cache\_CACHE_MAP_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\urlclassifier3.sqlite scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\thayes\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q3499yk.default\XUL.mfl scheduled to be moved on reboot.

And the DDS:


DDS (Version 1.0.1) - NTFSx86
Run by thayes at 11:38:18.70 on Tue 12/16/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1600 [GMT -5:00]

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\DOCUME~1\thayes\LOCALS~1\Temp\winloggn.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\thayes\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\Documents and Settings\thayes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb
uDefault_Page_URL = hxxp://companyweb
mDefault_Page_URL = hxxp://companyweb
BHO: {E61635CE-0656-42E6-BF6E-3CD1114C273B} - c:\docume~1\thayes\locals~1\temp\fccaYOGW.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [CPM26e9fd92] Rundll32.exe "c:\windows\system32\majujewe.dll",a
uRun: [Twain] c:\documents and settings\thayes\application data\twain\Twain.exe
uRun: [xsgds4fgffght] c:\docume~1\thayes\locals~1\temp\winloggn.exe
uRun: [cmds] rundll32.exe c:\docume~1\thayes\locals~1\temp\fccaYOGW.dll,c
uRun: [MSServer] rundll32.exe c:\docume~1\thayes\locals~1\temp\rqRkkIbA.dll,#1
uRun: [Jnskdfmf9eldfd] c:\docume~1\thayes\locals~1\temp\csrssc.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Synchronization Manager] c:\windows\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [25dace0e] rundll32.exe "c:\windows\system32\agfuqnuu.dll",b
uPolicies-explorer: <NO NAME> =
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thayes\applic~1\mozilla\firefox\profiles\7q3499yk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [2008-5-19 540184]

=============== Created Last 30 ================

2008-12-16 11:32 389,120 a------- c:\windows\system32\CF16896.exe
2008-12-16 11:30 389,120 a------- c:\windows\system32\CF16560.exe
2008-12-16 11:25 389,120 a------- c:\windows\system32\CF15466.exe
2008-12-16 11:24 389,120 a------- c:\windows\system32\CF15361.exe
2008-12-16 11:24 389,120 a------- c:\windows\system32\CF15319.exe
2008-12-16 11:21 389,120 a------- c:\windows\system32\CF14796.exe
2008-12-16 11:18 389,120 a------- c:\windows\system32\CF14081.exe
2008-12-16 11:18 389,120 a------- c:\windows\system32\cmd.execf
2008-12-16 11:17 389,120 a------- c:\windows\system32\CF14003.exe
2008-12-15 17:06 15,000 -------- c:\windows\system32\rsekd83jde.dll
2008-12-15 08:31 <DIR> --d----- C:\_OTMoveIt
2008-12-11 09:54 389,120 a------- c:\windows\system32\CF28783.exe
2008-12-10 13:59 <DIR> --d----- c:\documents and settings\thayes\.SunDownloadManager
2008-12-10 13:33 <DIR> --d----- c:\windows\ERUNT
2008-12-10 13:30 <DIR> --d----- C:\SDFix
2008-12-10 12:29 <DIR> --d----- c:\program files\WinAce
2008-12-10 12:25 <DIR> --d----- C:\VundoFix Backups
2008-12-10 10:46 <DIR> --d----- c:\program files\Trend Micro
2008-12-10 10:33 <DIR> --d----- c:\program files\CCleaner
2008-11-21 14:50 <DIR> --d----- C:\spoolerlogs
2008-11-21 08:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-21 08:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-21 08:54 <DIR> --d----- c:\docume~1\thayes\applic~1\SUPERAntiSpyware.com
2008-11-21 08:50 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-21 08:32 63 a------- c:\windows\av_affiliate.ini
2008-11-21 08:32 63 a------- c:\windows\as_affiliate.ini
2008-11-21 08:19 528,784 a------- c:\windows\system32\PerfStringBackup.INI
2008-11-20 16:54 <DIR> --dsh--- c:\windows\IA

==================== Find3M ====================

2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 11:38:32.59 ===============

#15 Buckeye_Sam (Malware Expert)

Posted 16 December 2008 - 06:50 PM

Try one more thing for me. Rename combofix.exe to cf.exe and try running it again.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Have you tried Malwarebytes yet?


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
