
Multiple Viruses



#1 DorsaFL

DorsaFL

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 01 January 2009 - 01:42 PM

Hey guys. I'm new to this forum. I followed everything on the Prep guide so if I made a mistake I'm sorry and I will be sure to correct it.


DDS (Version 1.1.0) - NTFSx86
Run by Danny at 13:32:39.15 on Thu 01/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.107 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGFubnk\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Danny\Application Data\gadcom\gadcom.exe
C:\Documents and Settings\Danny\Application Data\Twain\Twain.exe
C:\Documents and Settings\Danny\Application Data\SpeedRunner\SpeedRunner.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Danny\Application Data\Microsoft\Windows\kgjiiee.exe
C:\PROGRA~1\COMMON~1\wozq\wozqm.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Danny\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Danny\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\wozq\wozqa.exe
C:\WINDOWS\system32\mncpmgr.exe
C:\F36.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Danny\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {aadba703-2b61-7619-c044-4b0d490cc481}: {184cc094-d0b4-440c-9167-16b2307abdaa} - c:\windows\system32\jckvky.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkljihG.dll
BHO: {d77e81b8-28da-48cb-8587-83fb3ac275dc} - c:\windows\system32\urqoPHYP.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [gadcom] "c:\documents and settings\danny\application data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
uRun: [Twain] c:\documents and settings\danny\application data\twain\Twain.exe
uRun: [SpeedRunner] c:\documents and settings\danny\application data\speedrunner\SpeedRunner.exe
uRun: [SfKg6wIP] c:\documents and settings\danny\application data\microsoft\windows\kgjiiee.exe
uRun: [wozq] c:\progra~1\common~1\wozq\wozqm.exe
uRun: [AntispywareBot] c:\program files\antispywarebot\AntispywareBot.exe -boot
uRun: [Microsoft Network DHCP Manager] mncpmgr.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [Microsoft Network DHCP Manager] mncpmgr.exe
mRunServices: [Microsoft Network DHCP Manager] mncpmgr.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: jkkljihG - jkkljihG.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: jckvky.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkljihG.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqoPHYP

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danny\applic~1\mozilla\firefox\profiles\8edq8qp8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\components\srff.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-10-4 177776]
R2 cmdService;Command Service;c:\windows\rgfubnk\command.exe [2008-12-15 293888]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Network Monitor;Network Monitor;c:\program files\network monitor\netmon.exe service []
S1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-10-4 83568]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20071217.003\naveng.sys [2007-12-18 81232]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20071217.003\navex15.sys [2007-12-18 865904]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-11-15 169200]
S4 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-11-15 1756912]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-3-7 24652]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-01-01 13:18 1,323,637 ---sh--- C:\S55.exe
2009-01-01 13:18 454,656 ---sh--- C:\F55.exe
2009-01-01 13:17 1,323,637 ---sh--- C:\S36.exe
2009-01-01 13:17 454,656 ---sh--- C:\F36.exe
2009-01-01 13:16 454,656 ---sh--- C:\F46.exe
2009-01-01 12:47 <DIR> --d----- c:\docume~1\danny\applic~1\AntispywareBot
2009-01-01 12:46 <DIR> --d----- c:\program files\AntispywareBot
2009-01-01 12:42 72,704 a------- c:\windows\system32\vjisagpx.dll
2009-01-01 12:42 1,756,354 ---sh--- c:\windows\system32\xpgasijv.ini
2009-01-01 12:39 129,024 a------- c:\windows\system32\jckvky.dll
2009-01-01 12:39 129,024 a------- c:\windows\system32\ffkmepqi.dll
2008-12-31 01:56 129,024 a------- c:\windows\system32\lwdvhv.dll
2008-12-31 01:56 129,024 a------- c:\windows\system32\cngyqnqk.dll
2008-12-31 01:50 1,756,354 ---sh--- c:\windows\system32\lndmhxye.ini
2008-12-31 01:50 72,704 -------- c:\windows\system32\eyxhmdnl.dll
2008-12-29 22:54 129,024 a------- c:\windows\system32\gavqzu.dll
2008-12-29 22:54 129,024 a------- c:\windows\system32\rkqptlyq.dll
2008-12-29 22:48 1,756,354 ---sh--- c:\windows\system32\miagsxnt.ini
2008-12-29 22:48 72,704 -------- c:\windows\system32\tnxsgaim.dll
2008-12-28 22:51 129,024 a------- c:\windows\system32\vnwahy.dll
2008-12-28 22:51 129,024 a------- c:\windows\system32\dlqlosrd.dll
2008-12-28 22:42 1,756,347 ---sh--- c:\windows\system32\hnrltlep.ini
2008-12-28 22:42 72,704 -------- c:\windows\system32\peltlrnh.dll
2008-12-27 22:48 129,024 a------- c:\windows\system32\mrsbrv.dll
2008-12-27 22:48 129,024 a------- c:\windows\system32\mittrycx.dll
2008-12-27 22:42 1,755,117 ---sh--- c:\windows\system32\hgqsgkfv.ini
2008-12-27 22:42 72,704 -------- c:\windows\system32\vfkgsqgh.dll
2008-12-27 00:45 129,024 a------- c:\windows\system32\ankqbd.dll
2008-12-27 00:45 129,024 a------- c:\windows\system32\ukxylrle.dll
2008-12-27 00:45 1,745,930 ---sh--- c:\windows\system32\cbepteni.ini
2008-12-27 00:45 72,704 -------- c:\windows\system32\inetpebc.dll
2008-12-25 21:48 1,745,930 ---sh--- c:\windows\system32\ynwihmwh.ini
2008-12-25 21:48 72,704 -------- c:\windows\system32\hwmhiwny.dll
2008-12-25 21:45 129,024 a------- c:\windows\system32\lltzzv.dll
2008-12-25 21:45 129,024 a------- c:\windows\system32\kdgnmqvf.dll
2008-12-24 21:45 129,024 a------- c:\windows\system32\xxhcwc.dll
2008-12-24 21:45 129,024 a------- c:\windows\system32\ywxyttvj.dll
2008-12-24 21:42 1,661,209 ---sh--- c:\windows\system32\jihputln.ini
2008-12-24 21:42 72,704 -------- c:\windows\system32\nltuphij.dll
2008-12-23 23:18 1,661,209 ---sh--- c:\windows\system32\bnfhrhmi.ini
2008-12-23 23:18 72,704 -------- c:\windows\system32\imhrhfnb.dll
2008-12-23 23:15 129,024 a------- c:\windows\system32\nuljcg.dll
2008-12-23 23:15 129,024 a------- c:\windows\system32\fhtymrbe.dll
2008-12-22 21:42 129,024 a------- c:\windows\system32\fbbwtk.dll
2008-12-22 21:42 129,024 a------- c:\windows\system32\dvwpwash.dll
2008-12-22 21:36 1,661,209 ---sh--- c:\windows\system32\ekiyyjrh.ini
2008-12-22 21:36 72,704 -------- c:\windows\system32\hrjyyike.dll
2008-12-22 20:31 129,024 a------- c:\windows\system32\qdguqxhe.dll
2008-12-22 20:31 129,024 a------- c:\windows\system32\irogss.dll
2008-12-21 19:37 129,024 a------- c:\windows\system32\iemcpr.dll
2008-12-21 19:37 129,024 a------- c:\windows\system32\crqxrxuq.dll
2008-12-21 08:47 1,661,209 ---sh--- c:\windows\system32\yjseqern.ini
2008-12-21 08:47 72,704 a------- c:\windows\system32\nreqesjy.dll
2008-12-21 00:02 129,024 a------- c:\windows\system32\hvekrp.dll
2008-12-21 00:02 129,024 a------- c:\windows\system32\gimrgxtn.dll
2008-12-20 01:43 <DIR> --d----- c:\program files\common files\wozq
2008-12-20 01:43 127,578 a------- c:\windows\system32\tsuninst.exe
2008-12-20 01:43 <DIR> --d----- c:\windows\wozq
2008-12-19 23:35 129,024 a------- c:\windows\system32\ohlscs.dll
2008-12-19 23:35 129,024 a------- c:\windows\system32\funhewnf.dll
2008-12-18 15:00 129,024 a------- c:\windows\system32\gndxla.dll
2008-12-18 15:00 129,024 a------- c:\windows\system32\otmoksax.dll
2008-12-18 14:57 1,665,243 ---sh--- c:\windows\system32\hdemhknd.ini
2008-12-18 14:57 72,704 a------- c:\windows\system32\dnkhmedh.dll
2008-12-16 21:50 129,024 a------- c:\windows\system32\jazgsm.dll
2008-12-16 21:50 129,024 a------- c:\windows\system32\vfnftfvh.dll
2008-12-16 21:44 1,647,996 ---sh--- c:\windows\system32\bmycxqrg.ini
2008-12-15 22:08 687,592 a------- c:\windows\system32\atmtd.dll._
2008-12-15 22:08 687,592 a------- c:\windows\system32\atmtd.dll
2008-12-15 22:08 1,989 a------- c:\windows\uninstall_nmon.vbs
2008-12-15 22:08 <DIR> --d----- c:\program files\Network Monitor
2008-12-15 22:08 <DIR> --dsh--- c:\windows\RGFubnk
2008-12-15 22:08 <DIR> --d----- c:\program files\InetGet2
2008-12-15 22:02 <DIR> --d----- c:\docume~1\danny\applic~1\SpeedRunner
2008-12-15 21:57 <DIR> --d----- c:\docume~1\danny\applic~1\Twain
2008-12-15 21:52 <DIR> --d----- c:\program files\Webtools
2008-12-15 21:50 1,647,997 ---sh--- c:\windows\system32\mfvvbupj.ini
2008-12-15 21:48 <DIR> --d----- c:\program files\Mjcore
2008-12-15 21:44 129,024 a------- c:\windows\system32\fagrio.dll
2008-12-15 21:44 129,024 a------- c:\windows\system32\vsxlxbst.dll
2008-12-14 21:43 1,647,997 ---sh--- c:\windows\system32\islewojk.ini
2008-12-14 21:43 129,024 a------- c:\windows\system32\cnbtfe.dll
2008-12-14 21:43 129,024 a------- c:\windows\system32\avdtpdyk.dll
2008-12-14 21:42 673,507 a--sh--- c:\windows\system32\PYHPoqru.ini2
2008-12-14 21:42 673,507 a--sh--- c:\windows\system32\PYHPoqru.ini
2008-12-14 21:42 302,592 a------- c:\windows\system32\urqoPHYP.dll
2008-12-14 21:41 <DIR> --d----- c:\docume~1\danny\applic~1\gadcom
2008-12-14 21:37 66,560 a------- c:\windows\system32\opnklKee.dll
2008-12-14 21:37 34,816 a------- c:\windows\system32\jkkljihG.dll
2008-12-14 21:37 22,016 a------- c:\windows\system32\~.exe

==================== Find3M ====================

2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 09:18 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2005-08-02 16:46 187,904 a--shr-- c:\windows\rgfubnk\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\rgfubnk\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\rgfubnk\l3IRvB4.vbs
2007-06-13 05:23 1,323,637 ---shr-- c:\windows\system32\mncpmgr.exe

============= FINISH: 13:34:36.00 ===============
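The DDS log above is the kind of artifact a responder reads by hand. As an added example (not code from the original post, from BleepingComputer, or from the DDS tool), the following Python script parses the log's "=====" section banners and applies a few defender-side triage heuristics: processes and autoruns living in the user's Application Data or Temp folders or at the drive root, Run entries that name a bare filename instead of a full path, a non-empty AppInit_DLLs value, extra LSA authentication packages, and newly created hidden+system files in system32 or the drive root. The sample input is an excerpt of lines copied verbatim from the posted log; the heuristics and their wording are the editor's own assumptions, not an official detection rule set.

```python
import re
from collections import OrderedDict

# Section banners in a DDS log look like "============== Running Processes ==============="
BANNER = re.compile(r"^=+\s*(.+?)\s*=+$")
# Autorun entries from the Pseudo HJT Report: "uRun: [Name] image-path args"
AUTORUN = re.compile(r"^[um]Run(?:Services)?:\s*\[(.*?)\]\s*(.*)$", re.I)
# "Created Last 30" rows: date time size attributes path
CREATED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$", re.I)

# Locations where legitimate software rarely lives (editor's heuristics, not a DDS feature)
USER_APPDATA = re.compile(r"\\(?:documents and settings|docume~1)\\[^\\]+\\(?:application data|applic~1)\\", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)

# Excerpt of the log posted above (verbatim lines, a few per section)
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\RGFubnk\command.exe
C:\Documents and Settings\Danny\Application Data\gadcom\gadcom.exe
C:\DOCUME~1\Danny\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\F36.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Twain] c:\documents and settings\danny\application data\twain\Twain.exe
uRun: [Microsoft Network DHCP Manager] mncpmgr.exe
mRun: [<NO NAME>]
AppInit_DLLs: jckvky.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqoPHYP

=============== Created Last 30 ================

2009-01-01 13:18 1,323,637 ---sh--- C:\S55.exe
2009-01-01 12:39 129,024 a------- c:\windows\system32\jckvky.dll
2008-12-14 21:42 673,507 a--sh--- c:\windows\system32\PYHPoqru.ini
"""


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]}, in log order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = BANNER.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def path_reason(path):
    """Return why a process or autorun path deserves a second look, or None."""
    if USER_APPDATA.search(path):
        return "runs from the user's Application Data folder"
    if TEMP_DIR.search(path):
        return "runs from a Temp directory"
    if DRIVE_ROOT.match(path):
        return "executable dropped at the drive root"
    return None


def triage(text):
    """Return (section, line, reason) tuples for entries an analyst should review."""
    findings = []
    sections = parse_sections(text)

    for line in sections.get("Running Processes", []):
        reason = path_reason(line)
        if reason:
            findings.append(("Running Processes", line, reason))

    for line in sections.get("Pseudo HJT Report", []):
        m = AUTORUN.match(line)
        if m:
            image = m.group(2).strip().strip('"')
            if not image:
                continue  # e.g. "mRun: [<NO NAME>]" carries no image path
            if "\\" not in image:
                findings.append(("Pseudo HJT Report", line, "autorun names a bare file resolved via the search path"))
            else:
                reason = path_reason(image)
                if reason:
                    findings.append(("Pseudo HJT Report", line, reason))
        elif line.lower().startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(("Pseudo HJT Report", line, "AppInit_DLLs is set: DLL loaded into every user32 process"))
        elif line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            if any(p.lower() != "msv1_0" for p in packages):
                findings.append(("Pseudo HJT Report", line, "extra LSA authentication package loaded into lsass"))

    for line in sections.get("Created Last 30", []):
        m = CREATED.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        # DDS attribute string: 's' = system, 'h' = hidden; new hidden+system files in
        # system32 or the drive root are unusual for legitimate installs
        if "s" in attrs and "h" in attrs and (SYSTEM_DIR.match(path) or DRIVE_ROOT.match(path)):
            findings.append(("Created Last 30", line, "new hidden+system file in system32 or drive root"))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {line}\n    -> {reason}")
```

Two things the output shows that a reader should take from it: the heuristics only nominate entries for review (the Adobe `Adobelm_Cleanup` process in Temp is flagged alongside real malware), and a path-based rule alone misses `jckvky.dll`, whose 129,024-byte sibling DLLs in system32 carry ordinary attributes; it only stands out because the same name also appears in AppInit_DLLs, which is why the sections of a DDS log are read against each other rather than one at a time.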

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:03:30 PM

Posted 02 January 2009 - 01:06 PM

Hello DorsaFL and welcome to BleepingComputer,

Please stay away from RegistryMechanic, unless you know very well what you're doing and fixing.

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

3. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...