virtumonde?


21 replies to this topic

#1 nyschamp


Posted 16 February 2009 - 04:37 PM

I am new to the site and I need some help finding out what to get rid of, thank you. (After using Spybot, Virtumonde and Virtumonde.prx are the only things that remain.)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:24 PM, on 2/16/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\twext.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {062c85c5-00b3-4293-bf23-7fc491ce8f42} - C:\WINDOWS\System32\jitilemi.dll
O2 - BHO: (no name) - {07EF87C0-D4C5-4EE5-9DFB-56F349106D76} - (no file)
O2 - BHO: (no name) - {0C2025B8-584F-474A-AA60-4ACC67E7C773} - (no file)
O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\netdde.dll (file missing)
O2 - BHO: (no name) - {196ACF63-E914-487B-BB35-790CD7E9D515} - (no file)
O2 - BHO: (no name) - {2911B446-D644-42A6-B986-2E20B2461390} - (no file)
O2 - BHO: (no name) - {2CF3B985-6749-43F7-8302-8DF72F798486} - (no file)
O2 - BHO: (no name) - {2E04DC9F-977B-4EFF-89D4-B45E94F82691} - (no file)
O2 - BHO: (no name) - {40460155-DFD5-4C99-BB83-67529A6C09CB} - (no file)
O2 - BHO: (no name) - {4eade888-a2b0-46e9-a36d-845a8fd57959} - (no file)
O2 - BHO: (no name) - {50F8BF94-BEB5-4715-A5D2-F9F509D4B6FA} - (no file)
O2 - BHO: (no name) - {51D65FB6-8372-4742-8CA0-261CC2F7EF0F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {58d72114-117f-7508-8444-9fc1582f9d45} - {54d9f285-1cf9-4448-8057-f71141127d85} - C:\WINDOWS\System32\jpaxew.dll
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll (file missing)
O2 - BHO: (no name) - {634CF5B3-40B7-4132-AB67-2B9F9EEE41C6} - C:\WINDOWS\System32\ddCSjHWM.dll
O2 - BHO: (no name) - {6806294D-67BC-4474-AABA-DE9FE87B67AC} - (no file)
O2 - BHO: (no name) - {6F9E92B4-F0B9-4D7E-BE25-FE5BFBEC0085} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7657137E-B9AA-49DD-AE3D-EDE0F9471CBF} - (no file)
O2 - BHO: (no name) - {78749A33-3D32-4972-BCAD-2358DB44DC49} - (no file)
O2 - BHO: (no name) - {87AE522E-5A51-4559-B925-4CB3A501410A} - (no file)
O2 - BHO: (no name) - {998B0E1B-23E9-4FE4-B3B5-7D09768FC534} - (no file)
O2 - BHO: (no name) - {9BA40874-B065-48E5-9D97-029D28249D47} - (no file)
O2 - BHO: (no name) - {9c999e14-184b-410f-bb6e-826f35cbe4c8} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - C:\WINDOWS\adsldpby.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\adsldpbz.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - C:\WINDOWS\compstuib.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\compstuid.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - C:\WINDOWS\system32\compstuif.dll (file missing)
O2 - BHO: (no name) - {b526d14a-d675-48de-b275-c055f2a15f94} - (no file)
O2 - BHO: (no name) - {BBA45E92-E416-47D9-A4EE-9875E6FAF4B6} - (no file)
O2 - BHO: (no name) - {bd652582-778b-436c-9a5a-5fad3987e959} - (no file)
O2 - BHO: (no name) - {C0E41948-8B6F-45AB-B0CD-0845328661D6} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS\IECodecPlg.dll (file missing)
O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {dbec8c77-787d-4475-927d-2fb7353370cc} - (no file)
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\system32\adsldpbm.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F408FCF6-CBB9-4961-A551-D1B2DF4B6E2E} - (no file)
O2 - BHO: (no name) - {F58AA8B0-48AA-49E4-986F-A91F881BD13A} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Driv] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: ["noC] ="C:\windows\mrjj.exe
O4 - HKLM\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8465] command /c del "C:\WINDOWS\System32\hufowebi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5425] cmd /c del "C:\WINDOWS\System32\hufowebi.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: ,C:\WINDOWS\System32\razupopi.dll jpaxew.dll
O20 - Winlogon Notify: urqPjJAP - urqPjJAP.dll (file missing)
O20 - Winlogon Notify: __c0032301 - C:\WINDOWS\System32\__c0032301.dat
O22 - SharedTaskScheduler: st3 - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)
O22 - SharedTaskScheduler: Master Browseui - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - (no file)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 10266 bytes


#2 nyschamp


Posted 16 February 2009 - 08:49 PM

Updated logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:17 PM, on 2/16/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\twext.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {062c85c5-00b3-4293-bf23-7fc491ce8f42} - C:\WINDOWS\System32\jitilemi.dll
O2 - BHO: (no name) - {07EF87C0-D4C5-4EE5-9DFB-56F349106D76} - (no file)
O2 - BHO: (no name) - {0C2025B8-584F-474A-AA60-4ACC67E7C773} - (no file)
O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\netdde.dll (file missing)
O2 - BHO: (no name) - {196ACF63-E914-487B-BB35-790CD7E9D515} - (no file)
O2 - BHO: (no name) - {2911B446-D644-42A6-B986-2E20B2461390} - (no file)
O2 - BHO: (no name) - {2AAE2B67-D1AA-47EE-85A9-51424B23F67E} - C:\WINDOWS\System32\ddCSjHWM.dll
O2 - BHO: (no name) - {2CF3B985-6749-43F7-8302-8DF72F798486} - (no file)
O2 - BHO: (no name) - {2E04DC9F-977B-4EFF-89D4-B45E94F82691} - (no file)
O2 - BHO: (no name) - {40460155-DFD5-4C99-BB83-67529A6C09CB} - (no file)
O2 - BHO: (no name) - {4eade888-a2b0-46e9-a36d-845a8fd57959} - (no file)
O2 - BHO: (no name) - {50F8BF94-BEB5-4715-A5D2-F9F509D4B6FA} - (no file)
O2 - BHO: (no name) - {51D65FB6-8372-4742-8CA0-261CC2F7EF0F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54d9f285-1cf9-4448-8057-f71141127d85} - (no file)
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll (file missing)
O2 - BHO: (no name) - {634CF5B3-40B7-4132-AB67-2B9F9EEE41C6} - (no file)
O2 - BHO: (no name) - {6806294D-67BC-4474-AABA-DE9FE87B67AC} - (no file)
O2 - BHO: (no name) - {6F9E92B4-F0B9-4D7E-BE25-FE5BFBEC0085} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7657137E-B9AA-49DD-AE3D-EDE0F9471CBF} - (no file)
O2 - BHO: (no name) - {78749A33-3D32-4972-BCAD-2358DB44DC49} - (no file)
O2 - BHO: (no name) - {87AE522E-5A51-4559-B925-4CB3A501410A} - (no file)
O2 - BHO: (no name) - {998B0E1B-23E9-4FE4-B3B5-7D09768FC534} - (no file)
O2 - BHO: (no name) - {9BA40874-B065-48E5-9D97-029D28249D47} - (no file)
O2 - BHO: (no name) - {9c999e14-184b-410f-bb6e-826f35cbe4c8} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - C:\WINDOWS\adsldpby.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\adsldpbz.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - C:\WINDOWS\compstuib.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\compstuid.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - C:\WINDOWS\system32\compstuif.dll (file missing)
O2 - BHO: (no name) - {b526d14a-d675-48de-b275-c055f2a15f94} - (no file)
O2 - BHO: (no name) - {BBA45E92-E416-47D9-A4EE-9875E6FAF4B6} - (no file)
O2 - BHO: (no name) - {bd652582-778b-436c-9a5a-5fad3987e959} - (no file)
O2 - BHO: (no name) - {C0E41948-8B6F-45AB-B0CD-0845328661D6} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS\IECodecPlg.dll (file missing)
O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {dbec8c77-787d-4475-927d-2fb7353370cc} - (no file)
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\system32\adsldpbm.dll (file missing)
O2 - BHO: {26913983-e89c-f1f9-9f04-596eac40f32e} - {e23f04ca-e695-40f9-9f1f-c98e38931962} - C:\WINDOWS\System32\ivzifl.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F408FCF6-CBB9-4961-A551-D1B2DF4B6E2E} - (no file)
O2 - BHO: (no name) - {F58AA8B0-48AA-49E4-986F-A91F881BD13A} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Driv] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: ["noC] ="C:\windows\mrjj.exe
O4 - HKLM\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s
O4 - HKLM\..\Run: [64d878ad] rundll32.exe "C:\WINDOWS\System32\kvmqtmdo.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8465] command /c del "C:\WINDOWS\System32\hufowebi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5425] cmd /c del "C:\WINDOWS\System32\hufowebi.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: ,C:\WINDOWS\System32\razupopi.dll ivzifl.dll
O20 - Winlogon Notify: urqPjJAP - urqPjJAP.dll (file missing)
O20 - Winlogon Notify: __c0032301 - C:\WINDOWS\System32\__c0032301.dat
O22 - SharedTaskScheduler: st3 - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)
O22 - SharedTaskScheduler: Master Browseui - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - (no file)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 10450 bytes

#3 miekiemoes - Malware Response Team

Posted 17 February 2009 - 02:54 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
Your Windows is outdated! The only service pack you have installed is Service Pack 1. It should be Service Pack 3 already. Any reason why it's outdated?
DO NOT UPDATE NOW! Updating your Windows when it's so severely infected may cause a lot of problems.

And, on top....

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise to clean this up manually if an Antivirus scan is not present, which should be able to deal with most of it and prevent further reinfection.

Extra step... I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Don't expect miracles here, because I have a bad feeling since I see malware-related leftovers from 2 years ago as well. So, you can already imagine how long this computer has been infected. Malware damages a lot, so I really hope you're lucky and a format and reinstall won't be needed here. But keep in mind that this may be the only option left if you want a clean, "undamaged" computer again.

#4 nyschamp


Posted 21 February 2009 - 02:25 AM

Sorry for the delay, and thank you for your help.

Here is the Avira report:

Avira AntiVir Personal
Report file date: Friday, February 20, 2009 23:47

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: GITA-UG3OC511ZL

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 22:57:13
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 22:16:47
ANTIVIR3.VDF : 7.1.0.97 45056 Bytes 11/17/2008 22:38:59
Engineversion : 8.2.0.31
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 16:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/11/2008 20:00:07
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 21:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 15:41:39
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/7/2008 21:06:41
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/7/2008 21:06:41
AEHELP.DLL : 8.1.1.3 119157 Bytes 11/7/2008 21:06:41
AEGEN.DLL : 8.1.1.0 319859 Bytes 11/7/2008 21:06:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 11/7/2008 21:06:41
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, February 20, 2009 23:47

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'hpqimzone.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'IntelMEM.exe' - '1' Module(s) have been scanned
Scan process 'locator.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
33 processes with 33 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '58' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\(Amiel)\Incomplete\T-3545427-mad world.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '49d28998.qua'!


End of the scan: Saturday, February 21, 2009 01:31
Used time: 1:43:36 Hour(s)

The scan has been done completely.

13846 Scanning directories
320207 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
320205 Files not concerned
3407 Archives were scanned
1 Warnings
1 Notes


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:34 AM, on 2/21/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\twext.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {062c85c5-00b3-4293-bf23-7fc491ce8f42} - C:\WINDOWS\System32\jitilemi.dll (file missing)
O2 - BHO: (no name) - {07EF87C0-D4C5-4EE5-9DFB-56F349106D76} - (no file)
O2 - BHO: (no name) - {0C2025B8-584F-474A-AA60-4ACC67E7C773} - (no file)
O2 - BHO: (no name) - {196ACF63-E914-487B-BB35-790CD7E9D515} - (no file)
O2 - BHO: (no name) - {2911B446-D644-42A6-B986-2E20B2461390} - (no file)
O2 - BHO: (no name) - {2AAE2B67-D1AA-47EE-85A9-51424B23F67E} - (no file)
O2 - BHO: (no name) - {2CF3B985-6749-43F7-8302-8DF72F798486} - (no file)
O2 - BHO: (no name) - {2E04DC9F-977B-4EFF-89D4-B45E94F82691} - (no file)
O2 - BHO: {0e9b8d2b-a058-0789-6884-3325900d60b3} - {3b06d009-5233-4886-9870-850ab2d8b9e0} - C:\WINDOWS\System32\cuyyxi.dll
O2 - BHO: (no name) - {40460155-DFD5-4C99-BB83-67529A6C09CB} - (no file)
O2 - BHO: (no name) - {4264619E-5371-46D9-A0B9-44D9D11F2C2F} - (no file)
O2 - BHO: (no name) - {4eade888-a2b0-46e9-a36d-845a8fd57959} - (no file)
O2 - BHO: (no name) - {50F8BF94-BEB5-4715-A5D2-F9F509D4B6FA} - (no file)
O2 - BHO: (no name) - {51D65FB6-8372-4742-8CA0-261CC2F7EF0F} - (no file)
O2 - BHO: (no name) - {54d9f285-1cf9-4448-8057-f71141127d85} - (no file)
O2 - BHO: (no name) - {634CF5B3-40B7-4132-AB67-2B9F9EEE41C6} - (no file)
O2 - BHO: (no name) - {6806294D-67BC-4474-AABA-DE9FE87B67AC} - (no file)
O2 - BHO: (no name) - {6F9E92B4-F0B9-4D7E-BE25-FE5BFBEC0085} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7657137E-B9AA-49DD-AE3D-EDE0F9471CBF} - (no file)
O2 - BHO: (no name) - {78749A33-3D32-4972-BCAD-2358DB44DC49} - (no file)
O2 - BHO: (no name) - {7FFC08D4-56D3-4C65-AD51-12EFD02220C8} - (no file)
O2 - BHO: (no name) - {815DFC23-EA2F-443C-9090-6358D1C0457A} - (no file)
O2 - BHO: (no name) - {87AE522E-5A51-4559-B925-4CB3A501410A} - (no file)
O2 - BHO: (no name) - {9284EFBE-F205-4715-8A31-0B178C0DAC74} - C:\WINDOWS\System32\ddCSjHWM.dll
O2 - BHO: (no name) - {998B0E1B-23E9-4FE4-B3B5-7D09768FC534} - (no file)
O2 - BHO: (no name) - {9BA40874-B065-48E5-9D97-029D28249D47} - (no file)
O2 - BHO: (no name) - {9c999e14-184b-410f-bb6e-826f35cbe4c8} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\adsldpbz.dll (file missing)
O2 - BHO: (no name) - {b526d14a-d675-48de-b275-c055f2a15f94} - (no file)
O2 - BHO: (no name) - {BBA45E92-E416-47D9-A4EE-9875E6FAF4B6} - (no file)
O2 - BHO: (no name) - {bd652582-778b-436c-9a5a-5fad3987e959} - (no file)
O2 - BHO: (no name) - {C0E41948-8B6F-45AB-B0CD-0845328661D6} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {CCBA184B-F797-4311-AB1C-21A6BCE7D0F0} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {dbec8c77-787d-4475-927d-2fb7353370cc} - (no file)
O2 - BHO: (no name) - {e23f04ca-e695-40f9-9f1f-c98e38931962} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F408FCF6-CBB9-4961-A551-D1B2DF4B6E2E} - (no file)
O2 - BHO: (no name) - {F58AA8B0-48AA-49E4-986F-A91F881BD13A} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Driv] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: ["noC] ="C:\windows\mrjj.exe
O4 - HKLM\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: ,C:\WINDOWS\System32\razupopi.dll ldhseo.dll cuyyxi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: urqPjJAP - urqPjJAP.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9769 bytes

#5 miekiemoes (Malware Response Team)

Posted 21 February 2009 - 03:08 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 nyschamp (Topic Starter)

Posted 23 February 2009 - 06:56 PM

After trying to run ComboFix, it says "application is unexpected at this time" when it starts to scan.

#7 miekiemoes (Malware Response Team)

Posted 23 February 2009 - 07:16 PM

Hi,

Did you disable your Antivirus as I asked in my previous post?
If that doesn't make a change either, try Combofix from Windows safe mode.

#8 nyschamp (Topic Starter)

Posted 27 February 2009 - 10:51 PM

I tried running it in safe mode, but the same error occurs.

#9 miekiemoes (Malware Response Team)

Posted 28 February 2009 - 04:10 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#10 nyschamp (Topic Starter)

Posted 01 March 2009 - 10:57 AM

*MBAM REPORT---------


Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 5.1.2600 Service Pack 1

2009-03-01 10:42:50
mbam-log-2009-03-01 (10-42-50).txt

Scan type: Quick Scan
Objects scanned: 203887
Time elapsed: 10 hour(s), 35 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3b06d009-5233-4886-9870-850ab2d8b9e0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3b06d009-5233-4886-9870-850ab2d8b9e0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{062c85c5-00b3-4293-bf23-7fc491ce8f42} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{062c85c5-00b3-4293-bf23-7fc491ce8f42} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{50da37bb-7083-4fa7-80cf-de4cdb634166} (Adware.WebDir) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yepawevelo (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\System32\cuyyxi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\robuteza.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kopurege.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kusitozo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bufezika.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gigivada.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mirikiri.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yizimife.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yofabutu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ttepvioc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\WL278T67\upd105320[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gita\Local Settings\Temporary Internet Files\Content.IE5\3643RHG1\SystemGuard2009[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gita\Local Settings\Temporary Internet Files\Content.IE5\3643RHG1\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gita\Local Settings\Temporary Internet Files\Content.IE5\EH8FAXI5\SystemGuard2009[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gita\Local Settings\Temporary Internet Files\Content.IE5\UXTMBYP8\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\4JD7UINL\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\IH4Z0N0T\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.


*HijackThis log-----------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57, on 2009-03-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {07EF87C0-D4C5-4EE5-9DFB-56F349106D76} - (no file)
O2 - BHO: (no name) - {0C2025B8-584F-474A-AA60-4ACC67E7C773} - (no file)
O2 - BHO: (no name) - {196ACF63-E914-487B-BB35-790CD7E9D515} - (no file)
O2 - BHO: (no name) - {2911B446-D644-42A6-B986-2E20B2461390} - (no file)
O2 - BHO: (no name) - {2AAE2B67-D1AA-47EE-85A9-51424B23F67E} - (no file)
O2 - BHO: (no name) - {2CF3B985-6749-43F7-8302-8DF72F798486} - (no file)
O2 - BHO: (no name) - {2E04DC9F-977B-4EFF-89D4-B45E94F82691} - (no file)
O2 - BHO: (no name) - {40460155-DFD5-4C99-BB83-67529A6C09CB} - (no file)
O2 - BHO: (no name) - {4264619E-5371-46D9-A0B9-44D9D11F2C2F} - (no file)
O2 - BHO: (no name) - {4eade888-a2b0-46e9-a36d-845a8fd57959} - (no file)
O2 - BHO: (no name) - {50F8BF94-BEB5-4715-A5D2-F9F509D4B6FA} - (no file)
O2 - BHO: (no name) - {51D65FB6-8372-4742-8CA0-261CC2F7EF0F} - (no file)
O2 - BHO: (no name) - {54311C93-5063-4F78-9165-7A19FB712B0C} - C:\WINDOWS\System32\ddCSjHWM.dll (file missing)
O2 - BHO: (no name) - {54d9f285-1cf9-4448-8057-f71141127d85} - (no file)
O2 - BHO: (no name) - {634CF5B3-40B7-4132-AB67-2B9F9EEE41C6} - (no file)
O2 - BHO: (no name) - {6806294D-67BC-4474-AABA-DE9FE87B67AC} - (no file)
O2 - BHO: (no name) - {6F9E92B4-F0B9-4D7E-BE25-FE5BFBEC0085} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7657137E-B9AA-49DD-AE3D-EDE0F9471CBF} - (no file)
O2 - BHO: (no name) - {78749A33-3D32-4972-BCAD-2358DB44DC49} - (no file)
O2 - BHO: (no name) - {7FFC08D4-56D3-4C65-AD51-12EFD02220C8} - (no file)
O2 - BHO: (no name) - {815DFC23-EA2F-443C-9090-6358D1C0457A} - (no file)
O2 - BHO: (no name) - {87AE522E-5A51-4559-B925-4CB3A501410A} - (no file)
O2 - BHO: (no name) - {998B0E1B-23E9-4FE4-B3B5-7D09768FC534} - (no file)
O2 - BHO: (no name) - {9BA40874-B065-48E5-9D97-029D28249D47} - (no file)
O2 - BHO: (no name) - {9c999e14-184b-410f-bb6e-826f35cbe4c8} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\adsldpbz.dll (file missing)
O2 - BHO: (no name) - {b526d14a-d675-48de-b275-c055f2a15f94} - (no file)
O2 - BHO: (no name) - {BBA45E92-E416-47D9-A4EE-9875E6FAF4B6} - (no file)
O2 - BHO: (no name) - {bd652582-778b-436c-9a5a-5fad3987e959} - (no file)
O2 - BHO: (no name) - {C0E41948-8B6F-45AB-B0CD-0845328661D6} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {CCBA184B-F797-4311-AB1C-21A6BCE7D0F0} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {dbec8c77-787d-4475-927d-2fb7353370cc} - (no file)
O2 - BHO: (no name) - {e23f04ca-e695-40f9-9f1f-c98e38931962} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F408FCF6-CBB9-4961-A551-D1B2DF4B6E2E} - (no file)
O2 - BHO: (no name) - {F58AA8B0-48AA-49E4-986F-A91F881BD13A} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Driv] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: ["noC] ="C:\windows\mrjj.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} (CheckFileStatus.UserControl1) - https://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: urqPjJAP - urqPjJAP.dll (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8682 bytes

#11 miekiemoes (Malware Response Team)

Posted 01 March 2009 - 11:11 AM

Hi,

You uninstalled your Antivirus again? Why?
Please explain...

#12 nyschamp (Topic Starter)

Posted 01 March 2009 - 11:53 AM

I thought 2 other antivirus programs were good enough; should I keep all of them or just install Avira? (I have Spybot and SuperAntiSpyware.)

#13 miekiemoes (Malware Response Team)

Posted 01 March 2009 - 11:58 AM

Spybot and SuperAntiSpyware are antispyware, not antivirus.
That's why you should keep Avira.

So please reinstall it.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {07EF87C0-D4C5-4EE5-9DFB-56F349106D76} - (no file)
O2 - BHO: (no name) - {0C2025B8-584F-474A-AA60-4ACC67E7C773} - (no file)
O2 - BHO: (no name) - {196ACF63-E914-487B-BB35-790CD7E9D515} - (no file)
O2 - BHO: (no name) - {2911B446-D644-42A6-B986-2E20B2461390} - (no file)
O2 - BHO: (no name) - {2AAE2B67-D1AA-47EE-85A9-51424B23F67E} - (no file)
O2 - BHO: (no name) - {2CF3B985-6749-43F7-8302-8DF72F798486} - (no file)
O2 - BHO: (no name) - {2E04DC9F-977B-4EFF-89D4-B45E94F82691} - (no file)
O2 - BHO: (no name) - {40460155-DFD5-4C99-BB83-67529A6C09CB} - (no file)
O2 - BHO: (no name) - {4264619E-5371-46D9-A0B9-44D9D11F2C2F} - (no file)
O2 - BHO: (no name) - {4eade888-a2b0-46e9-a36d-845a8fd57959} - (no file)
O2 - BHO: (no name) - {50F8BF94-BEB5-4715-A5D2-F9F509D4B6FA} - (no file)
O2 - BHO: (no name) - {51D65FB6-8372-4742-8CA0-261CC2F7EF0F} - (no file)
O2 - BHO: (no name) - {54311C93-5063-4F78-9165-7A19FB712B0C} - C:\WINDOWS\System32\ddCSjHWM.dll (file missing)
O2 - BHO: (no name) - {54d9f285-1cf9-4448-8057-f71141127d85} - (no file)
O2 - BHO: (no name) - {634CF5B3-40B7-4132-AB67-2B9F9EEE41C6} - (no file)
O2 - BHO: (no name) - {6806294D-67BC-4474-AABA-DE9FE87B67AC} - (no file)
O2 - BHO: (no name) - {6F9E92B4-F0B9-4D7E-BE25-FE5BFBEC0085} - (no file)
O2 - BHO: (no name) - {7657137E-B9AA-49DD-AE3D-EDE0F9471CBF} - (no file)
O2 - BHO: (no name) - {78749A33-3D32-4972-BCAD-2358DB44DC49} - (no file)
O2 - BHO: (no name) - {7FFC08D4-56D3-4C65-AD51-12EFD02220C8} - (no file)
O2 - BHO: (no name) - {815DFC23-EA2F-443C-9090-6358D1C0457A} - (no file)
O2 - BHO: (no name) - {87AE522E-5A51-4559-B925-4CB3A501410A} - (no file)
O2 - BHO: (no name) - {998B0E1B-23E9-4FE4-B3B5-7D09768FC534} - (no file)
O2 - BHO: (no name) - {9BA40874-B065-48E5-9D97-029D28249D47} - (no file)
O2 - BHO: (no name) - {9c999e14-184b-410f-bb6e-826f35cbe4c8} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\adsldpbz.dll (file missing)
O2 - BHO: (no name) - {b526d14a-d675-48de-b275-c055f2a15f94} - (no file)
O2 - BHO: (no name) - {BBA45E92-E416-47D9-A4EE-9875E6FAF4B6} - (no file)
O2 - BHO: (no name) - {bd652582-778b-436c-9a5a-5fad3987e959} - (no file)
O2 - BHO: (no name) - {C0E41948-8B6F-45AB-B0CD-0845328661D6} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {CCBA184B-F797-4311-AB1C-21A6BCE7D0F0} - (no file)
O2 - BHO: (no name) - {dbec8c77-787d-4475-927d-2fb7353370cc} - (no file)
O2 - BHO: (no name) - {e23f04ca-e695-40f9-9f1f-c98e38931962} - (no file)
O2 - BHO: (no name) - {F408FCF6-CBB9-4961-A551-D1B2DF4B6E2E} - (no file)
O2 - BHO: (no name) - {F58AA8B0-48AA-49E4-986F-A91F881BD13A} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O4 - HKLM\..\Run: [Driv] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O4 - HKLM\..\Run: ["noC] ="C:\windows\mrjj.exe
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKUS\S-1-5-19\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'NETWORK SERVICE')
O20 - Winlogon Notify: urqPjJAP - urqPjJAP.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then REBOOT!

After reboot, post a new HijackThis log in your next reply.


Also, please let me know how it comes that you haven't installed SP2 or SP3 yet, and haven't installed IE7 either.

#14 nyschamp

nyschamp
  • Topic Starter

  • Members
  • 12 posts

Posted 01 March 2009 - 12:32 PM

hijackthis log---------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30, on 2009-03-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: ["noC] ="C:\windows\mrjj.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} (CheckFileStatus.UserControl1) - https://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 5971 bytes

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 March 2009 - 12:35 PM

Hi,

This looks OK again. Just one entry remains that HijackThis had problems fixing, since the "displayname" has an extra quote in it.
So to fix it...

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

; the value name is "noC (with a leading quote), so the quote is escaped with a backslash
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\"noC"=-

Save this as fix.reg (choose to save as *all files) and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Let me know in your next reply how things are now.
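As an added example (not part of this thread, and not HijackThis code), here is a Python script that reads HijackThis O2/O4 lines like the ones above, lists the orphaned "(no file)" entries, finds Run values whose name itself contains a quote (the case HijackThis could not fix), and emits a REGEDIT4 deletion with the quote properly escaped. The sample log lines are constructed to mirror this thread, not taken from the poster's log.

```python
import re

# Constructed sample lines modelled on the O2/O4 entries in this thread
# (not the poster's actual log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9BA40874-B065-48E5-9D97-029D28249D47} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\adsldpbz.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: ["noC] ="C:\windows\mrjj.exe
O4 - HKUS\S-1-5-19\..\Run: [yepawevelo] Rundll32.exe "C:\WINDOWS\System32\wezorewe.dll",s (User 'LOCAL SERVICE')
"""

# O4 line layout: hive (optionally with a SID), "\..\Run: [", value name, "] ", command data.
O4_RE = re.compile(r"^O4 - (HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(.*?)\] (.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_run_entries(log):
    """Return (full registry key, value name, command) for every O4 Run entry."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        root, _, sid = hive.partition("\\")  # "HKUS\S-1-5-19" -> ("HKUS", "S-1-5-19")
        full_key = HIVES[root] + ("\\" + sid if sid else "") + "\\" + RUN_KEY
        entries.append((full_key, name, command))
    return entries


def orphaned_entries(log):
    """Entries whose file is gone; HijackThis marks them (no file) or (file missing)."""
    return [l for l in log.splitlines() if l.endswith("(no file)") or l.endswith("(file missing)")]


def quoted_name_entries(entries):
    """Run values whose name contains a quote; HijackThis's Fix Checked fails on these."""
    return [e for e in entries if '"' in e[1]]


def reg_escape(s):
    """Quote a string for a .reg file: backslashes and double quotes get a backslash."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_fix(entries):
    """REGEDIT4 text deleting the given Run values; in .reg syntax "name"=- deletes a value."""
    out = ["REGEDIT4"]
    for key, name, _ in entries:
        out += ["", "[" + key + "]", '"%s"=-' % reg_escape(name)]
    return "\n".join(out) + "\n"
```

Running `print(build_reg_fix(quoted_name_entries(parse_run_entries(SAMPLE_LOG))))` produces the same fix as the post above, with the embedded quote escaped as `"\"noC"=-`.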



