
Holy Cow


7 replies to this topic

#1 ever_looking_up

ever_looking_up

  • Members
  • 47 posts

Posted 03 July 2007 - 07:08 PM

So, right now there are a ton of things wrong with my computer: pop-ups out the wazoo, random program shutdowns, ridiculously slow operation, among other things. Please let me know what I need to do to fix it. Here's my log, good luck.

Logfile of HijackThis v1.99.1
Scan saved at 7:04:37 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1156890639\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\cfg32.exe
C:\windows\system32\mrdsregj.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\win320961-214192722007.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\kpitnmyg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 75.126.25.138 www.lookmaze.com
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1156890639\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{4C-C8-8A-A3-ZN}] C:\windows\system32\mrdsregj.exe SKY003
O4 - HKLM\..\Run: [win320961-214192722007] C:\WINDOWS\win320961-214192722007
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinsndt.exe SKY003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\apbxugyr.dll",realset
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\mrdsregj.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinsndt.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182712817250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173744052031
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yhfokngk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
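
As an added example (not part of this thread, and not a BleepingComputer or HijackThis tool), the Python script below parses the line types that appear in the log above (R0/R1, O1, O3, O4, O9, O23) and flags the entries a helper would want to look at first: a non-default Hosts mapping, targets reported "(file missing)" or "(no file)", Run values with no usable path, binaries launched straight from the Windows folder root, and services with no vendor. The heuristics are this example's own assumptions, not a judgement HijackThis itself makes; the sample lines are copied from the posted log with two benign entries added so the script has something to leave alone.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not a HijackThis tool).

The heuristics below are this example's own assumptions about what deserves a
second look; HijackThis itself only lists entries and makes no such judgement.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above, plus benign
# entries (AVG, iPod Service) so the script has something to leave alone.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.com/
O1 - Hosts: 75.126.25.138 www.lookmaze.com
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\\WINDOWS\\cfg32s.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [EarthLink Installer] " /C
O4 - HKLM\\..\\Run: [Configuration Manager] C:\\WINDOWS\\cfg32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: DomainService - Unknown owner - C:\\WINDOWS\\system32\\yhfokngk.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O1 body: "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# An .exe/.dll sitting directly in the Windows folder, e.g. C:\WINDOWS\cfg32.exe
# (system32 and deeper paths deliberately do not match).
WINROOT_EXE_RE = re.compile(r'[A-Za-z]:\\WINDOWS\\[^\\\s"]+\.(?:exe|dll)\b', re.IGNORECASE)
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
DEFAULT_HOSTS = {"localhost"}  # the only name a stock XP hosts file maps


@dataclass
class Finding:
    kind: str
    line: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing looks off."""
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if not m:
        return None  # header, blank, or process-list line
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind == "O1":
        h = HOSTS_RE.match(body)
        if h and h.group("host").lower() not in DEFAULT_HOSTS:
            reasons.append(f"hosts file redirects {h.group('host')} to {h.group('ip')}")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("registered target no longer on disk")
    if kind == "O4":
        r = RUN_RE.match(body)
        if r and not DRIVE_RE.search(r.group("cmd")):
            reasons.append(f"Run value [{r.group('name')}] has no path")
    if WINROOT_EXE_RE.search(body):
        reasons.append("binary launched from the Windows folder root")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service has no vendor")
    return Finding(kind, line, reasons) if reasons else None


def triage_log(text: str):
    """Run triage_line over a whole log and return the findings in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:4} {f.line}")
        for why in f.reasons:
            print(f"       - {why}")
```

The script is meant as a first pass only: an entry it leaves alone (the rundll32 loaders in system32, for instance) can still be malicious, which is why the helper in this thread cross-checks the ComboFix file dates and registry loading points before deciding what to remove.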


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 04 July 2007 - 01:01 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum ever_looking_up :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

First find and delete:
C:\Documents and Settings\David\Desktop\HijackThis.exe

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

========================

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on Hoster.exe.
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open; at the bottom of the window, to the right of Attributes, check the box that says 'Read-only'.
4) Click Apply/OK.

========================

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

========================

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze or hang.


========================

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.

#3 ever_looking_up

ever_looking_up
  • Topic Starter

  • Members
  • 47 posts

Posted 05 July 2007 - 08:12 PM

Welp, here's all that. What now?

Attached Files



#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 06 July 2007 - 03:34 AM

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall Ofb11, then restart your PC.

=================================

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: ComboFix-Do.txt, and save it to your desktop.

File::
C:\WINDOWS\system32\reginix86b.exe
C:\WINDOWS\system32\reginix86b.dll
C:\WINDOWS\system32\reginib_olive.exe
C:\WINDOWS\reginib_olive.exe
C:\WINDOWS\system32\owinsndt.exe
C:\WINDOWS\win320961-214192722007.exe
C:\WINDOWS\xhelper.dll
C:\WINDOWS\system32\378M7WTk.exe
C:\WINDOWS\system32\reginia_olive.exe
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\sys0341927261-212007.exe
C:\WINDOWS\system32\vdsreg.exe
C:\WINDOWS\p328d32.exe
C:\WINDOWS\system32\file.exe
C:\WINDOWS\system32\rtywem.dll
C:\syswwdc.exe
C:\WINDOWS\temparation.exe
C:\WINDOWS\system32\mrdsregj.exe
C:\WINDOWS\uni_eh43.exe
C:\WINDOWS\uninst1014.exe

Folder::
C:\DOCUME~1\Shelly\APPLIC~1\FunWebProducts
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{904D3358-5D5F-4AEE-BB03-0DCF0C0E6E88}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B45FC20D-6906-4E72-AA59-392CC61FDAA9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2AFCBD2-051E-77C3-1407-5BF07DC73D93}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mszsrn32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar"=-

Now drag then drop the ComboFix-Do.txt file onto ComboFix.exe as you see in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

*NOTE*
Please post all replies directly into this topic, NOT as attachments, thanks.

Edited by RichieUK, 06 July 2007 - 04:04 AM.


#5 ever_looking_up

ever_looking_up
  • Topic Starter

  • Members
  • 47 posts

Posted 07 July 2007 - 05:01 PM

Sorry about that. Here's the two logs. I looked all through my computer and couldn't find that program or anything with that name at all. Not sure what that means, but... anywho, here you go.

Logfile of HijackThis v1.99.1
Scan saved at 4:58:58 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {1CD84862-54E4-4A67-85CA-233E3D0BCC18} - C:\Program Files\NetMeeting\holenu.dll
O2 - BHO: H - {21F6EE00-FEC3-4a0e-BA2E-F919CF11D87E} - rsssewe_.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll (file missing)
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182712817250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173744052031
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

"David" - 2007-07-05 20:03:05 - ComboFix 07-07-06 - Service Pack 2

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 78606 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tdceecej.dll
C:\WINDOWS\system32\brknhenl.exe
C:\WINDOWS\system32\cydhsddu.exe
C:\WINDOWS\system32\hdedavhb.exe
C:\WINDOWS\system32\kpitnmyg.exe
C:\WINDOWS\system32\ncnwvfbj.exe
C:\WINDOWS\system32\tmmnaqta.exe
C:\WINDOWS\system32\vuwbbhct.exe
C:\WINDOWS\system32\ygoiltup.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bold.log
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\David\APPLIC~1.\racle~1
C:\DOCUME~1\David\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\David\APPLIC~1.\winantispyware 2007 free
C:\DOCUME~1\David\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
C:\DOCUME~1\David\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\David\APPLIC~1\Install.dat
C:\DOCUME~1\David\Desktop\internet.lnk
C:\Documents and Settings\David.\err.log
C:\Program Files\Common Files\appatc~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\NetMeeting\holenu43855.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\temp\tn3
C:\WINDOWS\144.exe
C:\WINDOWS\asks~1
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\itpb_11.exe
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\mcroso~1
C:\WINDOWS\monterreyn_olive.exe
C:\WINDOWS\scurit~1
C:\WINDOWS\system32\boa.dat
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\ipv6monr.dll
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\monterreym_olive.exe
C:\WINDOWS\system32\monterreyn_olive.exe
C:\WINDOWS\system32\monterreyo_olive.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nso12k.sys
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o05PrEz
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\rsssewe_.dll
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wtscc.exe
C:\WINDOWS\system32\wtsisvcc.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\xmlhelper.dll
C:\WINDOWS\xmlhelper2.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_DRIVER
-------\core
-------\DomainService
-------\Driver


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-05 20:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 19:44 <DIR> d-------- C:\VundoFix Backups
2007-07-05 18:05 97,280 --a------ C:\WINDOWS\system32\reginix86b.exe
2007-07-05 18:05 152,064 --a------ C:\WINDOWS\system32\reginix86b.dll
2007-07-05 18:04 97,280 --a------ C:\WINDOWS\system32\reginib_olive.exe
2007-07-05 18:04 97,280 --a------ C:\WINDOWS\reginib_olive.exe
2007-07-04 17:34 37,924 --a------ C:\WINDOWS\system32\msvcrtdm.dll
2007-07-04 16:48 192,593 --a------ C:\WINDOWS\system32\owinsndt.exe
2007-07-03 16:41 192,512 --a------ C:\WINDOWS\win320961-214192722007.exe
2007-07-03 16:19 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-02 18:48 97,280 --a-s---- C:\WINDOWS\system32\reginia_sc.exe
2007-07-02 18:42 22,592 --a------ C:\WINDOWS\system32\378M7WTk.exe
2007-07-01 19:08 97,280 --a------ C:\WINDOWS\system32\reginia_olive.exe
2007-06-29 16:53 16,006 --a------ C:\WINDOWS\system32\vedxg4am1et2.exe
2007-06-29 15:28 192,512 --a------ C:\WINDOWS\sys0341927261-212007.exe
2007-06-27 22:47 191,005 --a------ C:\WINDOWS\system32\vdsreg.exe
2007-06-26 18:11 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-26 18:01 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2007-06-26 17:59 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-06-26 17:59 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-06-21 15:04 192,512 --a------ C:\WINDOWS\p328d32.exe
2007-06-20 17:36 18,432 --a------ C:\WINDOWS\system32\file.exe
2007-06-20 03:47 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-06-20 03:46 1 --a------ C:\WINDOWS\system32\ps.dat
2007-06-20 03:46 <DIR> d-------- C:\Program Files\Ofb11
2007-06-20 03:45 44,513 --a------ C:\WINDOWS\system32\rtywem.dll
2007-06-20 03:45 14,390 --a------ C:\syswwdc.exe
2007-06-19 14:27 7,680 --ah----- C:\WINDOWS\temparation.exe
2007-06-18 11:41 190,995 --a------ C:\WINDOWS\system32\mrdsregj.exe
2007-06-17 21:56 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-06-17 21:55 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-15 14:43 53,248 --a------ C:\WINDOWS\uni_eh43.exe
2007-06-15 14:42 53,248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-15 01:39 <DIR> d-------- C:\Temp
2007-06-12 10:35 <DIR> d-------- C:\DOCUME~1\Shelly\APPLIC~1\FunWebProducts
2007-06-10 19:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-06-10 08:54 <DIR> d-------- C:\Program Files\iPod
2007-06-10 01:15 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-10 01:15 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-10 01:15 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-06-10 01:15 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-06-10 01:15 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-06-10 01:15 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-06-10 01:15 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-10 01:15 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-06-10 01:15 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-06-10 01:15 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-10 01:15 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-10 01:15 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-10 01:15 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-10 01:15 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-10 01:15 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-10 01:15 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-06-10 01:15 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-10 01:15 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-06-10 01:15 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-10 01:10 <DIR> d-------- C:\Program Files\RedLightCenter
2007-06-09 12:45 <DIR> d-------- C:\Program Files\AIM6
2007-06-08 16:04 <DIR> d-------- C:\Program Files\MySpace
2007-06-08 16:04 <DIR> d-------- C:\DOCUME~1\Shelly\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 22:34:37 110,592 ----a-w C:\WINDOWS\system32\imm32.dll
2007-07-03 04:14:05 -------- d-----w C:\Program Files\Viewpoint
2007-06-26 23:04:37 22,780 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-26 23:03:49 -------- d-----w C:\Program Files\Messenger
2007-06-10 13:54:47 -------- d-----w C:\Program Files\iTunes
2007-06-10 06:10:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-01 17:04:52 -------- d-----w C:\Program Files\Google
2007-06-01 05:32:24 -------- d--h--w C:\DOCUME~1\David\APPLIC~1\Move Networks
2007-06-01 05:30:45 -------- d-----w C:\Program Files\DivX
2007-06-01 05:29:37 -------- d-----w C:\Program Files\DFX
2007-05-07 23:01:35 -------- d-----w C:\Program Files\QuickTime
2007-04-19 15:30:00 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-04-19 15:29:57 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CD84862-54E4-4A67-85CA-233E3D0BCC18}]
2007-04-06 14:27 139264 --a------ C:\Program Files\NetMeeting\holenu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21F6EE00-FEC3-4a0e-BA2E-F919CF11D87E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}]
2007-06-20 03:47 192512 --a------ C:\PROGRA~1\Ofb11\Ofb11.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ED7D3DE-6DBE-4516-8712-436325722327}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-03 16:19 126976 --a------ C:\WINDOWS\xhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{904D3358-5D5F-4AEE-BB03-0DCF0C0E6E88}]
C:\WINDOWS\system32\ssttq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B45FC20D-6906-4E72-AA59-392CC61FDAA9}]
2007-07-05 19:31 152064 --a------ C:\WINDOWS\system32\reginix86b.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2AFCBD2-051E-77C3-1407-5BF07DC73D93}]
2006-08-31 09:39 126976 --a------ C:\WINDOWS\system32\kocaclb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1156890639\ee\AOLSoftware.exe" [2006-04-20 12:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 14:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"My Web Search Bar"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL" []
"EarthLink Installer"=" /C" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 12:10]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mszsrn32]
C:\WINDOWS\system32\mszsrn32.dll


Contents of the 'Scheduled Tasks' folder
2007-07-02 11:34:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-05 05:00:00 C:\WINDOWS\tasks\At1.job
2007-07-05 14:00:40 C:\WINDOWS\tasks\At10.job
2007-07-05 15:00:00 C:\WINDOWS\tasks\At11.job
2007-07-05 16:00:00 C:\WINDOWS\tasks\At12.job
2007-07-05 17:00:00 C:\WINDOWS\tasks\At13.job
2007-07-05 18:00:00 C:\WINDOWS\tasks\At14.job
2007-07-05 19:00:00 C:\WINDOWS\tasks\At15.job
2007-07-05 20:00:00 C:\WINDOWS\tasks\At16.job
2007-07-05 21:00:00 C:\WINDOWS\tasks\At17.job
2007-07-05 22:00:00 C:\WINDOWS\tasks\At18.job
2007-07-05 23:00:00 C:\WINDOWS\tasks\At19.job
2007-07-05 06:00:00 C:\WINDOWS\tasks\At2.job
2007-07-06 00:00:48 C:\WINDOWS\tasks\At20.job
2007-07-06 01:00:00 C:\WINDOWS\tasks\At21.job
2007-07-05 02:00:00 C:\WINDOWS\tasks\At22.job
2007-07-05 03:00:00 C:\WINDOWS\tasks\At23.job
2007-07-05 04:00:00 C:\WINDOWS\tasks\At24.job
2007-07-05 05:00:30 C:\WINDOWS\tasks\At25.job
2007-07-05 06:00:30 C:\WINDOWS\tasks\At26.job
2007-07-05 07:00:30 C:\WINDOWS\tasks\At27.job
2007-07-05 08:00:30 C:\WINDOWS\tasks\At28.job
2007-07-05 09:00:30 C:\WINDOWS\tasks\At29.job
2007-07-05 07:00:00 C:\WINDOWS\tasks\At3.job
2007-07-05 10:00:30 C:\WINDOWS\tasks\At30.job
2007-07-05 11:00:30 C:\WINDOWS\tasks\At31.job
2007-07-05 12:00:30 C:\WINDOWS\tasks\At32.job
2007-07-05 13:00:30 C:\WINDOWS\tasks\At33.job
2007-07-05 14:01:11 C:\WINDOWS\tasks\At34.job
2007-07-05 15:00:30 C:\WINDOWS\tasks\At35.job
2007-07-05 16:00:30 C:\WINDOWS\tasks\At36.job
2007-07-05 17:00:30 C:\WINDOWS\tasks\At37.job
2007-07-05 18:00:31 C:\WINDOWS\tasks\At38.job
2007-07-05 19:00:30 C:\WINDOWS\tasks\At39.job
2007-07-05 08:00:00 C:\WINDOWS\tasks\At4.job
2007-07-05 20:00:30 C:\WINDOWS\tasks\At40.job
2007-07-05 21:00:30 C:\WINDOWS\tasks\At41.job
2007-07-05 22:01:04 C:\WINDOWS\tasks\At42.job
2007-07-05 23:00:30 C:\WINDOWS\tasks\At43.job
2007-07-06 00:03:48 C:\WINDOWS\tasks\At44.job
2007-07-06 01:00:30 C:\WINDOWS\tasks\At45.job
2007-07-05 02:00:30 C:\WINDOWS\tasks\At46.job
2007-07-05 03:00:30 C:\WINDOWS\tasks\At47.job
2007-07-05 04:00:30 C:\WINDOWS\tasks\At48.job
2007-07-05 09:00:00 C:\WINDOWS\tasks\At5.job
2007-07-05 10:00:00 C:\WINDOWS\tasks\At6.job
2007-07-05 11:00:00 C:\WINDOWS\tasks\At7.job
2007-07-05 12:00:00 C:\WINDOWS\tasks\At8.job
2007-07-05 13:00:00 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 20:06:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-05 20:08:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-05 20:07

--- E O F ---

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 July 2007 - 05:31 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\reginix86b.exe
C:\WINDOWS\system32\reginix86b.dll
C:\WINDOWS\system32\reginib_olive.exe
C:\WINDOWS\reginib_olive.exe
C:\WINDOWS\system32\reginia_sc.exe
C:\WINDOWS\system32\msvcrtdm.dll
C:\WINDOWS\system32\owinsndt.exe
C:\WINDOWS\win320961-214192722007.exe
C:\WINDOWS\xhelper.dll
C:\WINDOWS\system32\378M7WTk.exe
C:\WINDOWS\system32\reginia_olive.exe
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\sys0341927261-212007.exe
C:\WINDOWS\system32\vdsreg.exe
C:\WINDOWS\p328d32.exe
C:\WINDOWS\system32\file.exe
C:\WINDOWS\system32\rtywem.dll
C:\syswwdc.exe
C:\WINDOWS\temparation.exe
C:\WINDOWS\system32\mrdsregj.exe
C:\WINDOWS\uni_eh43.exe
C:\WINDOWS\uninst1014.exe
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

Folders to delete:
C:\Program Files\Ofb11
C:\Program Files\Viewpoint
C:\DOCUME~1\Shelly\APPLIC~1\FunWebProducts

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.

#7 ever_looking_up

ever_looking_up
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 10 July 2007 - 06:22 PM

Alright, here are those 2. Things seem to be running a lot smoother. Pop-ups are pretty much gone. Computer running pretty normally. But I'll let you have the final say on when it's done.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vohhupad

*******************

Script file located at: \??\C:\Program Files\lmmvyftp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\reginix86b.exe not found!
Deletion of file C:\WINDOWS\system32\reginix86b.exe failed!

Could not process line:
C:\WINDOWS\system32\reginix86b.exe
Status: 0xc0000034



File C:\WINDOWS\system32\reginix86b.dll not found!
Deletion of file C:\WINDOWS\system32\reginix86b.dll failed!

Could not process line:
C:\WINDOWS\system32\reginix86b.dll
Status: 0xc0000034



File C:\WINDOWS\system32\reginib_olive.exe not found!
Deletion of file C:\WINDOWS\system32\reginib_olive.exe failed!

Could not process line:
C:\WINDOWS\system32\reginib_olive.exe
Status: 0xc0000034



File C:\WINDOWS\reginib_olive.exe not found!
Deletion of file C:\WINDOWS\reginib_olive.exe failed!

Could not process line:
C:\WINDOWS\reginib_olive.exe
Status: 0xc0000034

File C:\WINDOWS\system32\reginia_sc.exe deleted successfully.
File C:\WINDOWS\system32\msvcrtdm.dll deleted successfully.


File C:\WINDOWS\system32\owinsndt.exe not found!
Deletion of file C:\WINDOWS\system32\owinsndt.exe failed!

Could not process line:
C:\WINDOWS\system32\owinsndt.exe
Status: 0xc0000034



File C:\WINDOWS\win320961-214192722007.exe not found!
Deletion of file C:\WINDOWS\win320961-214192722007.exe failed!

Could not process line:
C:\WINDOWS\win320961-214192722007.exe
Status: 0xc0000034



File C:\WINDOWS\xhelper.dll not found!
Deletion of file C:\WINDOWS\xhelper.dll failed!

Could not process line:
C:\WINDOWS\xhelper.dll
Status: 0xc0000034



File C:\WINDOWS\system32\378M7WTk.exe not found!
Deletion of file C:\WINDOWS\system32\378M7WTk.exe failed!

Could not process line:
C:\WINDOWS\system32\378M7WTk.exe
Status: 0xc0000034



File C:\WINDOWS\system32\reginia_olive.exe not found!
Deletion of file C:\WINDOWS\system32\reginia_olive.exe failed!

Could not process line:
C:\WINDOWS\system32\reginia_olive.exe
Status: 0xc0000034



File C:\WINDOWS\system32\vedxg4am1et2.exe not found!
Deletion of file C:\WINDOWS\system32\vedxg4am1et2.exe failed!

Could not process line:
C:\WINDOWS\system32\vedxg4am1et2.exe
Status: 0xc0000034



File C:\WINDOWS\sys0341927261-212007.exe not found!
Deletion of file C:\WINDOWS\sys0341927261-212007.exe failed!

Could not process line:
C:\WINDOWS\sys0341927261-212007.exe
Status: 0xc0000034



File C:\WINDOWS\system32\vdsreg.exe not found!
Deletion of file C:\WINDOWS\system32\vdsreg.exe failed!

Could not process line:
C:\WINDOWS\system32\vdsreg.exe
Status: 0xc0000034



File C:\WINDOWS\p328d32.exe not found!
Deletion of file C:\WINDOWS\p328d32.exe failed!

Could not process line:
C:\WINDOWS\p328d32.exe
Status: 0xc0000034



File C:\WINDOWS\system32\file.exe not found!
Deletion of file C:\WINDOWS\system32\file.exe failed!

Could not process line:
C:\WINDOWS\system32\file.exe
Status: 0xc0000034



File C:\WINDOWS\system32\rtywem.dll not found!
Deletion of file C:\WINDOWS\system32\rtywem.dll failed!

Could not process line:
C:\WINDOWS\system32\rtywem.dll
Status: 0xc0000034



File C:\syswwdc.exe not found!
Deletion of file C:\syswwdc.exe failed!

Could not process line:
C:\syswwdc.exe
Status: 0xc0000034



File C:\WINDOWS\temparation.exe not found!
Deletion of file C:\WINDOWS\temparation.exe failed!

Could not process line:
C:\WINDOWS\temparation.exe
Status: 0xc0000034



File C:\WINDOWS\system32\mrdsregj.exe not found!
Deletion of file C:\WINDOWS\system32\mrdsregj.exe failed!

Could not process line:
C:\WINDOWS\system32\mrdsregj.exe
Status: 0xc0000034



File C:\WINDOWS\uni_eh43.exe not found!
Deletion of file C:\WINDOWS\uni_eh43.exe failed!

Could not process line:
C:\WINDOWS\uni_eh43.exe
Status: 0xc0000034



File C:\WINDOWS\uninst1014.exe not found!
Deletion of file C:\WINDOWS\uninst1014.exe failed!

Could not process line:
C:\WINDOWS\uninst1014.exe
Status: 0xc0000034

File C:\WINDOWS\tasks\At1.job deleted successfully.
File C:\WINDOWS\tasks\At10.job deleted successfully.
File C:\WINDOWS\tasks\At11.job deleted successfully.
File C:\WINDOWS\tasks\At12.job deleted successfully.
File C:\WINDOWS\tasks\At13.job deleted successfully.
File C:\WINDOWS\tasks\At14.job deleted successfully.
File C:\WINDOWS\tasks\At15.job deleted successfully.
File C:\WINDOWS\tasks\At16.job deleted successfully.
File C:\WINDOWS\tasks\At17.job deleted successfully.
File C:\WINDOWS\tasks\At18.job deleted successfully.
File C:\WINDOWS\tasks\At19.job deleted successfully.
File C:\WINDOWS\tasks\At2.job deleted successfully.
File C:\WINDOWS\tasks\At20.job deleted successfully.
File C:\WINDOWS\tasks\At21.job deleted successfully.
File C:\WINDOWS\tasks\At22.job deleted successfully.
File C:\WINDOWS\tasks\At23.job deleted successfully.
File C:\WINDOWS\tasks\At24.job deleted successfully.
File C:\WINDOWS\tasks\At25.job deleted successfully.
File C:\WINDOWS\tasks\At26.job deleted successfully.
File C:\WINDOWS\tasks\At27.job deleted successfully.
File C:\WINDOWS\tasks\At28.job deleted successfully.
File C:\WINDOWS\tasks\At29.job deleted successfully.
File C:\WINDOWS\tasks\At3.job deleted successfully.
File C:\WINDOWS\tasks\At30.job deleted successfully.
File C:\WINDOWS\tasks\At31.job deleted successfully.
File C:\WINDOWS\tasks\At32.job deleted successfully.
File C:\WINDOWS\tasks\At33.job deleted successfully.
File C:\WINDOWS\tasks\At34.job deleted successfully.
File C:\WINDOWS\tasks\At35.job deleted successfully.
File C:\WINDOWS\tasks\At36.job deleted successfully.
File C:\WINDOWS\tasks\At37.job deleted successfully.
File C:\WINDOWS\tasks\At38.job deleted successfully.
File C:\WINDOWS\tasks\At39.job deleted successfully.
File C:\WINDOWS\tasks\At4.job deleted successfully.
File C:\WINDOWS\tasks\At40.job deleted successfully.
File C:\WINDOWS\tasks\At41.job deleted successfully.
File C:\WINDOWS\tasks\At42.job deleted successfully.
File C:\WINDOWS\tasks\At43.job deleted successfully.
File C:\WINDOWS\tasks\At44.job deleted successfully.
File C:\WINDOWS\tasks\At45.job deleted successfully.
File C:\WINDOWS\tasks\At46.job deleted successfully.
File C:\WINDOWS\tasks\At47.job deleted successfully.
File C:\WINDOWS\tasks\At48.job deleted successfully.
File C:\WINDOWS\tasks\At5.job deleted successfully.
File C:\WINDOWS\tasks\At6.job deleted successfully.
File C:\WINDOWS\tasks\At7.job deleted successfully.
File C:\WINDOWS\tasks\At8.job deleted successfully.
File C:\WINDOWS\tasks\At9.job deleted successfully.
Folder C:\Program Files\Ofb11 deleted successfully.


Folder C:\Program Files\Viewpoint not found!
Deletion of folder C:\Program Files\Viewpoint failed!

Could not process line:
C:\Program Files\Viewpoint
Status: 0xc0000034



Folder C:\DOCUME~1\Shelly\APPLIC~1\FunWebProducts not found!
Deletion of folder C:\DOCUME~1\Shelly\APPLIC~1\FunWebProducts failed!

Could not process line:
C:\DOCUME~1\Shelly\APPLIC~1\FunWebProducts
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 6:20:36 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CD84862-54E4-4A67-85CA-233E3D0BCC18} - C:\Program Files\NetMeeting\holenu.dll
O2 - BHO: H - {21F6EE00-FEC3-4a0e-BA2E-F919CF11D87E} - rsssewe_.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: (no name) - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll (file missing)
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182712817250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173744052031
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 10 July 2007 - 06:36 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: H - {21F6EE00-FEC3-4a0e-BA2E-F919CF11D87E} - rsssewe_.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: (no name) - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll (file missing)
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Exit Hijackthis.

Find and delete if present:
C:\Program Files\RXToolBar

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.





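The fix list RichieUK builds above comes from reading the HijackThis log for registrations whose target no longer exists, marked "(file missing)" or "(no file)", which is how leftover BHO and Extra button entries from a cleaned infection are spotted. As an added example that is not part of this thread or of HijackThis itself, the following script parses a handful of the log lines posted above (a constructed subset) and picks out those orphaned entries; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six lines copied from the HijackThis log posted in
# this thread (a subset, not the whole log). Raw string keeps backslashes literal.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {21F6EE00-FEC3-4a0e-BA2E-F919CF11D87E} - rsssewe_.dll (file missing)
O2 - BHO: (no name) - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")   # {8-4-4-4-12} GUID in braces
ORPHAN_MARKERS = ("(file missing)", "(no file)")  # HijackThis wording for a missing target


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. "O2"
    kind: str               # text before the first ": ", e.g. "BHO" or "HKLM\..\Run"
    body: str               # everything after "O2 - "
    clsid: Optional[str]    # registered CLSID, if the line carries one
    orphaned: bool          # HijackThis could not find the referenced file
    no_name: bool           # object registered without a display name


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis 'Oxx - ...' lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        kind = body.split(": ", 1)[0] if ": " in body else body
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            kind=kind,
            body=body,
            clsid=clsid.group(0) if clsid else None,
            orphaned=any(marker in body for marker in ORPHAN_MARKERS),
            no_name="(no name)" in body,
        ))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file is gone: the leftover registrations a helper asks to fix."""
    return [e for e in entries if e.orphaned]


def by_section(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section code, to see at a glance how busy a log is."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(by_section(found))
    for e in orphaned(found):
        print(f"{e.section} {e.kind}: {e.clsid or '-'}  <- {e.body}")
```

Run against the full log from post #7, the orphaned list reproduces the O2 and O9 lines RichieUK selected for 'Fix checked' in post #8.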