
I Think I Have Viralbust But I Am Not Sure


  • This topic is locked
9 replies to this topic

#1 AFei

AFei

  • Members
  • 43 posts

Posted 05 July 2007 - 12:34 PM

I think I have Viralbust on my computer but don't know where. I get these critical system warnings or fatal errors, like those grey window errors that say what viruses I have and ask me to try a product. I also have some shortcut desktop icons. One is Security Troubleshoot and one is Live Safety Center. When I delete them, they just come back. There are also yellow triangles with an exclamation mark in them, and they just blink. When I click on them they just go away. I also have popups of IE that say security update, protection center, or the URL savetheinformation.com. They come up unlimitedly and are hard to close, unless you open Task Manager and then find the IE file under Processes. When you close them they just come back! I have used Ad-Aware 2007, Spybot Search and Destroy, AVG Anti-Spyware, and ewido.

Sometimes firefox would stop and turn black.


I have run ComboFix, and the IE popups are gone, but I am still having problems with the grey box and the yellow balloon.


Logfile of HijackThis v1.99.1
Scan saved at 10:21:25 AM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\My Downloads\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\Documents and Settings\Carissa\Desktop\stinger.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ijezwnjv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\My Downloads\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Edited by AFei, 05 July 2007 - 05:32 PM.



#2 AFei

AFei
  • Topic Starter

  • Members
  • 43 posts

Posted 05 July 2007 - 02:10 PM

Here is the log for ComboFix:

"Carissa" - 2007-07-05 11:56:29 - ComboFix 07-07-06 - Service Pack 2
Command switches used :: C:\Documents and Settings\Carissa\Desktop\combo fix.txt


((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))


2007-07-05 11:47 <DIR> d-------- C:\DOCUME~1\Carissa\APPLIC~1\Ventrilo
2007-07-05 10:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 10:37 <DIR> d-------- C:\Program Files\Paint.NET
2007-07-05 10:14 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-05 10:14 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-07-05 10:14 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-07-05 10:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-07-05 10:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-07-05 10:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-07-05 10:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-07-05 10:14 <DIR> d-------- C:\Program Files\Sygate
2007-07-05 09:49 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-05 09:15 356,416 --a------ C:\WINDOWS\system32\yphaypjq.exe
2007-07-05 09:15 319,488 --a------ C:\WINDOWS\system32\ijezwnjv.dll
2007-07-05 09:01 356,416 --a------ C:\WINDOWS\system32\avftywdn.exe
2007-07-05 09:01 319,488 --a------ C:\WINDOWS\system32\eqtradex.dll
2007-07-05 08:53 356,416 --a------ C:\WINDOWS\system32\yvlynybp.exe
2007-07-05 08:53 319,488 --a------ C:\WINDOWS\system32\zdityzwb.dll
2007-07-05 08:50 356,416 --a------ C:\WINDOWS\system32\jdrfnoyw.exe
2007-07-05 08:50 319,488 --a------ C:\WINDOWS\system32\zvcmqogv.dll
2007-07-05 08:50 315,456 --a------ C:\WINDOWS\system32\pxxtfuso.dll
2007-07-05 08:50 315,456 --a------ C:\WINDOWS\system32\epclviug.dll
2007-07-05 08:30 356,416 --a------ C:\WINDOWS\system32\telhumqi.exe
2007-07-05 08:30 319,488 --a------ C:\WINDOWS\system32\yijzpree.dll
2007-07-05 00:04 356,416 --a------ C:\WINDOWS\system32\qubbhfix.exe
2007-07-05 00:04 319,488 --a------ C:\WINDOWS\system32\zjftrdtk.dll
2007-07-05 00:02 356,416 --a------ C:\WINDOWS\system32\ukudbidd.exe
2007-07-05 00:02 319,488 --a------ C:\WINDOWS\system32\cviilzzm.dll
2007-07-04 18:42 356,416 --a------ C:\WINDOWS\system32\unbsptwb.exe
2007-07-04 18:42 319,488 --a------ C:\WINDOWS\system32\ujhovbzf.dll
2007-07-04 18:29 356,416 --a------ C:\WINDOWS\system32\hnhjgbbd.exe
2007-07-04 18:29 319,488 --a------ C:\WINDOWS\system32\fgmmqmvl.dll
2007-07-04 18:24 356,416 --a------ C:\WINDOWS\system32\bokfhomm.exe
2007-07-04 18:24 319,488 --a------ C:\WINDOWS\system32\biqlqjnz.dll
2007-07-04 18:01 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-04 17:45 <DIR> d-------- C:\DOCUME~1\CALVIN~1\APPLIC~1\Leadertech
2007-07-04 17:41 356,416 --a------ C:\WINDOWS\system32\ryvmyvss.exe
2007-07-04 17:41 319,488 --a------ C:\WINDOWS\system32\wzsgeeqi.dll
2007-07-04 13:37 356,416 --a------ C:\WINDOWS\system32\ksdkpalp.exe
2007-07-04 13:37 319,488 --a------ C:\WINDOWS\system32\xuibufah.dll
2007-07-04 13:12 356,416 --a------ C:\WINDOWS\system32\yutvsqqi.exe
2007-07-04 13:12 319,488 --a------ C:\WINDOWS\system32\fovttzsw.dll
2007-07-04 13:10 315,456 --a------ C:\WINDOWS\system32\roxgfnqw.dll
2007-07-04 13:01 <DIR> d-------- C:\DOCUME~1\CALVIN~1\.housecall6.6
2007-07-04 12:42 356,416 --a------ C:\WINDOWS\system32\cyuopljq.exe
2007-07-04 12:42 319,488 --a------ C:\WINDOWS\system32\kxixfmhl.dll
2007-07-04 11:56 356,416 --a------ C:\WINDOWS\system32\nnqbljev.exe
2007-07-04 11:56 319,488 --a------ C:\WINDOWS\system32\nyaxiixg.dll
2007-07-04 11:50 356,416 --a------ C:\WINDOWS\system32\hkagjxvv.exe
2007-07-04 11:50 319,488 --a------ C:\WINDOWS\system32\aewmgasy.dll
2007-07-04 11:43 356,416 --a------ C:\WINDOWS\system32\odcsolqy.exe
2007-07-04 11:43 319,488 --a------ C:\WINDOWS\system32\egpayvlv.dll
2007-07-04 11:41 356,416 --a------ C:\WINDOWS\system32\hhaegtrh.exe
2007-07-04 11:41 319,488 --a------ C:\WINDOWS\system32\nkftdkfo.dll
2007-07-03 22:45 356,416 --a------ C:\WINDOWS\system32\qyxwnjrl.exe
2007-07-03 22:45 319,488 --a------ C:\WINDOWS\system32\fsccjuly.dll
2007-07-03 21:27 356,416 --a------ C:\WINDOWS\system32\vkvnlgce.exe
2007-07-03 21:27 319,488 --a------ C:\WINDOWS\system32\qnuyzxgu.dll
2007-07-03 16:05 356,416 --a------ C:\WINDOWS\system32\innnwnew.exe
2007-07-03 16:05 319,488 --a------ C:\WINDOWS\system32\sharzuwo.dll
2007-07-03 15:56 3,108 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-03 15:51 356,416 --a------ C:\WINDOWS\system32\mvgphgdb.exe
2007-07-03 15:51 319,488 --a------ C:\WINDOWS\system32\bczxwrlz.dll
2007-07-03 15:46 356,416 --a------ C:\WINDOWS\system32\fodxroei.exe
2007-07-03 15:46 319,488 --a------ C:\WINDOWS\system32\sgpzxuis.dll
2007-07-03 15:46 315,456 --a------ C:\WINDOWS\system32\yjwjlarv.dll
2007-07-03 15:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-03 15:42 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-03 15:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-03 15:39 356,416 --a------ C:\WINDOWS\system32\tnbigqhg.exe
2007-07-03 15:39 319,488 --a------ C:\WINDOWS\system32\ihmptanm.dll
2007-07-03 15:17 356,416 --a------ C:\WINDOWS\system32\dknlhauy.exe
2007-07-03 15:17 319,488 --a------ C:\WINDOWS\system32\jtfcmzgk.dll
2007-07-03 15:17 315,456 --a------ C:\WINDOWS\system32\ntjbqfsh.dll
2007-07-03 15:17 315,456 --a------ C:\WINDOWS\system32\ctpylsue.dll
2007-07-03 09:59 356,416 --a------ C:\WINDOWS\system32\tsmmommd.exe
2007-07-03 09:59 319,488 --a------ C:\WINDOWS\system32\lwhmffwg.dll
2007-07-02 23:38 319,488 --a------ C:\WINDOWS\system32\drxxufnl.dll
2007-07-02 23:31 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-02 23:27 <DIR> d-------- C:\DOCUME~1\Carissa\APPLIC~1\MalwareBot
2007-07-02 23:21 <DIR> d-------- C:\DOCUME~1\Carissa\DoctorWeb
2007-07-02 22:58 <DIR> d-------- C:\DOCUME~1\Carissa\APPLIC~1\Xfire
2007-07-02 16:40 356,416 --a------ C:\WINDOWS\system32\vvaquudn.exe
2007-07-02 16:15 356,416 --a------ C:\WINDOWS\system32\bevglydg.exe
2007-07-02 16:15 315,456 --a------ C:\WINDOWS\system32\ocgomrhf.dll
2007-07-02 14:45 356,416 --a------ C:\WINDOWS\system32\nykrnjap.exe
2007-07-02 14:45 315,456 --a------ C:\WINDOWS\system32\legttpxf.dll
2007-07-02 14:45 315,456 --a------ C:\WINDOWS\system32\fmmoedqi.dll
2007-07-02 14:42 356,416 --a------ C:\WINDOWS\system32\plcisonf.exe
2007-07-02 13:26 356,416 --a------ C:\WINDOWS\system32\hslsykks.exe
2007-07-02 12:25 356,416 --a------ C:\WINDOWS\system32\nyvolawy.exe
2007-07-02 12:21 <DIR> d-------- C:\WINDOWS\CSC
2007-07-02 12:02 <DIR> d-------- C:\DOCUME~1\Carissa\APPLIC~1\Flickr
2007-07-02 10:11 356,416 --a------ C:\WINDOWS\system32\aqtvejfx.exe
2007-07-02 08:49 356,416 --a------ C:\WINDOWS\system32\jwemfwgs.exe
2007-07-02 08:49 319,488 --a------ C:\Program Files\Hammer.dll
2007-07-02 08:49 315,456 --a------ C:\WINDOWS\system32\xybxedny.dll
2007-07-02 08:49 315,456 --a------ C:\WINDOWS\system32\ubyrvjul.dll
2007-07-02 08:49 315,456 --a------ C:\WINDOWS\system32\jdveupcr.dll
2007-07-02 08:49 315,456 --a------ C:\WINDOWS\system32\gftwtwce.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 16:49:07 1,871 ----a-w C:\WINDOWS\mozver.dat
2007-07-05 01:04:25 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-03 04:08:04 -------- d-----w C:\Program Files\Norton Internet Security
2007-07-02 17:03:08 -------- d-----w C:\Program Files\Online Services
2007-07-02 17:02:44 -------- d-----w C:\Program Files\Windows NT
2007-07-01 22:43:58 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-18 16:40:55 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 15:05:09 -------- d-----w C:\Program Files\Yahoo!
2007-06-10 04:14:06 -------- d-----w C:\Program Files\RADVideo
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 23:30:39 -------- d-----w C:\Program Files\Symantec
2007-06-03 23:30:38 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-03 23:30:38 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-31 05:30:03 872 ----a-w C:\DOCUME~1\Carissa\APPLIC~1\wklnhst.dat
2007-05-22 14:05:52 -------- d-----w C:\Program Files\Sytexis Software
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:10:42 -------- d-----w C:\Program Files\Common Files\TI Shared
2007-05-16 08:10:34 -------- d-----w C:\Program Files\Common Files\Vernier Software
2007-05-09 14:00:48 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2006-11-28 23:39:48 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-23 20:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}]
2007-05-23 12:13 140912 --a------ c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-07-04 12:42 319488 --a------ C:\WINDOWS\system32\kxixfmhl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
2006-08-24 18:07 208896 --a------ C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aewmgasy]
aewmgasy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bczxwrlz]
bczxwrlz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\biqlqjnz]
biqlqjnz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cnztuefh]
cnztuefh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cviilzzm]
cviilzzm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drxxufnl]
drxxufnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egpayvlv]
egpayvlv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eqtradex]
eqtradex.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fgmmqmvl]
fgmmqmvl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fovttzsw]
fovttzsw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsccjuly]
fsccjuly.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ihmptanm]
ihmptanm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ijezwnjv]
ijezwnjv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ikumgoou]
ikumgoou.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jtfcmzgk]
jtfcmzgk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kxixfmhl]
kxixfmhl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lwhmffwg]
lwhmffwg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nkftdkfo]
nkftdkfo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nyaxiixg]
nyaxiixg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\orutignb]
orutignb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ougpiukj]
ougpiukj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qnuyzxgu]
qnuyzxgu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sgpzxuis]
sgpzxuis.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sharzuwo]
sharzuwo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ujhovbzf]
ujhovbzf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vderfqey]
vderfqey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32]
winzzc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzsgeeqi]
wzsgeeqi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xuibufah]
xuibufah.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yijzpree]
yijzpree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zdityzwb]
zdityzwb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zjftrdtk]
zjftrdtk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zvcmqogv]
zvcmqogv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-07-03 06:27:16 C:\WINDOWS\tasks\MalwareBot Scheduled Scan.job
2007-06-30 03:00:01 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Carissa.job
2006-11-20 19:48:45 C:\WINDOWS\tasks\Warranty Reminder 11 month.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 11:59:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-05 12:00:17
C:\ComboFix-quarantined-files.txt ... 2007-07-05 12:00
C:\ComboFix2.txt ... 2007-07-05 11:03

--- E O F ---

#3 AFei

AFei
  • Topic Starter

  • Members
  • 43 posts

Posted 05 July 2007 - 05:50 PM

Hello? I still have popups, and the same ones.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2007 - 03:38 PM

Hello,

First of all, before fixing anything, open Notepad and copy and paste the text present in the codebox below into it:

@echo off
rem http://www.bleepingcomputer.com/forums/t/98786/i-think-i-have-viralbust-but-i-am-not-sure/

For %%g in (
C:\WINDOWS\system32\ijezwnjv.dll
C:\WINDOWS\system32\kxixfmhl.dll
C:\Program Files\Hammer.dll
) do catchme -l nul -k %%g >nul

catchme -l nul -k %0 >nul
nircmd execmd move /y "~$folder.desktop$\catchme.zip" "Submit [%date:/=-% %time::=.%].zip"
echo.Please submit the file - Submit [%date:/=-% %time::=.%].zip
nircmd wait 7000
del %0
Save this as Submit.bat, choose "All Files" as the save type, and place it on your desktop.
It should look like this: [screenshot]
(In case you are unsure how to create a bat file, take a look here with screenshots.)

Doubleclick on it and allow it to generate a zipped file called Submit [Date Time].zip
Please submit this file to: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Then,

I see you have MalwareBot installed. Please uninstall it since it has a questionable reputation.
After uninstall,


* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\tasks\MalwareBot Scheduled Scan.job
C:\WINDOWS\system32\yphaypjq.exe
C:\WINDOWS\system32\avftywdn.exe
C:\WINDOWS\system32\eqtradex.dll
C:\WINDOWS\system32\yvlynybp.exe
C:\WINDOWS\system32\zdityzwb.dll
C:\WINDOWS\system32\jdrfnoyw.exe
C:\WINDOWS\system32\ijezwnjv.dll
C:\Program Files\Hammer.dll
C:\WINDOWS\system32\kxixfmhl.dll
C:\WINDOWS\system32\zvcmqogv.dll
C:\WINDOWS\system32\pxxtfuso.dll
C:\WINDOWS\system32\epclviug.dll
C:\WINDOWS\system32\telhumqi.exe
C:\WINDOWS\system32\yijzpree.dll
C:\WINDOWS\system32\qubbhfix.exe
C:\WINDOWS\system32\zjftrdtk.dll
C:\WINDOWS\system32\ukudbidd.exe
C:\WINDOWS\system32\cviilzzm.dll
C:\WINDOWS\system32\unbsptwb.exe
C:\WINDOWS\system32\ujhovbzf.dll
C:\WINDOWS\system32\hnhjgbbd.exe
C:\WINDOWS\system32\fgmmqmvl.dll
C:\WINDOWS\system32\bokfhomm.exe
C:\WINDOWS\system32\biqlqjnz.dll
C:\WINDOWS\system32\ryvmyvss.exe
C:\WINDOWS\system32\wzsgeeqi.dll
C:\WINDOWS\system32\ksdkpalp.exe
C:\WINDOWS\system32\xuibufah.dll
C:\WINDOWS\system32\yutvsqqi.exe
C:\WINDOWS\system32\fovttzsw.dll
C:\WINDOWS\system32\roxgfnqw.dll
C:\WINDOWS\system32\cyuopljq.exe
C:\WINDOWS\system32\kxixfmhl.dll
C:\WINDOWS\system32\nnqbljev.exe
C:\WINDOWS\system32\nyaxiixg.dll
C:\WINDOWS\system32\hkagjxvv.exe
C:\WINDOWS\system32\aewmgasy.dll
C:\WINDOWS\system32\odcsolqy.exe
C:\WINDOWS\system32\egpayvlv.dll
C:\WINDOWS\system32\hhaegtrh.exe
C:\WINDOWS\system32\nkftdkfo.dll
C:\WINDOWS\system32\qyxwnjrl.exe
C:\WINDOWS\system32\fsccjuly.dll
C:\WINDOWS\system32\vkvnlgce.exe
C:\WINDOWS\system32\qnuyzxgu.dll
C:\WINDOWS\system32\innnwnew.exe
C:\WINDOWS\system32\sharzuwo.dll
C:\WINDOWS\system32\mvgphgdb.exe
C:\WINDOWS\system32\bczxwrlz.dll
C:\WINDOWS\system32\fodxroei.exe
C:\WINDOWS\system32\sgpzxuis.dll
C:\WINDOWS\system32\yjwjlarv.dll
C:\WINDOWS\system32\tnbigqhg.exe
C:\WINDOWS\system32\ihmptanm.dll
C:\WINDOWS\system32\dknlhauy.exe
C:\WINDOWS\system32\jtfcmzgk.dll
C:\WINDOWS\system32\ntjbqfsh.dll
C:\WINDOWS\system32\ctpylsue.dll
C:\WINDOWS\system32\tsmmommd.exe
C:\WINDOWS\system32\lwhmffwg.dll
C:\WINDOWS\system32\drxxufnl.dll
C:\WINDOWS\system32\vvaquudn.exe
C:\WINDOWS\system32\bevglydg.exe
C:\WINDOWS\system32\ocgomrhf.dll
C:\WINDOWS\system32\nykrnjap.exe
C:\WINDOWS\system32\legttpxf.dll
C:\WINDOWS\system32\fmmoedqi.dll
C:\WINDOWS\system32\plcisonf.exe
C:\WINDOWS\system32\hslsykks.exe
C:\WINDOWS\system32\nyvolawy.exe
C:\WINDOWS\system32\aqtvejfx.exe
C:\WINDOWS\system32\jwemfwgs.exe
C:\WINDOWS\system32\xybxedny.dll
C:\WINDOWS\system32\ubyrvjul.dll
C:\WINDOWS\system32\jdveupcr.dll
C:\WINDOWS\system32\gftwtwce.dll

Folder::
C:\DOCUME~1\Carissa\APPLIC~1\MalwareBot

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aewmgasy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bczxwrlz]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\biqlqjnz]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cnztuefh]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cviilzzm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drxxufnl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egpayvlv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eqtradex]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fgmmqmvl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fovttzsw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsccjuly]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ihmptanm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ijezwnjv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ikumgoou]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jtfcmzgk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kxixfmhl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lwhmffwg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nkftdkfo]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nyaxiixg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\orutignb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ougpiukj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qnuyzxgu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sgpzxuis]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sharzuwo]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ujhovbzf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vderfqey]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzsgeeqi]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xuibufah]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yijzpree]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zdityzwb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zjftrdtk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zvcmqogv]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Edited above instructions with an extra file to submit.

Edited by miekiemoes, 06 July 2007 - 05:05 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
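As an added triage example (not part of this thread, and not ComboFix's own code), the Python script below reads the two ComboFix sections posted above, 'Files Created' and 'Reg Loading Points', flags groups of random-looking system32 binaries that share one exact byte size (the 356,416-byte .exe / 319,488-byte .dll pairs in the log), ties them to the Winlogon\Notify keys that load them, and renders the File::/Registry:: lines in the CFScript format used in the reply above. The sample excerpt is constructed from lines of the posted log; the allowlist of default Notify subkeys and the eight-character name heuristic are my assumptions.

```python
"""Triage a ComboFix log excerpt for the dropper pattern seen in this thread.

Added example (not ComboFix's or the thread's own code): cluster random-looking
system32 binaries by exact size, tie them to the Winlogon\\Notify keys that load
them, and render the CFScript File::/Registry:: lines used in the thread.
"""
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))

2007-07-05 10:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 09:15 356,416 --a------ C:\WINDOWS\system32\yphaypjq.exe
2007-07-05 09:15 319,488 --a------ C:\WINDOWS\system32\ijezwnjv.dll
2007-07-05 09:01 356,416 --a------ C:\WINDOWS\system32\avftywdn.exe
2007-07-05 09:01 319,488 --a------ C:\WINDOWS\system32\eqtradex.dll
2007-07-04 12:42 356,416 --a------ C:\WINDOWS\system32\cyuopljq.exe
2007-07-04 12:42 319,488 --a------ C:\WINDOWS\system32\kxixfmhl.dll
2007-07-02 23:31 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-02 23:27 <DIR> d-------- C:\DOCUME~1\Carissa\APPLIC~1\MalwareBot

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ijezwnjv]
ijezwnjv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kxixfmhl]
kxixfmhl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32]
winzzc32.dll
"""

# Winlogon\Notify subkeys on a clean Windows XP install (allowlist; an assumption).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# "YYYY-MM-DD HH:MM <size> <attrs> <path>" as printed in the Files Created section.
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+\S+\s+(.+?)\s*$")
NOTIFY_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                        r"\\currentversion\\winlogon\\notify\\)([^\]]+)\]$", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$")   # eight-character generated stems (heuristic)


def stem(path):
    """Lower-case file name (or registry subkey) without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse_log(text):
    """Return ([(size, path), ...], [notify_key, ...]) from the two relevant sections."""
    section, created, notify = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if "Files Created" in line:
            section = "files"
        elif "Find3M Report" in line:
            section = "find3m"               # different column layout; not parsed here
        elif "Reg Loading Points" in line:
            section = "reg"
        elif section == "files":
            m = FILE_LINE.match(line)        # <DIR> rows do not match [\d,]+ and are skipped
            if m:
                created.append((int(m.group(1).replace(",", "")), m.group(2)))
        elif section == "reg":
            m = NOTIFY_KEY.match(line)
            if m:
                notify.append(m.group(1) + m.group(2))
    return created, notify


def size_clusters(created, min_members=3):
    """Random-looking system32 .exe/.dll files grouped by exact size, clusters of >= min_members."""
    by_size = defaultdict(list)
    for size, path in created:
        low = path.lower()
        if "\\system32\\" in low and low.endswith((".exe", ".dll")) and RANDOM_NAME.match(stem(path)):
            by_size[size].append(path)
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_members}


def suspicious_notify(notify, flagged_files):
    """Notify keys whose DLL sits in a flagged cluster, or is random-looking and not a known default."""
    flagged = {stem(p) for p in flagged_files}
    return [k for k in notify
            if stem(k) in flagged or (RANDOM_NAME.match(stem(k)) and stem(k) not in KNOWN_NOTIFY)]


def triage(text):
    """Run the whole pipeline and render CFScript sections in the thread's format."""
    created, notify = parse_log(text)
    clusters = size_clusters(created)
    files = sorted(p for paths in clusters.values() for p in paths)
    keys = suspicious_notify(notify, files)
    script = "\n".join(["File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys]]) + "\n"
    return {"clusters": clusters, "files": files, "notify_keys": keys, "cfscript": script}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["cfscript"])
```

Run against a full ComboFix.txt, the size clustering is what separates the dropper's output from legitimately updated system files such as msvcr80.dll, which share a directory but not a repeating size.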

#5 AFei

AFei
  • Topic Starter

  • Members
  • 43 posts

Posted 06 July 2007 - 05:45 PM

Never mind. My brother has reinstalled the operating system. But thanks anyway.

Edited by AFei, 06 July 2007 - 05:45 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2007 - 05:47 PM

Ok, no problem :thumbsup:

To make sure this won't happen again, please read my Prevention page, which has lots of info and tips on how to prevent this in the future.

Happy Surfing again!

#7 AFei

AFei
  • Topic Starter

  • Members
  • 43 posts

Posted 06 July 2007 - 05:50 PM

I am still kind of mad that all of my files are gone. :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2007 - 05:54 PM

Well, yes, if you format and reinstall, then your files are indeed gone. Not sure why you didn't back them up first...

#9 AFei

AFei
  • Topic Starter

  • Members
  • 43 posts

Posted 06 July 2007 - 07:32 PM

I kind of didn't know he was doing that until very late at night. I should have told him to save my documents on my account to the recovery file. :thumbsup:

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 July 2007 - 04:14 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



