MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: a lot of pop ups. Need help!
June 26, 2019, 02:54:25 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
June 26, 2019, 02:54:25 PM

Login with username, password and session length
 
News
New  Check out our improved Download section for tons of software....
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2 3 4 Go Down Print
Author Topic: a lot of pop ups. Need help!  (Read 9141 times)
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« on: February 19, 2009, 05:56:31 AM »

Here is a HJT log
Logfile of HijackThis v1.99.1
Scan saved at 00:54, on 2009-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\services.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Owner\Application Data\cogad\cogad.exe
C:\Documents and Settings\HP_Owner\reader_s.exe
C:\WINDOWS\services.exe
C:\Documents and Settings\HP_Owner\Application Data\Twain\Twain.exe
C:\Program Files\VnrPack\VnrPack24.exe
C:\WINDOWS\system32\winword.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\VRT5.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\IA\command.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe
C:\PROGRA~1\COMMON~1\rwiq\rwiqa.exe
C:\Documents and Settings\HP_Owner\My Documents\DAVE'S\SHAREWARE\VIRUS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */

user_pref("aim.internal.buddy.MaxBuddies", 500);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "billiardspro27");
user_pref("aim.session.screenname", "billiardspro27");
user_pref("billiardspro27.aim.session.autologin", false);
user_pref("billiardspro27.aim.session.connectionname", "AIM");
user_pref("billiardspro27.aim.session.firstsignon", false);
user_pref("billiardspro27.aim.session.password", "0");
user_pref("billiardspro27.aim.session.storepassword", false);
user_pref("browser.activation.checkedNNFlag", true);
use
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */

user_pref("aim.internal.buddy.MaxBuddies", 500);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "billiardspro27");
user_pref("aim.session.screenname", "billiardspro27");
user_pref("billiardspro27.aim.session.autologin", false);
user_pref("billiardspro27.aim.session.connectionname", "AIM");
user_pref("billiardspro27.aim.session.firstsignon", false);
user_pref("billiardspro27.aim.session.password", "0");
user_pref("billiardspro27.aim.session.storepassword", false);
user_pref("browser.activation.checkedNNFlag", true);
use
O2 - BHO: CPV - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\WebShow\WebShow.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mlJBQKEt.dll
O2 - BHO: (no name) - {72EA9355-6EEB-4877-AAF2-74D1D22C0464} - C:\WINDOWS\system32\fccyaBqn.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {4b382699-1b5c-ed88-b354-7ba446e2957a} - {a7592e64-4ab7-453b-88de-c5b1996283b4} - C:\WINDOWS\system32\ryxogt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [b4fe43bd] rundll32.exe "C:\WINDOWS\system32\srqwpkrl.dll",b
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\HP_Owner\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe
O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\HP_Owner\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [VnrPack24] "C:\Program Files\VnrPack\VnrPack24.exe"
O4 - HKCU\..\Run: [rwiq] C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe
O4 - Startup: winword.exe.lnk = C:\WINDOWS\system32\winword.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Safecracker\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v45/solitairerush/solitairerush.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42/tilecity/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Mystery P.I. - The Vegas Heist\Images\armhelper.ocx
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44/golfsol/golfsol.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ryxogt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlJBQKEt - C:\WINDOWS\SYSTEM32\mlJBQKEt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #1 on: February 19, 2009, 10:18:20 PM »

Hi.Welcome to the forum


Run both these programs.


Please download Malwarebytes' Anti-Malware from one of these places:

 http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

 http://www.besttechie.net/tools/mbam-setup.exe



Double Click mbam-setup.exe to install the application.
If it will not run make a copy of the MBAM.exe and rename MBAM.exe to xxx.exe and run that.Keep the genuine MBAM.exe as we may need to run that later as is.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

PLEASE NOTE:
 If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


Once that Malwarebytes' Anti-Malware is done removing the malware and you have rebooted the computer, browse around and see if you are still having that problem.


=====================================================================================

=====================================================================================


Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please download from one of these webpages .

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts.

If it will not run  rename Combofix to xxx.exe and run that.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #2 on: February 19, 2009, 11:14:45 PM »

I'm way ahead of you Pancake my old buddy. I found that program in the forums earlier and just got a chance to run it now. Here is the log. Iit caught over 150 files that were infected. It's a great program. I just got online so I will know if it has corrected my problem here soon. I noticed another problem that I have. My computer shuts down after about 5 minutes of being logged in. I have to hurry before it takes me out again.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

2009-02-19 17:54:06
mbam-log-2009-02-19 (17-54-06).txt

Scan type: Quick Scan
Objects scanned: 80837
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 5
Registry Keys Infected: 54
Registry Values Infected: 19
Registry Data Items Infected: 12
Folders Infected: 6
Files Infected: 76

Memory Processes Infected:
C:\Documents and Settings\HP_Owner\Application Data\cogad\cogad.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Program Files\VnrPack\VnrPack24.exe (Adware.Agent) -> Unloaded process successfully.
C:\Documents and Settings\HP_Owner\Application Data\Twain\Twain.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\services.exe (Backdoor.ProRat) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\srqwpkrl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ryxogt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fccyaBqn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Common Files\rwiq\rwiqd\rwiqc.dll (Adware.TargetServer) -> Delete on reboot.
C:\WINDOWS\system32\mlJBQKEt.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7aa4dc06-e5f8-4d20-bb3d-a9559694ec86} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7aa4dc06-e5f8-4d20-bb3d-a9559694ec86} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a7592e64-4ab7-453b-88de-c5b1996283b4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7592e64-4ab7-453b-88de-c5b1996283b4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljbqket (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kqpzyjon (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kqpzyjon (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kqpzyjon (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kqpzyjon (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrPack (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seneka (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4fe43bd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hddwnywe.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlpndbuu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hdliqnbq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnrpack24 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twain (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d4d52c73-5d87-47d4-820c-7ea2c83c98a9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4f88170-6c2d-46a5-b06c-931de5b8c984}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f90a4758-00e6-4460-b521-a45cd5557a16}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d4d52c73-5d87-47d4-820c-7ea2c83c98a9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e4f88170-6c2d-46a5-b06c-931de5b8c984}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f90a4758-00e6-4460-b521-a45cd5557a16}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{d4d52c73-5d87-47d4-820c-7ea2c83c98a9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e4f88170-6c2d-46a5-b06c-931de5b8c984}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f90a4758-00e6-4460-b521-a45cd5557a16}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{d4d52c73-5d87-47d4-820c-7ea2c83c98a9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e4f88170-6c2d-46a5-b06c-931de5b8c984}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f90a4758-00e6-4460-b521-a45cd5557a16}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> Quarantined and deleted successfully.

Logged

 
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #3 on: February 19, 2009, 11:15:18 PM »

heres the rest of the log

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fccyaBqn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fccyaBqn.dllbox (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\c:\windows\system32\fccyabqn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nqBayccf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nqBayccf.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ryxogt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\srqwpkrl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lrkpwqrs.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\reader_s.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Program Files\Common Files\rwiq\rwiqd\rwiqc.dll (Adware.TargetServer) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\hddwnywe.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\xlpndbuu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\hdliqnbq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\WebShow\WebShow.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJBQKEt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\phxtdnoc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgg*yWPG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfDuRhH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfghgHb(2).dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oiizhh(2).dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMgeDst.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yejjwnxf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\kxelmnrl.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\__5.tmp (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\__2B.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\__34.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\__4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\msoaxcwenr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\cmdinst.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\owraesxnmc.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\0AKLM5FP\155[1].net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\COMIVXMD\103[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\cogad\cogad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack\dicts.gz (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack\trgts.gz (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack\VnrPack24.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv721228550018.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv961228088626.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Application Data\Twain\Twain.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekafodjkwki.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekagittimov.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekajbitxtet.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekajqxfaoma.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekalrdklsrf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekapfqjrwqw.sys (Trojan.Agent) -> Delete on reboot.
 
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #4 on: February 19, 2009, 11:29:28 PM »

And the Combofix ??



You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.



Please download HijackThis to your desktop..

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.
















« Last Edit: February 19, 2009, 11:34:29 PM by Pancake » Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #5 on: February 19, 2009, 11:44:03 PM »

here's the new HJT log. I'm getting 15 minutes between rebooting not 5. I was able to restore to an earlier date so I will see if that fixes my reboot problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:47 PM, on 2/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winword.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\HP_Owner\reader_s.exe
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\TEMP\VRT1D.tmp
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\vghd\VirtuaGirl_Downloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */

user_pref("aim.internal.buddy.MaxBuddies", 500);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "billiardspro27");
user_pref("aim.session.screenname", "billiardspro27");
user_pref("billiardspro27.aim.session.autologin", false);
user_pref("billiardspro27.aim.session.connectionname", "AIM");
user_pref("billiardspro27.aim.session.firstsignon", false);
user_pref("billiardspro27.aim.session.password", "0");
user_pref("billiardspro27.aim.session.storepassword", false);
user_pref("browser.activation.checkedNNFlag", true);
use
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */

user_pref("aim.internal.buddy.MaxBuddies", 500);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "billiardspro27");
user_pref("aim.session.screenname", "billiardspro27");
user_pref("billiardspro27.aim.session.autologin", false);
user_pref("billiardspro27.aim.session.connectionname", "AIM");
user_pref("billiardspro27.aim.session.firstsignon", false);
user_pref("billiardspro27.aim.session.password", "0");
user_pref("billiardspro27.aim.session.storepassword", false);
user_pref("browser.activation.checkedNNFlag", true);
use
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfysijv.exe] C:\WINDOWS\jrfysijv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe
O4 - Startup: winword.exe.lnk = C:\WINDOWS\system32\winword.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\War Chess\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v45/solitairerush/solitairerush.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42/tilecity/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Mystery P.I. - The Vegas Heist\Images\armhelper.ocx
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44/golfsol/golfsol.cab
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #6 on: February 19, 2009, 11:49:29 PM »

Still need the Combofix ?
Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #7 on: February 20, 2009, 12:06:07 AM »

Still on and no reboot after 30 minutes. Here is a new log from malewarebytes

Malwarebytes' Anti-Malware 1.34
Database version: 1780
Windows 5.1.2600 Service Pack 2

2/19/2009 7:05:06 PM
mbam-log-2009-02-19 (19-04-34).txt

Scan type: Quick Scan
Objects scanned: 82197
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 6
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 30

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Owner\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\CcEvtSvc.exe (Trojan.MyDoom) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc (Trojan.MyDoom) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrfysijv.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d4d52c73-5d87-47d4-820c-7ea2c83c98a9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4f88170-6c2d-46a5-b06c-931de5b8c984}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f90a4758-00e6-4460-b521-a45cd5557a16}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d4d52c73-5d87-47d4-820c-7ea2c83c98a9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e4f88170-6c2d-46a5-b06c-931de5b8c984}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f90a4758-00e6-4460-b521-a45cd5557a16}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{d4d52c73-5d87-47d4-820c-7ea2c83c98a9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e4f88170-6c2d-46a5-b06c-931de5b8c984}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f90a4758-00e6-4460-b521-a45cd5557a16}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.118,85.255.112.205 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fccyaBqn.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nqBayccf.ini (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\HP_Owner\reader_s.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\jrfysijv.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\winsinstall.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\waorexcsmn.tmp (Virus.Virut) -> No action taken.
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\QISKCMNF\152[1].net (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekafodjkwki.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekajbitxtet.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekajqxfaoma.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\senekauwpknsqr.sys (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator.DIAMONDMINE\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\CcEvtSvc.exe (Trojan.MyDoom) -> No action taken.
C:\WINDOWS\system32\drivers\seneka(2).sys (Trojan.Agent) -> No action taken.
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #8 on: February 20, 2009, 12:40:19 AM »

Reboot the computer and the run Combofix..
Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #9 on: February 20, 2009, 02:16:16 AM »

It won't run combofix. It starts and then it just shuts it down. I even changed the name and it still won't run it. I logged off and went into safe mode to run it and it started to run but then rebooted and I never got a log file. I will keep trying to get it to run and see what I can come up with. I have no more pop ups and it doesn't seem to reboot on me anymore but I think I still have something on here. I see what looks like a spreadsheet appear after logging in but only for a split second then it disappears.
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #10 on: February 20, 2009, 02:35:28 AM »

See if this will run.It will give me a better look at your files..

Download DDS and save it to your desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
or here:
http://www.forospyware.com/sUBs/dds

Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs
DDS.txt
Attach.txt
Save both reports to your desktop.

Copy/Paste the contents of 'DDS.txt' in your next reply.
These other two logs ...
* attach.txt
* ark.txt
... should be zipped/archived before attaching to the reply as well
Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #11 on: February 20, 2009, 03:17:58 AM »

Here is the DDS log. It wont let me add a zip file of the attach.txt What do I do?


DDS (Ver_09-02-01.01) - NTFSx86 
Run by HP_Owner at 22:07:50.85 on 2009-02-19
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1535.981 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Works\wkswp.exe
c:\Program Files\Microsoft Works\MSWorks.exe
c:\Program Files\Microsoft Works\wkgdcach.exe
C:\Documents and Settings\HP_Owner\My Documents\DAVE'S\SHAREWARE\VIRUS\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\hp_owner\reader_s.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [services] c:\windows\services.exe
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
dRun: [services] c:\windows\services.exe
dRun: [vxvaooxt.exe] c:\windows\vxvaooxt.exe
dRun: [vxvzgbui.exe] c:\windows\vxvzgbui.exe
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\winwor~1.lnk - c:\windows\system32\winword.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\war chess\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} - hxxp://www.worldwinner.com/games/v45/solitairerush/solitairerush.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - hxxp://www.worldwinner.com/games/v41/freecell/freecell.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v49/luxor/luxor.cab
DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mystery p.i. - the vegas heist\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnlk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\y9mqw15m.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 NVHelper;NVHelper;c:\windows\system32\drivers\nvHelper.sys [2004-10-7 111689]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\nvtunep.sys [2006-2-4 21634]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\nvtvsnd.sys [2006-2-4 25330]
S2 CcEvtSvc;CcEvtSvc;c:\windows\system32\ccevtsvc.exe -k netsvcs --> c:\windows\system32\CcEvtSvc.exe -k netsvcs [?]
S3 Dual Mode;Dual Mode Video Capture;c:\windows\system32\drivers\CoachVc.sys [2006-4-26 44928]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2007-11-12 1548380]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2006-8-1 91841]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\system32\drivers\pc22nd5.sys [2004-10-6 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\system32\drivers\pc22unic.sys [2004-10-6 69744]

=============== Created Last 30 ================

2009-02-19 20:54   162,724   a-------   c:\windows\system32\19.tmp
2009-02-19 20:54   9,216   a-------   c:\windows\system32\D.tmp
2009-02-19 20:54   88,065   a-------   c:\windows\system32\B.tmp
2009-02-19 20:54   208   a-------   c:\windows\system32\5.tmp
2009-02-19 20:51   3,584   a-------   c:\windows\vxvzgbui.exe
2009-02-19 20:49   162,724   a-------   c:\windows\system32\E.tmp
2009-02-19 20:49   9,216   a-------   c:\windows\system32\A.tmp
2009-02-19 20:49   88,065   a-------   c:\windows\system32\8.tmp
2009-02-19 20:49   208   a-------   c:\windows\system32\3.tmp
2009-02-19 19:11   3,584   a-------   c:\windows\vxvaooxt.exe
2009-02-19 19:09   164,804   a-------   c:\windows\system32\7.tmp
2009-02-19 19:09   47,104   a-------   c:\windows\system32\reader_s.exe
2009-02-19 19:09   30,208   a-------   c:\documents and settings\hp_owner\reader_s.exe
2009-02-19 19:09   9,216   a-------   c:\windows\system32\6.tmp
2009-02-19 19:09   105,542   a-------   c:\windows\system32\CcEvtSvc.exe
2009-02-19 19:09   43,009   a-------   c:\windows\services.exe
2009-02-19 19:09   88,065   a-------   c:\windows\system32\4.tmp
2009-02-19 19:09   208   a-------   c:\windows\system32\2.tmp
2009-02-19 18:48   15,504   a-------   c:\windows\system32\drivers\mbam.sys
2009-02-19 18:48   38,496   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 18:48   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
2009-02-19 18:36   162,724   a-------   c:\windows\system32\1C.tmp
2009-02-19 18:36   9,216   a-------   c:\windows\system32\1A.tmp
2009-02-19 18:35   88,065   a-------   c:\windows\system32\16.tmp
2009-02-19 18:33   162,724   a-------   c:\windows\system32\18.tmp
2009-02-19 18:33   9,216   a-------   c:\windows\system32\17.tmp
2009-02-19 18:33   88,065   a-------   c:\windows\system32\14.tmp
2009-02-19 18:30   <DIR>   --d-----   c:\program files\GameHouse
2009-02-19 18:30   <DIR>   --d-----   c:\program files\Battleship - Fleet Command
2009-02-19 18:30   <DIR>   --d-----   c:\program files\Battleship
2009-02-19 18:27   162,724   a-------   c:\windows\system32\11.tmp
2009-02-19 18:12   244   a---h---   C:\sqmnoopt01.sqm
2009-02-19 18:12   232   a---h---   C:\sqmdata01.sqm
2009-02-19 18:06   244   a---h---   C:\sqmnoopt00.sqm
2009-02-19 18:06   232   a---h---   C:\sqmdata00.sqm
2009-02-19 17:55   61,440   a-------   c:\windows\system32\drivers\etgxpp.sys
2009-02-19 17:46   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\Malwarebytes
2009-02-19 17:46   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 01:20   163,748   a-------   c:\windows\system32\13.tmp
2009-02-19 01:20   7,168   a-------   c:\windows\system32\10.tmp
2009-02-19 01:16   281   a--sh---   C:\boot.ini.cf
2009-02-19 01:02   163,748   a-------   c:\windows\system32\12.tmp
2009-02-19 00:04   <DIR>   --d-----   c:\windows\rwiq
2009-02-19 00:04   <DIR>   --d-----   c:\program files\common files\rwiq
2009-02-18 23:53   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\Twain
2009-02-18 23:51   137,376   a-------   c:\windows\system32\drivers\ethniyxw.sys
2009-02-18 23:48   <DIR>   --d-----   c:\program files\WebShow
2009-02-18 23:27   0   a-------   c:\windows\system32\47.tmp
2009-02-18 23:24   6   a-------   c:\windows\_id.dat
2009-02-18 23:24   128   a-------   c:\windows\adobe.bat
2009-02-18 23:24   164,132   a-------   c:\windows\system32\41.tmp
2009-02-18 23:24   7,168   a-------   c:\windows\system32\3D.tmp
2009-02-18 23:24   168   a-------   c:\windows\system32\3B.tmp
2009-02-18 23:23   47,616   a-------   c:\windows\system32\ljJBsRHX.dll
2009-02-18 23:15   74,752   a-------   c:\windows\system32\srqwpkrl.dll
2009-02-18 23:14   124,416   a-------   c:\windows\system32\ryxogt.dll
2009-02-18 23:14   1,104   a-------   c:\windows\kqpzyjon
2009-02-18 23:14   25,088   a-------   c:\windows\system32\drivers\kxelmnrl.sys
2009-02-18 22:43   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\DAEMON Tools Lite
2009-02-18 17:20   <DIR>   --d-----   c:\program files\Safecracker
2009-02-16 19:26   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\Chessmaster Challenge
2009-02-05 01:35   <DIR>   --d-----   c:\program files\Betrapped
2009-02-04 00:59   <DIR>   --d-----   c:\program files\Brain Booster
2009-02-04 00:28   <DIR>   --d-----   c:\program files\Capitalism II
2009-02-03 22:03   <DIR>   --d-----   c:\program files\Kudos Rock Legend
2009-02-03 02:23   <DIR>   --d-----   c:\program files\temp
2009-02-03 02:23   <DIR>   --d-----   c:\windows\system32\Plugins
2009-02-03 02:23   <DIR>   --d-----   c:\windows\system32\ocr
2009-02-03 02:23   <DIR>   --d-----   c:\windows\system32\Data
2009-02-03 02:23   <DIR>   --d-----   c:\program files\WarChess.exe
2009-02-03 02:13   <DIR>   --d-----   c:\program files\Games
2009-02-02 18:56   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\Friday's games
2009-02-02 01:07   <DIR>   --d-----   c:\program files\ReflexiveArcade
2009-02-01 21:42   <DIR>   --d-----   c:\program files\Risk
2009-02-01 20:46   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\iWin
2009-02-01 20:30   107,888   a-------   c:\windows\system32\CmdLineExt.dll
2009-02-01 17:33   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\GamesCafe
2009-02-01 17:33   4,096   a-------   c:\windows\d3dx.dat
2009-02-01 17:33   <DIR>   --d-----   c:\program files\CLUE Classic
2009-01-31 23:45   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Trymedia
2009-01-31 16:51   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\SpinTop Games
2009-01-31 16:50   <DIR>   --d-----   c:\docume~1\hp_owner\applic~1\SpinTop

==================== Find3M  ====================

2009-02-19 18:38   152,904   a-------   c:\windows\system32\vghd.scr
2009-02-18 23:26   182,912   a-------   c:\windows\system32\drivers\ndis.sys
2009-01-18 23:00   410,984   a-------   c:\windows\system32\deploytk.dll
2008-12-06 18:03   929,929   a--sh---   c:\windows\system32\bHghgfhk.ini2
2008-12-06 14:09   865,809   a--sh---   c:\windows\system32\wxxGNXbc.ini2
2008-05-07 22:44   87,608   a-------   c:\docume~1\hp_owner\applic~1\inst.exe
2008-05-07 22:44   47,360   a-------   c:\docume~1\hp_owner\applic~1\pcouffin.sys
2008-01-08 20:39   56,912   a-------   c:\documents and settings\hp_owner\g2mdlhlpx.exe
2005-06-26 17:32   616,448   a--shr--   c:\windows\system32\cygwin1.dll
2005-06-22 00:37   45,568   a--shr--   c:\windows\system32\cygz.dll
2006-05-03 04:06   163,328   a--shr--   c:\windows\system32\flvDX.dll
2007-02-21 05:47   31,232   a--shr--   c:\windows\system32\msfDX.dll

============= FINISH: 22:08:27.50 ===============
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #12 on: February 20, 2009, 03:38:45 AM »

After this let me know how things are and also see if Combofix will run..There will be more files to remove on the next run.




  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Code:
Files to delete:
c:\windows\services.exe
c:\windows\system32\reader_s.exe
c:\windows\vxvaooxt.exe
 c:\windows\vxvzgbui.exe
 c:\windows\system32\ljJBsRHX.dll
c:\windows\system32\srqwpkrl.dll
c:\windows\system32\ryxogt.dll
 c:\windows\kqpzyjon
 c:\windows\system32\drivers\kxelmnrl.sys
C:\sqmnoopt01.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
  C:\sqmdata00.sqm


  • In the avenger window, click the Paste Script from Clipboard, button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a shutdown. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
« Last Edit: February 20, 2009, 03:41:34 AM by Pancake » Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #13 on: February 20, 2009, 04:32:28 AM »

Here is a combofix log finally

Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #14 on: February 20, 2009, 04:44:40 AM »

Ok.Great...No we can finish the cleanup and get rid of the rest of the malware.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote



File::
C:\WINDOWS\vxvzgbui.exe
C:\WINDOWS\vxvaooxt.exe
C:\WINDOWS\system32\ljJBsRHX.dll
C:\WINDOWS\system32\srqwpkrl.dll
C:\WINDOWS\system32\drivers\kxelmnrl.sys
C:\WINDOWS\system32\ryxogt.dll

Driver::
kxelmnrl
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"services"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"reader_s"=-
"services"=-
"vxvaooxt.exe"=-
"vxvzgbui.exe"=-


 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply  please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*


« Last Edit: February 20, 2009, 04:47:58 AM by Pancake » Logged

An Australian Member of

EDDY
Pages: [1] 2 3 4 Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page June 09, 2019, 07:12:12 AM