Old 11-24-2007, 06:25 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2007
Location: California
Posts: 7
OS: Win XP


Hijack Log File - Clean but need help with something

Hey Guyz,

Can somebody help me with my hijack log? You don't need to be smart to help. Coz you see, I did everything to fix my IE but nada! Alrighty. Thanks in advance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:57 PM, on 11/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Belkin\F5D9010\Belkinwcui.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\windows\System32\taskmgr.exe
C:\windows\System32\cmd.exe
C:\Documents and Settings\Administrator\My Documents\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pinoyglobal.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\windows\System32\vtr.dll (file missing)
O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\windows\System32\trust.dll (file missing)
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38399~1\Bar888.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Administrator\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Policies\Explorer\Run: [{683999EB-0958-1033-0625-030303180001}] "C:\Program Files\Common Files\{683999EB-0958-1033-0625-030303180001}\Update.exe" te-110-12-0000213
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{683999EB-0958-1033-0625-030303180001}] "C:\Program Files\Common Files\{683999EB-0958-1033-0625-030303180001}\Update.exe" te-110-12-0000213 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{683999EB-0958-1033-0625-030303180001}] "C:\Program Files\Common Files\{683999EB-0958-1033-0625-030303180001}\Update.exe" te-110-12-0000213 (User 'Default user')
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{46FE1157-1A44-4BC0-9232-FD8CFC3F1BCB}: NameServer = 168.95.192.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DF9C891-4F8A-42F7-8A61-2736BA3B1F88}: NameServer = 168.95.192.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E803A7C-9A3C-4AA7-8009-77E2D3BCD75B}: NameServer = 168.95.192.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{84841F10-EB73-4AA8-8C92-B79283CD7F2C}: NameServer = 168.95.192.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C4A1068-E112-4EB8-B281-14F13932B716}: NameServer = 168.95.192.1
O20 - AppInit_DLLs: C:\windows\System32\sulimo.dat
O20 - Winlogon Notify: byvus - C:\WINDOWS\System32\byvus.dll (file missing)
O20 - Winlogon Notify: gebbxvs - gebbxvs.dll (file missing)
O20 - Winlogon Notify: jkkkj - C:\WINDOWS\System32\jkkkj.dll (file missing)
O20 - Winlogon Notify: opnnnmm - opnnnmm.dll (file missing)
O20 - Winlogon Notify: urqrqon - urqrqon.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O20 - Winlogon Notify: __c00CBFC2 - C:\windows\System32\__c00CBFC2.dat (file missing)
O20 - Winlogon Notify: __c00CC10E - C:\windows\System32\__c00CC10E.dat (file missing)
O21 - SSODL: pBATNGIIPJBio - {683999EC-C293-3346-6EBC-1B987DB2CFC8} - C:\WINDOWS\System32\zk.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: dlci_device - - C:\windows\System32\dlcicoms.exe
O23 - Service: DomainService - Unknown owner - C:\windows\System32\mpfsihwi.exe (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7677 bytes
Zoraida is offline  

Old 11-26-2007, 05:01 PM   #2 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Hijack Log File - Clean but need help with something

Not quite sure what you are asking for so....

Please download the OTMoveIt by OldTimer

Save it to your desktop.

Please double-click OTMoveIt.exe to run it

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\windows\System32\sulimo.dat



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


========================

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\windows\System32\vtr.dll (file missing)
O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\windows\System32\trust.dll (file missing)
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38399~1\Bar888.dll (file missing)
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\windows\System32\sulimo.dat
O20 - Winlogon Notify: byvus - C:\WINDOWS\System32\byvus.dll (file missing)
O20 - Winlogon Notify: gebbxvs - gebbxvs.dll (file missing)
O20 - Winlogon Notify: jkkkj - C:\WINDOWS\System32\jkkkj.dll (file missing)
O20 - Winlogon Notify: opnnnmm - opnnnmm.dll (file missing)
O20 - Winlogon Notify: urqrqon - urqrqon.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O20 - Winlogon Notify: __c00CBFC2 - C:\windows\System32\__c00CBFC2.dat (file missing)
O20 - Winlogon Notify: __c00CC10E - C:\windows\System32\__c00CC10E.dat (file missing)
O21 - SSODL: pBATNGIIPJBio - {683999EC-C293-3346-6EBC-1B987DB2CFC8} - C:\WINDOWS\System32\zk.dll (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\windows\System32\mpfsihwi.exe (file missing)

Post a new HJT log when done...
__________________
Eddy

Last edited by Pancake; 11-26-2007 at 05:04 PM.
Pancake is offline  
Old 11-26-2007, 06:07 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2007
Location: California
Posts: 7
OS: Win XP


Re: Hijack Log File - Clean but need help with something

Hi,

Thank you for your reply. I have the result now and it says:

File/Folder C:\windows\System32\sulimo.dat not found.

Created on 11/26/2007 17:04:08

Thanks
Zoraida is offline  
Old 11-26-2007, 07:19 PM   #4 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Hijack Log File - Clean but need help with something

OK. Will you post a new HJT log please..

You may also have a lot of dead entries in the registry that may need to come out. To do this.....

Please download Combofix from HERE or HERE


Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
__________________
Eddy

Last edited by Pancake; 11-26-2007 at 07:22 PM.
Pancake is offline  
Old 11-26-2007, 08:19 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2007
Location: California
Posts: 7
OS: Win XP


Re: Hijack Log File - Clean but need help with something

Hi,

Thanks again for your reply. Here's my log.txt from combofix.exe. My Internet Explorer is still not working though. You can also read my questions here about IE @ this link (if I'm not causing too much trouble) My IE 6 is broken, virus or something?

I just need my IE very badly. I have another problem though. When I started this combo fix thing, my sfc /scannow won't work. It keeps on saying Files that are required for Windows to run properly must be copied to the DLL cache and my System Restore won't work. When I open it, it only shows a blank page. Should I worry about this? What happened to my laptop?

Thanks very much!



ComboFix 07-11-19.4 - Administrator 2007-11-26 19:04:00.1 - NTFSx86
* Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS - system32: deleted 65568 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3.tmp
C:\B.tmp
C:\Documents and Settings\Administrator\Application Data\DOBE~1
C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free
C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\Install.dat
C:\Documents and Settings\Administrator\err.log
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\{38399~1
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive5.dll
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\stem~1
C:\Program Files\Ultimate Cleaner
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\windows\Casino.ico
C:\windows\cookies.ini
C:\windows\emdat.tm
C:\windows\emdat.tmp
C:\windows\Free Online Dating.ico
C:\windows\Spyware Remover.ico
C:\windows\system32\8_exception.nls
C:\windows\system32\dlh9jkd1q8.exe
C:\windows\system32\dsuiexq.dll
C:\windows\system32\kr_done1
C:\windows\system32\m7
C:\windows\system32\m7\disrven2.exe
C:\windows\system32\msnav32.ax
C:\windows\system32\pac.txt
C:\windows\system32\q21
C:\windows\system32\shdocvs.dll
C:\windows\system32\smpi1
C:\windows\system32\smpi1\lpc22.exe
C:\windows\system32\svcp.csv
C:\windows\system32\vMW02a
C:\windows\system32\vx.tll
C:\windows\system32\w1
C:\windows\system32\windev-peers.ini
C:\windows\system32\winpfz32.sys
C:\windows\system32\winsub.xml
C:\windows\system32\zxdnt3d.cfg
C:\windows\ymbols~1
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_ICF
-------\LEGACY_WINDEV-5CA3-7436
-------\Client IP-IPX
-------\DomainService
-------\ICF
-------\windev-5ca3-7436


((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 17:35 <DIR> d-------- C:\Deckard
2007-11-25 09:39 11,961,329 --------- C:\AVG7QT.DAT
2007-11-24 16:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 15:31 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2007-11-24 14:39 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-11-23 20:53 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-11-23 20:49 12,160 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-11-23 20:40 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-11-23 20:39 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-11-23 20:26 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-11-23 20:19 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2007-11-23 20:17 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-11-23 20:13 101,760 --a--c--- C:\WINDOWS\system32\dllcache\sis300ip.sys
2007-11-23 20:08 17,664 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2007-11-23 19:28 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-11-23 13:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-23 11:45 <DIR> d-------- C:\Program Files\CCleaner
2007-11-23 11:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-23 08:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-15 15:52 5,026 --a------ C:\WINDOWS\system32\Config.MPF
2007-11-15 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-15 15:47 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-11-15 15:44 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-15 15:44 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-15 15:44 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-15 15:44 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-15 15:44 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-15 15:44 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-15 15:43 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-15 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 23:43 --------- d-----w C:\Program Files\Google
2007-11-23 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-23 21:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CoreFTP
2007-11-15 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-15 22:00 --------- d-----w C:\Program Files\ZipCentral
2007-11-15 18:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-15 18:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 21:53 16,384 ----a-w C:\windows\xlavra2.exe
2007-09-28 18:05 --------- d-----w C:\Program Files\BufferZone
2007-09-28 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\BufferZone
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\rterel.html
2007-06-03 04:09 1,584,183 --sha-w C:\windows\system32\jkkkj.bak2
2007-06-03 08:29 1,615,487 --sha-w C:\windows\system32\jkkkj.ini2
2007-05-14 23:18 1,468,505 --sha-w C:\windows\system32\suvyb.bak1
2007-05-14 22:18 1,466,801 --sha-w C:\windows\system32\suvyb.bak2
2007-05-15 03:19 1,468,237 --sha-w C:\windows\system32\suvyb.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF4837DA-938C-4864-3BDA-A47284DFCC71}]
C:\windows\System32\trust.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCICATS"="C:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-02-24 13:30]
"MSConfig"="C:\Documents and Settings\Administrator\Desktop\msconfig.exe" [2007-10-13 15:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-02 15:53]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-11-25 09:43]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-25 09:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
"DisableLockWorkstation"= 1 (0x1)
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pBATNGIIPJBio"= {683999EC-C293-3346-6EBC-1B987DB2CFC8} - C:\WINDOWS\System32\zk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byvus]
C:\WINDOWS\System32\byvus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbxvs]
gebbxvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkj]
C:\WINDOWS\System32\jkkkj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmm]
opnnnmm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqon]
urqrqon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00CBFC2]
C:\windows\System32\__c00CBFC2.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00CC10E]
C:\windows\System32\__c00CC10E.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\.lnk
backup=C:\windows\pss\.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^oespyldb.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\oespyldb.exe
backup=C:\windows\pss\oespyldb.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^system.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
backup=C:\windows\pss\system.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\windows\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 11:28 684032 --a------ C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-03-01 09:37 2321600 -ra------ C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\windows\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChikkaDefault]
2007-05-31 22:14 36864 --a------ C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2003-02-26 15:25 180316 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dcsm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcimon.exe]
2006-02-14 01:26 430080 --a------ C:\Program Files\Dell AIO Printer 946\dlcimon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlmMgr]
C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe restart=1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
2007-03-19 14:04 49152 -ra------ C:\WINDOWS\Domino.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D9010]
2006-03-14 15:52 1585152 --a------ C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe C:\windows\System32\mmiexiuf.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule6]
C:\Program Files\ISM\ISMModule6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
C:\Program Files\ISM2\ISMPack6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 18:05 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j6221538]
rundll32 C:\windows\System32\j6221538.dll sook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\windows\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Key]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\20F.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\Documents and Settings\Administrator\Desktop\msconfig(2).exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QT4HPOT]
2003-01-30 19:53 106496 --a------ C:\Program Files\HPQ\One-Touch\OneTouch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qwertybot.exe]
C:\WINDOWS\System32\qwertybot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\windows\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe C:\windows\System32\nboyvqqw.dll,sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe C:\windows\System32\ivpedian.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\System32\spoolsvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 02:43 83608 --a------ C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-04-18 18:57 610304 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-04-18 19:03 110592 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\System32\testtestt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sytvtvk]
C:\Program Files\??stem\?pool32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskdir]
C:\WINDOWS\System32\taskdir.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdokbye.dll]
C:\WINDOWS\System32\rundll32.exe C:\Documents and Settings\Administrator\Local Settings\Application Data\wdokbye.dll,bpzgoi

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
rundll32.exe C:\WINDOWS\System32\kvuiurln.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMedia]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6414002.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdate]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6415535.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpgrade]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6414824.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Witr]
C:\DOCUME~1\ADMINI~1\MYDOCU~1\RACLE~1\spool32.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{99-99-9E-EB-ZN}]
C:\windows\system32\nqdsregs.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aswUpdSv"=2 (0x2)

R1 ATMhelpr;ATMhelpr;C:\windows\System32\drivers\ATMhelpr.sys
R3 ALiIRDA;ALi Infrared Device Driver;C:\windows\System32\DRIVERS\aliirda.sys
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\windows\System32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\windows\System32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\windows\System32\Drivers\DKbFltr.SYS
R3 StreamSurge;StreamSurge Driver (miniport);C:\windows\System32\DRIVERS\ss.sys
S2 ohbusb;Open Host Controller Miniport USB Driver;\??\C:\windows\System32\drivers\ohbusb.sys
S3 dlci_device;dlci_device;C:\windows\System32\dlcicoms.exe -service
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\windows\System32\DRIVERS\FA312nd5.sys
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;C:\windows\System32\DRIVERS\Express.sys
S3 vmfilter303;vmfilter303;C:\windows\System32\drivers\vmfilter303.sys
S3 ZSMC303;A4 TECH PC Camera H;C:\windows\System32\Drivers\usbVM303.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 19:47:01 C:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-25 08:00:00 C:\windows\Tasks\At1.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-23 17:00:25 C:\windows\Tasks\At10.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 18:00:00 C:\windows\Tasks\At11.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 19:00:02 C:\windows\Tasks\At12.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 20:00:00 C:\windows\Tasks\At13.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 21:00:00 C:\windows\Tasks\At14.job"
"2007-11-25 22:00:03 C:\windows\Tasks\At15.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-24 23:00:00 C:\windows\Tasks\At16.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-27 00:00:00 C:\windows\Tasks\At17.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-27 01:00:00 C:\windows\Tasks\At18.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-27 02:00:00 C:\windows\Tasks\At19.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-10 09:00:00 C:\windows\Tasks\At2.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-27 03:00:01 C:\windows\Tasks\At20.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-26 04:00:00 C:\windows\Tasks\At21.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 05:00:00 C:\windows\Tasks\At22.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 06:00:00 C:\windows\Tasks\At23.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 07:00:00 C:\windows\Tasks\At24.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-10 10:00:00 C:\windows\Tasks\At3.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-10-31 11:00:00 C:\windows\Tasks\At4.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-10-12 11:00:00 C:\windows\Tasks\At5.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-09-26 12:00:00 C:\windows\Tasks\At6.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-16 14:00:00 C:\windows\Tasks\At7.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-16 15:00:02 C:\windows\Tasks\At8.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-17 16:00:00 C:\windows\Tasks\At9.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-10-15 07:00:02 C:\windows\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-15 23:43:44 C:\windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-11-15 23:43:43 C:\windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 19:09:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 19:11:29 - machine was rebooted
.
--- E O F ---

Last edited by Zoraida; 11-26-2007 at 08:38 PM.
Old 11-26-2007, 09:44 PM   #6 (permalink)
Security Team (ret.)
 
Pancake
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Hijack Log File - Clean but need help with something

This is in one heck of a mess. It's a wonder it could even boot up. It will take a few runs to clean it all out...

-----------------------
I will need to know that we can get Service Pack 2 later after we have you all clean, so please save and run the download. It will copy the results to your clipboard. Will you copy and paste them back here please.

http://go.microsoft.com/fwlink/?linkid=52012




Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

File::
C:\Program Files\Common Files\rterel.html
C:\windows\xlavra2.exe
C:\windows\System32\trust.dll
C:\WINDOWS\System32\byvus.dll
C:\WINDOWS\System32\gebbxvs.dll
C:\WINDOWS\System32\jkkkj.dll
C:\WINDOWS\System32\opnnnmm.dll
C:\WINDOWS\System32\urqrqon.dll
C:\windows\System32\__c00CBFC2.dat
C:\windows\System32\__c00CC10E.dat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\20F.tmp
C:\WINDOWS\System32\qwertybot.exe
C:\windows\tsitra1000106.exe
C:\windows\System32\ivpedian.dll
C:\WINDOWS\System32\testtestt.exe
C:\WINDOWS\System32\taskdir.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\wdokbye.dll
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\kvuiurln.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6414002.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6415535.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6414824.exe
C:\windows\system32\nqdsregs.exe
C:\WINDOWS\System32\Cb0bc8E7.exe


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
__________________
Eddy

Last edited by Pancake; 11-26-2007 at 09:57 PM.
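
As an added example (not part of the post above and not ComboFix's own code), the following Python cross-references a CFScript `File::` list against the startup keys and scheduled tasks in a ComboFix log, showing which autostart entries launch each listed file. The function names, the rule that a line ending in `::` opens a section, and the sample data (a few entries constructed in the format of this thread's log) are assumptions.

```python
import re

# Constructed sample in the format of the log and CFScript quoted in this thread.
LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
rundll32.exe C:\WINDOWS\System32\kvuiurln.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet
Contents of the 'Scheduled Tasks' folder
"2007-11-25 08:00:00 C:\windows\Tasks\At1.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe
"2007-11-25 21:00:00 C:\windows\Tasks\At14.job"
"2007-11-25 22:00:03 C:\windows\Tasks\At15.job"
- C:\WINDOWS\System32\Cb0bc8E7.exe'''
CFSCRIPT = r'''File::
C:\WINDOWS\System32\kvuiurln.dll
C:\WINDOWS\System32\Cb0bc8E7.exe'''

HEADER = re.compile(r'^\[HKEY_.*\\startupreg\\(.+)\]$|^"\S+ \S+ (.+\.job)"$', re.I)

def parse_autostarts(log):
    """(source, command) pairs from startupreg keys and quoted .job lines."""
    entries, pending = [], None
    for line in map(str.strip, log.splitlines() + ['']):
        m = HEADER.match(line)
        if pending:  # the line right after a header is its target, if any
            entries.append((pending, None if m or not line else line.lstrip('- ')))
        pending = (m.group(1) or m.group(2)) if m else None
    return entries

def parse_file_list(script):
    """Lower-cased paths under File:: (assumed: a line ending '::' opens a section)."""
    files, active = [], False
    for line in filter(None, map(str.strip, script.splitlines())):
        if line.endswith('::'):
            active = line.lower() == 'file::'
        elif active:
            files.append(line.lower())
    return files

def references(log, script):
    """Map each File:: path to the autostart entries whose command names it."""
    hits = {}
    for source, command in parse_autostarts(log):
        for path in parse_file_list(script):
            if command and path in command.lower():
                hits.setdefault(path, []).append(source)
    return hits
```

A header paired with `None`, like At14.job in the sample, had no target line in the log.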
Old 11-27-2007, 04:42 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2007
Location: California
Posts: 7
OS: Win XP


Re: Hijack Log File - Clean but need help with something

Hi,
I accidentally aborted it and the Combofix is now missing. Should I reinstall the ComboFix.exe again and run it? Thx!
Zoraida is offline  
Old 11-27-2007, 04:51 PM   #8 (permalink)
Security Team (ret.)
 
Pancake
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Hijack Log File - Clean but need help with something

If you no longer have ComboFix then yes, download it again. And don't forget also that Microsoft link...
__________________
Eddy

Last edited by Pancake; 11-27-2007 at 04:53 PM.
Old 11-27-2007, 05:58 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2007
Location: California
Posts: 7
OS: Win XP


Re: Hijack Log File - Clean but need help with something

Ok thanks.
Zoraida is offline  
 

