I have a Malware infection, please help.

[Eskimio52]

I've read the 5 step sticky for how to best get this done as quickly as possible, but with some setbacks...

1. I cannot complete step one, because some of the malware has, incredibly, made my user name not the administrator. So I no longer have access to a plethora of things (one being control panel, another would be trying to find properties on My Computer, etc.) So since I do not have access to the add/remove applications window, I went ahead and deleted what I could find in the Program Files folder. I only had about 3-4, didn't keep track.

2. Pandascan is unavailable, so I don't know what to use to scan my computer. Need help with finding something else to scan my computer with...

3. I've installed both applications.

4. Funnily enough, I updated my computer mere hours before I was infected. So, i'm good in that respect.

5. Unfortunately, for some unknown reason, every time I try to run dss, it has to "unexpectedly close" before it finishes. So, I cannot see how we are going to get around this...

*Note Spyware Blaster doesn't seem to want to work, i've reinstalled it twice and it says that the program has been damaged and must be because of a bad hard drive (Which it isn't) or a virus (which it probably is).

I'm terribly sorry that this post is so uninformative, without any logs at all...
I'm very thankful that volunteers take their personal time to help those who don't have their knowledge.
Hope we can get through this together.

[Eskimio52]

Not sure if this helps, but I ran Hijackthis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:26 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [adatexmj] rundll32.exe "C:\Program Files\adatexmj\wvsxwjen.dll",Init
O4 - HKLM\..\Run: [clchwpuj] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\clchwpuj.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfap.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [sxcrgfaf] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxcrgfaf.dll"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191793207781
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4389 bytes

Hope we can get this solved sooner than later (I can't play any games and I have hardly any administrative privileges anymore) Plus I have fake alert popups in a timely manner.

[Eskimio52]

It's been more than 72 hours and these viruses have been wreaking havoc on my computer. Come on guys, where are you...

Bump.

[Eskimio52]

Dear TSF,

I know i'm supposed to wait 72 hours after each bump, but I've waited over a week for so much as a hint that i've been recognized. (I'm not even sure if i'm posting in the right forums, to be honest.) My thread has over 100 views and any other thread with that many views has either been solved, is being solved, or is at least recognized by a moderator/volunteer. I'm not being testy, i'm saying that my computer performance is waning and my personal security has been at risk for over a week now and i'm anxious to get rid of all malware from my computer.

Here is what i've done so far:

Files:
Downloader Alphabet B Trojan is not deleteable. (C:\WINDOWS\mgrs.exe)
Costrat Trojan is also non-deleteable. (C:\WINDOWS\system32\xpdx.sys)

Registry:
I cannot find:
software\microsoft\windows\currentversion\run\smgr
software\microsoft\windows\currentversion\run\windows update loader
software\microsoft\windows\currentversion\adp
software\microsoft\windows\currentversion\run\spoolsv

Websites in Internet Explorer:
There are tons of websites that are "Agent EAD Trojan", "Agent Trojan", "Downloader Delf ARX Trojan", or "Peed INM Trojan".

Cookies systematically show up in the "Cookies" folder of the "Owner" "Documents and Settings" folder. I delete these whenever they show up.

With the help of my friend, I have manually deleted tons and tons of malware files throughout my Hard Drive and he has showed me how to access the registry through Start>Run>regedit (Registry Editor) and delete an immense amount of malicious registries wherever I found them.

Throughout this, I used "XoftSpySE" to track down the malicious material.

At this point, I am only looking for a way to delete the two aformentioned files (mgrs.exe & xpdx.sys) and to rid myself of the non-locateable websites-these websites load in Internet Explorer (I use Mozilla Firefox) and play sounds & videos and donwload programs behind the scenes (Internet Explorer never shows up on the Action Bar and only shows up in Windows Task Manager half the time.)-so that I may be malware free. Also, I have uninstalled Internet Explorer as far as I can.

One more thing, my user account is, apparently, not considered an administrator. For example, I try to access the control panel through right clicking the desktop and clicking on Properties, it gives me an error stating that I am not an administrator and cannot do that action. Also, Control Panel does not show up on my Start Menu. Another problem with not being an administrator is that my Windows Firewall is shut off somehow and I cannot access the Windows Security Center to turn it back on. There may be other things here and there that I am unable to do due to this, but I have either forgotten what they are, or have not encountered them.

Any and all help pertaining to the files, the registries, the websites and the non-Administrative problems are welcome by any and all means.

(If anything I have said is incorrect, please tell me. I was doing this while being distracted.)

Eskimio52

[tetonbob]

Hello, and Welcome to TSF.

Not every view of your thread is someone who can reply. Some may be other members searching for answers. Only staff are allowed to reply to threads in this forum. There are hundreds of folks like you, many with infection problems, all wanting replies, and only a handful of volunteers who do the replying. Sorry to say, but sometimes it's luck of the draw.

You have a rootkit infection, which makes it hard to detect, and sometimes harder to remove. Sometimes, a machine never fully recovers from this type of infection that has had time to fester unchecked on an unprotected machine. Sometimes, it's best to back up valued documents and photos, and format and reinstall.

If you wish to try to clean it, I'll try to help, but there's no guarantees it will run as well as it did prior to this infection.

Part of your machine's problem is, there is no AntiVirus protection installed. We'll address that during the course of this fix.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
   
   
2. Disconnect from the internet....pull the plug!
   
3. Go to -> Run -> paste in the following single line command & click OK
   
   

   "%userprofile%\desktop\combofix.exe" /killall

   
   
   
   
4. Follow the prompts. Type "1" and press Enter to begin the scan.
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Re-establish an internet connection.
   
   
8. 
   I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.
   
   Install this FREE AntiVirus program, update it, and run a full system scan.
   
   Avira PersonalEdition Classic
   
   Here is a tutorial on it's setup and use:
   
   http://www.techsupportforum.com/cont...ticles/64.html
   
   Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
   
   ---------------------------------------------------------------------------------------------
   
9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
   
   ---------------------------------------------------------------------------------------------

[Eskimio52]

TetonBob,

I'm discouraged to hear that what was infecting my computer was VERY malicous and may have caused lasting effects on my computer. But the fact that I have help with doing the best we can to fix my computer is enough to make me not worry to much about lasting performance (I'll be replacing this computer soon enough).

The reason I had no AntiVirus protection, was because I had had a problem with Windows and had needed to reinstall it. And doing a manual reinstall, i'd had some things left out. I realized a bit too late that I was also missing any kind of AntiVirus software (though I didn't have any to install in the first place). I am downloading and plan on installing that program you recommended to me (Avira PersonalEdition Classic) and thank you for saving me time and effort in locating a good (yet free) AntiVirus Protection Program.

I completed all the steps you required, and here is what you want.

Eskimio52

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25, on 2007-12-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\f8f153b4ab59d8d1adcfb2f6a3d5416c\update\update.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowhead.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Vufkdlqd\qifwfknm.dll (file missing)
O2 - BHO: (no name) - {20135C69-FCBA-45D7-8887-3084933D4956} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\xbtwjhjb\chxejwjt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {51ae0ab2-77a6-aa3b-43e4-3936bc8342ba} - {ab2438cb-6393-4e34-b3aa-6a772ba0ea15} - C:\WINDOWS\system32\onrribps.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\tuvustq.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v4.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [d0b56c6f] rundll32.exe "C:\WINDOWS\system32\uqytbjmt.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191793207781
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O20 - Winlogon Notify: tuvustq - C:\WINDOWS\SYSTEM32\tuvustq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - cmd.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

--
End of file - 3936 bytes

(It won't let me attach catchme.zip, it gives me the error "Upload Errors
catchme.zip:
Attachment in Progress. Can be deleted here." and I don't know what to do to fix that.
The contents of catchme.zip are:
ctl_w32.sys, geeba.dll, tuvustq.dll, xpdx.sys and xpdx.sys.1)

[tetonbob]

I've not asked for anything like catchme.zip

Did ComboFix get interrupted?

Did it restart the machine?

There should have been a log produced, C:\ComboFix.txt

I wanted to see a new HijackThis log after you installed and ran the AntiVirus.

Please try to follow my instructions closely.

For now, answer the questions about ComboFix.

[Eskimio52]

TetonBob,

Unfortunately, for some reason, Avira PersonalEdition Classic won't install correctly. I've tried each download site Avira recommended, including itself, and only two websites actually let me run the installer. Though, once it was done listing what it had installed, it informed me that something had changed and gave me only one option-to quit the installer. Maybe you can help me out?

((ComboFix ran and finished. Here is the log:))

ComboFix 07-12-02.3 - Owner 2007-12-02 17:21:03.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\bepsvora.dll
C:\Documents and Settings\All Users\Application Data.\jmryxwxe.dll
C:\Documents and Settings\All Users\Application Data.\qpehuxqr.dll
C:\Documents and Settings\All Users\Application Data.\ujozanit.dll
C:\Documents and Settings\All Users\Application Data.\yjipmdkj.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Owner\Application Data\trant.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.tmp
C:\WINDOWS\system32\cymvwqsd.dll
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\runtime2.sy_
C:\WINDOWS\system32\drvfapr.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\hwanpwep.exe
C:\WINDOWS\system32\loccqdtt.ini
C:\WINDOWS\system32\onrribps.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\scoeomlw.exe
C:\WINDOWS\system32\sdwntayg.dll
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\tmjbtyqu.ini
C:\WINDOWS\system32\ttdqccol.dll
C:\WINDOWS\system32\tuvustq.dll
C:\WINDOWS\system32\uqytbjmt.dll
C:\WINDOWS\system32\vgfddwtv
C:\WINDOWS\system32\vgfddwtv\bg1.gif
C:\WINDOWS\system32\vgfddwtv\bgtop.gif
C:\WINDOWS\system32\vgfddwtv\bottom1.gif
C:\WINDOWS\system32\vgfddwtv\essentials.gif
C:\WINDOWS\system32\vgfddwtv\icon1.ico
C:\WINDOWS\system32\vgfddwtv\install1.gif
C:\WINDOWS\system32\vgfddwtv\left1.gif
C:\WINDOWS\system32\vgfddwtv\li.gif
C:\WINDOWS\system32\vgfddwtv\logo.gif
C:\WINDOWS\system32\vgfddwtv\main.htm
C:\WINDOWS\system32\vgfddwtv\mainframe.htm
C:\WINDOWS\system32\vgfddwtv\reinstall1.gif
C:\WINDOWS\system32\vgfddwtv\right1.gif
C:\WINDOWS\system32\vgfddwtv\s1.htm
C:\WINDOWS\system32\vgfddwtv\s2.htm
C:\WINDOWS\system32\vgfddwtv\s3.htm
C:\WINDOWS\system32\vgfddwtv\SMTop1.gif
C:\WINDOWS\system32\vgfddwtv\SMTop2.gif
C:\WINDOWS\system32\vgfddwtv\SMTop3.gif
C:\WINDOWS\system32\vgfddwtv\SMTop4.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_off.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_on.gif
C:\WINDOWS\system32\vgfddwtv\softleft_off.gif
C:\WINDOWS\system32\vgfddwtv\softleft_on.gif
C:\WINDOWS\system32\vgfddwtv\top1.gif
C:\WINDOWS\system32\vgfddwtv\top2.gif
C:\WINDOWS\system32\vgfddwtv\turnoff1.gif
C:\WINDOWS\system32\vgfddwtv\turnon1.gif
C:\WINDOWS\system32\vgfddwtv\vgfddwtv1.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv2.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv3.exe
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\yiewkuvn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\runtime


-------\LEGACY_CTL_W32
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\ctl_w32
-------\runtime




((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-01 14:48 . 2007-12-01 14:48 82,496 --a------ C:\WINDOWS\system32\gxdbewju.exe
2007-12-01 13:39 . 2007-12-01 13:39 <DIR> d-------- C:\Program Files\E404 Helper
2007-12-01 11:33 . 2007-12-01 11:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-11-30 22:19 . 2007-12-01 10:43 <DIR> d-------- C:\Program Files\World of Warcraft
2007-11-30 00:22 . 2007-11-30 00:22 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-11-29 22:22 . 2007-12-02 17:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-29 22:22 . 2007-11-29 22:22 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-29 22:15 . 2007-11-29 22:15 20,480 --a------ C:\WINDOWS\mgrs.doc
2007-11-29 22:15 . 2007-11-29 22:32 45 --a------ C:\TEST.XML
2007-11-29 20:22 . 2007-12-01 00:29 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-29 18:37 . 2007-11-29 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-29 18:03 . 2007-11-29 18:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-25 17:38 . 2007-11-25 17:38 <DIR> d-------- C:\WINDOWS\Ad-Ware Pro
2007-11-25 17:38 . 2007-11-25 17:38 <DIR> d-------- C:\Program Files\Ad-Ware Pro
2007-11-25 16:23 . 2007-11-25 20:57 <DIR> d-------- C:\Program Files\xbtwjhjb
2007-11-25 09:41 . 2007-11-25 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 09:35 . 2007-11-25 16:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 09:35 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-11-25 09:34 . 2007-11-25 09:34 <DIR> d-------- C:\ie-spyad_zo
2007-11-25 00:52 . 2007-11-25 00:52 <DIR> d-------- C:\Program Files\foobar2000
2007-11-25 00:51 . 2007-12-01 14:26 <DIR> d-------- C:\Program Files\Trillian
2007-11-25 00:40 . 2007-11-25 00:40 <DIR> d-------- C:\WINDOWS\system32\backuped
2007-11-25 00:40 . 2007-11-25 00:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\True Sword
2007-11-25 00:33 . 2007-11-25 00:36 <DIR> d-------- C:\Program Files\Winamp
2007-11-25 00:33 . 2007-11-25 00:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2007-11-25 00:02 . 2007-12-01 11:22 <DIR> d-------- C:\Program Files\Xfire
2007-11-25 00:02 . 2007-12-01 11:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-11-24 23:22 . 2007-11-24 23:22 102,912 --a------ C:\WINDOWS\system32\drvfap.dll
2007-11-24 23:22 . 2007-11-24 23:22 34,304 --a------ C:\WINDOWS\system32\mljjijk.dll
2007-11-24 23:22 . 2007-11-24 23:22 20,992 --a------ C:\WINDOWS\system32\winzoa32.dll
2007-11-24 21:53 . 2007-11-24 21:53 <DIR> d-------- C:\WINDOWS\Sun
2007-11-24 21:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-24 21:46 . 2007-11-24 21:49 <DIR> d-------- C:\Program Files\Java
2007-11-24 21:42 . 2007-11-24 21:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-22 15:27 . 2007-11-22 15:27 <DIR> d-------- C:\Program Files\IrfanView
2007-11-22 15:02 . 2007-11-22 15:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-11-22 15:01 . 2007-11-22 15:01 21 --a------ C:\WINDOWS\atid.ini
2007-11-22 14:58 . 2007-11-22 14:58 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-11-22 14:58 . 2007-11-22 15:02 865 --ah----- C:\IPH.PH
2007-11-22 10:12 . 2007-11-22 10:12 <DIR> d-------- C:\Program Files\iPod
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-12 06:25 . 2007-11-12 06:25 1,208,320 --a------ C:\WINDOWS\system32\PTxSCP.ocx
2007-11-12 06:25 . 2007-11-12 06:25 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2007-11-12 06:25 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-11 20:26 . 2007-11-11 20:26 135,168 --a------ C:\WINDOWS\War3Unin.exe
2007-11-11 20:26 . 2007-11-11 20:35 17,627 --a------ C:\WINDOWS\War3Unin.dat
2007-11-11 20:26 . 2007-11-11 20:26 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-11-11 20:23 . 2007-11-22 12:48 <DIR> d-------- C:\Program Files\Warcraft III
2007-11-08 22:01 . 2003-07-20 22:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-11-08 22:01 . 2005-01-04 13:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-11-08 21:47 . 2007-11-08 21:47 <DIR> d-------- C:\Program Files\Acclaim
2007-11-08 18:05 . 2007-11-08 18:05 <DIR> d-------- C:\WINDOWS\system32\SolidStateNetworks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 22:02 --------- d-----w C:\Program Files\StepMania
2007-12-01 15:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-12-01 03:19 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-25 04:05 --------- d-----w C:\Program Files\DivX
2007-11-25 04:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 04:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-24 02:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2007-11-23 12:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-22 15:12 --------- d-----w C:\Program Files\iTunes
2007-11-22 15:10 --------- d-----w C:\Program Files\QuickTime
2007-10-29 03:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2007-10-28 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2007-10-28 18:08 --------- d-----w C:\Program Files\SoundSpectrum
2007-10-14 23:32 --------- d-----w C:\Program Files\Common Files\Apple
2007-10-08 01:04 107 ---ha-w C:\Program Files\Desktop.ini
2007-10-08 00:47 --------- d-----w C:\Program Files\TGTSoft
2007-10-07 22:29 --------- d-----w C:\Program Files\uTorrent
2007-10-07 22:03 --------- d-----w C:\Program Files\Common Files\Real
2007-10-07 22:02 --------- d-----w C:\Program Files\Real
2007-10-07 22:01 --------- d-----w C:\Program Files\Apple Software Update
2007-10-07 21:19 --------- d-----w C:\Program Files\Intel
2007-10-07 21:17 --------- d-----w C:\Program Files\Analog Devices
2007-10-07 21:15 --------- d-----w C:\Program Files\Broadcom
2007-10-07 18:58 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
C:\Program Files\Vufkdlqd\qifwfknm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F02D978-0FF6-80F7-60BB-0426224AB7B3}]
2007-11-25 23:17 110592 --a------ C:\Program Files\xbtwjhjb\chxejwjt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
2007-12-01 13:39 17920 --a------ C:\Program Files\E404 Helper\e404.v4.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []
"AdwareProMFC"="C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe" [2007-11-12 07:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 15:23]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 15:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"RegistryMechanic"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"


.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-02 22:23:27 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-01 14:51:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 17:23:53
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 17:25:11 - machine was rebooted
.
--- E O F ---

((I also ran HijackThis incase you wanted it anyway.))

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:34 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowhead.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Vufkdlqd\qifwfknm.dll (file missing)
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\xbtwjhjb\chxejwjt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v4.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191793207781
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

--
End of file - 3083 bytes

[tetonbob]

Rather than choose "Run" for the Avira installer, select Download, or Save....save the file to your desktop, and run it from there.

Let's clean what I see, and then you can try it again. I'll also provide a couple of other options.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Ad-Ware Pro <<<<it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Reboot your machine.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/197439-i-have-malware-infection-please-help.html

Folder::
C:\WINDOWS\Ad-Ware Pro
C:\Program Files\Ad-Ware Pro
C:\Program Files\E404 Helper
C:\Program Files\xbtwjhjb
C:\Program Files\Vufkdlqd

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F02D978-0FF6-80F7-60BB-0426224AB7B3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]


Collect::
C:\WINDOWS\system32\gxdbewju.exe
C:\WINDOWS\system32\drvfap.dll
C:\WINDOWS\system32\mljjijk.dll
C:\WINDOWS\system32\winzoa32.dll
C:\WINDOWS\system32\mcrh.tmp
C:\Program Files\E404 Helper\e404.v4.dll
C:\Program Files\xbtwjhjb\chxejwjt.dll
C:\Program Files\Vufkdlqd\qifwfknm.dll

Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------

Now try again to install Avira, from an installer file you've downloaded and saved. Please capture any error messages exactly.

If that doesn't work, here are two other free options:


Here are a few very good free Antivirus products which are available:

• Avast!
• AVG

Post the ComboFix log, and a new HijackThis log.

[Eskimio52]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:26 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowhead.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191793207781
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

--
End of file - 2669 bytes

(Sorry if having Mozilla Firefox open was a problem... I'm 3/4s of the way through downloading Avira.)

ComboFix 07-12-02.3 - Owner 2007-12-02 17:21:03.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\bepsvora.dll
C:\Documents and Settings\All Users\Application Data.\jmryxwxe.dll
C:\Documents and Settings\All Users\Application Data.\qpehuxqr.dll
C:\Documents and Settings\All Users\Application Data.\ujozanit.dll
C:\Documents and Settings\All Users\Application Data.\yjipmdkj.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Owner\Application Data\trant.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.tmp
C:\WINDOWS\system32\cymvwqsd.dll
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\runtime2.sy_
C:\WINDOWS\system32\drvfapr.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\hwanpwep.exe
C:\WINDOWS\system32\loccqdtt.ini
C:\WINDOWS\system32\onrribps.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\scoeomlw.exe
C:\WINDOWS\system32\sdwntayg.dll
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\tmjbtyqu.ini
C:\WINDOWS\system32\ttdqccol.dll
C:\WINDOWS\system32\tuvustq.dll
C:\WINDOWS\system32\uqytbjmt.dll
C:\WINDOWS\system32\vgfddwtv
C:\WINDOWS\system32\vgfddwtv\bg1.gif
C:\WINDOWS\system32\vgfddwtv\bgtop.gif
C:\WINDOWS\system32\vgfddwtv\bottom1.gif
C:\WINDOWS\system32\vgfddwtv\essentials.gif
C:\WINDOWS\system32\vgfddwtv\icon1.ico
C:\WINDOWS\system32\vgfddwtv\install1.gif
C:\WINDOWS\system32\vgfddwtv\left1.gif
C:\WINDOWS\system32\vgfddwtv\li.gif
C:\WINDOWS\system32\vgfddwtv\logo.gif
C:\WINDOWS\system32\vgfddwtv\main.htm
C:\WINDOWS\system32\vgfddwtv\mainframe.htm
C:\WINDOWS\system32\vgfddwtv\reinstall1.gif
C:\WINDOWS\system32\vgfddwtv\right1.gif
C:\WINDOWS\system32\vgfddwtv\s1.htm
C:\WINDOWS\system32\vgfddwtv\s2.htm
C:\WINDOWS\system32\vgfddwtv\s3.htm
C:\WINDOWS\system32\vgfddwtv\SMTop1.gif
C:\WINDOWS\system32\vgfddwtv\SMTop2.gif
C:\WINDOWS\system32\vgfddwtv\SMTop3.gif
C:\WINDOWS\system32\vgfddwtv\SMTop4.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_off.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_on.gif
C:\WINDOWS\system32\vgfddwtv\softleft_off.gif
C:\WINDOWS\system32\vgfddwtv\softleft_on.gif
C:\WINDOWS\system32\vgfddwtv\top1.gif
C:\WINDOWS\system32\vgfddwtv\top2.gif
C:\WINDOWS\system32\vgfddwtv\turnoff1.gif
C:\WINDOWS\system32\vgfddwtv\turnon1.gif
C:\WINDOWS\system32\vgfddwtv\vgfddwtv1.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv2.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv3.exe
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\yiewkuvn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\runtime


-------\LEGACY_CTL_W32
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\ctl_w32
-------\runtime




((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-01 14:48 . 2007-12-01 14:48 82,496 --a------ C:\WINDOWS\system32\gxdbewju.exe
2007-12-01 13:39 . 2007-12-01 13:39 <DIR> d-------- C:\Program Files\E404 Helper
2007-12-01 11:33 . 2007-12-01 11:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-11-30 22:19 . 2007-12-01 10:43 <DIR> d-------- C:\Program Files\World of Warcraft
2007-11-30 00:22 . 2007-11-30 00:22 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-11-29 22:22 . 2007-12-02 17:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-29 22:22 . 2007-11-29 22:22 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-29 22:15 . 2007-11-29 22:15 20,480 --a------ C:\WINDOWS\mgrs.doc
2007-11-29 22:15 . 2007-11-29 22:32 45 --a------ C:\TEST.XML
2007-11-29 20:22 . 2007-12-01 00:29 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-29 18:37 . 2007-11-29 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-29 18:03 . 2007-11-29 18:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-25 17:38 . 2007-11-25 17:38 <DIR> d-------- C:\WINDOWS\Ad-Ware Pro
2007-11-25 17:38 . 2007-11-25 17:38 <DIR> d-------- C:\Program Files\Ad-Ware Pro
2007-11-25 16:23 . 2007-11-25 20:57 <DIR> d-------- C:\Program Files\xbtwjhjb
2007-11-25 09:41 . 2007-11-25 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 09:35 . 2007-11-25 16:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 09:35 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-11-25 09:34 . 2007-11-25 09:34 <DIR> d-------- C:\ie-spyad_zo
2007-11-25 00:52 . 2007-11-25 00:52 <DIR> d-------- C:\Program Files\foobar2000
2007-11-25 00:51 . 2007-12-01 14:26 <DIR> d-------- C:\Program Files\Trillian
2007-11-25 00:40 . 2007-11-25 00:40 <DIR> d-------- C:\WINDOWS\system32\backuped
2007-11-25 00:40 . 2007-11-25 00:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\True Sword
2007-11-25 00:33 . 2007-11-25 00:36 <DIR> d-------- C:\Program Files\Winamp
2007-11-25 00:33 . 2007-11-25 00:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2007-11-25 00:02 . 2007-12-01 11:22 <DIR> d-------- C:\Program Files\Xfire
2007-11-25 00:02 . 2007-12-01 11:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-11-24 23:22 . 2007-11-24 23:22 102,912 --a------ C:\WINDOWS\system32\drvfap.dll
2007-11-24 23:22 . 2007-11-24 23:22 34,304 --a------ C:\WINDOWS\system32\mljjijk.dll
2007-11-24 23:22 . 2007-11-24 23:22 20,992 --a------ C:\WINDOWS\system32\winzoa32.dll
2007-11-24 21:53 . 2007-11-24 21:53 <DIR> d-------- C:\WINDOWS\Sun
2007-11-24 21:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-24 21:46 . 2007-11-24 21:49 <DIR> d-------- C:\Program Files\Java
2007-11-24 21:42 . 2007-11-24 21:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-22 15:27 . 2007-11-22 15:27 <DIR> d-------- C:\Program Files\IrfanView
2007-11-22 15:02 . 2007-11-22 15:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-11-22 15:01 . 2007-11-22 15:01 21 --a------ C:\WINDOWS\atid.ini
2007-11-22 14:58 . 2007-11-22 14:58 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-11-22 14:58 . 2007-11-22 15:02 865 --ah----- C:\IPH.PH
2007-11-22 10:12 . 2007-11-22 10:12 <DIR> d-------- C:\Program Files\iPod
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-12 06:25 . 2007-11-12 06:25 1,208,320 --a------ C:\WINDOWS\system32\PTxSCP.ocx
2007-11-12 06:25 . 2007-11-12 06:25 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2007-11-12 06:25 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-11 20:26 . 2007-11-11 20:26 135,168 --a------ C:\WINDOWS\War3Unin.exe
2007-11-11 20:26 . 2007-11-11 20:35 17,627 --a------ C:\WINDOWS\War3Unin.dat
2007-11-11 20:26 . 2007-11-11 20:26 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-11-11 20:23 . 2007-11-22 12:48 <DIR> d-------- C:\Program Files\Warcraft III
2007-11-08 22:01 . 2003-07-20 22:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-11-08 22:01 . 2005-01-04 13:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-11-08 21:47 . 2007-11-08 21:47 <DIR> d-------- C:\Program Files\Acclaim
2007-11-08 18:05 . 2007-11-08 18:05 <DIR> d-------- C:\WINDOWS\system32\SolidStateNetworks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 22:02 --------- d-----w C:\Program Files\StepMania
2007-12-01 15:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-12-01 03:19 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-25 04:05 --------- d-----w C:\Program Files\DivX
2007-11-25 04:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 04:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-24 02:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2007-11-23 12:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-22 15:12 --------- d-----w C:\Program Files\iTunes
2007-11-22 15:10 --------- d-----w C:\Program Files\QuickTime
2007-10-29 03:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2007-10-28 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2007-10-28 18:08 --------- d-----w C:\Program Files\SoundSpectrum
2007-10-14 23:32 --------- d-----w C:\Program Files\Common Files\Apple
2007-10-08 01:04 107 ---ha-w C:\Program Files\Desktop.ini
2007-10-08 00:47 --------- d-----w C:\Program Files\TGTSoft
2007-10-07 22:29 --------- d-----w C:\Program Files\uTorrent
2007-10-07 22:03 --------- d-----w C:\Program Files\Common Files\Real
2007-10-07 22:02 --------- d-----w C:\Program Files\Real
2007-10-07 22:01 --------- d-----w C:\Program Files\Apple Software Update
2007-10-07 21:19 --------- d-----w C:\Program Files\Intel
2007-10-07 21:17 --------- d-----w C:\Program Files\Analog Devices
2007-10-07 21:15 --------- d-----w C:\Program Files\Broadcom
2007-10-07 18:58 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
C:\Program Files\Vufkdlqd\qifwfknm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F02D978-0FF6-80F7-60BB-0426224AB7B3}]
2007-11-25 23:17 110592 --a------ C:\Program Files\xbtwjhjb\chxejwjt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
2007-12-01 13:39 17920 --a------ C:\Program Files\E404 Helper\e404.v4.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []
"AdwareProMFC"="C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe" [2007-11-12 07:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 15:23]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 15:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"RegistryMechanic"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"


.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-02 22:23:27 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-01 14:51:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 17:23:53
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 17:25:11 - machine was rebooted
.
--- E O F ---

[tetonbob]

Hi, you posted the same ComboFix log.

Please post C:\ComboFix.txt

[Eskimio52]

I tried installing Avira again, but it said "(Title) Setup of Avira AntiVir PersonalEdition Classic" "(Text) The CRC sum of C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\basic\setup.exe has been changed! This could be due to a virus!
Do you want to shut down Setup?" And the only choice it gives me is "OK".

I'm going to try installing Avast! instead...

[Eskimio52]

Quote:

Originally Posted by tetonbob

Hi, you posted the same ComboFix log.

Please post C:\ComboFix.txt

My bad! Sorry!

ComboFix 07-12-02.3 - Owner 2007-12-02 20:14:12.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v4.dll
C:\Program Files\xbtwjhjb
C:\Program Files\xbtwjhjb\chxejwjt.dll
C:\Program Files\xbtwjhjb\chxejwjt.doc
C:\WINDOWS\Ad-Ware Pro
C:\WINDOWS\Ad-Ware Pro\uninstall.exe
C:\WINDOWS\system32\drvfap.dll
C:\WINDOWS\system32\gxdbewju.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljjijk.dll
C:\WINDOWS\system32\winzoa32.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-02 19:34 . 2007-12-02 20:12 <DIR> d-------- C:\Program Files\World of Warcraft
2007-12-01 11:33 . 2007-12-01 11:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-11-30 00:22 . 2007-11-30 00:22 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-11-29 22:22 . 2007-12-02 20:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-29 22:22 . 2007-11-29 22:22 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-29 22:15 . 2007-11-29 22:15 20,480 --a------ C:\WINDOWS\mgrs.doc
2007-11-29 22:15 . 2007-11-29 22:32 45 --a------ C:\TEST.XML
2007-11-29 18:37 . 2007-11-29 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-29 18:03 . 2007-11-29 18:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-25 09:41 . 2007-11-25 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 09:35 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-11-25 09:34 . 2007-11-25 09:34 <DIR> d-------- C:\ie-spyad_zo
2007-11-25 00:52 . 2007-11-25 00:52 <DIR> d-------- C:\Program Files\foobar2000
2007-11-25 00:51 . 2007-12-01 14:26 <DIR> d-------- C:\Program Files\Trillian
2007-11-25 00:40 . 2007-11-25 00:40 <DIR> d-------- C:\WINDOWS\system32\backuped
2007-11-25 00:40 . 2007-11-25 00:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\True Sword
2007-11-25 00:33 . 2007-11-25 00:36 <DIR> d-------- C:\Program Files\Winamp
2007-11-25 00:33 . 2007-11-25 00:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2007-11-25 00:02 . 2007-12-01 11:22 <DIR> d-------- C:\Program Files\Xfire
2007-11-25 00:02 . 2007-12-01 11:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-11-24 21:53 . 2007-11-24 21:53 <DIR> d-------- C:\WINDOWS\Sun
2007-11-24 21:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-24 21:46 . 2007-11-24 21:49 <DIR> d-------- C:\Program Files\Java
2007-11-24 21:42 . 2007-11-24 21:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-22 15:27 . 2007-11-22 15:27 <DIR> d-------- C:\Program Files\IrfanView
2007-11-22 15:02 . 2007-11-22 15:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-11-22 15:01 . 2007-11-22 15:01 21 --a------ C:\WINDOWS\atid.ini
2007-11-22 14:58 . 2007-11-22 14:58 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-11-22 14:58 . 2007-11-22 15:02 865 --ah----- C:\IPH.PH
2007-11-22 10:12 . 2007-11-22 10:12 <DIR> d-------- C:\Program Files\iPod
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-12 06:25 . 2007-11-12 06:25 1,208,320 --a------ C:\WINDOWS\system32\PTxSCP.ocx
2007-11-12 06:25 . 2007-11-12 06:25 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2007-11-12 06:25 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-11 20:26 . 2007-11-11 20:26 135,168 --a------ C:\WINDOWS\War3Unin.exe
2007-11-11 20:26 . 2007-11-11 20:35 17,627 --a------ C:\WINDOWS\War3Unin.dat
2007-11-11 20:26 . 2007-11-11 20:26 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-11-11 20:23 . 2007-11-22 12:48 <DIR> d-------- C:\Program Files\Warcraft III
2007-11-08 22:01 . 2003-07-20 22:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-11-08 22:01 . 2005-01-04 13:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-11-08 21:47 . 2007-11-08 21:47 <DIR> d-------- C:\Program Files\Acclaim
2007-11-08 18:05 . 2007-11-08 18:05 <DIR> d-------- C:\WINDOWS\system32\SolidStateNetworks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 00:34 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-02 22:02 --------- d-----w C:\Program Files\StepMania
2007-12-01 15:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-11-25 04:05 --------- d-----w C:\Program Files\DivX
2007-11-25 04:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 04:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-24 02:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2007-11-23 12:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-22 15:12 --------- d-----w C:\Program Files\iTunes
2007-11-22 15:10 --------- d-----w C:\Program Files\QuickTime
2007-10-29 03:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2007-10-28 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2007-10-28 18:08 --------- d-----w C:\Program Files\SoundSpectrum
2007-10-14 23:32 --------- d-----w C:\Program Files\Common Files\Apple
2007-10-08 01:04 107 ---ha-w C:\Program Files\Desktop.ini
2007-10-08 00:47 --------- d-----w C:\Program Files\TGTSoft
2007-10-07 22:29 --------- d-----w C:\Program Files\uTorrent
2007-10-07 22:03 --------- d-----w C:\Program Files\Common Files\Real
2007-10-07 22:02 --------- d-----w C:\Program Files\Real
2007-10-07 22:01 --------- d-----w C:\Program Files\Apple Software Update
2007-10-07 21:19 --------- d-----w C:\Program Files\Intel
2007-10-07 21:17 --------- d-----w C:\Program Files\Analog Devices
2007-10-07 21:15 --------- d-----w C:\Program Files\Broadcom
2007-10-07 18:58 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2007-12-02_17.24.27.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-02 22:23:18 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-03 01:16:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-02 22:23:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-03 01:16:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-02 22:23:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-03 01:16:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []
"AdwareProMFC"="C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 15:23]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-07-16 15:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"


.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-03 01:16:28 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-01 14:51:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 20:16:55
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-02 20:18:02 - machine was rebooted
.
--- E O F ---

[tetonbob]

Eskimo52 -

Instead, please do this:

Please run this online scan.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

[Eskimio52]

There were too many characters in the file, so I had to attach it.
Most of the items were skipped though.

((By the way, since Avira isn't working, I should install Avast! or AVG?))

[tetonbob]

Your attachment didn't work. Please try again.

Or. upload the file here:

http://www.bleepingcomputer.com/subm...php?channel=28

[Eskimio52]

Oops. Lemme try again...

[tetonbob]

Ok, it's as bad as I thought from the zip file you uploaded earlier, and why you can't install an AntiVirus program.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Use the following to help protect you on your clean install.

To help protect your computer in the future I recommend that you follow these steps and use the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
  IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Here are a few very good free Antivirus products which are available:
  • Avira PersonalEdition Classic
  • Avast!
  • AVG
  Select one of these, or another of your choice.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• FIREWALL
  If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here
  
  Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[Eskimio52]

So you're saying I should reformat my hard drive?

[tetonbob]

Yes. There really is no good way to repair the OS with this infection.

If you have a Windows installation CD, use that.

If you have a manufacturer's restore disk, or restore partition, use Destructive Restore, as opposed to Non-Destructive Restore, if there is that option.