Csrs.exe

Lyceum · Dec 5, 2006

Logfile of HijackThis v1.99.1
Scan saved at 4:05:11 PM, on 12/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\winje.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\PCPitstop\Optimize\Reminder.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\mouse.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\csrs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\MsiExec.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\qpenc.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winje.exe] C:\WINDOWS\system32\winje.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [SpyHunter] ????

O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\znfeguiq.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

My firewall Zonealarm says that Csrs.exe is trying to access the internet.

fredmh · Dec 6, 2006

Hello lyceum, and welcome to TSF.

One of the infections you have, a variant of vundo, recognizes HijackThis and prevents HJT from reading the registry locations where it resides as well as
hiding other infections in those locations.

I'd like you to rename HijackThis.exe to lyceum.exe.

Navigate to C:\HJT\HijackThis.exe
Right click on HijackThis.exe
Select 'Rename'
Type in lyceum.exe
[*]Press Enter.

Please run a scan with the newly renamed lyceum.exe and post the new log here.

In the meantime, I will be reviewing this log for the infections which are showing.
Please do not allow internet access to any program which is unknown to you.

Lyceum · Dec 6, 2006

Logfile of HijackThis v1.99.1
Scan saved at 10:36:46 PM, on 12/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\WINDOWS\system32\winje.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\PCPitstop\Optimize\Reminder.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\mouse.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\csrs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\MsiExec.exe
C:\HJT\Lyceum.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\qpenc.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\fcyvv.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C1C8345-95F6-45F9-9645-613CF34F129F} - C:\WINDOWS\arssm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\ljhfc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winje.exe] C:\WINDOWS\system32\winje.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [SpyHunter] ????

O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\znfeguiq.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: arssm - C:\WINDOWS\arssm.dll
O20 - Winlogon Notify: fcyvv - C:\WINDOWS\SYSTEM32\fcyvv.dll
O20 - Winlogon Notify: ljhfc - C:\WINDOWS\SYSTEM32\ljhfc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

fredmh · Dec 6, 2006

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

Your system is seriously infected with multiple types of infection and other items which will comprise the security of your PC and
affect is performance. The fix may take several passes to complete. I realize this portion is long and uses several different tools, but they are
necessary due to the different infections present. Please stick with me on this.

----------------------------------------

DOWNLOADS

CLEANUP! version 4.52 – TEMP FILE CLEANING

Please download Cleanup! and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

AVG Anti-Spyware 7.5

Please download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

Install AVG Anti-Spyware 7.5.
Double-click the icon on Desktop to launch AVG A-S 7.5
On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
I also recommend changing the "Update interval" to something more reasonable like 12 hours.

SDFix

Download SDFix and save it to your desktop.

ABOUT BUSTER

Download AboutBuster and uncompress the files to a folder on your the Desktop.
Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Brute Force Uninstaller

Please download Brute Force Uninstaller to your desktop.

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE
and choose "Save As" (in IE it's "Save Target As") in order to download Media Gateway Remover.

Save it in the same folder you made earlier (c:BFU).

Do not do anything with these yet

CWSHREDDER

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree.
Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file,
choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

ComboFix

1. Download this file - You MUST save it to your desktop

COMBOFIX

2. 2. Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v fcyvv ljhfc

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SpywareStormer
SpyHunter<<<These programs are rogueware and we highly recommend that you uninstall them. Rogue or Suspect means that these products
are of unknown,questionable, or dubious value as anti-spyware protection. See THIS SITE for more information[/color][/b]

Download Accelerator - DAP>>>You are using Download Accelerator - DAP Be informed that it delivers popup/popunder ads,

and tracks your internet usage. You can find safer alternatives here: spywareinfo

----------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\qpenc.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4C1C8345-95F6-45F9-9645-613CF34F129F} - C:\WINDOWS\arssm.dll
O4 - HKLM\..\Run: [winje.exe] C:\WINDOWS\system32\winje.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [SpyHunter] ????
O4 - HKLM\..\Run: [mouse] SpyHunter
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\znfeguiq.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: arssm - C:\WINDOWS\arssm.dll

Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\qpenc.dll
C:\WINDOWS\arssm.dll

C:\WINDOWS\system32\winje.exe
C:\WINDOWS\System32\vmdriver.exe

C:\WINDOWS\SYSTEM\blank.htm

C:\Program Files\Internet Explorer\znfeguiq.exe

C:\Program Files\Windows AdTools
C:\Program Files\Spyware Stormer
C:\Program Files\TBONBin

SpyHunter>>>Should be in c:\Program Files

mouse.exe>>>Find via Start>>Search

----------------------------------------

ABOUT BUSTER

Run AboutBuster 6.0 and select "Begin Removal". Make sure you click "Yes" to every message box that appears.
Restart your computer (IN SAFE MODE) and run AboutBuster one final time. Locate 'Ab LogFile.txt'
(... in the same folder as AboutBuster) and post it in your next reply.

----------------------------------------

SDFix

Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file
Report.txt back onto the forum with a new HijackThis log

----------------------------------------

RUNNING SCANNERS

Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.

AVG Anti-Spyware 7.5

Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
This scan can take quite a while to run, so be prepared.
Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine (1),
If not click Recommended Action and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.

Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

Brute Force Uninstaller

Please go to Start > My Computer and navigate to the C:BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Beside the scriptline to execute field click the folder icon

and select MediaGateway.BFU by double clicking on it.
Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on

located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on

then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
----------------------------------------

FOLLOW-UP

Please return and post these items:

c:\combofix.txt
AB LogFile.txt from AboutBuster
Report.txt from SDFix
AVG A/S
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

Lyceum · Dec 6, 2006

Do I download the programs first and use them before I fix checked on HijJackThis?

fredmh · Dec 6, 2006

Use this link:

ABOUT BUSTER

Download About Buster 6.0 and unzip it to your desktop.

Some of them are downloaded first and used later. some are used at downloading.

Lyceum · Dec 7, 2006

About Buster log did notappear because I did not extract files to folder.

ComboFix 06-12-01W-BetaE - Running from: "C:\Documents and Settings\Computer\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\csrss.exe
C:\WINDOWS\hosts
C:\WINDOWS\secure32.html
C:\WINDOWS\start.exe

((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))

2006-12-05 22:28 <DIR> d--hs---- C:\FOUND.000
2006-12-05 15:56 1,485,387 ---hs---- C:\WINDOWS\mssra.ini2
2006-12-05 15:49 <DIR> d-------- C:\HJT
2006-12-02 22:52 <DIR> d-------- C:\Pro
2006-12-01 14:31 <DIR> d-------- C:\Program Files\JAM Software
2006-11-30 15:48 86,188 --ahs---- C:\WINDOWS\SYSTEM32\vmdriver.exe
2006-11-30 15:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2006-11-30 15:45 <DIR> d-------- C:\Program Files\WinRAR
2006-11-29 22:20 4,239,360 --a------ C:\WINDOWS\SYSTEM32\qtp-mt334.dll
2006-11-29 22:20 30,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hotcore2.sys
2006-11-29 22:20 <DIR> d-------- C:\Program Files\Paragon Software
2006-11-29 21:36 126,996 --a------ C:\WINDOWS\SYSTEM32\vqjbgwok.dll
2006-11-29 14:55 8,192 --a------ C:\WINDOWS\SYSTEM32\wnaspi32.dll
2006-11-29 00:55 88,340 --a------ C:\WINDOWS\SYSTEM32\vrkhtsgt.exe
2006-11-29 00:55 42,516 --a------ C:\WINDOWS\SYSTEM32\okeqoflv.dll
2006-11-23 22:34 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\MSNInstaller
2006-11-23 21:42 <DIR> d-------- C:\Program Files\XP Codec Pack
2006-11-23 20:27 38,420 --a------ C:\WINDOWS\SYSTEM32\xvmhkehk.dll
2006-11-23 20:26 110,612 --a------ C:\WINDOWS\SYSTEM32\uprxuext.exe
2006-11-21 05:55 110,612 --a------ C:\WINDOWS\SYSTEM32\ndwsktxt.exe
2006-11-21 05:54 1,482,066 ---hs---- C:\WINDOWS\mssra.bak2
2006-11-20 21:26 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\DivX
2006-11-20 20:51 692,244 ---hs---- C:\WINDOWS\arssm.dll
2006-11-17 04:33 126,996 --a------ C:\WINDOWS\SYSTEM32\jaksaemk.dll
2006-11-17 04:32 110,612 --a------ C:\WINDOWS\SYSTEM32\qfeeluoc.exe
2006-11-12 16:09 110,612 --a------ C:\WINDOWS\SYSTEM32\txouqbny.exe
2006-11-12 14:18 <DIR> d-------- C:\Storage
2006-11-07 19:58 60,436 --a------ C:\WINDOWS\SYSTEM32\pbcmykum.dll
2006-11-07 19:57 110,612 --a------ C:\WINDOWS\SYSTEM32\nikdbavj.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-02 09:10 80912 --a------ C:\WINDOWS\SYSTEM32\sherlock2.exe
2006-10-28 11:10 16384 --a------ C:\WINDOWS\SYSTEM32\ac3config.exe
2006-10-26 20:03 69652 --a------ C:\WINDOWS\SYSTEM32\xorkjrpi.exe
2006-10-26 20:02 98324 --a------ C:\WINDOWS\SYSTEM32\oaosbkcu.dll
2006-10-02 12:04 806912 --a------ C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2006-10-02 12:04 806912 --a------ C:\WINDOWS\SYSTEM32\divx_xx07.dll
2006-10-02 12:04 790528 --a------ C:\WINDOWS\SYSTEM32\divx_xx11.dll
2006-10-02 12:04 635486 --a------ C:\WINDOWS\SYSTEM32\DivX.dll
2006-09-19 04:14 86068 --a------ C:\WINDOWS\SYSTEM32\xpwyynus.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="131A6951-7F78-11D0-A979-00C04FD705A2"
"SubscribedURL"="131A6951-7F78-11D0-A979-00C04FD705A2"
"FriendlyName"="Internet Explorer Channel Bar"
"Flags"=dword:00000003
"Position"=hex:2c,00,00,00,d8,01,00,00,0f,00,00,00,54,00,00,00,aa,01,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,d8,01,00,00,0f,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,d8,01,00,00,0f,00,00,00,54,00,00,00,aa,01,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""
"{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BurnQuick Queue]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BQTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\BurnQuick\\BQTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Server Runtime Process]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="csrs"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\csrs.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaGateway"
"hkey"="HKLM"
"command"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mouse]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mouse"
"hkey"="HKLM"
"command"="mouse.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="????
"
"hkey"="HKLM"
"command"="????
"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UsrPrmpt"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061206-131954-491
O20 - Winlogon Notify: arssm - C:\WINDOWS\arssm.dll
backup-20061206-131954-836
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\znfeguiq.exe
backup-20061206-131953-762
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
backup-20061206-131954-699
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
backup-20061206-131953-309
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20061206-131953-132
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20061206-131953-399
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
backup-20061206-131953-598
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20061206-131953-266
R3 - Default URLSearchHook is missing
backup-20061206-131953-260
O2 - BHO: (no name) - {7B4EDF51-5D0B-42DF-BE28-C19A22947A00} - C:\WINDOWS\arssm.dll
backup-20061206-131953-906
O4 - HKLM\..\Run: [winje.exe] C:\WINDOWS\system32\winje.exe
backup-20061206-131953-643
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
backup-20061206-131953-495
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20061206-131953-596
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
backup-20061206-131953-838
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
backup-20061206-131953-113
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
backup-20061206-131953-756
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
backup-20061206-131953-685
O4 - HKLM\..\RunServices: [mouse] mouse.exe
backup-20061206-131953-414
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
backup-20061206-131953-493
O4 - HKCU\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
backup-20061206-131953-991
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
backup-20061206-131953-100
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
backup-20061206-131953-117
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
backup-20061206-131953-166
O4 - HKLM\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
backup-20061206-131953-202
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\qpenc.dll/index.html#27859

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job

Completion time: 06-12-06 14:59:49.20

I have to set up internet to get the other programs on the infected computer.

fredmh · Dec 7, 2006

Take your time. I'll review these logs while waiting for the others.

Lyceum · Dec 8, 2006

BFU v1.00.9
Windows XP (WinNT 5.01.2600 )
Script started at 12:49:28 PM, on 12/7/2006

Option Delete files to Recycle Bin: Yes
Failed: DllUnregister C:\Program Files\zango\zangohook.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll|1 (file not found)
Failed: DllUnregister \MedAccX.dll|1 (file not found)
Failed: DllUnregister \ZbHostIE.dll|1 (file not found)
Failed: FolderDelete C:\Documents and Settings\Computer\Start Menu\Programs\Zango (folder not found)
Failed: FolderDelete C:\Documents and Settings\Computer\Start Menu\Programs\Zango Games (folder not found)
Failed: FolderDelete C:\Program Files\MediaGateway (folder not found)
Failed: FolderDelete C:\Program Files\Zango Programs (folder not found)
Failed: FolderDelete C:\Program Files\Zango (folder not found)
Failed: FolderDelete C:\Program Files\ZangoClient (folder not found)
Failed: FolderDelete C:\Program Files\Zango Applications (folder not found)
Failed: FolderDelete C:\Program Files\Zango Games (folder not found)
Failed: FolderDelete C:\Program Files\ZangoToolbar (folder not found)
Failed: FolderDelete C:\Program Files\180SearchAssistant (folder not found)
Failed: FolderDelete C:\Program Files\Media Access (folder not found)
Failed: FolderDelete C:\Program Files\Media Pass (folder not found)
Failed: FileDelete C:\DOCUME~1\Computer\LOCALS~1\Temp\ZLT0756e.TMP (operation failed)
Failed: FileDelete C:\DOCUME~1\Computer\LOCALS~1\Temp\Perflib_Perfdata_6e4.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\Computer\LOCALS~1\Temp\~DF98A1.tmp (operation failed)
Script completed.

Sophos Anti-Virus
Version 4.12.0 [Win32/Intel]
Virus data version 4.12, December 2006
Includes detection for 202200 viruses, trojans and worms
Copyright (c) 1989-2006 Sophos Plc, www.sophos.com

System time 11:30:44, System date 07 December 2006
Command line qualifiers are: -f -remove -nc -nb --stop-scan

IDE directory is: C:\Documents and Settings\Computer\Desktop\SDFix\IDE

Using IDE file strat-bo.ide
Using IDE file dref-o.ide
Using IDE file legmi-yy.ide
Using IDE file rbot-fuo.ide
Using IDE file tileb-fy.ide
Using IDE file bckd-pnp.ide
Using IDE file agnt-dgy.ide
Using IDE file tibs-pf.ide
Using IDE file stex-a.ide
Using IDE file bancb-oj.ide
Using IDE file rbot-fus.ide
Using IDE file looke-ar.ide
Using IDE file line-aeh.ide
Using IDE file pitcom-c.ide
Using IDE file levona-b.ide
Using IDE file ds061113.ide
Using IDE file dropp-ma.ide
Using IDE file pardon-a.ide
Using IDE file sniffe-m.ide
Using IDE file tileb-hx.ide
Using IDE file delspy-e.ide
Using IDE file banc-api.ide
Using IDE file psyme-dd.ide
Using IDE file clagg-aj.ide
Using IDE file ldpin-op.ide
Using IDE file proxy-eu.ide
Using IDE file winspy-l.ide
Using IDE file ds061115.ide
Using IDE file mona-b.ide
Using IDE file banl-aqv.ide
Using IDE file ds061116.ide
Using IDE file qqpa-akl.ide
Using IDE file ntroo-av.ide
Using IDE file batkil-a.ide
Using IDE file zlob-nw.ide
Using IDE file tileb-hn.ide
Using IDE file backdr-c.ide
Using IDE file dwnl-fvg.ide
Using IDE file silly-e.ide
Using IDE file rungbu-c.ide
Using IDE file looke-av.ide
Using IDE file rbot-fwl.ide
Using IDE file nebul-m.ide
Using IDE file rbot-fwm.ide
Using IDE file strd-gen.ide
Using IDE file strat-bq.ide
Using IDE file vb-crj.ide
Using IDE file clagg-ak.ide
Using IDE file look-ax.ide
Using IDE file vixup-bz.ide
Using IDE file qqro-aba.ide
Using IDE file pardon-b.ide
Using IDE file looke-a.ide
Using IDE file looke-ay.ide
Using IDE file dloadaqk.ide
Using IDE file line-aeg.ide
Using IDE file medbot-b.ide
Using IDE file looke-aq.ide
Using IDE file bronto-m.ide
Using IDE file dloa-apl.ide
Using IDE file zlobat.ide
Using IDE file strat-ak.ide
Using IDE file adloa-kb.ide
Using IDE file clagg-al.ide
Using IDE file dload-yt.ide
Using IDE file clagg-am.ide
Using IDE file sdbo-cuj.ide
Using IDE file looke-az.ide
Using IDE file line-aeo.ide
Using IDE file wow-aj.ide
Using IDE file dnsbus-n.ide
Using IDE file nebule-n.ide
Using IDE file rbot-fwy.ide
Using IDE file zlob-wp.ide
Using IDE file strat-bv.ide
Using IDE file ds061127.ide
Using IDE file codeba-u.ide
Using IDE file zlob-wq.ide
Using IDE file feebszip.ide
Using IDE file dloa-akq.ide
Using IDE file ds061128.ide
Using IDE file agen-dsf.ide
Using IDE file dloa-aqn.ide
Using IDE file strat-cd.ide
Using IDE file clagg-an.ide
Using IDE file mytob-if.ide
Using IDE file look-ba.ide
Using IDE file spake-a.ide
Using IDE file zlob-wt.ide
Using IDE file rjump-h.ide
Using IDE file sohana-b.ide
Using IDE file newurg-a.ide
Using IDE file star-bda.ide
Using IDE file paprox-d.ide
Using IDE file dref-q.ide
Using IDE file dloa-aqs.ide
Using IDE file ds061130.ide
Using IDE file bckd-pqp.ide
Using IDE file bagle-qs.ide
Using IDE file strat-cf.ide
Using IDE file looke-bb.ide
Using IDE file nesht-a.ide
Using IDE file baglezip.ide
Using IDE file bagle-qt.ide
Using IDE file poebo-jd.ide
Using IDE file qqro-abd.ide
Using IDE file pardon-c.ide
Using IDE file banc-axx.ide
Using IDE file line-afb.ide
Using IDE file strat-aj.ide
Using IDE file looke-bc.ide
Using IDE file rjump-g.ide
Using IDE file vanity-a.ide
Using IDE file wow-im.ide
Using IDE file ds061204.ide
Using IDE file strat-cg.ide
Using IDE file rbot-fvz.ide
Using IDE file bombka-p.ide
Using IDE file banc-avs.ide
Using IDE file qqhelp-p.ide
Using IDE file strat-ch.ide
Using IDE file ds061205.ide
Using IDE file strat-ci.ide
Using IDE file strat-al.ide
Using IDE file kidala-i.ide
Using IDE file strd-fam.ide
Using IDE file remadm-p.ide
Using IDE file dloa-arb.ide
Using IDE file vb-cuz.ide
Using IDE file lowzo-ds.ide
Using IDE file dloadrwz.ide
Using IDE file murlo-q.ide
Using IDE file limpne-a.ide
Using IDE file dloa-are.ide

Full Scanning

>>> Virus 'Mal/Packer' found in file C:\WINDOWS\SYSTEM32\xvmhkehk.dll
Removal successful
Password protected file C:\Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf

1 boot sector swept.
10121 files swept in 21 minutes and 32 seconds.
1 error was encountered.
1 virus was discovered.
1 file out of 10121 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email [email protected]
or telephone +44 1235 559933
1 encrypted file was not checked.
Ending Sophos Anti-Virus.

Activescan:

Spyware:Spyware/Virtumonde Not disinfected C:\HJT\BACKUPS\backup-20061206-131953-260.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\TTORAHLM.DLL
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\SYSTEM32\JXJVNKKY.DLL
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\OAOSBKCU.DLL
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\PBCMYKUM.DLL
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\TXOUQBNY.EXE
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\SYSTEM32\P2P Networking v126.cpl
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\NDWSKTXT.EXE
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\XORKJRPI.EXE
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\NIKDBAVJ.EXE
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\UPRXUEXT.EXE
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\QFEELUOC.EXE
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\JAKSAEMK.DLL
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\SYSTEM32\OKEQOFLV.DLL
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\VRKHTSGT.EXE
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\VQJBGWOK.DLL
Dialer:dialer.b Not disinfected C:\WINDOWS\tmlpcert2005
Adware:adware/webattaker Not disinfected C:\WINDOWS\UNIQ
Adware:adware/secure32 Not disinfected C:\WINDOWS\COUNTRY.EXE
Potentially unwanted tool:application/bestoffer Not disinfected C:\WINDOWS\SMDAT32M.SYS
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\ARSSM.DLL
Dialer

ialer.B Not disinfected C:\WINDOWS\Downloaded Program Files\IA.INF
Adware:Adware/WinAD Not disinfected C:\918.EXE[lc.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\918.EXE[raser.exe]
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat[Documents and Settings/Computer/Cookies/[email protected][3].txt]
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\webp2pinstaller.dll.dat[WINDOWS/Downloaded Program Files/WebP2PInstaller.dll]
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/OfferOptimizer Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat[Documents and Settings/Computer/Cookies/[email protected][3].txt]
Spyware:Cookie/Azjmp Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/OfferOptimizer Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/AdDynamix Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat[Documents and Settings/Computer/Cookies/[email protected][3].txt]
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat[Documents and Settings/Computer/Cookies/[email protected][3].txt]
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Adware:Adware/Dyfuca Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\nem220[1].dll.dat[Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/2TO7YD2H/nem220[1].dll]
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/Computer/Cookies/[email protected][1].txt]
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/Computer/Cookies/[email protected][2].txt]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Computer\My Documents\SDFix.zip[SDFix/apps/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:58:15 AM 12/7/2006

+ Scan result:

HKLM\SOFTWARE\Classes\SigningModule.SigningModule -> Adware.Altnet : Ignored.
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1 -> Adware.Altnet : Ignored.
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CLSID -> Adware.Altnet : Ignored.
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CurVer -> Adware.Altnet : Ignored.
C:\WINDOWS\SYSTEM32\vxwfpwgd.dll -> Adware.BHO : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{23E29B01-78ED-B227-C0D9-7F01F2621B9A} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{3C21EAED-F454-E176-15F0-6596002902B8} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{42B625C4-F206-ADFA-4FA4-AC97FDC73591} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{61675AEA-0AAC-FB29-2A8B-E712314B4A52} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{658FA8D3-31A4-2B28-01F7-6BA9B4C9F68F} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{759118BB-AC07-5964-50D8-10B5ADE220AB} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{8F534F76-94D1-789D-5A3D-063BABD3B7B6} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{910D4451-D597-05F5-D318-00556258E9E2} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{95BB3438-0B60-B4FB-A68F-174D498229E8} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{A037137B-6D52-E750-DE3A-846C338DBEF9} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{B264BD6E-DBFC-36A5-E38B-227DFE3A044B} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{CBD77B3F-8090-DD29-E058-34289DE3949A} -> Adware.CoolWebSearch : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{DC0E40FD-D633-7594-A016-624F4172C934} -> Adware.CoolWebSearch : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\webp2pinstaller.dll.dat/WINDOWS/Downloaded Program Files/WebP2PInstaller.dll -> Adware.PeerNet : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Ignored.
HKU\S-1-5-21-1004336348-706699826-1343024091-1006\Software\RX Toolbar -> Adware.RXToolbar : Ignored.
C:\WINDOWS\SYSTEM32\awtuv.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\byvsq.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\byxxu.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\byxyx.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\efeca.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\gebbc.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\geeff.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\hgdcy.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\hggfe.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\jkhef.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\jkkjk.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\khhef.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\ljhfc.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\ljhig.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\ljjjj.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\mllig.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\mlljg.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\mllki.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\opnkk.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\opnlk.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\oppqq.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\rqrop.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\rqrqp.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\ssqno.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\wvuuv.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\wvwvv.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\xxwtu.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\xxyab.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\SYSTEM32\yabxu.dll -> Adware.Virtumonde : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} -> Adware.Virtumonde : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} -> Adware.Virtumonde : Ignored.
[1436] C:\WINDOWS\System32\fcyvv.dll -> Adware.Virtumonde : Ignored.
[380] C:\WINDOWS\system32\fcyvv.dll -> Adware.Virtumonde : Ignored.
C:\98.exe -> Adware.WinAD : Ignored.
C:\WINDOWS\SYSTEM32\vmdriver.exe -> Backdoor.Delf.atg : Ignored.
C:\WINDOWS\SYSTEM32\csrs.exe -> Backdoor.IRCBot.fv : Ignored.
C:\WINDOWS\SYSTEM32\TFTP3124 -> Backdoor.SdBot.abk : Ignored.
C:\WINDOWS\SYSTEM32\TFTP464 -> Backdoor.SdBot.abk : Ignored.
C:\WINDOWS\SYSTEM32\mouse.exe -> Backdoor.SdBot.abk : Ignored.
C:\WINDOWS\pojmz.exe -> Downloader.Agent.bc : Ignored.
C:\WINDOWS\SYSTEM32\addbd32.dll -> Downloader.Agent.bq : Ignored.
C:\WINDOWS\SYSTEM32\ipee.dll -> Downloader.Agent.bq : Ignored.
C:\WINDOWS\SYSTEM32\winje.exe -> Downloader.Agent.bq : Ignored.
C:\WINDOWS\d3jc.dll -> Downloader.Agent.bq : Ignored.
C:\WINDOWS\trqccg.dat -> Downloader.Agent.bq : Ignored.
C:\WINDOWS\uqwssc.dat -> Downloader.Agent.bq : Ignored.
C:\WINDOWS\uxwfjf.dat -> Downloader.Agent.bq : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -> Downloader.ConHook.l : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -> Downloader.ConHook.l : Ignored.
C:\WINDOWS\SYSTEM32\byxuu.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\ddaya.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\efcax.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\efeee.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\fcyvv.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\fcyxx.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\hgdaw.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\jkheb.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\khhgf.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\ljhhf.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\mllll.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\nnnkk.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\nnnli.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\opnom.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\qoppm.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\rqonk.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\rqrqo.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\tuspn.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\tusqr.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\urqnm.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\vtstu.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\xxwts.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\yabca.dll -> Downloader.ConHook.r : Ignored.
C:\WINDOWS\SYSTEM32\yayax.dll -> Downloader.ConHook.r : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\nem220[1].dll.dat/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/2TO7YD2H/nem220[1].dll -> Downloader.Dyfuca : Ignored.
C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.2o7 : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.2o7 : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Addynamix : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Admarketplace : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Adserver : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Bluestreak : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Burstnet : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Burstnet : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Burstnet : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Casalemedia : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Falkag : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat/Documents and Settings/Computer/Cookies/[email protected][3].txt -> TrackingCookie.Falkag : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Falkag : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Questionmarket : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat/Documents and Settings/Computer/Cookies/[email protected][3].txt -> TrackingCookie.Questionmarket : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Ru4 : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat/Documents and Settings/Computer/Cookies/[email protected][3].txt -> TrackingCookie.Ru4 : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Trafficmp : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][3].txt.dat/Documents and Settings/Computer/Cookies/[email protected][3].txt -> TrackingCookie.Trafficmp : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Tribalfusion : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Tribalfusion : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/Computer/Cookies/[email protected][1].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/Computer/Cookies/[email protected][2].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\WINDOWS\SYSTEM32\xpwyynus.dll -> Trojan.BHO.g : Ignored.

::Report end

fredmh · Dec 8, 2006

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

I am going to need you to re-run AVG A/S. You did not set the program for QUARANTINE. Please follow the instructions in the diagram.
Also, I need a new HJT log so I can see what is on your system

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

AVG Anti-Spyware 7.5

Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
This scan can take quite a while to run, so be prepared.
Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine (1),
If not click Recommended Action and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.

Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

ON-LINE SCANS

Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
    [*]Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

AVG A/S
Kaspersky scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

Lyceum · Dec 8, 2006

Do I load all the items in startup before I use HJT?

fredmh · Dec 8, 2006

Absolutely. Do not configure your system for selective start up which tends to hide items from HJT.

Lyceum · Dec 10, 2006

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 09, 2006 8:54:40 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/12/2006
Kaspersky Anti-Virus database records: 239492
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 27805
Number of viruses found: 9
Number of infected objects: 13 / 0
Number of suspicious objects: 2
Duration of the scan process: 00:41:10

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wfqydymu.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\jxjvnkky.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\SYSTEM32\oaosbkcu.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\ModemLog_Lucent Win Modem.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\UNKNOWN.ldb Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\918.exe/data0003/EXE-file Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\918.exe/data0003 Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\918.exe NSIS: infected - 2 skipped
C:\Program Files\MSN\MsnInstaller\install.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\calendar.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\mibas.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\miadv.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\printing.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\qos.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\market.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\market32.mar Object is locked skipped
C:\Program Files\MSN\MSNCoreFiles\themedef32.mar Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\44D926C5.exe Infected: Trojan-Spy.Win32.Qukart.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\44E978B3.dll Infected: Trojan-Downloader.Win32.Wintrim.w skipped
C:\Program Files\Norton AntiVirus\Quarantine\44EC22AF.exe Infected: Trojan-Spy.Win32.Qukart.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\44F04CAC.exe Infected: Trojan.Win32.StartPage.it skipped
C:\Program Files\Norton AntiVirus\Quarantine\44F376A8.exe Infected: Net-Worm.Win32.Welchia.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\44F620A4.exe Infected: Net-Worm.Win32.Welchia.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B4124EA.dll Infected: Backdoor.Win32.Padodor.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/asmend.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\Computer\ntuser.dat Object is locked skipped
C:\Documents and Settings\Computer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Temp\fdr1704.fdr Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Temp\ZLT02487.TMP Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\MSN\db30\sallydoan11-msn-com.sdf Object is locked skipped
C:\Documents and Settings\Computer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Computer\Application Data\Microsoft\MSNIA\Journal.Dat Object is locked skipped

Scan process completed.

fredmh · Dec 10, 2006

Good. I'll wait for the AVG and HJT logs.

Lyceum · Dec 10, 2006

AVG says nothing reported, ill do HJT now.

Lyceum · Dec 11, 2006

Logfile of HijackThis v1.99.1
Scan saved at 4:23:14 PM, on 10/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\HJT\Lyceum.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\jxjvnkky.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A55BAC0-8F3F-4C66-906D-FA8FEE112D4A} - C:\WINDOWS\arssm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpyHunter] ????

O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: arssm - C:\WINDOWS\arssm.dll
O20 - Winlogon Notify: fcyvv - fcyvv.dll (file missing)
O20 - Winlogon Notify: ljhfc - ljhfc.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

fredmh · Dec 11, 2006

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

We're getting there, but we have some junk that wants to go out kicking and screaming

----------------------------------------

DOWNLOADS

KILLBOX

Download KillBox (it's important that you get version v2.0.0.175)
Do not run it yet.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\jxjvnkky.dll
O2 - BHO: (no name) - {7A55BAC0-8F3F-4C66-906D-FA8FEE112D4A} - C:\WINDOWS\arssm.dll
O4 - HKLM\..\Run: [SpyHunter] ????
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O20 - Winlogon Notify: arssm - C:\WINDOWS\arssm.dll
O20 - Winlogon Notify: fcyvv - fcyvv.dll (file missing)
O20 - Winlogon Notify: ljhfc - ljhfc.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\P2P Networking
C:\Program Files\Media Gateway

mouse.exe>>>Find via Start>>Search
fcyvv.dll>>>Find via Start>>Search
ljhfc.dll>>>Find via Start>>Search

----------------------------------------

KILLBOX

Launch KillBox.exe & select the following options:

Delete on Reboot
All files (if available)

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\wfqydymu.dll
C:\WINDOWS\SYSTEM32\jxjvnkky.dll
C:\WINDOWS\SYSTEM32\oaosbkcu.dll
C:\918.exe
C:\WINDOWS\arssm.dll
C:\WINDOWS\System32\mouse.exe

In Killbox, go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File

Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click NO at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid."
when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on

located at the bottom of the page.

A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *

Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on

then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

ComboFix

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:\combofix.txt
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

========================================================

IMPORTANT!: NO WINDOWS SERVICE PACKS

Before we can proceed any further, please visit the Microsoft's Windows Update Page
and install ALL Critical Updates for your system (except service pack 2) (SP2).
SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6.

Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system.
After we have completed your clean-up, we will have you return to the Windows Update page and install SP2.
We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done.

If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP.
Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1
we must stop the cleansing process here.

**Note** If you're having trouble locating the service pack SP1a here is a direct link to download it from..

http://download.microsoft.com/download/5/4/f/54f8bcf8-bb4d-4613-8ee7-db69d01735ed/xpsp1a_en_x86.exe

Lyceum · Dec 11, 2006

Killbox link is broken.

I think I should download sp1 first before I continue.

fredmh · Dec 11, 2006

Use this link

KILLBOX]

Lyceum · Dec 14, 2006

It says Product Key was invalid for Windows. It says I have to email microsoft to get product key.

Csrs.exe

Top Contributors this Month