• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1265
  • Last Modified:

Facebook link infected my system

Son clicked on a Facebook link on AIM. The computer is infected with Downloader, spyot32, and Vundo. I have all the tools to remove it, i.e. HijackThis, ComboFix, ATF Cleaner, etc. I need someone to look at my HijackThis log and give the sequence in which to run the programs.

0
wildbill327
Asked:
wildbill327
1 Solution
 
wildbill327 (Author) commented:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:10 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system\mgrsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\mljgdca.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153129484593
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: awtsppq - C:\WINDOWS\SYSTEM32\awtsppq.dll
O20 - Winlogon Notify: mljgdca - C:\WINDOWS\SYSTEM32\mljgdca.dll
O20 - Winlogon Notify: nnnmmji - C:\WINDOWS\SYSTEM32\nnnmmji.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8644 bytes
0
 
r-k commented:
The free version of SuperAntiSpyware should be able to clean these pests. In any case, post another HJT log after cleaning with SuperAntiSpyware:

 http://www.superantispyware.com/
0
 
SheharyaarSaahil commented:
>> I need someone to look at my hijackthis log and give the sequence to run the programs

That's a Vundo infection, so get SAS as r-k suggested above, install it and update it.
Then boot into Safe Mode and run SAS first.
After that, run VundoFix.
Then run CCleaner to clean temp files.
Reboot normally and post a fresh log file.
0

 
wildbill327 (Author) commented:
OK, I ran SAS in Safe Mode after I updated it. I ran VundoFix (no problem found), ran CCleaner, and also ran ComboFix. I'm still getting a W32.Spybot.worm alert from Symantec for the file mgrsvc.exe. Here are the HJT and ComboFix logs.


***Combofix and Hijackthis logs removed by rpggamergirl, Zone Advisor***
0
 
SheharyaarSaahil commented:
Fix this entry in HJT:
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe

Then boot into Safe Mode and delete the following file:
C:\WINDOWS\system\mgrsvc.exe

That should get rid of the virus alert.
0
 
rpggamergirl commented:
Is ComboFix the last scanner you ran?
There are still a lot of bad files there. Is your ComboFix a recent download? If not, delete that one and download a new one.

Open notepad and copy/paste the text inside the lines below into it.
-----------------------------------------------------------------------------------------------------------------
File::
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\yiuujohm.exe
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\dwlvojav.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji]

-------------------------------------------------------------------------------------------------------------------

Save this as CFScript (CFScript.txt) in the same location as ComboFix.exe,
then drag CFScript onto ComboFix.exe.

This will start ComboFix again. Follow the prompts. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
0
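As an added example (not code from this thread, and not part of HijackThis or ComboFix), the Python script below does mechanically what SheharyaarSaahil did by eye: it reads the O2, O20 and O23 lines of a HijackThis log, flags the unnamed BHO and Winlogon Notify hooks backed by random-looking DLL names plus the service with "Unknown owner", and then emits a ComboFix CFScript in the File:: / Registry:: form rpggamergirl posted. The sample lines are copied from the log above; the 7-lowercase-letter name heuristic, the per-section field layout and the Registry:: key paths are assumptions drawn from what this thread shows, not a general rule of either tool.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this
# thread (raw string so the Windows backslashes survive unchanged).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\mljgdca.dll
O20 - Winlogon Notify: awtsppq - C:\WINDOWS\SYSTEM32\awtsppq.dll
O20 - Winlogon Notify: mljgdca - C:\WINDOWS\SYSTEM32\mljgdca.dll
O20 - Winlogon Notify: nnnmmji - C:\WINDOWS\SYSTEM32\nnnmmji.dll
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed field count per section (" - " separated). Splitting from the right
# keeps a " - " inside a display name from breaking the parse.
FIELDS = {"O2": 3, "O20": 2, "O23": 3}

# Heuristic (assumption from this thread): the Vundo hook DLLs all carry
# 7 random lowercase letters, e.g. awtsppq, mljgdca, nnnmmji.
RANDOM_NAME = re.compile(r"^[a-z]{7}$")


def file_stem(path):
    """'C:\\WINDOWS\\SYSTEM32\\awtsppq.dll' -> 'awtsppq' (lowercased)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def parse_line(line):
    """Return (section, fields) for an O2/O20/O23 HijackThis line, else None."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m or m.group(1) not in FIELDS:
        return None
    section, rest = m.groups()
    fields = rest.rsplit(" - ", FIELDS[section] - 1)
    if len(fields) != FIELDS[section]:
        return None
    return section, [f.strip() for f in fields]


def triage(log_text):
    """Flag the entry types this thread's infection showed up in."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, fields = parsed
        path = fields[-1]
        if section == "O2":
            label, clsid = fields[0], fields[1]
            # Unnamed BHO alone is not enough (Spybot's SDHelper.dll is also unnamed);
            # the random DLL name is what separates the Vundo entry from it.
            if label == "BHO: (no name)" and RANDOM_NAME.match(file_stem(path)):
                findings.append(dict(section=section, name=file_stem(path), clsid=clsid, path=path,
                                     reason="unnamed BHO backed by a random-name DLL (Vundo pattern)"))
        elif section == "O20":
            name = fields[0].split(": ", 1)[1]
            if RANDOM_NAME.match(name) and file_stem(path) == name:
                findings.append(dict(section=section, name=name, clsid=None, path=path,
                                     reason="random-name Winlogon Notify DLL, loaded by winlogon.exe at every logon"))
        elif section == "O23":
            if fields[1] == "Unknown owner":
                findings.append(dict(section=section, name=fields[0].split(": ", 1)[1], clsid=None, path=path,
                                     reason="service with no vendor information; fix the O23 entry in HijackThis and delete the file from Safe Mode"))
    return findings


def build_cfscript(findings):
    """Emit a ComboFix CFScript in the File:: / Registry:: layout used in this thread.

    Only the O2 and O20 findings go into the script; the O23 service is handled
    the way the thread does it (HijackThis fix plus manual delete), so it is left out.
    """
    files, seen = [], set()
    for f in findings:
        if f["section"] in ("O2", "O20") and f["path"].lower() not in seen:
            seen.add(f["path"].lower())   # same DLL may show up as BHO and as Notify hook
            files.append(f["path"])
    keys = []
    for f in findings:
        if f["section"] == "O2":
            keys.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % f["clsid"])
        elif f["section"] == "O20":
            keys.append(r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s]" % f["name"])
    return "\n".join(["File::", *files, "Registry::", *keys]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['section']:<4} {f['path']}\n     {f['reason']}")
    print()
    print(build_cfscript(found))
```

Running it prints five findings (one BHO, three Winlogon Notify hooks, one unknown-owner service) and a nine-line CFScript whose File:: block lists the three DLLs and whose Registry:: block removes the BHO CLSID and the three notify keys. Because File:: deletes outright, a generated script should still be read line by line against the original log before it is dropped onto ComboFix, exactly as rpggamergirl's hand-written one was.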
 
wildbill327 (Author) commented:
ComboFix is current. Here are the results after following your instructions,
followed by the HJT log.

***Combofix and Hijackthis logs removed by rpggamergirl, Zone Advisor***
0
 
rpggamergirl commented:
Did you drag and drop the CFScript.txt onto ComboFix.exe?

The above ComboFix log shows that it DID NOT delete those files I listed in the script.
I don't know why it didn't, but it should have.

Please try again, and if that still won't work, then we'll use another tool.
Your HijackThis log shows that you're running in diagnostic startup mode. Did you uncheck any malware startup entries? Only checked entries will show up in the scan.
0
 
rpggamergirl commented:
>>ComboFix is current here are the results after following your instructions.<<
I asked because "CFScript" doesn't work on the older version of ComboFix.
0
 
wildbill327 (Author) commented:
I ran it again with the script in Normal startup, not Safe Mode. Here is the ComboFix log, along with the HJT log I ran immediately after ComboFix.

ComboFix 07-10-12.4 - Dad 2007-10-15  8:03:30.12 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\My Documents\Bill\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\My Documents\Bill\CFScript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2007-09-15 to 2007-10-15  )))))))))))))))))))))))))))))))
.

2007-10-14 23:24      34,304      --a------      C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08      34,304      --a------      C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04      34,304      --a------      C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51      34,304      --a------      C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43      <DIR>      d--------      C:\Program Files\PC Registry Cleaner
2007-10-14 18:37      34,304      --a------      C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19      34,304      --a------      C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44      34,304      --a------      C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47      34,304      --a------      C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56      389,184      --a------      C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56      339,968      --a------      C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:34      389,184      --a------      C:\WINDOWS\system32\ubtqjpkg.exe
2007-10-14 09:16      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15      <DIR>      d--------      C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12      <DIR>      d-a------      C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37      51,200      --a------      C:\WINDOWS\NirCmd.exe
2007-10-13 09:34      <DIR>      d--------      C:\Program Files\Trend Micro
2007-10-13 08:36      389,184      --a------      C:\WINDOWS\system32\aiquehcq.exe
2007-10-13 06:33      389,184      --a------      C:\WINDOWS\system32\yctcdpvf.exe
2007-10-13 06:33      339,968      --a------      C:\WINDOWS\system32\pezugkjt.dll
2007-10-12 23:58      34,304      --a------      C:\WINDOWS\system32\rqrolmk.dll
2007-10-12 21:25      34,304      --a------      C:\WINDOWS\system32\mljgdca.dll
2007-10-12 21:06      339,968      --a------      C:\WINDOWS\system32\lgnturdw.dll
2007-10-12 21:05      389,184      --a------      C:\WINDOWS\system32\yiuujohm.exe
2007-10-12 21:01      34,304      --a------      C:\WINDOWS\system32\cbxxyvu.dll.vir
2007-10-12 20:50      339,968      --a------      C:\WINDOWS\system32\qgpwlhqr.dll
2007-10-12 20:49      389,184      --a------      C:\WINDOWS\system32\cgsstdjy.exe
2007-10-12 20:13      34,304      --a------      C:\WINDOWS\system32\tuvtqqn.dll
2007-10-12 17:39      34,304      --a------      C:\WINDOWS\system32\jkkhgff.dll
2007-10-12 16:09      34,304      --a------      C:\WINDOWS\system32\hggdayw.dll
2007-10-12 13:36      34,304      --a------      C:\WINDOWS\system32\yayvwtq.dll
2007-10-11 22:15      34,304      --a------      C:\WINDOWS\system32\urqqonl.dll
2007-10-11 22:06      34,304      --a------      C:\WINDOWS\system32\tuvtsqr.dll
2007-10-11 22:02      34,304      --a------      C:\WINDOWS\system32\rqromkl.dll
2007-10-11 21:41      34,304      --a------      C:\WINDOWS\system32\cbxyvss.dll.vir
2007-10-11 21:38      34,304      --a------      C:\WINDOWS\system32\urqrstt.dll
2007-10-11 19:58      34,304      --a------      C:\WINDOWS\system32\iifghgg.dll
2007-10-11 17:58      34,304      --a------      C:\WINDOWS\system32\rqrpqno.dll
2007-10-11 15:25      34,304      --a------      C:\WINDOWS\system32\vtuussq.dll
2007-10-11 14:08      34,304      --a------      C:\WINDOWS\system32\byxwuut.dll.vir
2007-10-11 13:16      <DIR>      d--------      C:\VundoFix Backups
2007-10-05 20:59      0      --a------      C:\WINDOWS\system32\hggecdb.dll
2007-10-05 18:17      0      --a------      C:\WINDOWS\system32\jkkhffg.dll
2007-10-05 17:11      <DIR>      d--------      C:\WINDOWS\pss
2007-10-05 15:22      0      --a------      C:\WINDOWS\system32\jkkhhef.dll
2007-10-04 20:27      0      --a------      C:\WINDOWS\system32\khfdedb.dll
2007-10-04 20:22      0      --a------      C:\WINDOWS\system32\nnnonlk.dll
2007-10-04 17:49      107,696      --a------      C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49      87,808      --a------      C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48      <DIR>      d--------      C:\Program Files\Symantec AntiVirus
2007-10-04 17:36      0      --a------      C:\WINDOWS\system32\opnoljg.dll
2007-10-04 17:05      0      --a------      C:\WINDOWS\system32\ggddglax.exe
2007-10-04 16:49      0      --a------      C:\WINDOWS\system32\ssqqqqr.dll
2007-10-02 19:48      34,304      --a------      C:\WINDOWS\system32\khfgfdb.dll
2007-10-02 19:36      34,304      --a------      C:\WINDOWS\system32\nnnmmji.dll
2007-10-02 17:59      34,304      --a------      C:\WINDOWS\system32\awtsppq.dll
2007-10-02 17:59      31,232      -r-hs----      C:\WINDOWS\system\mgrsvc.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 15:59      ---------      d-----w      C:\Program Files\Google
2007-10-13 15:36      ---------      d-----w      C:\Program Files\Java
2007-10-05 21:12      ---------      d-----w      C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-04 21:52      ---------      d-----w      C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51      ---------      d-----w      C:\Program Files\Symantec
2007-10-04 21:48      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09      60,968      ----a-w      C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18      ---------      d-----w      C:\Program Files\Common Files\AOL
2007-08-24 17:18      ---------      d-----w      C:\Program Files\AIM
2007-08-21 06:15      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2007-08-18 03:56      ---------      d-----w      C:\Program Files\AIM6
2007-08-18 03:56      ---------      d-----w      C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51      ---------      d-----w      C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-07-30 23:19      92,504      ----a-w      C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19      549,720      ----a-w      C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19      53,080      ----a-w      C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19      43,352      ----a-w      C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19      325,976      ----a-w      C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19      203,096      ----a-w      C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19      1,712,984      ----a-w      C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18      33,624      ----a-w      C:\WINDOWS\system32\wups.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-10-13_ 9.51.16.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06      585,791      ----a-w      C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18      581,632      ----a-r      C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14      29,696      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14      18,944      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15      65,024      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06      70,001      ----a-w      C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20      49,248      ----a-w      C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28      135,168      ----a-w      C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30      53,346      ----a-w      C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30      135,168      ----a-w      C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32      127,078      ----a-w      C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42      139,264      ----a-w      C:\WINDOWS\system32\javaws.exe
- 2007-10-12 21:41:29      11,195      ----a-w      C:\WINDOWS\system32\nvModes.dat
+ 2007-10-14 19:04:20      17,128      ----a-w      C:\WINDOWS\system32\nvModes.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Dad\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\dwlvojav.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2 (0x2)
"SavRoam"=3 (0x3)

R2 IISLvc;Intel Input Service;"C:\WINDOWS\system\mgrsvc.exe"
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 05:48:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.job"
- C:\WINDOWS\twain_32
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 08:06:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-15  8:06:49
C:\ComboFix2.txt ... 2007-10-15 06:31
C:\ComboFix3.txt ... 2007-10-14 23:10
.
      --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:58 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\system\mgrsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153129484593
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7718 bytes
0
 
rpggamergirlCommented:
What I meant was your hijackthis log shows that Windows is running in diagnostic mode, which usually happens when you uncheck startup entries in msconfig.

Still the same, entries are still there.
Let's use Avenger to delete those entries. You need to paste exactly what's between the lines, everything, all characters, including the colon ":"; otherwise the script will not run.

Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all text inside the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\yiuujohm.exe
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\dwlvojav.dll

Registry keys to delete:
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, when you're done.


Next time you run HijackThis, can you please rename it before scanning so it won't have the word "hijackthis" in its name; rename it to anything.exe or whatever.exe,
or you can use this already renamed version --> http://danborg.org/spy/hjt/alternativ.exe

and show us the logfile from the renamed version.
0
 
rpggamergirlCommented:
Please also run this, and see if it finds any nasties to remove.

Download MsnCleaner_eng.zip
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once the scan finishes.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
Please post the contents of C:\MsnCleaner.txt in a reply to this post.
0
 
wildbill327Author Commented:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fouxhgbs

*******************

Script file located at: \??\C:\Program Files\yvtdcwty.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq failed!
Status: 0xc0000034



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt failed!
Status: 0xc0000034



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca failed!
Status: 0xc0000034



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.
0
 
wildbill327Author Commented:
Logfile of HijackThis v1.99.1
Scan saved at 9:06:47 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system\mgrsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Dad\My Documents\Bill\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dwlvojav.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153129484593
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

0
 
rpggamergirlCommented:
Now that's a weird result!
Let's assume that those bad reg entries are gone, but what about the files???
Avenger should say something like files either "deleted successfully" or "delete failed".
It didn't mention the files at all; all those files were included in the script, right?
0
 
wildbill327Author Commented:
Yes, I'll run it again. MsnCleaner_eng found nothing.
0
 
wildbill327Author Commented:
Here is another Avenger log I just ran.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ydsxqgmq

*******************

Script file located at: \??\C:\WINDOWS\system32\gqyqkkbb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq failed!
Status: 0xc0000034



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt failed!
Status: 0xc0000034



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca failed!
Status: 0xc0000034



Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.
0
 
wildbill327Author Commented:
Symantec is still finding win32.spybot.worm; the file is msgsvc.exe. Unable to remove in safe mode with HijT.
0
 
wildbill327Author Commented:
CORRECTION: Symantec is still finding win32.spybot.worm; the file is MGRSVC.EXE. Unable to remove in safe mode with HijT.
0
 
wildbill327Author Commented:
Ran Kaspersky Scan. Here are the results:


-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Monday, October 15, 2007 2:44:07 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 15/10/2007
 Kaspersky Anti-Virus database records: 436309
-------------------------------------------------------------------------------

Scan Settings:
      Scan using the following antivirus database: extended
      Scan Archives: true
      Scan Mail Bases: true

Scan Target - My Computer:
      C:\
      D:\

Scan Statistics:
      Total number of scanned objects: 44223
      Number of viruses found: 4
      Number of infected objects: 12
      Number of suspicious objects: 0
      Duration of the scan process: 00:53:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ad467c05beccc10a4951384e1f0c67d3_7d1d64b6-da05-4db9-addd-c62855bda6ec      Object is locked      skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp      Object is locked      skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01022007-145257.log      Object is locked      skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat      Object is locked      skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\049C0000\479E4FB7.VBN      Infected: Trojan-Downloader.Win32.Tiny.id      skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0000\4FBEC49A.VBN      Infected: Trojan-Downloader.Win32.Tiny.id      skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\093C0000\4F3E67B6.VBN      Infected: Trojan-Downloader.Win32.Tiny.id      skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C7C0000\4F7D8B11.VBN      Infected: Trojan-Downloader.Win32.Tiny.id      skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D180000\4F1EA9DA.VBN      Infected: Trojan-Downloader.Win32.Tiny.id      skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FCC0000\4FCD6195.VBN      Infected: Trojan.Win32.Agent.bck      skipped
C:\Documents and Settings\Dad\Cookies\index.dat      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{00E1CD54-706E-4F66-97A2-7ABD98A13336}      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\MSHist012007101520071016\index.dat      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat      Object is locked      skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat      Object is locked      skipped
C:\Documents and Settings\Dad\ntuser.dat      Object is locked      skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG      Object is locked      skipped
C:\Documents and Settings\LocalService\Cookies\index.dat      Object is locked      skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat      Object is locked      skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG      Object is locked      skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat      Object is locked      skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat      Object is locked      skipped
C:\Documents and Settings\LocalService\NTUSER.DAT      Object is locked      skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG      Object is locked      skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat      Object is locked      skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG      Object is locked      skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT      Object is locked      skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log      Object is locked      skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log      Object is locked      skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0480NAV~.TMP      Object is locked      skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0732NAV~.TMP      Object is locked      skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rkwhlsha.dll.vir      Infected: not-a-virus:AdWare.Win32.Virtumonde.ace      skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\twboxkbs.dll.vir      Infected: not-a-virus:AdWare.Win32.Virtumonde.wn      skipped
C:\System Volume Information\MountPointManagerRemoteDatabase      Object is locked      skipped
C:\VundoFix Backups\hnaapohi.dll.bad      Infected: not-a-virus:AdWare.Win32.Virtumonde.ace      skipped
C:\VundoFix Backups\qdicikhv.dll.bad      Infected: not-a-virus:AdWare.Win32.Virtumonde.ace      skipped
C:\VundoFix Backups\qkiwyuiy.dll.bad      Infected: not-a-virus:AdWare.Win32.Virtumonde.ace      skipped
C:\VundoFix Backups\yhvqoice.dll.bad      Infected: not-a-virus:AdWare.Win32.Virtumonde.ace      skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll      Object is locked      skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll      Object is locked      skipped
C:\WINDOWS\Debug\PASSWD.LOG      Object is locked      skipped
C:\WINDOWS\SchedLgU.Txt      Object is locked      skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{84BA63FD-9B66-4C9E-A741-E711AFEB1EE4}.bin      Object is locked      skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log      Object is locked      skipped
C:\WINDOWS\Sti_Trace.log      Object is locked      skipped
C:\WINDOWS\system32\CatRoot2\edb.log      Object is locked      skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb      Object is locked      skipped
C:\WINDOWS\system32\config\AppEvent.Evt      Object is locked      skipped
C:\WINDOWS\system32\config\default      Object is locked      skipped
C:\WINDOWS\system32\config\default.LOG      Object is locked      skipped
C:\WINDOWS\system32\config\Internet.evt      Object is locked      skipped
C:\WINDOWS\system32\config\SAM      Object is locked      skipped
C:\WINDOWS\system32\config\SAM.LOG      Object is locked      skipped
C:\WINDOWS\system32\config\SecEvent.Evt      Object is locked      skipped
C:\WINDOWS\system32\config\SECURITY      Object is locked      skipped
C:\WINDOWS\system32\config\SECURITY.LOG      Object is locked      skipped
C:\WINDOWS\system32\config\software      Object is locked      skipped
C:\WINDOWS\system32\config\software.LOG      Object is locked      skipped
C:\WINDOWS\system32\config\SysEvent.Evt      Object is locked      skipped
C:\WINDOWS\system32\config\system      Object is locked      skipped
C:\WINDOWS\system32\config\system.LOG      Object is locked      skipped
C:\WINDOWS\system32\h323log.txt      Object is locked      skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR      Object is locked      skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP      Object is locked      skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER      Object is locked      skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP      Object is locked      skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP      Object is locked      skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA      Object is locked      skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP      Object is locked      skipped
C:\WINDOWS\wiadebug.log      Object is locked      skipped
C:\WINDOWS\wiaservc.log      Object is locked      skipped
C:\WINDOWS\WindowsUpdate.log      Object is locked      skipped

Scan process completed.
0
 
rpggamergirlCommented:
I'm very much confused with this.
Combofix's latest version can't make the CFScript work; this never happened before.
Avenger's result doesn't make sense; it didn't process the files to be deleted.
Are you sure this line was included in the script? --> Files to delete:
That has to be included for Avenger to process it.


And about that service file that NOD32 keeps alerting on,
stop and delete that service --> IISLvc
Go to Start Menu > Run > type

cmd

Press OK, then type or copy and paste these commands into the cmd window, pressing Enter after each line:

sc stop IISLvc
sc delete IISLvc

exit

C:\WINDOWS\system\mgrsvc.exe <-- see if this file still exists. Don't use "Search" to look for it; use Explorer with hidden files shown.

0
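Added example (not from any post in this thread, and not part of HijackThis or Avenger): a small Python triage script that applies the checks rpggamergirl made by eye to HijackThis entries like the ones above, a lowercase random-named .dll behind an O3, O4 or O20 entry and an O23 service with "Unknown owner", and then emits the Avenger "Files to delete:" block with the header line that was missing from the first run. The sample lines are constructed from entries quoted in this thread; the random-name test is a heuristic assumption, not a signature.

```python
import re

# Hypothetical triage helper written for this thread; it is not part of
# HijackThis, Avenger, or any post above. Two heuristics taken from the
# entries discussed here:
#   1. a .dll whose file name is 7-8 random lowercase letters (Vundo style),
#      referenced by an O3 toolbar, an O4 Run entry or an O20 notify hook;
#   2. an O23 service reported with "Unknown owner".
# Mixed-case or vendor-signed entries (NvCpl.dll, NavLogon.dll) pass.

PATH_RE = re.compile(r'[A-Za-z]:\\[^",<>|]+?\.(?:dll|exe)', re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r'^[a-z]{7,8}\.dll$')  # heuristic, not a signature
LINE_RE = re.compile(r'^(O\d+|R\d+|F\d+) - (.*)$')


def parse_hjt_line(line):
    """Return (section, rest) for a HijackThis entry line, or None for
    anything else (headers, blank lines, the 'Running processes' list)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage_hjt(lines):
    """Return a list of (section, reason, path) for suspicious entries."""
    findings = []
    for line in lines:
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        section, rest = parsed
        paths = PATH_RE.findall(rest)
        if section in ("O3", "O4", "O20"):
            for p in paths:
                base = p.rsplit("\\", 1)[-1]
                if RANDOM_DLL_RE.match(base):
                    findings.append((section, "random-named DLL", p))
        if section == "O23" and "Unknown owner" in rest:
            for p in paths:
                findings.append((section, "service with unknown owner", p))
    return findings


def build_avenger_files_section(paths):
    """Build the 'Files to delete:' block Avenger expects. The header line is
    mandatory: without it Avenger processes no files, which is what happened
    on the first run in this thread. Duplicates dropped, order preserved."""
    unique = []
    for p in paths:
        if p not in unique:
            unique.append(p)
    return "Files to delete:\n" + "\n".join(unique) + "\n"


# Constructed sample: lines taken from the logs in this thread plus benign
# entries that must NOT be flagged.
SAMPLE_LOG = """\
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\\WINDOWS\\system32\\jzorkusd.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [SearchIndexer] rundll32.exe "C:\\WINDOWS\\system32\\dwlvojav.dll",sitypnow
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\\WINDOWS\\system\\mgrsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
""".splitlines()


def flagged_paths(lines=SAMPLE_LOG):
    """Just the paths from triage_hjt, in log order."""
    return [path for _, _, path in triage_hjt(lines)]


if __name__ == "__main__":
    for section, reason, path in triage_hjt(SAMPLE_LOG):
        print(f"{section:4} {reason:28} {path}")
    print()
    print(build_avenger_files_section(flagged_paths()), end="")
```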
 
wildbill327Author Commented:
OK, Avenger ran and deleted those files. I didn't leave the "Files to delete" line in the first time. I lost the log; here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:59, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jzorkusd.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153129484593
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games - Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8013 bytes
wildbill327Author Commented:
Also ran this again

ComboFix 07-10-12.4 - Dad 2007-10-16  6:58:35.18 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.94 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hammer.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\alfylhjb.ini
C:\WINDOWS\system32\bhivgqeq.dll
C:\WINDOWS\system32\bjhlyfla.dll
C:\WINDOWS\system32\dclyxnyu.ini
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\glsdjpjh.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\qeqgvihb.ini
C:\WINDOWS\system32\uynxylcd.dll
C:\WINDOWS\system32\yktvobvc.dll

.
(((((((((((((((((((((((((   Files Created from 2007-09-16 to 2007-10-16  )))))))))))))))))))))))))))))))
.

2007-10-16 06:57      339,968      --a------      C:\WINDOWS\system32\jzorkusd.dll
2007-10-16 06:56      389,184      --a------      C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34      389,184      --a------      C:\WINDOWS\system32\hhfledew.exe
2007-10-16 06:34      339,968      --a------      C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-16 06:24      339,968      --a------      C:\WINDOWS\system32\txenfhxp.dll
2007-10-16 06:23      389,184      --a------      C:\WINDOWS\system32\cfhulhfn.exe
2007-10-16 06:07      389,184      --a------      C:\WINDOWS\system32\omxglxxv.exe
2007-10-16 06:07      339,968      --a------      C:\WINDOWS\system32\uvaglvtb.dll
2007-10-16 03:44      389,184      --a------      C:\WINDOWS\system32\rppmfgkx.exe
2007-10-16 03:44      339,968      --a------      C:\WINDOWS\system32\kkwostel.dll
2007-10-15 14:54      <DIR>      d--------      C:\Documents and Settings\Dad\DoctorWeb
2007-10-15 14:13      34,304      --a------      C:\WINDOWS\system32\ddcdbax.dll
2007-10-15 12:42      <DIR>      d--------      C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 12:42      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 23:24      34,304      --a------      C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08      34,304      --a------      C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04      34,304      --a------      C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51      34,304      --a------      C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43      <DIR>      d--------      C:\Program Files\PC Registry Cleaner
2007-10-14 18:37      34,304      --a------      C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19      34,304      --a------      C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44      34,304      --a------      C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47      34,304      --a------      C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56      389,184      --a------      C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56      339,968      --a------      C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:16      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15      <DIR>      d--------      C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12      <DIR>      d-a------      C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37      51,200      --a------      C:\WINDOWS\NirCmd.exe
2007-10-13 09:34      <DIR>      d--------      C:\Program Files\Trend Micro
2007-10-11 13:16      <DIR>      d--------      C:\VundoFix Backups
2007-10-05 17:11      <DIR>      d--------      C:\WINDOWS\pss
2007-10-04 17:49      107,696      --a------      C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49      87,808      --a------      C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48      <DIR>      d--------      C:\Program Files\Symantec AntiVirus

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 19:12      ---------      d-----w      C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-13 15:59      ---------      d-----w      C:\Program Files\Google
2007-10-13 15:36      ---------      d-----w      C:\Program Files\Java
2007-10-04 21:52      ---------      d-----w      C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51      ---------      d-----w      C:\Program Files\Symantec
2007-10-04 21:48      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09      60,968      ----a-w      C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18      ---------      d-----w      C:\Program Files\Common Files\AOL
2007-08-24 17:18      ---------      d-----w      C:\Program Files\AIM
2007-08-21 06:15      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2007-08-18 03:56      ---------      d-----w      C:\Program Files\AIM6
2007-08-18 03:56      ---------      d-----w      C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51      ---------      d-----w      C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-07-30 23:19      92,504      ----a-w      C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19      549,720      ----a-w      C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19      53,080      ----a-w      C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19      43,352      ----a-w      C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19      325,976      ----a-w      C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19      203,096      ----a-w      C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19      1,712,984      ----a-w      C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18      33,624      ----a-w      C:\WINDOWS\system32\wups.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-10-13_ 9.51.16.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06      585,791      ----a-w      C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18      581,632      ----a-r      C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14      29,696      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14      18,944      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15      65,024      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06      70,001      ----a-w      C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20      49,248      ----a-w      C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28      135,168      ----a-w      C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30      53,346      ----a-w      C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30      135,168      ----a-w      C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32      127,078      ----a-w      C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42      139,264      ----a-w      C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16      213,048      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20      94,208      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54      950,272      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-12 21:41:29      11,195      ----a-w      C:\WINDOWS\system32\nvModes.dat
+ 2007-10-14 19:04:20      17,128      ----a-w      C:\WINDOWS\system32\nvModes.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-16 06:57      339968      --a------      C:\WINDOWS\system32\jzorkusd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
2007-10-15 14:13      34304      --a------      C:\WINDOWS\system32\ddcdbax.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\jzorkusd.dll [2007-10-16 06:57 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\jzorkusd.dll [2007-10-16 06:57 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINDOWS\system32\ddcdbax.dll [2007-10-15 14:13 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbax]
ddcdbax.dll 2007-10-15 14:13 34304 C:\WINDOWS\system32\ddcdbax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll 2007-10-16 06:57 339968 C:\WINDOWS\system32\jzorkusd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhf.dll

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 11:16:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.job"
- C:\WINDOWS\twain_32
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 07:15:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16  7:18:31 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-15 15:39
C:\ComboFix3.txt ... 2007-10-15 10:56
.
      --- E O F ---
rpggamergirlCommented:
The above ComboFix log is not a CFScript run; that's just a normal ComboFix scan, unless a portion of the log is missing.
I really don't know why the ComboFix CFScript is not working here.
Bad files are still showing.

Let's try another tool.
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
* In the 'Files Created Within' group click 30 days
* In the 'Files Modified Within' group select 30 days
* In the 'File String Search' group select Non-Microsoft
* In the 'Drivers Services' group select Non-Microsoft
* In the 'Additional Scans' group select 'Desktop Components'

Now click the "Run Scan" button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked.
If it is, then click on it to uncheck it.

Please upload the log at EE-Stuff.com
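One way to pick the "bad files" out of a ComboFix log like the ones posted above, added here as an example; this is not rpggamergirl's tool, not ComboFix or HijackThis, and not anything used in the thread. It is a Python script meant to be run against a saved C:\ComboFix.txt on a clean machine, not on the infected one. It parses the 'Files Created' and 'Reg Loading Points' sections, flags the load points Vundo uses and legitimate software almost never does (an extra LSA Authentication Package beside msv1_0, Winlogon Notify DLLs, and BHOs or ShellExecuteHooks pointing at a DLL dropped straight into system32), and then pulls in the unregistered files that share a byte size or a drop time with a flagged one, because the logs above show the 339,968-byte DLL and 389,184-byte EXE being re-dropped under new names every few hours. SAMPLE_LOG is a constructed excerpt built from entries in the logs above; the two-minute window and the size-matching rule are heuristics chosen for this example, not ComboFix behaviour.

```python
"""Vundo-style triage of a ComboFix log (added example, not a tool used in this thread).
Parses the 'Files Created' and 'Reg Loading Points' sections ComboFix prints, flags load
points legitimate software almost never uses, then pulls in unregistered recent files that
share a size or drop time with a flagged one. SAMPLE_LOG is a constructed excerpt."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""(((((((((((((((((((((((((   Files Created from 2007-09-16 to 2007-10-16  )))))))))))))))))))))))))))))))
2007-10-16 06:57      339,968      --a------      C:\WINDOWS\system32\jzorkusd.dll
2007-10-16 06:56      389,184      --a------      C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34      339,968      --a------      C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-15 14:13      34,304      --a------      C:\WINDOWS\system32\ddcdbax.dll
2007-10-13 09:37      51,200      --a------      C:\WINDOWS\NirCmd.exe
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-16 06:57      339968      --a------      C:\WINDOWS\system32\jzorkusd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINDOWS\system32\ddcdbax.dll [2007-10-15 14:13 34304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbax]
ddcdbax.dll 2007-10-15 14:13 34304 C:\WINDOWS\system32\ddcdbax.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhf.dll

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+\S+\s+(\S.*?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\n]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)

def parse_log(text):
    """Return (created: {path: (datetime, size)}, loadpoints: [(key, [paths])]), all lowercase."""
    created, loadpoints, section, key = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
        elif section and section.startswith("Files Created"):
            m = CREATED_RE.match(line)  # <DIR> rows have no numeric size and are skipped
            if m:
                stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
                created[m.group(3).lower()] = (stamp, int(m.group(2).replace(",", "")))
        elif section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1).lower()
                loadpoints.append((key, []))
            elif not line:
                key = None  # a blank line closes the key block; driver rows follow without one
            elif key:
                loadpoints[-1][1].extend(p.lower() for p in PATH_RE.findall(line))
    return created, loadpoints

def flag_loadpoints(loadpoints):
    """Yield (path, reason) for load points that legitimate software almost never uses."""
    for key, paths in loadpoints:
        for path in paths:
            in_system32 = path.startswith("c:\\windows\\system32\\") and path.count("\\") == 3
            if "control\\lsa" in key:
                yield path, "LSA Authentication Package besides msv1_0 (loaded into lsass.exe)"
            elif "winlogon\\notify" in key:
                yield path, "Winlogon Notify DLL (loaded into winlogon.exe at every logon)"
            elif "shellexecutehooks" in key and in_system32:
                yield path, "ShellExecuteHook DLL dropped directly into system32"
            elif "browser helper objects" in key and in_system32:
                yield path, "Browser Helper Object DLL dropped directly into system32"

def related_files(created, flagged, window=timedelta(minutes=2)):
    """Unregistered recent files sharing a size or drop time with a flagged file (heuristic)."""
    anchors = [created[p] for p in flagged if p in created]
    sizes = {size for _, size in anchors}
    related = {}
    for path, (stamp, size) in created.items():
        if path in flagged:
            continue
        if size in sizes:
            related[path] = "same size as a flagged file"
        elif any(abs(stamp - s) <= window for s, _ in anchors):
            related[path] = "written within %s of a flagged file" % window
    return related

def triage(text):
    created, loadpoints = parse_log(text)
    flagged = {}
    for path, reason in flag_loadpoints(loadpoints):
        flagged.setdefault(path, []).append(reason)
    return flagged, related_files(created, flagged)

if __name__ == "__main__":
    flagged, related = triage(SAMPLE_LOG)
    for path in sorted(flagged):
        print("REMOVE", path, "|", "; ".join(flagged[path]))
    for path in sorted(related):
        print("ALSO  ", path, "|", related[path])
```

Run it as-is to triage the embedded sample, or replace SAMPLE_LOG with the contents of C:\ComboFix.txt. Anything it prints is a candidate for the FILE:: list of a CFScript, not an automatic deletion: a printer or driver file that happens to share a size with a flagged DLL will show up under ALSO and has to be checked by hand, and a blank line is what separates one registry key's entries from the next, so the driver rows at the end of that section are deliberately not attributed to the LSA key.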
wildbill327Author Commented:
I placed it up there!
wildbill327Author Commented:
I ran ComboFix with the script. Here is the log:

ComboFix 07-10-12.4 - Dad 2007-10-16 16:56:52.20 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.log
 * Created a new restore point

FILE::
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\dwlvojav.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\yiuujohm.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini

.
(((((((((((((((((((((((((   Files Created from 2007-09-16 to 2007-10-16  )))))))))))))))))))))))))))))))
.

2007-10-16 06:56      389,184      --a------      C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34      389,184      --a------      C:\WINDOWS\system32\hhfledew.exe
2007-10-16 06:34      339,968      --a------      C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-16 06:24      339,968      --a------      C:\WINDOWS\system32\txenfhxp.dll
2007-10-16 06:23      389,184      --a------      C:\WINDOWS\system32\cfhulhfn.exe
2007-10-16 06:07      389,184      --a------      C:\WINDOWS\system32\omxglxxv.exe
2007-10-16 06:07      339,968      --a------      C:\WINDOWS\system32\uvaglvtb.dll
2007-10-16 03:44      389,184      --a------      C:\WINDOWS\system32\rppmfgkx.exe
2007-10-16 03:44      339,968      --a------      C:\WINDOWS\system32\kkwostel.dll
2007-10-15 14:54      <DIR>      d--------      C:\Documents and Settings\Dad\DoctorWeb
2007-10-15 14:13      34,304      --a------      C:\WINDOWS\system32\ddcdbax.dll
2007-10-15 12:42      <DIR>      d--------      C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 12:42      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 23:24      34,304      --a------      C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08      34,304      --a------      C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04      34,304      --a------      C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51      34,304      --a------      C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43      <DIR>      d--------      C:\Program Files\PC Registry Cleaner
2007-10-14 18:37      34,304      --a------      C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19      34,304      --a------      C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44      34,304      --a------      C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47      34,304      --a------      C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56      389,184      --a------      C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56      339,968      --a------      C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:16      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15      <DIR>      d--------      C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12      <DIR>      d-a------      C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37      51,200      --a------      C:\WINDOWS\NirCmd.exe
2007-10-13 09:34      <DIR>      d--------      C:\Program Files\Trend Micro
2007-10-11 13:16      <DIR>      d--------      C:\VundoFix Backups
2007-10-05 17:11      <DIR>      d--------      C:\WINDOWS\pss
2007-10-04 17:49      107,696      --a------      C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49      87,808      --a------      C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48      <DIR>      d--------      C:\Program Files\Symantec AntiVirus

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 19:12      ---------      d-----w      C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-13 15:59      ---------      d-----w      C:\Program Files\Google
2007-10-13 15:36      ---------      d-----w      C:\Program Files\Java
2007-10-04 21:52      ---------      d-----w      C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51      ---------      d-----w      C:\Program Files\Symantec
2007-10-04 21:48      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09      60,968      ----a-w      C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18      ---------      d-----w      C:\Program Files\Common Files\AOL
2007-08-24 17:18      ---------      d-----w      C:\Program Files\AIM
2007-08-21 06:15      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2007-08-18 03:56      ---------      d-----w      C:\Program Files\AIM6
2007-08-18 03:56      ---------      d-----w      C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51      ---------      d-----w      C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-07-30 23:19      92,504      ----a-w      C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19      549,720      ----a-w      C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19      53,080      ----a-w      C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19      43,352      ----a-w      C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19      325,976      ----a-w      C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19      203,096      ----a-w      C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19      1,712,984      ----a-w      C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18      33,624      ----a-w      C:\WINDOWS\system32\wups.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-10-13_ 9.51.16.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06      585,791      ----a-w      C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18      581,632      ----a-r      C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14      29,696      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14      18,944      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15      65,024      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06      70,001      ----a-w      C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20      49,248      ----a-w      C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28      135,168      ----a-w      C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30      53,346      ----a-w      C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30      135,168      ----a-w      C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32      127,078      ----a-w      C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42      139,264      ----a-w      C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16      213,048      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20      94,208      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54      950,272      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-12 21:41:29      11,195      ----a-w      C:\WINDOWS\system32\nvModes.dat
+ 2007-10-14 19:04:20      17,128      ----a-w      C:\WINDOWS\system32\nvModes.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D089509-246B-4B9B-8B84-AA6DA7CA61E4}]
                  C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
2007-10-15 14:13      34304      --a------      C:\WINDOWS\system32\ddcdbax.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINDOWS\system32\ddcdbax.dll [2007-10-15 14:13 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbax]
ddcdbax.dll 2007-10-15 14:13 34304 C:\WINDOWS\system32\ddcdbax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvts.dll

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 21:19:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.job"
- C:\WINDOWS\twain_32
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 17:18:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 17:21:00 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-16 08:03
C:\ComboFix3.txt ... 2007-10-16 07:18
.
      --- E O F ---
0
 
wildbill327Author Commented:
Things looked good for a while. I started getting pop ups again. I ran the Combo fix with the script; SuperAntiSpyware, and PCRegistary cleaner. Here is the Latest Combo Fix log

ComboFix 07-10-12.4 - Dad 2007-10-17  7:46:43.21 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.362 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript_used_2007-10-16@16.56.txt

FILE::
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\dwlvojav.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\yiuujohm.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hammer.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cymnobog.dll
C:\WINDOWS\system32\fthgkkts.dll
C:\WINDOWS\system32\gobonmyc.ini
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.ini

.
(((((((((((((((((((((((((   Files Created from 2007-09-17 to 2007-10-17  )))))))))))))))))))))))))))))))
.

2007-10-17 05:27      339,968      --a------      C:\WINDOWS\system32\oawucwgq.dll
2007-10-17 05:26      389,184      --a------      C:\WINDOWS\system32\tkqwhfyp.exe
2007-10-16 06:56      389,184      --a------      C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34      389,184      --a------      C:\WINDOWS\system32\hhfledew.exe
2007-10-16 06:34      339,968      --a------      C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-16 06:24      339,968      --a------      C:\WINDOWS\system32\txenfhxp.dll
2007-10-16 06:23      389,184      --a------      C:\WINDOWS\system32\cfhulhfn.exe
2007-10-16 06:07      389,184      --a------      C:\WINDOWS\system32\omxglxxv.exe
2007-10-16 06:07      339,968      --a------      C:\WINDOWS\system32\uvaglvtb.dll
2007-10-16 03:44      389,184      --a------      C:\WINDOWS\system32\rppmfgkx.exe
2007-10-16 03:44      339,968      --a------      C:\WINDOWS\system32\kkwostel.dll
2007-10-15 14:54      <DIR>      d--------      C:\Documents and Settings\Dad\DoctorWeb
2007-10-15 12:42      <DIR>      d--------      C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 12:42      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 23:24      34,304      --a------      C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08      34,304      --a------      C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04      34,304      --a------      C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51      34,304      --a------      C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43      <DIR>      d--------      C:\Program Files\PC Registry Cleaner
2007-10-14 18:37      34,304      --a------      C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19      34,304      --a------      C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44      34,304      --a------      C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47      34,304      --a------      C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56      389,184      --a------      C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56      339,968      --a------      C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:16      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15      <DIR>      d--------      C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12      <DIR>      d-a------      C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37      51,200      --a------      C:\WINDOWS\NirCmd.exe
2007-10-13 09:34      <DIR>      d--------      C:\Program Files\Trend Micro
2007-10-11 13:16      <DIR>      d--------      C:\VundoFix Backups
2007-10-05 17:11      <DIR>      d--------      C:\WINDOWS\pss
2007-10-04 17:49      107,696      --a------      C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49      87,808      --a------      C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48      <DIR>      d--------      C:\Program Files\Symantec AntiVirus

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 21:19      ---------      d-----w      C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-13 15:59      ---------      d-----w      C:\Program Files\Google
2007-10-13 15:36      ---------      d-----w      C:\Program Files\Java
2007-10-04 21:52      ---------      d-----w      C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51      ---------      d-----w      C:\Program Files\Symantec
2007-10-04 21:48      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09      60,968      ----a-w      C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18      ---------      d-----w      C:\Program Files\Common Files\AOL
2007-08-24 17:18      ---------      d-----w      C:\Program Files\AIM
2007-08-18 03:56      ---------      d-----w      C:\Program Files\AIM6
2007-08-18 03:56      ---------      d-----w      C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51      ---------      d-----w      C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\AOL Downloads
.

(((((((((((((((((((((((((((((   snapshot@2007-10-13_ 9.51.16.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06      585,791      ----a-w      C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18      581,632      ----a-r      C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14      29,696      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14      18,944      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15      65,024      ----a-r      C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06      70,001      ----a-w      C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20      49,248      ----a-w      C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28      135,168      ----a-w      C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30      53,346      ----a-w      C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30      135,168      ----a-w      C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32      127,078      ----a-w      C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42      139,264      ----a-w      C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16      213,048      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20      94,208      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54      950,272      ----a-w      C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-12 21:41:29      11,195      ----a-w      C:\WINDOWS\system32\nvModes.dat
+ 2007-10-17 00:02:34      17,083      ----a-w      C:\WINDOWS\system32\nvModes.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D089509-246B-4B9B-8B84-AA6DA7CA61E4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-17 05:27      339968      --a------      C:\WINDOWS\system32\oawucwgq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\oawucwgq.dll [2007-10-17 05:27 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oawucwgq]
oawucwgq.dll 2007-10-17 05:27 339968 C:\WINDOWS\system32\oawucwgq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjj.dll

S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-17 11:46:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.job"
- C:\WINDOWS\twain_32
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 07:53:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17  7:55:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-16 17:21
C:\ComboFix3.txt ... 2007-10-16 08:03
.
      --- E O F ---
0
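The ComboFix log above shows the pattern this thread is chasing: randomly named DLLs dropped into system32 and wired into Winlogon Notify, the LSA "Authentication Packages" list, a Browser Helper Object, an IE toolbar and a ShellExecuteHook, all written within a day or two of the scan. As an added example (not part of the thread, and not a feature of ComboFix, HijackThis or WinPFind3U), the Python below parses a handful of "Reg Loading Points" lines copied from that log and flags the entries a responder would triage first. The allow-lists, the 14-day "recently written" window and the function names are assumptions of the example, not anything the tools on this page define.

```python
"""Triage a ComboFix-style 'Reg Loading Points' dump for Vundo-style persistence.

Added illustration; not a ComboFix, HijackThis or WinPFind3U feature. The sample
lines are copied from the log posted above; the allow-lists and the 14-day window
are assumptions chosen for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SCAN_DATE = date(2007, 10, 17)   # completion date printed at the end of the posted log
RECENT_DAYS = 14                 # assumption: modules written this close to the scan deserve a look

# Assumed allow-lists (not from the page). A stock Windows XP box lists only msv1_0
# as an LSA authentication package; the Winlogon Notify names below ship with XP.
DEFAULT_LSA_PACKAGES = {"msv1_0"}
KNOWN_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Registry key fragments that identify the auto-load points ComboFix reports.
LOAD_POINTS = (
    ("winlogon\\notify", "Winlogon Notify"),
    ("control\\lsa", "LSA Authentication Packages"),
    ("browser helper objects", "Browser Helper Object"),
    ("internet explorer\\toolbar", "IE Toolbar"),
    ("shellexecutehooks", "ShellExecuteHook"),
)

PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\"\r\n]*?\.(?:dll|exe)", re.IGNORECASE)
BARE_DLL_RE = re.compile(r"(?<![\\\w])([A-Za-z0-9_]+\.dll)\b", re.IGNORECASE)
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

# Constructed sample: lines copied from the 'Reg Loading Points' section of the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D089509-246B-4B9B-8B84-AA6DA7CA61E4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-17 05:27      339968      --a------      C:\WINDOWS\system32\oawucwgq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\oawucwgq.dll [2007-10-17 05:27 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINDOWS\system32\ddcdbax.dll [2007-10-15 14:13 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbax]
ddcdbax.dll 2007-10-15 14:13 34304 C:\WINDOWS\system32\ddcdbax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvts.dll
"""


@dataclass(frozen=True)
class Finding:
    load_point: str
    module: str      # lower-cased file name without extension
    path: str
    reason: str


def _classify_key(key_line: str) -> Optional[str]:
    low = key_line.lower()
    for fragment, name in LOAD_POINTS:
        if fragment in low:
            return name
    return None


def _stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def _is_recent(line: str, scan_date: date) -> bool:
    m = DATE_RE.search(line)            # ComboFix prints the file's timestamp on the same line
    if not m:
        return False
    written = date(*map(int, m.groups()))
    return 0 <= (scan_date - written).days <= RECENT_DAYS


def scan(text: str, scan_date: date = SCAN_DATE) -> List[Finding]:
    findings: List[Finding] = []
    load_point = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):        # a registry key line opens a new section
            load_point = _classify_key(line)
            continue
        if load_point is None:
            continue
        if load_point == "LSA Authentication Packages":
            if "=" not in line:
                continue
            # Value data is a list of built-in package names and/or DLL paths.
            for token in line.split("=", 1)[1].split():
                name = _stem(token) if PATH_RE.fullmatch(token) else token.lower()
                if name not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding(load_point, name, token,
                                            "non-default LSA authentication package"))
            continue
        # Full paths first; fall back to a bare DLL name (resolved from the system search path).
        for path in PATH_RE.findall(line) or BARE_DLL_RE.findall(line):
            name = _stem(path)
            in_system32 = "\\system32\\" in path.lower() or "\\" not in path
            if load_point == "Winlogon Notify":
                if name not in KNOWN_NOTIFY_PACKAGES:
                    findings.append(Finding(load_point, name, path,
                                            "Winlogon Notify package not shipped with Windows"))
            elif in_system32 and _is_recent(line, scan_date):
                findings.append(Finding(load_point, name, path,
                                        "module in system32 written within %d days of the scan" % RECENT_DAYS))
    return findings


def suspicious_modules(text: str, scan_date: date = SCAN_DATE) -> List[str]:
    """Distinct module names worth pulling for analysis, sorted."""
    return sorted({f.module for f in scan(text, scan_date)})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%-28s %-10s %s" % (f.load_point, f.module, f.reason))
```

Run against the sample it reports the same four modules the thread's fix scripts end up targeting (awvts, ddcdbax, jzorkusd, oawucwgq) and leaves the SUPERAntiSpyware hook alone, because it lives outside system32 and predates the infection. Two things the heuristic deliberately does not do: it ignores the plain Run keys, which need a per-vendor allow-list rather than a date check, and it treats any extra LSA package as suspect, so on a machine with a legitimate third-party authentication package that entry would need adding to the allow-list.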
 
rpggamergirlCommented:
>>I placed it up there!<<
That one you uploaded is a screenshot of your group policy.

Have you scanned with WinPFind3u yet? It's the log of WinPFind3u that I'm asking for.
0
 
wildbill327Author Commented:
I don't think you are looking at the right file. I checked the file I uploaded and it is the WinPFind3u.txt log created yesterday. I uploaded a second one today.
0
 
rpggamergirlCommented:
wildbill327,

At EE-Stuff.com, there is only one file uploaded for this question;
jpedit.JPG - 145.83 KB


File ID 1896
Tied with Question ID 22113148
Uploaded by Ryan_R
Upload Date Jan 5th 2007 9:32 PM
# Downloads 7
Filename gpedit.JPG
File size 145.83 KB
File Comment screen shot
0
 
wildbill327Author Commented:
Strange, because when I log into EE-Stuff.com here
https://filedb.experts-exchange.com/incoming/ee-stuff/5045-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5062-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5128-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5068-result.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5069-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5071-kasperersky.txt
I see this.
 
   
Logout [wildbill327]    
 
Home Expert Area  


 View Files - Question ID: 22891312
   
 There are 2 files found uploaded for this question. They are displayed below, in order of their upload date. Click on the file name to view the file details and download the file.
Upload a new file

File Name Uploaded By Upload Date (PST) Comment # Downloads
WinPFind3.Txt wildbill327 Oct 17th 2007 1:07 PM This is the path of the file I uploaded C:\Docu... 0
WinPFind3.Txt wildbill327 Oct 16th 2007 1:44 PM For rpggamergirl: 1

 
   
  Experts-Exchange Home | Experts Exchange logo and layout © 1995-2007 Experts Exchange LLC. Used by permission.  
 
 
 
0
 
rpggamergirlCommented:
wildbill327,
I am very sorry, my mistake and I apologize. I somehow was looking at the wrong question ID.

Start WinPFind3U. Copy/Paste the information in the Quotebox below(all text inside the lines) into the pane where it says "Paste fix here" and then click the Run Fix button.

------------------------------------------------------------------------------------
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> ddcdbax -> %System32%\ddcdbax.dll
YN -> jzorkusd -> jzorkusd.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {2D089509-246B-4B9B-8B84-AA6DA7CA61E4} [HKLM] -> %System32%\ssqpp.dll [Reg Data - Value does not exist]
YN -> {A95B2816-1D7E-4561-A202-68C0DE02353A} [HKLM] -> %System32%\jzorkusd.dll [Reg Data - Value does not exist]
YY -> {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} [HKLM] -> %System32%\ddcdbax.dll [Reg Data - Value does not exist]
YY -> {E35B6C88-E8E7-43D0-9169-4E59B437AC9C} [HKLM] -> %System32%\awvts.dll [Reg Data - Value does not exist]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> %System32%\jzorkusd.dll [Security Toolbar]
[Files/Folders - Created Within 30 days]
NY -> abfqbuel.ini -> %System32%\abfqbuel.ini
NY -> avzzkbht.dll.vir -> %System32%\avzzkbht.dll.vir
NY -> avzzkbht.dllbox -> %System32%\avzzkbht.dllbox
NY -> awvts.dll -> %System32%\awvts.dll
NY -> ayadd.tmp -> %System32%\ayadd.tmp
NY -> bskidxbh.ini -> %System32%\bskidxbh.ini
NY -> cfhulhfn.exe -> %System32%\cfhulhfn.exe
NY -> ddcdbax.dll -> %System32%\ddcdbax.dll
NY -> ecioqvhy.ini -> %System32%\ecioqvhy.ini
NY -> efcccbb.dll -> %System32%\efcccbb.dll
NY -> fccbcyv.dll.vir -> %System32%\fccbcyv.dll.vir
NY -> fccbyyv.dll -> %System32%\fccbyyv.dll
NY -> grwekdho.ini -> %System32%\grwekdho.ini
NY -> hhfledew.exe -> %System32%\hhfledew.exe
NY -> hhhkj.tmp -> %System32%\hhhkj.tmp
NY -> hoxqbqko.ini -> %System32%\hoxqbqko.ini
NY -> ijjlm.tmp -> %System32%\ijjlm.tmp
NY -> jbtvyegb.ini -> %System32%\jbtvyegb.ini
NY -> jjwchdiv.ini -> %System32%\jjwchdiv.ini
NY -> jrcnbdfy.dll -> %System32%\jrcnbdfy.dll
NY -> jrcnbdfy.dllbox -> %System32%\jrcnbdfy.dllbox
NY -> jzorkusd.dllbox -> %System32%\jzorkusd.dllbox
NY -> kioxeprt.dllbox -> %System32%\kioxeprt.dllbox
NY -> kkwostel.dll -> %System32%\kkwostel.dll
NY -> kkwostel.dllbox -> %System32%\kkwostel.dllbox
NY -> ktgxecsy.ini -> %System32%\ktgxecsy.ini
NY -> lgnturdw.dllbox -> %System32%\lgnturdw.dllbox
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> mqvigcru.exe -> %System32%\mqvigcru.exe
NY -> nnnnmkl.dll -> %System32%\nnnnmkl.dll
NY -> ofmzpzuv.dllbox -> %System32%\ofmzpzuv.dllbox
NY -> omxglxxv.exe -> %System32%\omxglxxv.exe
NY -> orqss.tmp -> %System32%\orqss.tmp
NY -> otokoucm.ini -> %System32%\otokoucm.ini
NY -> peygtweb.ini -> %System32%\peygtweb.ini
NY -> pezugkjt.dllbox -> %System32%\pezugkjt.dllbox
NY -> pkcytahg.ini -> %System32%\pkcytahg.ini
NY -> ppqss.bak1 -> %System32%\ppqss.bak1
NY -> ppqss.ini -> %System32%\ppqss.ini
NY -> qgpwlhqr.dllbox -> %System32%\qgpwlhqr.dllbox
NY -> qomljkh.dll -> %System32%\qomljkh.dll
NY -> rkyxkqee.ini -> %System32%\rkyxkqee.ini
NY -> roetukvx.ini -> %System32%\roetukvx.ini
NY -> rppmfgkx.exe -> %System32%\rppmfgkx.exe
NY -> rqroonn.dll -> %System32%\rqroonn.dll
NY -> stvwa.bak1 -> %System32%\stvwa.bak1
NY -> stvwa.ini -> %System32%\stvwa.ini
NY -> tfdwbvim.ini -> %System32%\tfdwbvim.ini
NY -> tnhuepmu.tmp -> %System32%\tnhuepmu.tmp
NY -> tstwa.tmp -> %System32%\tstwa.tmp
NY -> tuvvvvs.dll -> %System32%\tuvvvvs.dll
NY -> txenfhxp.dll -> %System32%\txenfhxp.dll
NY -> txenfhxp.dllbox -> %System32%\txenfhxp.dllbox
NY -> uvaglvtb.dll -> %System32%\uvaglvtb.dll
NY -> uvaglvtb.dllbox -> %System32%\uvaglvtb.dllbox
NY -> wqjmduji.exe -> %System32%\wqjmduji.exe
NY -> xhvrluyn.ini -> %System32%\xhvrluyn.ini
NY -> xxywttr.dll -> %System32%\xxywttr.dll
[Files/Folders - Modified Within 30 days]
NY -> abfqbuel.ini -> %System32%\abfqbuel.ini
NY -> avzzkbht.dll.vir -> %System32%\avzzkbht.dll.vir
NY -> avzzkbht.dllbox -> %System32%\avzzkbht.dllbox
NY -> awvts.dll -> %System32%\awvts.dll
NY -> ayadd.tmp -> %System32%\ayadd.tmp
NY -> bskidxbh.ini -> %System32%\bskidxbh.ini
NY -> cfhulhfn.exe -> %System32%\cfhulhfn.exe
NY -> ddcdbax.dll -> %System32%\ddcdbax.dll
NY -> ecioqvhy.ini -> %System32%\ecioqvhy.ini
NY -> efcccbb.dll -> %System32%\efcccbb.dll
NY -> fccbcyv.dll.vir -> %System32%\fccbcyv.dll.vir
NY -> fccbyyv.dll -> %System32%\fccbyyv.dll
NY -> grwekdho.ini -> %System32%\grwekdho.ini
NY -> hhfledew.exe -> %System32%\hhfledew.exe
NY -> hhhkj.tmp -> %System32%\hhhkj.tmp
NY -> hoxqbqko.ini -> %System32%\hoxqbqko.ini
NY -> ijjlm.tmp -> %System32%\ijjlm.tmp
NY -> jbtvyegb.ini -> %System32%\jbtvyegb.ini
NY -> jjwchdiv.ini -> %System32%\jjwchdiv.ini
NY -> jrcnbdfy.dll -> %System32%\jrcnbdfy.dll
NY -> jrcnbdfy.dllbox -> %System32%\jrcnbdfy.dllbox
NY -> jzorkusd.dllbox -> %System32%\jzorkusd.dllbox
NY -> kioxeprt.dllbox -> %System32%\kioxeprt.dllbox
NY -> kkwostel.dll -> %System32%\kkwostel.dll
NY -> kkwostel.dllbox -> %System32%\kkwostel.dllbox
NY -> ktgxecsy.ini -> %System32%\ktgxecsy.ini
NY -> lgnturdw.dllbox -> %System32%\lgnturdw.dllbox
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> mqvigcru.exe -> %System32%\mqvigcru.exe
NY -> nnnnmkl.dll -> %System32%\nnnnmkl.dll
NY -> ofmzpzuv.dllbox -> %System32%\ofmzpzuv.dllbox
NY -> omxglxxv.exe -> %System32%\omxglxxv.exe
NY -> orqss.tmp -> %System32%\orqss.tmp
NY -> otokoucm.ini -> %System32%\otokoucm.ini
NY -> peygtweb.ini -> %System32%\peygtweb.ini
NY -> pezugkjt.dllbox -> %System32%\pezugkjt.dllbox
NY -> pkcytahg.ini -> %System32%\pkcytahg.ini
NY -> ppqss.bak1 -> %System32%\ppqss.bak1
NY -> ppqss.ini -> %System32%\ppqss.ini
NY -> qgpwlhqr.dllbox -> %System32%\qgpwlhqr.dllbox
NY -> qomljkh.dll -> %System32%\qomljkh.dll
NY -> rkyxkqee.ini -> %System32%\rkyxkqee.ini
NY -> roetukvx.ini -> %System32%\roetukvx.ini
NY -> rppmfgkx.exe -> %System32%\rppmfgkx.exe
NY -> rqroonn.dll -> %System32%\rqroonn.dll
NY -> stvwa.bak1 -> %System32%\stvwa.bak1
NY -> stvwa.ini -> %System32%\stvwa.ini
NY -> tfdwbvim.ini -> %System32%\tfdwbvim.ini
NY -> tnhuepmu.tmp -> %System32%\tnhuepmu.tmp
NY -> tstwa.tmp -> %System32%\tstwa.tmp
NY -> tuvvvvs.dll -> %System32%\tuvvvvs.dll
NY -> txenfhxp.dll -> %System32%\txenfhxp.dll
NY -> txenfhxp.dllbox -> %System32%\txenfhxp.dllbox
NY -> uvaglvtb.dll -> %System32%\uvaglvtb.dll
NY -> uvaglvtb.dllbox -> %System32%\uvaglvtb.dllbox
NY -> wqjmduji.exe -> %System32%\wqjmduji.exe
NY -> xhvrluyn.ini -> %System32%\xhvrluyn.ini
NY -> xxywttr.dll -> %System32%\xxywttr.dll
[File String Scan - Non-Microsoft Only]
NY -> WSUD , -> %System32%\hhhkj.tmp
NY -> WSUD , -> %System32%\ijjlm.tmp
NY -> WSUD , -> %System32%\tstwa.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]

-------------------------------------------------------------------------------
When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.
0
 
wildbill327Author Commented:
I have uploaded the two requested files. The result of the script is result.txt
0
 
rpggamergirlCommented:
Start WinPFind3U again. Copy/Paste the information in the Quotebox below(all text inside the lines) into the pane where it says "Paste fix here" and then click the Run Fix button.
--------------------------------------------------------------------------------------
[Kill Explorer]
[Unregister Dlls]
[Files/Folders - Created Within 30 days]
NY -> adaway.lic -> %SystemRoot%\adaway.lic
NY -> oawucwgq.dll -> %System32%\oawucwgq.dll
NY -> oawucwgq.dllbox -> %System32%\oawucwgq.dllbox
NY -> tkqwhfyp.exe -> %System32%\tkqwhfyp.exe
[Files/Folders - Modified Within 30 days]
NY -> adaway.lic -> %SystemRoot%\adaway.lic
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> oawucwgq.dll -> %System32%\oawucwgq.dll
NY -> oawucwgq.dllbox -> %System32%\oawucwgq.dllbox
[Start Explorer]
[Reboot]

--------------------------------------------------------------------------------------
When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix.


And then run online scanners, see if they find any more nasties.
Kaspersky online scanner, it doesn't remove what it finds but you can save the report to show us.
http://www.kaspersky.com/virusscanner

OR: TrendMicro
http://housecall65.trendmicro.com/

Or: PandaActivescan
http://www.pandasoftware.com/activescan/activescan/ascan_2.asp
0
 
wildbill327Author Commented:
I ran the Kaspersky scan and have uploaded the results file.
0
 
dreamyguyCommented:
Even after running all the virus scanners available out there, you can't really be sure that your system's state is back to the way it was prior to the infection. It's really good that you're trying your best to resolve this without re-formatting your machine, but in my opinion it would be best to take a backup of all your files and do a reinstall.
0
 
rpggamergirlCommented:
Kaspersky's result is clean.
Is Symantec still finding a virus?
0
 
wildbill327Author Commented:
I still get Netflex and American Express pop-ups. I have the pop-up blocker enabled in IE.
0
 
rpggamergirlCommented:
Thank you.
Sorry, I was away for 2 days.
American Express and Netflex popups?
Could we look at another WinPFind log? Or have you resolved this question already, since you closed it?
0
 
wildbill327Author Commented:
I'll send another WinPFind log if you don't mind. I uploaded it to EE-Stuff.
0
 
rpggamergirlCommented:
I hope you can forgive me for not coming back here. I apologize for my incompetence. It's been way too long; I'm very sorry.

I've looked at the logs and I couldn't find anything suspicious, or maybe I just missed it. Kaspersky is the best scanner and I didn't spot the culprit there.

Do you have a screenshot of the popups?

Also try clearing your Trusted\Restricted zones; sometimes some nasties list themselves there.
Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the file and select "Install".

Again, I'm sorry for replying too late.
0
