
Thread: Could someone please help me? Several trojans and malware :(

  1. #11
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Thanks for returning your information. Another item has shown, so we need to back up a moment like this.

    Double-click FindAWF.exe to start the tool.

    • Select option #3 - Remove bak folders by typing 3 and press 'Enter'
    • A text file will open up. Please copy/paste the following bolded text into the text file:

    C:\PROGRA~1\MSNMES~1\BAK

    • Close the .txt file and click 'Yes' to save the changes.
    • When the tool has completed, a report will open up in Notepad.

    Please post the results of the awf.txt in your next reply.

    Let's move to Option 4 now:

    Double-click FindAWF.exe to start the tool.

    • Select option #4 - Reset domain zones by typing 4 and press 'Enter'
    • You will receive a warning to reset domain zones
    • Press 1 then press Enter.
    • If you have manually included sites in the trusted zones, these will need to be re-inserted.


    When you get to this point, follow these directions:

    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  2. #12
    Member
    Join Date: Nov 2007 | Posts: 45

    Here is the report from the first step:


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Thu 11/29/2007
    The current time is: 19:26:30.18


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report

    The second step was accompanied with several errors, along with explorer.exe and combofix shutting down. I followed the prompts, did not click on the window, and was away for 10 minutes. When I returned the errors showed up. I was not able to catch all the information.
    Should I run combofix option 4 again?

  3. #13
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    ComboFix is a different tool; make sure you are finished completely with FindAWF, including option 4. Then restart your computer and try ComboFix again. Read the directions carefully. If you have any problem, stop and let me know and we will try another method to kill the junk.

    New tool entirely:

    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #14
    Member
    Join Date: Nov 2007 | Posts: 45

    I am sorry, option 4 of FindAWF did run successfully. It was combofix that failed. This is all new to me and I will try to slow down and read more carefully. I would just like to get rid of these programs!

    I will run combofix again after restarting, and not walk away from it this time. After that I will post the log, accompanied by a fresh HJT log.

    Thanks so much for your patience and effort!

  5. #15
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    OK, combofix is fairly simple, just follow the prompts. Make sure not to touch it while it is running.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #16
    Member
    Join Date: Nov 2007 | Posts: 45

    ComboFix 07-11-19.4C - Spiderman 2007-11-29 22:10:52.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT -5:00]
    Running from: C:\Documents and Settings\Spiderman\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Program Files\Insider
    C:\Program Files\Insider\Insider.exe
    C:\Program Files\Insider\UnInstall.exe
    C:\Program Files\WinBudget
    C:\Program Files\WinBudget\bin\crap.1191628715.old
    C:\Program Files\WinBudget\bin\matrix.dll
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\83122.exe
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b147.exe
    C:\WINDOWS\Downloaded Program Files.\nethv32.inf
    C:\WINDOWS\hosts
    C:\WINDOWS\mrofinu.exe
    C:\WINDOWS\system32\awvvw.dll
    C:\WINDOWS\system32\b1
    C:\WINDOWS\system32\b1\dnslook11.exe
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\g2
    C:\WINDOWS\system32\g2\bemwdll3.exe
    C:\WINDOWS\system32\i2
    C:\WINDOWS\system32\i2\mper83122.exe
    C:\WINDOWS\system32\n8
    C:\WINDOWS\system32\n8\ensts2dll.exe
    C:\WINDOWS\SYSTEM32\wvvwa.ini
    C:\WINDOWS\SYSTEM32\wvvwa.ini2
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\TTC-4444.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR




    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
    .

    2007-11-25 11:15 464,928 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
    2007-11-25 11:15 1,604 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
    2007-11-25 11:06 <DIR> d-------- C:\Documents and Settings\Spiderman\Application Data\AVG7
    2007-11-25 11:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-25 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-25 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-25 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-11-25 08:18 79,936 --a------ C:\WINDOWS\SYSTEM32\kodeckwv.dll
    2007-11-22 20:32 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-22 12:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-21 23:32 35,840 --a------ C:\WINDOWS\17PHolmes1000106.exe
    2007-11-21 23:31 <DIR> d-------- C:\temp\abW9
    2007-11-21 23:31 36,864 --a------ C:\WINDOWS\SYSTEM32\gebaxxv.dll
    2007-10-21 19:13 <DIR> d-------- C:\Program Files\PFConfig
    2007-10-15 17:01 <DIR> d-------- C:\Program Files\Alcohol Soft
    2007-10-15 16:55 639,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
    2007-10-09 15:35 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-30 00:26 --------- d-----w C:\Program Files\MSN Messenger
    2007-11-29 23:34 --------- d-----w C:\Program Files\QuickTime
    2007-11-29 23:34 --------- d-----w C:\Program Files\AIM
    2007-11-28 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-28 02:15 --------- d-----w C:\Program Files\Rockstar Games
    2007-11-25 16:26 --------- d-----w C:\Documents and Settings\Spiderman\Application Data\nView_Wallpaper
    2007-11-25 15:54 --------- d-----w C:\Program Files\SpywareBlaster
    2007-11-25 14:28 --------- d-----w C:\Program Files\RealFlightG3
    2007-11-24 17:59 81,472 ----a-w C:\WINDOWS\SYSTEM32\mjipaeri.dll
    2007-11-23 20:30 83,520 ----a-w C:\WINDOWS\SYSTEM32\uuhyelcu.dll
    2007-11-22 16:50 79,936 ----a-w C:\WINDOWS\SYSTEM32\nuwdkndm.dll
    2007-11-22 04:32 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-20 00:04 --------- d-----w C:\Program Files\PeerGuardian2
    2007-11-20 00:04 --------- d-----w C:\Documents and Settings\Spiderman\Application Data\uTorrent
    2007-11-13 02:26 --------- d-----w C:\Program Files\DivX
    2007-10-18 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2007-10-13 22:41 --------- d-----w C:\Program Files\Google
    2007-10-13 17:41 --------- d-----w C:\Program Files\EA Games
    2007-10-01 01:27 --------- d-----w C:\Program Files\AC3Filter
    2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
    2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
    2007-09-28 16:07 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
    2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
    2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
    2007-09-28 16:07 129,784 ----a-w C:\WINDOWS\SYSTEM32\pxafs.dll
    2007-09-28 16:07 120,056 ----a-w C:\WINDOWS\SYSTEM32\pxcpyi64.exe
    2007-09-28 16:07 118,520 ----a-w C:\WINDOWS\SYSTEM32\pxinsi64.exe
    2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
    2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
    2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
    2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
    2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
    2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
    2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
    2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
    2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
    2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
    2007-09-06 21:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
    2007-09-06 21:14 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
    2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
    2007-03-29 13:13 87,608 ----a-w C:\Documents and Settings\Spiderman\Application Data\ezpinst.exe
    2007-03-29 13:13 47,360 ----a-w C:\Documents and Settings\Spiderman\Application Data\pcouffin.sys
    2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
    2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
    2006-06-08 07:02 2,048 ----a-w C:\Program Files\func.exe
    2005-08-21 16:42 905 -c--a-w C:\Program Files\uninstal.log
    2004-07-09 23:24 784 ----a-w C:\Documents and Settings\Spiderman\Application Data\mpauth.dat
    2006-01-11 06:41 56 --sh--r C:\WINDOWS\SYSTEM32\6BBF71BA10.sys
    2006-09-24 00:47 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\U3BpZGVybWFu\asappsrv.dll
    2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\U3BpZGVybWFu\command.exe
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\U3BpZGVybWFu\oa1Dt3pVvqIR.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C79F3B8-45AC-4AF4-8D5E-D99F8D0B99E9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D42572D-F02C-4543-9448-F210B949BBA4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]
    2007-11-21 23:31 36864 --a------ C:\WINDOWS\system32\gebaxxv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8d40812c-1993-4b5e-96db-b2d01b7b2381}]
    2007-11-25 08:18 79936 --a------ C:\WINDOWS\system32\kodeckwv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6895296-6896-4A1A-A6A1-FAD2C95B0481}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFF50636-5E41-43B7-D9A8-23861A5A5812}]
    2007-11-21 23:32 70144 --a------ C:\Program Files\MSN\woqufes.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
    "NvMediaCenter"="RunDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 11:05]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 11:05]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\narrator.exe]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]
    "{4A54500A-65FE-4F4A-B860-20EAE2F577F9}"= C:\WINDOWS\system32\gebaxxv.dll [2007-11-21 23:31 36864]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaxxv]
    gebaxxv.dll 2007-11-21 23:31 36864 C:\WINDOWS\SYSTEM32\gebaxxv.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    backup=C:\WINDOWS\pss\PowerReg Scheduler.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
    path=C:\Documents and Settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
    backup=C:\WINDOWS\pss\clippy.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
    path=C:\Documents and Settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
    backup=C:\WINDOWS\pss\Magnifier.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 02:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2003-08-06 01:04 114741 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 10:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2004-02-10 11:51 118784 --a------ C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2004-02-10 11:55 155648 --a------ C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-03 20:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
    2004-10-07 21:44 40960 --a------ C:\WINDOWS\NCLAUNCH.EXe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
    2003-04-10 12:16 151552 --a------ C:\Program Files\Saitek\Software\Profiler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
    2003-04-10 12:23 86016 --a------ C:\Program Files\Saitek\Software\SaiSmart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Insider"=C:\Program Files\Insider\Insider.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "runner1"=C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    "QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    "nwiz"=nwiz.exe /install

    R3 SaiClass;SaiClass;C:\WINDOWS\system32\drivers\SaiNtBus.sys
    S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
    S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
    S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys
    S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys
    S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
    S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys
    S3 DMSKSSRh;DMSKSSRh;\??\C:\DOCUME~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys
    S3 SaiNtHid;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys
    S3 SaiNtSub;SaiNtSub;C:\WINDOWS\system32\DRIVERS\SaiNtSub.sys
    S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23460158-7b6a-11dc-8539-000d56efba03}]
    \Shell\AutoRun\command - F:\setup.exe
    \Shell\install\command - F:\setup.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-23 15:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (BOB-Spiderman).job"
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-29 22:15:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-29 22:16:44
    .
    --- E O F ---


    HJT report to follow in next post.

  7. #17
    Member
    Join Date: Nov 2007 | Posts: 45

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:18:19 PM, on 11/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.98rock.com/cc-common/babes/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1C79F3B8-45AC-4AF4-8D5E-D99F8D0B99E9} - (no file)
    O2 - BHO: (no name) - {1D42572D-F02C-4543-9448-F210B949BBA4} - (no file)
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINDOWS\system32\gebaxxv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: {1832b7b1-0d2b-bd69-e5b4-3991c21804d8} - {8d40812c-1993-4b5e-96db-b2d01b7b2381} - C:\WINDOWS\system32\kodeckwv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {B6895296-6896-4A1A-A6A1-FAD2C95B0481} - (no file)
    O2 - BHO: 0 - {FFF50636-5E41-43B7-D9A8-23861A5A5812} - C:\Program Files\MSN\woqufes.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZR
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://66.154.44.68/cam/Install.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instantservice.com/jars...rxsigned42.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newaol.com/bkpromo/d...ormerSetup.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - Winlogon Notify: gebaxxv - C:\WINDOWS\SYSTEM32\gebaxxv.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    --
    End of file - 8899 bytes

  8. #18
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Good morning, and great job so far. It looks like a Vundo infection; ComboFix got some of it. Follow these directions.

    TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
    http://russelltexas.com/malware/teatimer.htm

    The infection is there; here are a few files I see:
    C:\WINDOWS\system32\gebaxxv.dll
    C:\WINDOWS\system32\kodeckwv.dll
    and there are usually more hidden. Allow VundoFix time to find them; you may have to run it a few times.

    Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer; click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

    Post the Vundofix.txt and a new HJT log, also feedback, how is the computer running?

    Thanks..Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
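The cross-check Phil describes above (the same unnamed DLL registered as a BHO, as a ShellExecuteHook and as a Winlogon Notify entry) can be automated over the two logs the user posted. The following is an added Python example, not part of this thread and not code from HijackThis, ComboFix or VundoFix; it assumes only the HJT and ComboFix line formats visible in the posts, and its sample input is a handful of lines copied from those logs.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the HijackThis log
# and the ComboFix "Reg Loading Points" section posted earlier in this thread.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C79F3B8-45AC-4AF4-8D5E-D99F8D0B99E9} - (no file)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINDOWS\system32\gebaxxv.dll
O2 - BHO: {1832b7b1-0d2b-bd69-e5b4-3991c21804d8} - {8d40812c-1993-4b5e-96db-b2d01b7b2381} - C:\WINDOWS\system32\kodeckwv.dll
O2 - BHO: 0 - {FFF50636-5E41-43B7-D9A8-23861A5A5812} - C:\Program Files\MSN\woqufes.dll
O20 - Winlogon Notify: gebaxxv - C:\WINDOWS\SYSTEM32\gebaxxv.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]
2007-11-21 23:31 36864 --a------ C:\WINDOWS\system32\gebaxxv.dll

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]
"{4A54500A-65FE-4F4A-B860-20EAE2F577F9}"= C:\WINDOWS\system32\gebaxxv.dll [2007-11-21 23:31 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaxxv]
gebaxxv.dll 2007-11-21 23:31 36864 C:\WINDOWS\SYSTEM32\gebaxxv.dll
"""

# "O2 - BHO: <name> - {CLSID} - <path>", "O20 - Winlogon Notify: <name> - <path>", ...
HJT_LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
BHO_NAME_RE = re.compile(r"^(.*?) - \{[0-9A-Fa-f-]+\} - ")
# A DLL path anywhere on a line (paths may contain spaces, so stop at the first ".dll").
DLL_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.dll", re.IGNORECASE)
# BHO "names" that carry no information: "(no name)", a bare CLSID, a lone digit.
NAMELESS_RE = re.compile(r"^(\(no name\)|\{?[0-9a-f-]*\}?)$", re.IGNORECASE)


def classify(label: str) -> str:
    """Map an HJT section kind or a ComboFix registry key to one common
    mechanism name so entries from the two logs can be correlated."""
    low = label.lower()
    if "winlogon" in low and "notify" in low:
        return "Winlogon Notify"
    if "shellexecutehooks" in low:
        return "ShellExecuteHooks"
    if low == "bho" or "browser helper objects" in low:
        return "BHO"
    return label.strip("[]").rsplit("\\", 1)[-1]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(hjt_text: str, combofix_text: str) -> dict:
    """Return {dll basename: {"paths", "mechanisms", "nameless_bho"}} built
    from an HJT log and the ComboFix loading-points section."""
    entries = defaultdict(lambda: {"paths": set(), "mechanisms": set(),
                                   "nameless_bho": False})
    for raw in hjt_text.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        code, kind, rest = m.groups()
        p = DLL_PATH_RE.search(rest)
        if not p:
            continue  # "(no file)" registrations and non-DLL targets: nothing loaded
        e = entries[_basename(p.group(0))]
        e["paths"].add(p.group(0))
        e["mechanisms"].add(classify(kind))
        if code == "O2":
            name = BHO_NAME_RE.match(rest)
            if name and NAMELESS_RE.match(name.group(1)):
                e["nameless_bho"] = True

    current_key = ""
    for raw in combofix_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current_key = line  # registry key header; following lines belong to it
            continue
        p = DLL_PATH_RE.search(line)
        if p and current_key:
            e = entries[_basename(p.group(0))]
            e["paths"].add(p.group(0))
            e["mechanisms"].add(classify(current_key))
    return dict(entries)


def suspicious(entries: dict) -> list:
    """DLLs worth a closer look: loaded by two or more persistence mechanisms,
    or registered as a BHO without a readable name."""
    return sorted(name for name, e in entries.items()
                  if len(e["mechanisms"]) >= 2 or e["nameless_bho"])


if __name__ == "__main__":
    found = triage(HJT_SAMPLE, COMBOFIX_SAMPLE)
    for name in suspicious(found):
        e = found[name]
        flag = " (nameless BHO)" if e["nameless_bho"] else ""
        print(f"{name}: {', '.join(sorted(e['mechanisms']))}{flag}")
```

On the sample it lists gebaxxv.dll (three mechanisms, nameless), kodeckwv.dll and woqufes.dll (nameless BHOs) and leaves the Adobe and Desktop Search DLLs alone; the heuristic only ranks what to look at first, it does not decide what is malicious.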

  9. #19
    Member
    Join Date: Nov 2007 | Posts: 45

    OK, TeaTimer has been disabled (PC restarted after disabling, per the instructions). I have read the instructions on VundoFix and installed it, ran the program and was left with a message saying "there were no files found".

    Should I run it again? Do you need an HJT log before and/or after a rerun of VundoFix? Again, I can't tell you how much you're helping me on this. I wish there were some way to return the favor.

    As far as how the computer is running, it's great. I'm not getting any more pop-up windows with the "searchfeed results" and explorer.exe isn't reaching 100K of mem usage; it's staying around 20K. Seems to have made a big difference already!

    Am I safe to do any banking or bill paying yet? There are a few things I'd like to take care of... things that I would not dare to do with all the bugs that have been crawling around lately.

    Thanks so much

  10. #20
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    I understand; I also do my bill paying online, but hold off a bit longer. Run VundoFix once more and post this:
    Post the Vundofix.txt and a new HJT log, also feedback, how is the computer running?
    As soon as I look at that information, if all is well I will give you instructions to run a Kaspersky scan to check for anything left.

    I will keep an eye open for your post and turn it around as quickly as possible.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
