
View Full Version : Command Service Help please



Thechea
2007-01-27, 15:58
I've read numerous topics on Command Service and I'm not quite sure what's being said in them, and I've downloaded many programs to rid my computer of it, but I still have it.

Logfile of HijackThis v1.99.1
Scan saved at 9:53:11 AM, on 1/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\SmFrZQ\command.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\win513.tmp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\?ymantec\l?ass.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A14E2C93-E071-BCA6-5754-EB1BB37310C0} - C:\WINDOWS\system32\utfub.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30379~1\Bar888.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win513.tmp.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\omjldgxn.dll",setvm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Bpjgeywj] "C:\WINDOWS\?ymantec\l?ass.exe" 99001162
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFrZQ\command.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


That's my HijackThis log... is there a definite way to rid your computer of cmdService?
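
Before a helper replies to a log like this, the first pass is picking out the entries worth asking about. The triage script below is an added example, not part of this thread and not HijackThis' own code: it runs over lines copied from the log above and encodes only the indicators that are visible there (an autostart in TEMP, a folder and file name HijackThis printed with "?", svchost lookalikes, a service with no publisher outside the system folders, and a URLSearchHook with no name). The reason strings, the SYSTEM_DIRS list and the path regex are my own choices, not anything from HijackThis.

```python
"""Triage of HijackThis-style log lines for the indicators seen in this thread.

Added example: it only points a reader at lines worth a question; it removes
nothing and decides nothing on its own.
"""
import re
from typing import List, Tuple

# Reasons are constants so callers (and tests) can match on them exactly.
R_TEMP = "autostart runs from a temp directory"
R_UNPRINTABLE = "path contains characters HijackThis could not print (shown as ?)"
R_SVCHOST = "svchost lookalike: name or location differs from C:\\WINDOWS\\system32\\svchost.exe"
R_NO_OWNER = "service with no publisher outside the system directories"
R_NONAME_HOOK = "URLSearchHook with no name"

# Locations a service with an unknown publisher is NOT flagged for (my choice).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

# A quoted path (may contain spaces) or a bare path ending in a PE-style extension.
PATH_RE = re.compile(
    r'"([a-z]:\\[^"]+)"'
    r'|([a-z]:\\.+?\.(?:exe|dll|sys|cpl|scr)\b)',
    re.IGNORECASE,
)

# Lines copied from the HijackThis log posted above; the last one is from its
# "Running processes" section, which carries no O-prefix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win513.tmp.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\omjldgxn.dll",setvm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Bpjgeywj] "C:\WINDOWS\?ymantec\l?ass.exe" 99001162
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFrZQ\command.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
R3 - URLSearchHook: (no name) - {A14E2C93-E071-BCA6-5754-EB1BB37310C0} - C:\WINDOWS\system32\utfub.dll
C:\WINDOWS\svchost.exe
"""


def extract_path(line: str) -> str:
    """Return the first file path in a log line, or "" if there is none."""
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)) if m else ""


def triage_line(line: str) -> List[str]:
    """Return the reasons, possibly none, why one line deserves a closer look."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0].strip()      # "O4", "O23", "R3", ... or a bare path
    path = extract_path(line)
    lowered = path.lower()
    name = lowered.rsplit("\\", 1)[-1]          # file name component only

    if "\\temp\\" in lowered:
        reasons.append(R_TEMP)
    if "?" in path:
        reasons.append(R_UNPRINTABLE)
    if name.startswith("svchost") and lowered != r"c:\windows\system32\svchost.exe":
        reasons.append(R_SVCHOST)
    if kind == "O23":
        # O23 fields: O23 - Service: <name> - <owner> - <path>
        fields = line.split(" - ")
        owner = fields[2].strip().lower() if len(fields) >= 4 else ""
        if owner == "unknown owner" and not lowered.startswith(SYSTEM_DIRS):
            reasons.append(R_NO_OWNER)
    if kind == "R3" and "(no name)" in line:
        reasons.append(R_NONAME_HOOK)
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-blank line and keep only the flagged ones."""
    flagged: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

A "random-looking file name" rule was left out on purpose: the Dell printer agent dlbkbmgr.exe in the same log would trip any vowel-count heuristic, which is why the rundll32 line loading omjldgxn.dll comes through unflagged and still needs a person (or a file lookup) to judge it. Rules like these narrow the list; they do not replace the helper reading the whole log.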

Mr_JAk3
2007-01-27, 21:42
Hi Thechea and welcome to the Forums :)

You got infections....

Create a new folder for HijackThis and move HijackThis.exe into it.

First install MVPS HOSTS:

Download and unzip hosts.zip from HERE (http://www.mvps.org/winhelp2002/hosts.zip) to a folder (hosts).

When you get a chance please read more about what we are doing HERE (http://www.mvps.org/winhelp2002/hosts.htm).

Here's a Tutorial (http://www.mvps.org/winhelp2002/hosts2.htm) on how to install it, but it's installed like this:

Open up the hosts folder and double-click on the mvps.bat file, it will rename your present HOSTS file to HOSTS.MVP, then it will copy the new HOSTS file to the correct location on your machine. It happens very quickly so don't blink!

You're done with this step.

Next....

Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
and any other programs you didn't install or don't recognize - if you're not sure please ask first

Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
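
The HOSTS step above, written out as code so the mechanism is visible. This is an added example (mine, not the MVPS mvps.bat and not part of this thread): it does what the post describes, rename the live HOSTS file to HOSTS.MVP and copy the new one into place, and adds the check a practitioner would want before overwriting a name-resolution file: the new file parses, localhost still maps to loopback, and every other entry points at a blocking address. The sample file contents and the .invalid hostnames are constructed; the real file on Windows XP lives at C:\WINDOWS\system32\drivers\etc\hosts and replacing it needs administrator rights. The demo() function runs the whole thing against throwaway files so nothing on the machine is touched.

```python
"""Back up and replace a HOSTS file the way the MVPS step describes, with a
sanity check first. Added example, not the MVPS script."""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed fragment in the MVPS HOSTS layout: a comment, the mandatory
# localhost entry, and blocking entries for made-up hostnames.
SAMPLE_NEW_HOSTS = """\
# Constructed sample in the style of the MVPS HOSTS file
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.invalid
0.0.0.0 www.example-adserver.invalid  # trailing comment
"""

LOOPBACK = ("127.0.0.1", "::1")
BLOCKING = ("0.0.0.0", "127.0.0.1")


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the address it resolves to; comments and blanks are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, then whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        address, *names = parts
        for name in names:
            table[name.lower()] = address
    return table


def check_hosts(text: str) -> List[str]:
    """Problems that make a blocklist-style hosts file unsafe to install ([] = fine)."""
    problems: List[str] = []
    table = parse_hosts(text)
    if table.get("localhost") not in LOOPBACK:
        problems.append("localhost must stay mapped to the loopback address")
    for name, address in table.items():
        if name != "localhost" and address not in BLOCKING:
            problems.append(f"{name} points at {address}, not a blocking address")
    return problems


def install_hosts(new_hosts: Path, live_hosts: Path) -> Path:
    """Rename the live HOSTS to HOSTS.MVP, then copy the new file in; returns the backup path."""
    problems = check_hosts(new_hosts.read_text())
    if problems:
        raise ValueError("refusing to install: " + "; ".join(problems))
    backup = live_hosts.with_name(live_hosts.name + ".MVP")
    if live_hosts.exists():
        live_hosts.replace(backup)   # overwrites an older .MVP backup if one is there
    shutil.copyfile(new_hosts, live_hosts)
    return backup


def demo() -> Tuple[str, Dict[str, str]]:
    """Run the install against throwaway files; return (backup contents, live table)."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        mvps = Path(tmp) / "mvps"
        etc.mkdir()
        mvps.mkdir()
        live = etc / "hosts"
        new = mvps / "HOSTS"
        live.write_text("127.0.0.1 localhost\n")   # stands in for the present HOSTS file
        new.write_text(SAMPLE_NEW_HOSTS)
        backup = install_hosts(new, live)
        return backup.read_text(), parse_hosts(live.read_text())


if __name__ == "__main__":
    backup_text, table = demo()
    print("backup kept:", backup_text.strip())
    for name, address in table.items():
        print(f"{name:35} -> {address}")
```

The refusal path matters as much as the happy path: a hosts file that loses its localhost line, or that sends names to a real address instead of 0.0.0.0 or 127.0.0.1, is exactly the kind of file the hijackers in this thread plant, so the check is run on the new file before the old one is moved.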

Thechea
2007-01-28, 00:16
The uninstaller (outerinfo I think) doesn't work. Well, the link doesn't work so I can't get the .exe

Mr_JAk3
2007-01-28, 13:29
Hi :)

OK thanks for letting me know, skip the uninstaller part then and continue with the instructions...

:bigthumb:

Thechea
2007-01-28, 14:59
Okay, Here's the Combo Fix Log:


"Owner" - 07-01-28 8:42:30 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\Ipwindows\ipwins.dll
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\svchost.exe
C:\Program Files\Common Files\{30379~1
C:\Program Files\Common Files\{E0379~2
C:\Program Files\Ipwindows
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\{E0379~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\YMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-28 to 2007-01-28 ))))))))))))))))))))))))))))))))))


2007-01-28 08:48 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-28 03:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-01-27 23:00 <DIR> d----c--- C:\DOCUME~1\Owner\Application Data\Azureus
2007-01-27 23:00 <DIR> d-------- C:\Program Files\Azureus
2007-01-27 21:52 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-01-27 21:49 <DIR> d----c--- C:\DOCUME~1\Owner\Shared
2007-01-27 21:49 <DIR> d----c--- C:\DOCUME~1\Owner\Incomplete
2007-01-27 21:46 <DIR> d----c--- C:\DOCUME~1\Owner\.limewire
2007-01-27 18:10 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Apple Computer
2007-01-27 09:14 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Yahoo! Companion
2007-01-27 09:14 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-27 09:09 <DIR> d-------- C:\Program Files\Yahoo!
2007-01-27 09:08 <DIR> d-------- C:\Program Files\CCleaner
2007-01-27 08:21 <DIR> d-------- C:\Program Files\TryMedia
2007-01-27 07:40 <DIR> d-------- C:\Downloads
2007-01-26 17:53 22,029 ---hs---- C:\WINDOWS\system32\efcddaw.dll
2007-01-26 16:38 <DIR> d----c--- C:\DOCUME~1\Owner\Application Data\vlc
2007-01-26 15:45 1,008,089 ---hs---- C:\WINDOWS\system32\aybeg.bak2
2007-01-26 10:10 22,029 ---hs---- C:\WINDOWS\system32\iifcdax.dll
2007-01-25 19:46 <DIR> d----c--- C:\DOCUME~1\LOCALS~1.NTA\Application Data\Opera
2007-01-25 19:46 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Spybot - Search & Destroy
2007-01-25 19:32 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-25 19:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-01-25 19:32 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-01-25 19:32 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-25 19:32 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-25 19:32 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-25 19:32 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-25 19:32 <DIR> d----c--- C:\DOCUME~1\Owner\Application Data\AVG7
2007-01-25 19:32 <DIR> d----c--- C:\DOCUME~1\LOCALS~1.NTA\Application Data\AVG7
2007-01-25 19:32 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Grisoft
2007-01-25 19:32 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\avg7
2007-01-25 19:28 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-01-25 19:18 <DIR> d----c--- C:\DOCUME~1\Owner\Application Data\Xfire
2007-01-25 18:32 <DIR> d----c--- C:\DOCUME~1\Owner\Application Data\Viewpoint
2007-01-25 18:27 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-25 18:26 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Windows Genuine Advantage
2007-01-25 18:19 11,264 --a------ C:\WINDOWS\INRES.DLL
2007-01-25 18:09 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-01-25 18:09 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-01-25 18:08 299,520 --a------ C:\WINDOWS\uninst.exe
2007-01-25 18:03 <DIR> d----c--- C:\DOCUME~1\Owner\WINDOWS
2007-01-25 17:37 <DIR> d----c--- C:\DOCUME~1\Owner\Application Data\Opera
2007-01-25 17:34 <DIR> d----c--- C:\DOCUME~1\Owner\Application Data\Aim
2007-01-25 17:33 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-01-25 17:33 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Viewpoint
2007-01-25 17:27 155,648 ---h----- C:\Program Files\Common Files\svchost.exe

Thechea
2007-01-28, 15:00
2007-01-25 17:21 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-01-25 17:21 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-01-25 17:15 <DIR> d-------- C:\WINDOWS\zkqm
2007-01-25 17:15 <DIR> d-------- C:\Program Files\Common Files\zkqm
2007-01-25 16:13 <DIR> d--hs---- C:\WINDOWS\SmFrZQ
2007-01-25 15:45 957,983 ---hs---- C:\WINDOWS\system32\aybeg.bak1
2007-01-25 15:45 88,340 --a--c--- C:\WINDOWS\system32\bkhogjig.exe
2007-01-25 15:45 277,056 ---hs---- C:\WINDOWS\system32\gebya.dll
2007-01-25 15:45 118,804 --a--c--- C:\WINDOWS\system32\omjldgxn.dll
2007-01-25 15:40 8,704 --a------ C:\WINDOWS\system32\v6.exe
2007-01-25 15:40 2 --a------ C:\WINDOWS\system32\wtsit.exe
2007-01-25 15:39 22,029 ---hs---- C:\WINDOWS\system32\rqrpmkh.dll
2007-01-25 15:35 <DIR> d---sc--- C:\DOCUME~1\Owner\UserData
2007-01-25 15:33 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2007-01-25 15:19 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2007-01-25 15:18 <DIR> d--hsc--- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2007-01-25 15:16 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-01-25 15:16 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-01-25 15:16 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-01-25 15:16 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-01-25 15:16 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-01-25 15:16 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-01-25 15:16 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-01-25 15:16 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-01-25 15:16 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-01-25 15:16 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-01-25 15:16 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2007-01-25 15:16 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-01-25 15:16 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-01-25 15:16 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-01-25 15:16 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-01-25 15:16 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-01-25 15:16 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-01-25 15:16 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-01-25 15:16 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-01-25 15:16 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-01-25 15:16 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-01-25 15:16 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-01-25 15:16 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-01-25 15:16 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-01-25 15:16 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-01-25 15:16 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-01-25 15:16 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-01-25 15:16 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-01-25 15:16 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2007-01-25 15:16 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-01-25 15:16 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-01-25 15:16 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-01-25 15:16 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2007-01-25 15:16 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-01-25 15:16 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-01-25 15:16 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-01-25 15:16 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2007-01-25 15:16 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2007-01-25 15:16 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-01-25 15:16 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-01-25 15:16 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2007-01-25 15:16 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-01-25 15:16 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-01-25 15:16 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-01-25 15:16 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll

Thechea
2007-01-28, 15:00
2007-01-25 15:14 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-01-25 15:14 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-01-25 15:14 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-01-25 15:14 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-01-25 15:14 9,728 --a------ C:\WINDOWS\system32\reset.exe
2007-01-25 15:14 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-01-25 15:14 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-01-25 15:14 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-01-25 15:14 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2007-01-25 15:14 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-01-25 15:14 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-01-25 15:14 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-01-25 15:14 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-01-25 15:14 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-01-25 15:14 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-01-25 15:14 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2007-01-25 15:14 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-01-25 15:14 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-01-25 15:14 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2007-01-25 15:14 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-01-25 15:14 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-01-25 15:14 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-01-25 15:14 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-01-25 15:14 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2007-01-25 15:14 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-01-25 15:14 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-01-25 15:14 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2007-01-25 15:14 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-01-25 15:14 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-01-25 15:14 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2007-01-25 15:14 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-01-25 15:14 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-01-25 15:14 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2007-01-25 15:14 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2007-01-25 15:14 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-01-25 15:14 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2007-01-25 15:14 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2007-01-25 15:14 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-01-25 15:14 33,792 --a------ C:\WINDOWS\system32\regini.exe
2007-01-25 15:14 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-01-25 15:14 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2007-01-25 15:14 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2007-01-25 15:14 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2007-01-25 15:14 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2007-01-25 15:14 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2007-01-25 15:14 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-01-25 15:14 20,992 --a------ C:\WINDOWS\system32\msg.exe
2007-01-25 15:14 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-01-25 15:14 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2007-01-25 15:14 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-01-25 15:14 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-01-25 15:14 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-01-25 15:14 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-01-25 15:14 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-01-25 15:14 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2007-01-25 15:14 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2007-01-25 15:14 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2007-01-25 15:14 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2007-01-25 15:14 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2007-01-25 15:14 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2007-01-25 15:14 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2007-01-25 15:14 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-01-25 15:14 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2007-01-25 15:14 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-01-25 15:14 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2007-01-25 15:14 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2007-01-25 15:14 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2007-01-25 15:14 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-01-25 15:14 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-01-25 15:14 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-01-25 15:14 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-01-25 15:14 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-01-25 15:14 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-01-25 15:14 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-01-25 15:14 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-01-25 15:14 114,688 --a------ C:\WINDOWS\system32\calc.exe
2007-01-25 15:14 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-01-25 15:14 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-01-25 15:14 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2007-01-25 15:14 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-01-25 15:14 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll

Thechea
2007-01-28, 15:01
2007-01-25 15:14 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2007-01-25 15:13 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-01-25 15:13 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-01-25 14:32 166,656 --a------ C:\WINDOWS\system32\drivers\sis7012.sys
2007-01-25 14:32 <DIR> d-------- C:\WINDOWS\setup.pss
2007-01-25 10:11 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-01-25 10:11 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-01-25 10:11 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-01-25 10:10 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-01-25 10:10 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-01-25 10:10 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-01-25 10:10 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-01-25 10:10 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-01-25 10:10 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-01-25 10:10 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-01-25 10:10 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-01-25 10:10 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-01-25 10:10 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-01-25 10:10 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-01-25 10:09 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-01-25 10:09 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-01-25 10:09 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-01-25 10:09 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2007-01-25 10:09 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-01-25 10:09 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2007-01-25 10:08 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-01-25 10:08 41,088 --a------ C:\WINDOWS\system32\drivers\SISAGP.SYS
2007-01-25 10:08 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-01-25 10:04 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-01-25 10:04 9,008 --a------ C:\WINDOWS\system\VER.DLL
2007-01-25 10:04 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-01-25 10:04 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2007-01-25 10:04 8,704 --a------ C:\WINDOWS\system32\batt.dll
2007-01-25 10:04 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2007-01-25 10:04 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-01-25 10:04 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2007-01-25 10:04 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2007-01-25 10:04 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2007-01-25 10:04 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2007-01-25 10:04 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2007-01-25 10:04 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2007-01-25 10:04 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2007-01-25 10:04 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2007-01-25 10:04 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2007-01-25 10:04 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2007-01-25 10:04 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2007-01-25 10:04 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2007-01-25 10:04 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2007-01-25 10:04 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2007-01-25 10:04 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2007-01-25 10:04 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-01-25 10:04 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2007-01-25 10:04 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2007-01-25 10:04 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2007-01-25 10:04 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2007-01-25 10:04 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-01-25 10:04 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2007-01-25 10:04 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-01-25 10:04 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2007-01-25 10:04 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2007-01-25 10:04 <DIR> dr---c--- C:\DOCUME~1\ALLUSE~1.WIN\Documents
2007-01-24 18:23 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-20 09:18 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\AVG7
2007-01-20 09:18 <DIR> d-------- C:\DOCUME~1\Chea\Application Data\AVG7
2007-01-20 09:17 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-20 09:06 <DIR> d---s---- C:\Program Files\Xfire
2007-01-20 09:06 <DIR> d-------- C:\DOCUME~1\Chea\Application Data\Xfire
2007-01-20 08:56 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-19 16:46 <DIR> d-------- C:\Program Files\Steam
2007-01-13 17:12 <DIR> d-------- C:\Program Files\Belkin
2007-01-13 14:47 <DIR> d-------- C:\DOCUME~1\Chea\Application Data\Viewpoint
2007-01-08 14:29 <DIR> d-------- C:\Program Files\ANDROME NV
2007-01-07 18:01 <DIR> d-------- C:\WINDOWS\OvtCam
2007-01-07 16:49 <DIR> d-------- C:\Program Files\MSN Messenger
2007-01-06 23:12 <DIR> d-------- C:\Program Files\EA Games
2007-01-04 15:23 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\nView_Profiles
2007-01-03 21:06 <DIR> d-------- C:\WINDOWS\nview
2007-01-02 21:30 <DIR> d-------- C:\Program Files\Disney
2006-12-31 18:09 <DIR> d-------- C:\Program Files\ATITool
2006-12-31 18:07 <DIR> d-------- C:\Program Files\Ray Adams

Thechea
2007-01-28, 15:02
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-28 08:49 -------- d-------- C:\Program Files\microsoft intellipoint
2007-01-28 08:34 -------- d----c--- C:\Documents and Settings\Owner\Application Data\avg7
2007-01-28 03:13 -------- d-------- C:\Program Files\messenger
2007-01-27 23:34 -------- d----c--- C:\Documents and Settings\Owner\Application Data\azureus
2007-01-27 22:58 -------- d-------- C:\Program Files\java
2007-01-27 22:56 -------- d-------- C:\Program Files\bitcomet
2007-01-27 21:59 -------- d----c--- C:\Documents and Settings\Owner\Application Data\macromedia
2007-01-27 21:48 -------- d-------- C:\Program Files\limewire
2007-01-27 19:38 -------- d----c--- C:\Documents and Settings\Owner\Application Data\xfire
2007-01-26 16:38 -------- d----c--- C:\Documents and Settings\Owner\Application Data\vlc
2007-01-26 15:50 -------- d---sc--- C:\Documents and Settings\Owner\Application Data\microsoft
2007-01-25 21:23 -------- d----c--- C:\Documents and Settings\Owner\Application Data\mozilla
2007-01-25 21:23 -------- d-------- C:\Program Files\mozilla firefox
2007-01-25 18:32 -------- d----c--- C:\Documents and Settings\Owner\Application Data\viewpoint
2007-01-25 18:10 -------- d-------- C:\Program Files\dell aio printer a920
2007-01-25 17:37 -------- d----c--- C:\Documents and Settings\Owner\Application Data\opera
2007-01-25 17:36 -------- d-------- C:\Program Files\opera
2007-01-25 17:34 -------- d----c--- C:\Documents and Settings\Owner\Application Data\aim
2007-01-25 17:34 -------- d-------- C:\Program Files\aim
2007-01-25 17:33 -------- d-------- C:\Program Files\aod
2007-01-25 15:28 -------- d----c--- C:\Documents and Settings\Owner\Application Data\identities
2007-01-25 10:04 62 --ahsc--- C:\Documents and Settings\Owner\Application Data\desktop.ini
2007-01-20 22:57 -------- d-------- C:\Program Files\divx
2007-01-13 17:11 -------- d--h----- C:\Program Files\installshield installation information
2006-12-31 23:04 -------- d-------- C:\Program Files\dvlad
2006-11-29 20:00 -------- d-------- C:\Program Files\windows media connect 2


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"syswin"="C:\\WINDOWS\\TEMP\\win513.tmp.exe"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\omjldgxn.dll\",setvm"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"P17Helper"="Rundll32 P17.dll,P17Helper"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45F23DE1-81C7-4CA2-A98D-95D1158A95D6}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

Mr_JAk3
2007-01-28, 15:18
Hi :)

Looks like a bit is missing at the end of the ComboFix log. Please post the remaining part here :bigthumb:

Thechea
2007-01-28, 15:21
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\WINDOWS\\svchost.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebya
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpmkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winosz32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


Completion time: 07-01-28 8:54:57




whoops, sorry about that

Mr_JAk3
2007-01-28, 15:38
Ok good :)

Create a new folder for HijackThis and move HijackThis.exe into it.

Rename HijackThis.exe to Scanner.exe

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Thechea
2007-01-28, 15:54
VundoFix:

VundoFix V6.3.2

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 9:41:40 AM 1/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\aybeg.bak2
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\bkhogjig.exe
C:\WINDOWS\system32\daovgucp.dll
C:\WINDOWS\system32\efcddaw.dll
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\iifcdax.dll
C:\WINDOWS\system32\nxgdljmo.ini
C:\WINDOWS\system32\omjldgxn.dll
C:\WINDOWS\system32\rqrpmkh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\aybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aybeg.bak2
C:\WINDOWS\system32\aybeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\bkhogjig.exe
C:\WINDOWS\system32\bkhogjig.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcddaw.dll
C:\WINDOWS\system32\efcddaw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\gebya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifcdax.dll
C:\WINDOWS\system32\iifcdax.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nxgdljmo.ini
C:\WINDOWS\system32\nxgdljmo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\omjldgxn.dll
C:\WINDOWS\system32\omjldgxn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpmkh.dll
C:\WINDOWS\system32\rqrpmkh.dll Has been deleted!

Performing Repairs to the registry.
Done!



HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:59 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\HJT\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {45F23DE1-81C7-4CA2-A98D-95D1158A95D6} - C:\WINDOWS\system32\rqrpmkh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {542C3DA8-CE7B-45DF-9E9A-CAE37C5C88AC} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\daovgucp.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win513.tmp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

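The log above is what the helper reads to decide which entries to remove. As an added example (my own code, not part of this thread or of HijackThis), here is a small Python triage script that applies the checks a helper applies by eye to lines in this format: a registration whose file is already gone, a BHO, toolbar or URLSearchHook registered without a name, an autostart run out of a TEMP directory, a path containing characters HijackThis printed as ? (assumed here to be characters outside the ANSI code page, which is how a lookalike folder name such as the ?ymantec entry shows up), and a system-binary name such as svchost.exe living outside system32. The sample lines are copied from the log posted in this thread, with the last one rebuilt from the policies\explorer\Run value in the ComboFix export; the reason codes and the set of names treated as system binaries are my own choices.

```python
import re

# Constructed sample: lines copied from the HijackThis log in this thread, plus the
# last line, rebuilt from the policies\explorer\Run value in the ComboFix export.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A14E2C93-E071-BCA6-5754-EB1BB37310C0} - C:\WINDOWS\system32\utfub.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {45F23DE1-81C7-4CA2-A98D-95D1158A95D6} - C:\WINDOWS\system32\rqrpmkh.dll (file missing)
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win513.tmp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: "C:\WINDOWS\?ymantec\l?ass.exe" 99001162
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
"""

# "O4 - HKLM\..\Run: [name] path" -> section "O4", body "HKLM\..\Run: [name] path"
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# First drive-letter path ending in an executable or library extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys))', re.IGNORECASE)

# Names that belong in system32; the same name anywhere else is a masquerade
# (the thread shows C:\WINDOWS\svchost.exe and Common Files\svchost.exe).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


def extract_path(body):
    """Return the first drive-letter path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_line(line):
    """Return the reason codes for one HijackThis line (empty list = nothing noted)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        # Hook or BHO still registered after its DLL was removed: a dangling
        # registration, which is why the helper still lists these for fixing.
        reasons.append("file_missing")
    if section in {"O2", "O3", "R3"} and "(no name)" in body:
        reasons.append("unnamed_component")
    path = extract_path(body)
    if path:
        low = path.lower()
        if "?" in path:
            # Assumption: HijackThis prints characters it cannot render as "?",
            # so a "?" inside a path marks a lookalike folder or file name.
            reasons.append("unprintable_path")
        if "\\temp\\" in low:
            reasons.append("temp_dir")
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIR):
            reasons.append("system_name_misplaced")
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every line that raised at least one reason."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(", ".join(reasons).ljust(34), line)
```

Run against the sample, six of the eight lines come back flagged and the two legitimate ones (the Yahoo toolbar and the AVG tray program) come back clean; the codes are a starting point for a human decision, not a verdict, which is exactly how the helper uses the log.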
Mr_JAk3
2007-01-28, 20:40
Hi again, we'll continue :)

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

You should print these instructions or save them to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen, under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Create a new folder for HijackThis and move HijackThis.exe into it.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply, then OK, and close My Computer.

==================


Backup your registry:
Start
Run
Type the following into the box and hit OK: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename RegBackUp
Make sure that the filetype is set to Registry files (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45F23DE1-81C7-4CA2-A98D-95D1158A95D6}"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R3 - URLSearchHook: (no name) - {A14E2C93-E071-BCA6-5754-EB1BB37310C0} - C:\WINDOWS\system32\utfub.dll
O2 - BHO: (no name) - {45F23DE1-81C7-4CA2-A98D-95D1158A95D6} - C:\WINDOWS\system32\rqrpmkh.dll (file missing)
O2 - BHO: (no name) - {542C3DA8-CE7B-45DF-9E9A-CAE37C5C88AC} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\daovgucp.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30379~1\Bar888.dll
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win513.tmp.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\omjldgxn.dll",setvm
O4 - HKCU\..\Run: "C:\WINDOWS\?ymantec\l?ass.exe" 99001162
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\efcddaw.dll
C:\WINDOWS\system32\iifcdax.dll
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\system32\bkhogjig.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\wtsit.exe
C:\WINDOWS\system32\rqrpmkh.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to My Computer and delete the following folders (if present):
C:\WINDOWS\zkqm
C:\Program Files\Common Files\zkqm
C:\WINDOWS\SmFrZQ
C:\Program Files\Ipwindows

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

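The Fix.reg file in the post above works because a line of the form "name"=- tells regedit to delete that value, and the formatting rules the helper insists on (REGEDIT4 on the very first line, one blank line at the end) are what regedit needs to accept the file. As an added example that is not part of this thread, here is a Python script that builds such a removal file from a list of (key, value) pairs and, more usefully, checks a fix file before it is merged: it rejects a leading blank line, a wrong header or a missing trailing blank line, and it also rejects any line that would delete a whole key ([-KEY]) or write a value, so that a merged fix removes exactly what the helper named and nothing else. The two deletions are the ones from the thread; the function names are my own.

```python
import re

REG_HEADER = "REGEDIT4"  # the .reg format the helper asks for

# "[KEY]" or "[-KEY]"; the leading "-" means "delete this whole key".
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]+)?)\]$")
# "name"=-  removes the named value from the current key.
DEL_VALUE_RE = re.compile(r'^"([^"]+)"=-$')
# "name"=anything-else writes a value.
SET_VALUE_RE = re.compile(r'^"[^"]+"=')

# The two deletions from the helper's fix in this thread.
THREAD_FIX = [
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run",
     "svchost.exe"),
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks",
     "{45F23DE1-81C7-4CA2-A98D-95D1158A95D6}"),
]


def build_reg_delete(deletions):
    """Build a REGEDIT4 file that removes only the given (key, value_name) pairs.

    Follows the rules from the thread: REGEDIT4 on the very first line with
    nothing before it, and exactly one blank line at the end of the file.
    """
    lines = [REG_HEADER, ""]
    for key, value in deletions:
        lines.append(f"[{key}]")
        lines.append(f'"{value}"=-')
        lines.append("")
    return "\n".join(lines) + "\n"


def parse_reg_fix(text):
    """Check a fix file and return the list of (key, value_name) it would delete.

    Raises ValueError for a leading blank line, a wrong header, a missing
    trailing blank line, a whole-key deletion, a value write, or any line
    that is neither a key header nor a value deletion.
    """
    text = text.replace("\r\n", "\n")          # tolerate Windows line endings
    if not text.startswith(REG_HEADER + "\n"):
        raise ValueError("first line must be REGEDIT4 with nothing before it")
    if not text.endswith("\n\n"):
        raise ValueError("file must end with one blank line")
    deletions, current_key = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if lineno == 1 or not line.strip():
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group(1) == "-":
                raise ValueError(f"line {lineno}: would delete an entire key")
            current_key = km.group(2)
            continue
        dm = DEL_VALUE_RE.match(line)
        if dm:
            if current_key is None:
                raise ValueError(f"line {lineno}: value outside any [key] section")
            deletions.append((current_key, dm.group(1)))
            continue
        if SET_VALUE_RE.match(line):
            raise ValueError(f"line {lineno}: writes a value; a removal fix should only delete")
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return deletions


def reg_fix_problem(text):
    """Return None if the file passes parse_reg_fix, otherwise the error message."""
    try:
        parse_reg_fix(text)
    except ValueError as err:
        return str(err)
    return None


FIX_TEXT = build_reg_delete(THREAD_FIX)

if __name__ == "__main__":
    print(FIX_TEXT, end="")
    for key, value in parse_reg_fix(FIX_TEXT):
        print(f"would delete value {value!r} under {key}")
```

The checker is deliberately strict about the REGEDIT4 header because that is what the thread asks for; regedit also accepts the Unicode "Windows Registry Editor Version 5.00" header, but mixing the two conventions in one hand-written file is a common reason a fix silently does nothing. Merging still goes through regedit itself, after the registry backup step the helper lists first.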
tashi
2007-02-09, 02:20
Thechea, this topic has been closed to prevent others with similar issues posting in it.

If you have not resolved the problem, please send me a private message (pm) to re-open the thread and provide a link.

Thank you Mr_JAk3.