PDA

View Full Version : serious popup problem



alman520
2007-05-16, 02:43
i have done many scans and cant seem to get rid of the popups. it has gotten to the point where you cant be onthe internet for 2 minutes without being bombarded.
here is my log from hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 7:25:44 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Steven\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\citrkhbs.dll",realset
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178375630015
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

miekiemoes
2007-05-16, 10:18
Hello,


i have done many scans and cant seem to get rid of the popupsEhm, many scans? I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira (http://www.free-av.com/), AVG (http://free.grisoft.com/freeweb.php/doc/2/) OR Active Virus Shield (http://www.activevirusshield.com/antivirus/freeav/index.adp) (uncheck the Security Toolbar during install) are good FREE antivirus.
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!
Comodo (http://www.personalfirewall.comodo.com/) OR Kerio (http://www.sunbelt-software.com/Kerio.cfm) are FREE firewalls.

Understanding and using firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)

Then perform a full scan with your Antivirus and let it remove anything it is finding.
Then reboot.
After reboot, post a new HijackThislog in your next reply - then we can start from there, because it really makes no sense that we try to clean this up manually if an Antivirus already deletes most.

alman520
2007-05-16, 22:54
thanx, i downl;oaded and installed aol active virus sheild
here is my new log

Logfile of HijackThis v1.99.1
Scan saved at 3:51:13 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\retadpu1000140.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM\aim.exe
F:\Programs\AOL\Active Virus Shield\avp.exe
F:\Programs\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Steven\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\uocguggs.dll",realset
O4 - HKLM\..\Run: [aol] "F:\Programs\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178375630015
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - F:\Programs\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

miekiemoes
2007-05-16, 23:02
Hi,

Let's deal with the rest now, because we still have a lot to perform..

It is important you don't miss a step and perform everything in the right order!!

* Go to start > controlpanel > software > add/remove programs and uninstall next programs if present:

ipwindows / ipwins

Reboot after uninstalling!
After reboot,

* Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to a folder of it’s own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: http://users.telenet.be/bluepatchy/miekiemoes/images/bfuicon.gif
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\uocguggs.dll",realset
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

Please download, install, and update AVG Anti-Spyware (http://www.ewido.net/en/download/)

Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")

Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close AVG Anti-Spyware and reboot!!
I need the log later.
-------------------------

* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post next logs in your following reply:
Log from combofix (combofix.txt) - do NOT post the ComboFix-quarantined-files.txt - unless I ask you to
Log from AVG Antispyware
New HijackThislog
You may need several replies to post the logs in case they won't fit in one reply.
In case your AVG Antispywarelog is too long (which will most probably the case here), Go to this page (http://www.bleepingcomputer.com/submit-malware.php?channel=8).
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to the AVG Antispywarelog you saved, Select it and click ok:
Then click the Send File button below. This will upload the log to my channel.

alman520
2007-05-20, 22:05
the avg report is sent to you

Logfile of HijackThis v1.99.1
Scan saved at 15:01, on 2007-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Fonts\aolhost.exe
F:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Programs\AOL\Active Virus Shield\avp.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\uk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1142468473\ee\AOLSoftware.exe
F:\Programs\AOL\Active Virus Shield\avp.exe
F:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Documents and Settings\Steven\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {59FCCCEA-1A93-42CD-B633-BF3AEC6960A5} - C:\WINDOWS\system32\ynnjiuqs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {966BC7FB-D3F3-4DF8-8876-06F381A92A64} - C:\Program Files\NetMeeting\safekuv.dll (file missing)
O2 - BHO: 0 - {A48E9BE9-2874-4E67-25BA-0A0BD906CFC9} - C:\Program Files\Windows Media Player\woqudewyp.dll (file missing)
O2 - BHO: (no name) - {B6CC0926-5483-41BF-AF7A-A5A7F4EE5370} - (no file)
O2 - BHO: (no name) - {CFADB71F-E11B-414B-AB1C-82799F25CE01} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142468473\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [aol] "F:\Programs\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [plzbtee] C:\WINDOWS\system32\plzbtee.exe
O4 - HKLM\..\Run: [immcyixkfpvd] C:\WINDOWS\system32\immcyixkfpvd.exe
O4 - HKLM\..\Run: [bppge] C:\WINDOWS\system32\bppge.exe
O4 - HKLM\..\Run: [wzqhjf] C:\WINDOWS\system32\wzqhjf.exe
O4 - HKLM\..\Run: [dbzak] C:\WINDOWS\system32\dbzak.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [h] C:\WINDOWS\system32\h.exe
O4 - HKLM\..\Run: [uk] C:\WINDOWS\system32\uk.exe
O4 - HKLM\..\RunServices: [f] C:\WINDOWS\system32\f.exe
O4 - HKLM\..\RunServices: [d] C:\WINDOWS\system32\d.exe
O4 - HKLM\..\RunServices: [plzbtee] C:\WINDOWS\system32\plzbtee.exe
O4 - HKLM\..\RunServices: [bmeebbshrap] C:\WINDOWS\system32\bmeebbshrap.exe
O4 - HKLM\..\RunServices: [gtlspgugpjjw] C:\WINDOWS\system32\gtlspgugpjjw.exe
O4 - HKLM\..\RunServices: [immcyixkfpvd] C:\WINDOWS\system32\immcyixkfpvd.exe
O4 - HKLM\..\RunServices: [bppge] C:\WINDOWS\system32\bppge.exe
O4 - HKLM\..\RunServices: [wzqhjf] C:\WINDOWS\system32\wzqhjf.exe
O4 - HKLM\..\RunServices: [dbzak] C:\WINDOWS\system32\dbzak.exe
O4 - HKLM\..\RunServices: [h] C:\WINDOWS\system32\h.exe
O4 - HKLM\..\RunServices: [uk] C:\WINDOWS\system32\uk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: LimeWire On Startup.lnk.disabled
O4 - Global Startup: Event Reminder.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178375630015
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: qomklkh - qomklkh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Service Host (AOL-SVCHst) - Unknown owner - C:\WINDOWS\Fonts\aolhost.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - F:\Programs\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Print Spooler Service (oaiofuxmx2) - Unknown owner - C:\WINDOWS\system32\afguhvmcr.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
--------------------------------------------------------------------------
"Steven" - 2007-05-20 9:54:08 Service Pack 2
ComboFix 07-05.20.9.V - Running from: "C:\Documents and Settings\Steven\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\seqruhhx.exe
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak2
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.tmp
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak2
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\INF\IEM\msac.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

miekiemoes
2007-05-20, 22:08
Hi,

Can you use a new reply to post your Combofix log, because the log is incomplete.

Edit.. as a sidenote, I really have no clue what you have been doing in between, but now your system is even worse infected than before :(
Did you visit any illegal sites in between?
Extra edit - I see Limewire got installed in between - and most probably you have been downloading and installing pirated software which explains the extra nasty infections now present... this because I know that the previous malware you were dealing with doesn't download and install this kind of additional malware - this is only installed by visiting illegal sites and/or downloading illegal software via p2p.

Anyway, post the complete combofix log in your next reply, because I really need to see that log before we proceed with further removal.

alman520
2007-05-21, 00:36
for some reason the last log was only that small piece.
--------------------------------------------------------------------------
"Steven" - 2007-05-20 17:03:38 Service Pack 2
ComboFix 07-05.21.3.V - Running from: "C:\Documents and Settings\Steven\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\d.exe
C:\WINDOWS\system32\f.exe
C:\WINDOWS\system32\h.exe
C:\Program Files\Windows Media Player\bazyraqin.html
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Steven
C:\qoobox\purity\C\DOCUME~1\Steven\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Steven\APPLIC~1\YMANTE~1
C:\qoobox\purity\C\DOCUME~1\Steven\APPLIC~1\YMANTE~1\?ymantec


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))


2007-05-20 14:28 62,464 --a------ C:\WINDOWS\SYSTEM32\afguhvmcr.exe
2007-05-20 10:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-20 10:12 62,464 --a------ C:\WINDOWS\SYSTEM32\uk.exe
2007-05-20 07:22 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-20 07:17 <DIR> d-------- C:\bintheredunthat
2007-05-20 07:01 62,464 --a------ C:\WINDOWS\SYSTEM32\dbzak.exe
2007-05-19 14:35 62,464 --a------ C:\WINDOWS\SYSTEM32\wzqhjf.exe
2007-05-19 14:32 62,464 --a------ C:\WINDOWS\SYSTEM32\bppge.exe
2007-05-19 13:06 62,464 --a------ C:\WINDOWS\SYSTEM32\immcyixkfpvd.exe
2007-05-19 07:21 62,464 --a------ C:\WINDOWS\SYSTEM32\zig.exe
2007-05-18 21:32 62,464 --a------ C:\WINDOWS\SYSTEM32\gtlspgugpjjw.exe
2007-05-18 21:27 62,464 --a------ C:\WINDOWS\SYSTEM32\bmeebbshrap.exe
2007-05-18 21:25 62,464 --a------ C:\WINDOWS\SYSTEM32\plzbtee.exe
2007-05-16 15:16 46,112 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2007-05-16 15:16 11,196,448 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-05-14 19:27 167 --a------ C:\DOCUME~1\Steven\5010.bat
2007-05-14 19:14 167 --a------ C:\WINDOWS\SYSTEM32\3972.bat
2007-05-14 19:13 90,112 --a------ C:\WINDOWS\SYSTEM32\ps.exe
2007-05-14 19:13 837 --a------ C:\WINDOWS\SYSTEM32\x.dat
2007-05-14 19:13 73 --a------ C:\WINDOWS\SYSTEM32\n.bat
2007-05-14 19:13 109,360 --a------ C:\WINDOWS\SYSTEM32\app.exe
2007-05-14 19:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\SBO
2007-05-14 19:12 32,768 --a------ C:\WINDOWS\SYSTEM32\setup9x.exe
2007-05-14 19:12 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2007-05-14 19:12 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe
2007-05-12 20:15 38,400 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\SRS_SSCFilter_i386.sys
2007-05-12 19:54 <DIR> d-------- C:\Program Files\LimeWire
2007-05-10 17:52 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-02 07:58 <DIR> d-------- C:\Program Files\Virtools Web Player 3.5
2007-04-28 22:14 <DIR> d-------- C:\Program Files\Hidden Expedition Titanic
2007-04-28 22:14 <DIR> d-------- C:\Program Files\BFG
2007-04-28 08:28 <DIR> d-------- C:\DOCUME~1\Daniel\APPLIC~1\COMCASTTOOLBAR
2007-04-20 20:42 <DIR> d-------- C:\DOCUME~1\Steven\APPLIC~1\STOIK


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 19:04:50 -------- d-----w C:\DOCUME~1\Steven\APPLIC~1\ComcastToolbar
2007-05-19 12:18:17 -------- d-----w C:\Program Files\Windows Live Safety Center
2007-05-19 12:16:32 -------- d-----w C:\Program Files\Sonic
2007-05-17 22:32:47 10 ----a-w C:\WINDOWS\popcinfo.dat
2007-05-15 23:46:26 1,742 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-11 04:12:48 42,496 ----a-w C:\WINDOWS\system32\libusb0.dll
2007-05-11 04:12:48 29,184 ----a-w C:\WINDOWS\system32\drivers\libusb0.sys
2007-05-09 20:52:25 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-09 20:52:18 -------- d-----w C:\Program Files\DFX
2007-05-09 02:29:46 -------- d-----w C:\DOCUME~1\Steven\APPLIC~1\COREL
2007-05-02 22:20:51 -------- d-----w C:\Program Files\ComcastToolbar
2007-05-02 21:35:04 -------- d-----w C:\DOCUME~1\Steven\APPLIC~1\Viewpoint
2007-05-02 11:58:36 1,913 ----a-w C:\WINDOWS\mozver.dat
2007-05-01 18:35:47 -------- d-----w C:\Program Files\AIM
2007-05-01 18:34:54 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-01 18:34:38 -------- d-----w C:\Program Files\AOD
2007-04-29 12:08:13 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-04-21 11:07:06 -------- d-----w C:\Program Files\Live_TV
2007-04-21 01:25:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-11 23:59:59 -------- d-----w C:\Program Files\Power Tab Software
2007-04-10 01:08:08 -------- d-----w C:\Program Files\QuickTime
2007-04-10 01:02:01 -------- d-----w C:\Program Files\Uniblue
2007-04-10 01:01:41 -------- d-----w C:\DOCUME~1\Steven\APPLIC~1\Uniblue
2007-04-09 21:05:51 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-04-09 14:04:16 -------- d-----w C:\Program Files\McAfee.com
2007-04-09 13:16:52 -------- d-----w C:\Program Files\Modem Helper
2007-04-09 13:16:52 -------- d-----w C:\Program Files\Greetings Workshop
2007-03-19 22:53:02 -------- d-----w C:\DOCUME~1\Steven\APPLIC~1\Windows Desktop Search
2007-03-19 22:51:43 -------- d-----w C:\Program Files\Windows Desktop Search
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-12 15:15:36 44,416 ----a-r C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2007-03-12 15:15:36 37,248 ----a-r C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2007-03-12 15:15:36 32,000 ----a-r C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2007-03-12 15:15:34 46,592 ----a-r C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2007-03-08 23:48:04 -------- d-----w C:\Program Files\Windows Defender
2007-03-08 23:47:11 -------- d-----w C:\Program Files\Dell AIO Printer A940
2007-03-08 23:46:48 -------- d-----w C:\Program Files\ATI Multimedia
2007-03-08 23:46:24 -------- d-----w C:\Program Files\Messenger
2007-03-08 23:46:10 -------- d-----w C:\Program Files\Google
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
2007-02-05 19:43:06 1,481,728 ------w C:\WINDOWS\system32\mssrch.dll
2007-02-05 19:42:10 1,504,768 ------w C:\WINDOWS\system32\tquery.dll
2007-02-05 19:41:14 122,368 ------w C:\WINDOWS\system32\UncPH.dll
2007-02-05 19:41:06 134,656 ------w C:\WINDOWS\system32\UncDMS.dll
2007-02-05 19:41:04 108,544 ------w C:\WINDOWS\system32\UncNE.dll
2007-02-05 19:40:58 98,304 ------w C:\WINDOWS\system32\UncCplExt.dll
2007-02-05 19:40:56 260,096 ------w C:\WINDOWS\system32\oeph.dll
2007-02-05 19:36:48 52,224 ------w C:\WINDOWS\system32\msstrc.dll
2007-02-05 19:36:08 27,136 ------w C:\WINDOWS\system32\rtffilt.dll
2007-02-05 19:36:06 111,104 ------w C:\WINDOWS\system32\xmlfilter.dll
2007-02-05 19:35:38 248,320 ------w C:\WINDOWS\system32\msshsq.dll
2007-02-05 19:35:24 167,424 ------w C:\WINDOWS\system32\mssphtb.dll
2007-02-05 19:34:38 300,032 ------w C:\WINDOWS\system32\searchindexer.exe
2007-02-05 19:33:54 331,776 ------w C:\WINDOWS\system32\mssph.dll
2007-02-05 19:32:28 182,784 ------w C:\WINDOWS\system32\searchprotocolhost.exe
2007-02-05 19:32:02 65,536 ------w C:\WINDOWS\system32\propdefs.dll
2007-02-05 19:31:10 76,800 ------w C:\WINDOWS\system32\searchfilterhost.exe
2007-02-05 19:30:16 23,552 ------w C:\WINDOWS\system32\msscb.dll
2007-02-05 19:29:24 51,200 ------w C:\WINDOWS\system32\msscntrs.dll
2007-02-05 19:29:14 98,816 ------w C:\WINDOWS\system32\mssitlb.dll
2007-02-05 19:29:12 255,488 ------w C:\WINDOWS\system32\srchadmin.dll
2007-02-05 19:28:56 32,256 ------w C:\WINDOWS\system32\mssprxy.dll
2007-02-05 19:28:46 733,696 ------w C:\WINDOWS\system32\propsys.dll
2007-02-05 19:24:38 2,048 ------w C:\WINDOWS\system32\UncRes.dll
2007-02-05 19:24:36 11,264 ------w C:\WINDOWS\system32\oephRes.dll
2007-02-05 18:24:28 18,271 ------w C:\WINDOWS\system32\structuredqueryschematrivial.bin
2007-02-05 18:24:26 99,999 ------w C:\WINDOWS\system32\structuredqueryschema.bin


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL [2006-11-07 15:21]
{59FCCCEA-1A93-42CD-B633-BF3AEC6960A5}=C:\WINDOWS\system32\ynnjiuqs.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 14:41]
{966BC7FB-D3F3-4DF8-8876-06F381A92A64}=C:\Program Files\NetMeeting\safekuv.dll []
{A48E9BE9-2874-4E67-25BA-0A0BD906CFC9}=C:\Program Files\Windows Media Player\woqudewyp.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"@"="" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" []
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" []
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09]
"HostManager"="C:\Program Files\Common Files\AOL\1142468473\ee\AOLSoftware.exe" [2006-04-20 13:10]
"aol"="F:\Programs\AOL\Active Virus Shield\avp.exe" [2006-05-30 11:13]
"plzbtee"="C:\WINDOWS\system32\plzbtee.exe" [2007-05-18 21:25]
"immcyixkfpvd"="C:\WINDOWS\system32\immcyixkfpvd.exe" [2007-05-19 13:06]
"bppge"="C:\WINDOWS\system32\bppge.exe" [2007-05-19 14:32]
"wzqhjf"="C:\WINDOWS\system32\wzqhjf.exe" [2007-05-19 14:35]
"dbzak"="C:\WINDOWS\system32\dbzak.exe" [2007-05-20 07:01]
"!AVG Anti-Spyware"="F:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"h"="C:\WINDOWS\system32\h.exe" []
"uk"="C:\WINDOWS\system32\uk.exe" [2007-05-20 10:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 07:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"f"=C:\WINDOWS\system32\f.exe
"d"=C:\WINDOWS\system32\d.exe
"plzbtee"=C:\WINDOWS\system32\plzbtee.exe
"bmeebbshrap"=C:\WINDOWS\system32\bmeebbshrap.exe
"gtlspgugpjjw"=C:\WINDOWS\system32\gtlspgugpjjw.exe
"immcyixkfpvd"=C:\WINDOWS\system32\immcyixkfpvd.exe
"bppge"=C:\WINDOWS\system32\bppge.exe
"wzqhjf"=C:\WINDOWS\system32\wzqhjf.exe
"dbzak"=C:\WINDOWS\system32\dbzak.exe
"h"=C:\WINDOWS\system32\h.exe
"uk"=C:\WINDOWS\system32\uk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Windows Media Player\bazyraqin.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="F:\Programs\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomklkh]
qomklkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WebCamRT.exe"=
"Aim6"=
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"LogitechImageStudioTray"=C:\Program Files\Logitech\ImageStudio\LogiTray.exe
"LogitechGalleryRepair"=C:\Program Files\Logitech\ImageStudio\ISStart.exe
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"LVCOMS"=C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"IPHSend"=C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

*Newly Created Service* -OAIOFUXMX2

Contents of the 'Scheduled Tasks' folder
2007-05-17 20:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2004-01-10 02:17:37 C:\WINDOWS\tasks\ISP signup reminder 1.job
2007-01-21 01:34:59 C:\WINDOWS\tasks\Microsoft_Hardware_Launch_IPoint_exe.job
2007-01-21 01:37:41 C:\WINDOWS\tasks\Microsoft_Hardware_Launch_IType_exe.job
2007-05-20 14:31:09 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-20 17:09:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-20 17:11:05
C:\ComboFix-quarantined-files.txt ... 2007-05-20 17:11
C:\ComboFix2.txt ... 2007-05-20 14:00


--- E O F ---

miekiemoes
2007-05-21, 00:57
From the logs I see that your system got terribly infected once again. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

It's important you follow next instructions in the right order without missing any step..

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\Windows Media Player\bazyraqin.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {59FCCCEA-1A93-42CD-B633-BF3AEC6960A5} - C:\WINDOWS\system32\ynnjiuqs.dll (file missing)
O2 - BHO: (no name) - {966BC7FB-D3F3-4DF8-8876-06F381A92A64} - C:\Program Files\NetMeeting\safekuv.dll (file missing)
O2 - BHO: 0 - {A48E9BE9-2874-4E67-25BA-0A0BD906CFC9} - C:\Program Files\Windows Media Player\woqudewyp.dll (file missing)
O2 - BHO: (no name) - {B6CC0926-5483-41BF-AF7A-A5A7F4EE5370} - (no file)
O2 - BHO: (no name) - {CFADB71F-E11B-414B-AB1C-82799F25CE01} - (no file)
O4 - HKLM\..\Run: [plzbtee] C:\WINDOWS\system32\plzbtee.exe
O4 - HKLM\..\Run: [immcyixkfpvd] C:\WINDOWS\system32\immcyixkfpvd.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\bppge.exe
O4 - HKLM\..\Run: [wzqhjf] C:\WINDOWS\system32\wzqhjf.exe
O4 - HKLM\..\Run: [dbzak] C:\WINDOWS\system32\dbzak.exe
O4 - HKLM\..\Run: [h] C:\WINDOWS\system32\h.exe
O4 - HKLM\..\Run: [uk] C:\WINDOWS\system32\uk.exe
O4 - HKLM\..\RunServices: [f] C:\WINDOWS\system32\f.exe
O4 - HKLM\..\RunServices: [d] C:\WINDOWS\system32\d.exe
O4 - HKLM\..\RunServices: [plzbtee] C:\WINDOWS\system32\plzbtee.exe
O4 - HKLM\..\RunServices: [bmeebbshrap] C:\WINDOWS\system32\bmeebbshrap.exe
O4 - HKLM\..\RunServices: [gtlspgugpjjw] C:\WINDOWS\system32\gtlspgugpjjw.exe
O4 - HKLM\..\RunServices: [immcyixkfpvd] C:\WINDOWS\system32\immcyixkfpvd.exe
O4 - HKLM\..\RunServices: [bppge] C:\WINDOWS\system32\bppge.exe
O4 - HKLM\..\RunServices: [wzqhjf] C:\WINDOWS\system32\wzqhjf.exe
O4 - HKLM\..\RunServices: [dbzak] C:\WINDOWS\system32\dbzak.exe
O4 - HKLM\..\RunServices: [h] C:\WINDOWS\system32\h.exe
O4 - HKLM\..\RunServices: [uk] C:\WINDOWS\system32\uk.exe
O20 - Winlogon Notify: qomklkh - qomklkh.dll (file missing)
O23 - Service: AOL Service Host (AOL-SVCHst) - Unknown owner - C:\WINDOWS\Fonts\aolhost.exe <== this is certainly NOT an AOL-related file
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing) <== this service is a leftover from AOL Spyware Protection Service you had installed before but most probably removed it.
O23 - Service: Print Spooler Service (oaiofuxmx2) - Unknown owner - C:\WINDOWS\system32\afguhvmcr.exe

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
[b]Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:

C:\WINDOWS\Fonts\aolhost.exe
C:\WINDOWS\system32\uk.exe
C:\WINDOWS\system32\plzbtee.exe
C:\WINDOWS\system32\immcyixkfpvd.exe
C:\WINDOWS\system32\bppge.exe
C:\WINDOWS\system32\wzqhjf.exe
C:\WINDOWS\system32\dbzak.exe
C:\WINDOWS\system32\bmeebbshrap.exe
C:\WINDOWS\system32\gtlspgugpjjw.exe
C:\WINDOWS\system32\afguhvmcr.exe
C:\bintheredunthat
C:\WINDOWS\SYSTEM32\zig.exe
C:\DOCUME~1\Steven\5010.bat
C:\WINDOWS\SYSTEM32\3972.bat
C:\WINDOWS\SYSTEM32\ps.exe
C:\WINDOWS\SYSTEM32\x.dat
C:\WINDOWS\SYSTEM32\n.bat
C:\WINDOWS\SYSTEM32\app.exe
C:\WINDOWS\SYSTEM32\SBO
C:\WINDOWS\SYSTEM32\setup9x.exe
C:\WINDOWS\SYSTEM32\vbzip10.dll
C:\WINDOWS\SYSTEM32\taskkill.exe



Then click the red Moveit! button below.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.. Then it will reboot your computer.
Even though OTMoveIT didn't ask to reboot your computer - reboot anyway, this since moved files may still be in use.

Then, * Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Go to start > run and copy and paste next commands in the field:

sc delete oaiofuxmx2 Hit enter

sc delete "AOL-SVCHst" Hit enter

sc delete AOLService Hit enter

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.


Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Back in normal mode, run Combofix again and post the log (combofix.txt) together with the log from SDFix (Report.txt) and a new HijackThislog in your next reply.

alman520
2007-05-21, 03:25
the combo fix will be sent to you
--------------------------------------------------------------------------

SDFix: Version 1.84

Run by Administrator - Sun 05/20/2007 - 19:59:08.75

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\MICROS~1\SIGNAT~1\MPSONG~1.HTM - Deleted
C:\Program Files\Setup.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\_OTMoveIt\MovedFiles\WINDOWS\Fonts\aolhost.exe
C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1001\A0221917.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1001\A0221944.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1001\A0221959.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1002\A0221973.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0222143.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1005\A0224176.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Steven\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Steven\Application Data\Microsoft\Word\~WRL1904.tmp
C:\Documents and Settings\Steven\Application Data\Microsoft\Word\~WRL3166.tmp
C:\Documents and Settings\Steven\Application Data\Microsoft\Word\~WRL3419.tmp
C:\WINDOWS\INF\IEM\ntp2.tmp
C:\WINDOWS\SYSTEM32\xbadd.tmp
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG

Finished
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 20:13, on 2007-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
F:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Programs\AOL\Active Virus Shield\avp.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
F:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1142468473\ee\AOLSoftware.exe
F:\Programs\AOL\Active Virus Shield\avp.exe
F:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Steven\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: 0 - {A48E9BE9-2874-4E67-25BA-0A0BD906CFC9} - C:\Program Files\Windows Media Player\woqudewyp.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142468473\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [aol] "F:\Programs\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: LimeWire On Startup.lnk.disabled
O4 - Global Startup: Event Reminder.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178375630015
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - F:\Programs\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
--------------------------------------------------------------------------

miekiemoes
2007-05-21, 08:44
Hi,

You forgot this step previously:


* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\Windows Media Player\bazyraqin.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

Then, Check and fix next entry in HijackThis:

O2 - BHO: 0 - {A48E9BE9-2874-4E67-25BA-0A0BD906CFC9} - C:\Program Files\Windows Media Player\woqudewyp.dll (file missing)

Also, check and fix next entries in HijackThis, because as I see from the combofix log, the files appear to be missing anyway:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

Also check and fix next entry since this one is still pointing to the old version of java while you already have the updated version installed (and is not really needed to start up with Windows anyway):

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Delete next files:

C:\WINDOWS\INF\IEM\ntp2.tmp
C:\WINDOWS\SYSTEM32\xbadd.tmp

Go to this page (http://www.bleepingcomputer.com/submit-malware.php?channel=8).
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\_OTMoveIt\MovedFiles\WINDOWS\Fonts\aolhost.exe

Select it and click ok.
Then click the Send File button below.

* Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click "Delete".
Click "Delete Files", "Delete cookies" and "Delete history"
Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu..
Click the Clear now button below.. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window
* Clean other Temporary files + Recycle bin Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.
Then, * Open OTMoveIt and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present. They are not needed anymore, so OtMoveIt will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer.

Let me know in your next reply how things are now.

alman520
2007-05-22, 00:59
thanks alot.

the computer and internet are running great and i dont have to worry about pop ups. Thanks again for the help.
:laugh:

miekiemoes
2007-05-22, 01:19
Glad I could help. :)

Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

Happy Surfing again!