virtumondu again (different computer)



getitdone
2007-12-15, 02:47
I have another nasty virus on another computer.
I was not able to run the Kaspersky online scanner. I was able to go to the site and download the ActiveX control, but I believe it did not install all the way, and the definitions did not download. (ZoneAlarm is running on this machine; I tried to see what was possibly blocking it, but to no avail. I tried from IE 6.0.2 SP2. I put kaspersky.com in the trusted sites, still no luck.)

I also ran Spybot 1.5 with all the updates in safe mode. It found 125 problems; I fixed them. When I reran the scan it found 30, and I fixed them. I did this three times. (I have not yet run it until it finds nothing.)

On this computer all that was installed was the ZoneAlarm firewall. I went and bought the full (antivirus) package and installed it, because we were getting popups etc.

I see WinFixer, SmitFraud-C.
ZoneAlarm sees virtumude.azt and is trying to clean/delete/rename/quarantine it, and nothing works.

This is the HJT logfile.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:19 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\spoolcv.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\146b8.exe
C:\Program Files\QdrPack\QdrPack10.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=2.0&bm=bz_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=2.0&bm=bz_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Haca] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
O4 - Startup: Spruce - Auto Update.lnk.disabled
O4 - Startup: TA_Start.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.kaspersky.com
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

--
End of file - 4731 bytes


I would greatly appreciate any help you could give me. You guys were a great help one other time, so please and thank you at the same time.

Blade81
2007-12-17, 20:28
Hi

Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file -> getitdone.exe. Post a fresh hjt log after renaming is done. :)

getitdone
2007-12-17, 22:08
Here is the requested log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:53 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\spoolcv.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBLPSWX.EXE
C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBLJSWX.EXE
C:\Program Files\Trend Micro\HijackThis\getitdone.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=2.0&bm=bz_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=2.0&bm=bz_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC} - C:\Program Files\Common Files\hokev4444.dll (file missing)
O2 - BHO: (no name) - {2D4559CD-588E-42A4-88F6-DEEFADA4AB24} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6b3eb38a-0c58-4d5f-a86b-70e17b2906b2} - C:\WINDOWS\system32\nqtlgbd.dll (file missing)
O2 - BHO: (no name) - {7127E8FC-218B-4A82-A766-11F4BA791B64} - C:\Program Files\Common Files\hokev83122.dll (file missing)
O2 - BHO: (no name) - {7F9EBA3D-84B9-43D0-8338-AB2D5F722497} - C:\WINDOWS\system32\jkklm.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\jkkiffg.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {B5ACAD68-438D-3B20-DA28-4FE604855EE5} - C:\WINDOWS\system32\ilrhvzhw.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: 0 - {D7CBE96C-D706-4510-C8A4-450D5583C1DA} - C:\Program Files\Internet Explorer\lavupah.dll (file missing)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {F42D43E3-67A1-45C3-A642-2E48101514FC} - C:\Program Files\Common Files\hokev555077.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Haca] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
O4 - Startup: Spruce - Auto Update.lnk.disabled
O4 - Startup: TA_Start.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.kaspersky.com
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

--
End of file - 8257 bytes
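The loading points a helper reads first in logs like the two posted above (the modified UserInit chain, the AppInit_DLLs and Winlogon Notify hooks, the Policies\Explorer\Run entry, the unnamed BHO and the vendor-less service), as an added triage example; this is not part of the original thread and not HijackThis code, and the sample lines are copied from the logs in this thread:

```python
"""Triage of Trend Micro HijackThis v2 log lines.

Added example for this thread; it is not part of the original posts and not
HijackThis code. It flags the loading points a helper reads first in a
Virtumonde/Vundo-style infection: an extra executable chained into UserInit
(F2), AppInit_DLLs and Winlogon Notify hooks (O20), a Policies\\Explorer\\Run
autostart (O4), a service with no vendor (O23) and an unnamed BHO whose DLL is
present on disk (O2).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the two HJT logs posted above in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {7F9EBA3D-84B9-43D0-8338-AB2D5F722497} - C:\WINDOWS\system32\jkklm.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O20"
    reason: str   # why the line deserves a closer look
    line: str     # the original log line


# Entry shapes, as HijackThis v2 prints them.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_POLICIES = re.compile(r"^O4 - HK\w+\\\.\.\\Policies\\Explorer\\Run: .*$", re.I)
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$", re.I)
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: .*$", re.I)
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def _basename(path: str) -> str:
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1]


def _check_line(line: str) -> Optional[Finding]:
    m = F2_USERINIT.match(line)
    if m:
        # A clean machine lists only userinit.exe; anything else runs at every logon.
        extra = [p.strip() for p in m["value"].split(",")
                 if p.strip() and _basename(p).lower() != "userinit.exe"]
        if extra:
            return Finding("F2", "UserInit chains %s ahead of the real userinit.exe"
                           % ", ".join(extra), line)
        return None
    m = O2_BHO.match(line)
    if m:
        path = m["path"].strip().lower()
        on_disk = path != "(no file)" and not path.endswith("(file missing)")
        if m["name"] == "(no name)" and on_disk:
            return Finding("O2", "unnamed BHO backed by a DLL that is present on disk", line)
        return None
    if O4_POLICIES.match(line):
        return Finding("O4", "autostart under Policies\\Explorer\\Run, rarely used by legitimate software", line)
    m = O20_APPINIT.match(line)
    if m:
        return Finding("O20", "AppInit_DLLs loads %s into every user-mode process" % m["dlls"].strip(), line)
    if O20_NOTIFY.match(line):
        return Finding("O20", "Winlogon Notify DLL runs at logon, before the shell", line)
    m = O23_SERVICE.match(line)
    if m and m["owner"].strip().lower() == "unknown owner":
        return Finding("O23", "service with no vendor information", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries of an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        finding = _check_line(raw.strip())
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HJT section, e.g. {'O20': 2, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print("[%s] %s\n    %s" % (f.section, f.reason, f.line))
    print(summarize(results))
```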

Blade81
2007-12-17, 22:16
Hi

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh hjt log.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

getitdone
2007-12-17, 23:43
ComboFix 07-12-17.1 - Owner 2007-12-17 12:27:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1493 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\exglujov.dll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\PPPATC~1
C:\Documents and Settings\Owner\Application Data\PPPATC~1\?ppPatch\
C:\Documents and Settings\Owner\Application Data\PPPATC~1\dvdplay.exe.vzr
C:\Documents and Settings\Owner\Application Data\SMANTE~1
C:\Documents and Settings\Owner\Application Data\SMANTE~1\r?gedit.exe
C:\Documents and Settings\Owner\Desktop\searchus.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\QdrPack\trgts.gz
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\7R37Gscq70.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\daSgo02\daSgo021099.exe
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\YET31.sys
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wcpicomsv32.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\x64
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.

getitdone
2007-12-17, 23:45
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_YET31
-------\nm


((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-17 12:48 . 2007-12-17 12:48 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-12-17 12:31 . 2007-12-17 12:31 37,376 --a------ C:\WINDOWS\system32\jkkiffg.dll.vir
2007-12-14 15:17 . 2004-08-27 01:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-14 15:17 . 2004-11-15 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-14 15:17 . 2004-11-15 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2007-12-14 14:40 . 2007-12-14 16:12 1,109 --a------ C:\WINDOWS\wininit.ini
2007-12-14 12:53 . 2007-12-14 12:53 <DIR> d-------- C:\WINDOWS\uuqdfudn
2007-12-14 12:53 . 2007-12-14 12:53 <DIR> d-------- C:\WINDOWS\KBOpt
2007-12-14 12:52 . 2007-12-14 12:52 <DIR> d-------- C:\WINDOWS\system32\ineWc13
2007-12-14 12:52 . 2007-12-14 12:52 80,896 --a------ C:\WINDOWS\hchajghs.dll
2007-12-14 12:52 . 2007-12-14 12:52 3,638 --a------ C:\winbhwb.exe
2007-12-14 12:42 . 2007-12-14 12:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 12:41 . 2007-12-14 12:41 679,424 --a------ C:\WINDOWS\isRS-000.tmp
2007-12-13 09:56 . 2007-12-14 16:28 1,122 --a------ C:\rollback.ini
2007-12-12 19:13 . 2007-12-14 17:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MailFrontier
2007-12-12 19:09 . 2007-12-17 12:47 2,369,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 19:09 . 2007-12-17 12:45 32,732 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 19:03 . 2007-12-13 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-12 14:42 . 2007-12-12 14:42 29 --a------ C:\WINDOWS\system32\typsghrw.tmp
2007-12-12 14:41 . 2007-12-12 14:41 144,896 --a------ C:\winosmc.exe
2007-12-12 14:21 . 2007-12-14 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-12 14:20 . 2007-12-12 14:20 <DIR> d-------- C:\WINDOWS\system32\ineWc06
2007-12-12 14:20 . 2007-12-12 14:20 <DIR> d-------- C:\temp\tpBe12
2007-12-12 14:20 . 2007-12-12 14:22 <DIR> d-------- C:\Program Files\Spruce
2007-12-12 14:20 . 2007-12-12 14:20 97,280 -rahs---- C:\WINDOWS\system32\spoolcv.exe
2007-12-12 14:20 . 2007-12-12 16:10 7,713 --a------ C:\WINDOWS\system32\ldcore.dll.vzr
2007-12-12 14:20 . 2007-12-12 14:20 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-12-12 14:20 . 2007-12-12 14:20 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-12 14:19 . 2007-12-12 22:00 <DIR> d-------- C:\WINDOWS\system32\rex2
2007-12-12 14:19 . 2007-12-13 13:52 <DIR> d-------- C:\WINDOWS\system32\doc4
2007-12-12 14:19 . 2007-12-12 14:19 <DIR> d-------- C:\WINDOWS\system32\bbc5
2007-12-12 14:19 . 2007-12-12 14:56 <DIR> d-------- C:\WINDOWS\system32\ashell3
2007-12-12 14:19 . 2007-12-12 14:19 37,376 --a------ C:\WINDOWS\system32\jkkiffg.dll
2007-12-05 10:32 . 2003-08-29 09:20 200,192 --a------ C:\WINDOWS\system32\lexlmpm.dll
2007-11-27 14:57 . 2007-12-14 12:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-27 14:57 . 2007-11-27 14:57 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-05 21:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-11-15 00:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-09 17:50 --------- d-----w C:\Program Files\Intel
2007-11-09 17:33 --------- d-----w C:\Program Files\Analog Devices
2007-11-09 17:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 15:42 37,027 ----a-w C:\WINDOWS\atmoUn.exe
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2005-12-14 21:12 266 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2005-05-27 21:37 561,152 ----a-w C:\Documents and Settings\Owner\chatlnk.exe
2005-04-04 23:55 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC}]
C:\Program Files\Common Files\hokev4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6b3eb38a-0c58-4d5f-a86b-70e17b2906b2}]
C:\WINDOWS\system32\nqtlgbd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7127E8FC-218B-4A82-A766-11F4BA791B64}]
C:\Program Files\Common Files\hokev83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
C:\Program Files\QdrDrive\QdrDrive8.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-12-12 14:19 37376 --a------ C:\WINDOWS\system32\jkkiffg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5ACAD68-438D-3B20-DA28-4FE604855EE5}]
C:\WINDOWS\system32\ilrhvzhw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7CBE96C-D706-4510-C8A4-450D5583C1DA}]
C:\Program Files\Internet Explorer\lavupah.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F42D43E3-67A1-45C3-A642-2E48101514FC}]
C:\Program Files\Common Files\hokev555077.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Haca"="C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" []
"QdrPack10"="C:\Program Files\QdrPack\QdrPack10.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 05:34]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-13 22:39]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-08-13 22:41]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-08-13 22:38]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 04:44]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Spruce - Auto Update.lnk.disabled [2007-12-12 14:20:48]
TA_Start.lnk.disabled [2007-12-12 16:49:09]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\profsydyb.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\jkkiffg.dll [2007-12-12 14:19 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiffg]
jkkiffg.dll 2007-12-12 14:19 37376 C:\WINDOWS\system32\jkkiffg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-08-13 22:41 114688 -ra------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-08-13 22:39 98304 -ra------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 15:24 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2003-12-10 04:21 380928 --a------ C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-08-13 22:38 94208 -ra------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 12:42 212992 --a------ C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 19:42 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRFirstRun]
rundll32 srclient.dll,CreateFirstRunRp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-10-18 14:05 135168 --a------ C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"PrismXL"=2 (0x2)
"ose"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WebBuying"=C:\Program Files\Web Buying\v1.8.6\webbuying.exe
"Rquzm"="C:\Documents and Settings\Owner\Application Data\S?mantec\r?gedit.exe"
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"{37-7F-F7-71-ZN}"=C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001.exe CHD001
"io43mvuiw4kj"=C:\WINDOWS\io43mvuiw4kj.exe
"runner1"=C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
"winshow"="C:\WINDOWS\winshow.exe"

R2 Windows Hosts Plugin;Windows Hosts Plugin;"C:\WINDOWS\system32\spoolcv.exe" [2007-12-12 14:20]
S3 AFW;AFW;C:\DOCUME~1\Owner\LOCALS~1\Temp\0007af1a.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 04:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25dd7503-8e96-11dc-ad10-806d6172696f}]
\Shell\AutoRun\command - E:\Bin\Assetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51b58841-9aae-11db-bb80-001111a6cf2f}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e337a41-3759-11d9-96af-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2005-03-30 21:45:59 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-03-30 21:45:59 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 12:48:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkiffg.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\KBOpt\kjezmxup.dll
.
Completion time: 2007-12-17 12:50:35 - machine was rebooted
.
2007-11-10 09:09:09 --- E O F ---

getitdone
2007-12-17, 23:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:36 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\spoolcv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\getitdone.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=2.0&bm=bz_home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC} - C:\Program Files\Common Files\hokev4444.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: (no name) - {6b3eb38a-0c58-4d5f-a86b-70e17b2906b2} - C:\WINDOWS\system32\nqtlgbd.dll (file missing)
O2 - BHO: (no name) - {7127E8FC-218B-4A82-A766-11F4BA791B64} - C:\Program Files\Common Files\hokev83122.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\jkkiffg.dll
O2 - BHO: (no name) - {B5ACAD68-438D-3B20-DA28-4FE604855EE5} - C:\WINDOWS\system32\ilrhvzhw.dll (file missing)
O2 - BHO: 0 - {D7CBE96C-D706-4510-C8A4-450D5583C1DA} - C:\Program Files\Internet Explorer\lavupah.dll (file missing)
O2 - BHO: (no name) - {F42D43E3-67A1-45C3-A642-2E48101514FC} - C:\Program Files\Common Files\hokev555077.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Haca] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
O4 - Startup: Spruce - Auto Update.lnk.disabled
O4 - Startup: TA_Start.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.kaspersky.com
O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

--
End of file - 5508 bytes

Blade81
2007-12-18, 09:05
Hi

To make sure TeaTimer won't interfere with the fix, it's better to disable it until the system is clean.

Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Start HJT, click "Do a system scan only", and check:
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

Close browsers and other windows. Click fix checked.

Open Notepad and copy/paste the text in the quote box below into it:



File::
C:\WINDOWS\system32\jkkiffg.dll.vir
C:\WINDOWS\hchajghs.dll
C:\winbhwb.exe
C:\WINDOWS\system32\typsghrw.tmp
C:\winosmc.exe
C:\WINDOWS\system32\spoolcv.exe
C:\WINDOWS\system32\ldcore.dll.vzr
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\jkkiffg.dll
C:\Program Files\Common Files\hokev4444.dll
C:\WINDOWS\system32\nqtlgbd.dll
C:\Program Files\Common Files\hokev83122.dll
C:\WINDOWS\system32\jkkiffg.dll
C:\WINDOWS\system32\ilrhvzhw.dll
C:\Program Files\Internet Explorer\lavupah.dll
C:\Program Files\Common Files\hokev555077.dll
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Spruce - Auto Update.lnk.disabled
C:\Program Files\Internet Explorer\profsydyb.html
C:\WINDOWS\system32\jkkiffg.dll
C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\winshow.exe

Driver::
"Windows Hosts Plugin"
AFW

Folder::
C:\WINDOWS\uuqdfudn
C:\WINDOWS\KBOpt
C:\WINDOWS\system32\ineWc13
C:\WINDOWS\system32\ineWc06
C:\temp
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\ashell3
C:\Program Files\Spruce
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6b3eb38a-0c58-4d5f-a86b-70e17b2906b2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7127E8FC-218B-4A82-A766-11F4BA791B64}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5ACAD68-438D-3B20-DA28-4FE604855EE5}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7CBE96C-D706-4510-C8A4-450D5583C1DA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F42D43E3-67A1-45C3-A642-2E48101514FC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Haca"=-
"QdrPack10"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiffg]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WebBuying"=-
"Rquzm"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"{37-7F-F7-71-ZN}"=-
"io43mvuiw4kj"=-
"runner1"=-
"winshow"=-



Save this as CFScript


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh hjt log.
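
As an added illustration (not part of the thread, and not HijackThis, ComboFix or Spybot code), the script below shows the kind of triage that turns the HJT log above into the fix list: it parses the O2, O4, O20 and O23 lines, flags BHOs whose file is missing, Winlogon Notify DLLs, Policies\Explorer\Run autostarts, autostarts launched from the user profile or Temp, services with no publisher, and any one file registered in more than one persistence point (jkkiffg.dll appears as both a BHO and a Winlogon Notify DLL). The sample lines are copied from the log in the thread; the profile-path markers, the flag wording and the heuristics themselves are this example's own assumptions.

```python
r"""Triage a HijackThis (HJT) log for the persistence patterns seen in a
Vundo/Virtumonde-style infection: orphaned BHOs, Winlogon Notify DLLs,
Policies\Explorer\Run autostarts, autostarts from the user profile, services
with no publisher, and one file registered in several places.

Added example; not HijackThis, ComboFix or Spybot code.  The flag texts and
the profile-path markers are this example's own heuristics.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC} - C:\Program Files\Common Files\hokev4444.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\jkkiffg.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Haca] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" -vt yazb
O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
"""

# Line shapes as HJT 2.0.x prints them (only the four sections used here).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumed heuristic: autostarts living under the user profile or Temp are suspect.
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\",
                   "\\applic~1\\", "\\application data\\")


def _first_path(cmd):
    """Pull the launched binary out of an O4 command line (quoted path wins,
    which also extracts the DLL from a rundll32 "path",Export command)."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]


def basename(path):
    """Case-folded file name, so system32 and SYSTEM32 entries compare equal."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(log_text):
    """Return one dict per recognised O2/O4/O20/O23 line with uniform keys."""
    entries = []
    for line in log_text.splitlines():
        line = line.rstrip()
        entry = None
        if (m := O2_RE.match(line)):
            entry = dict(type="O2", name=m["name"], path=m["path"], missing=bool(m["missing"]))
        elif (m := O4_RE.match(line)):
            entry = dict(type="O4", name=m["name"], path=_first_path(m["cmd"]), key=m["key"])
        elif (m := O20_RE.match(line)):
            entry = dict(type="O20", name=m["name"], path=m["path"])
        elif (m := O23_RE.match(line)):
            entry = dict(type="O23", name=m["name"], path=m["path"], owner=m["owner"])
        if entry:
            for k in ("key", "owner"):
                entry.setdefault(k, "")
            entry.setdefault("missing", False)
            entries.append(entry)
    return entries


def multi_point_files(entries):
    """Files that show up under more than one HJT section type."""
    seen = defaultdict(set)
    for e in entries:
        seen[basename(e["path"])].add(e["type"])
    return {f: types for f, types in seen.items() if len(types) > 1}


def triage(log_text):
    """Return only the entries that earn at least one flag, with the reasons."""
    entries = parse_hjt(log_text)
    by_file = multi_point_files(entries)
    findings = []
    for e in entries:
        flags = []
        low_path = e["path"].lower()
        if e["type"] == "O2" and e["missing"]:
            flags.append("orphaned BHO: registered CLSID points at a missing file")
        if e["type"] == "O20":
            flags.append("Winlogon Notify DLL: loaded into winlogon.exe before any user logs on")
        if e["type"] == "O4" and "policies\\explorer\\run" in e["key"].lower():
            flags.append("Policies\\Explorer\\Run autostart: rarely used by legitimate software")
        if e["type"] == "O4" and any(mk in low_path for mk in PROFILE_MARKERS):
            flags.append("autostart launched from the user profile or a Temp directory")
        if e["type"] == "O23" and e["owner"].lower() == "unknown owner":
            flags.append("service binary with no publisher")
        name = basename(e["path"])
        if name in by_file:
            flags.append("same file registered in multiple persistence points: "
                         + ", ".join(sorted(by_file[name])))
        if flags:
            findings.append(dict(e, flags=flags))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:<4}{f['name']:<32}{f['path']}")
        for flag in f["flags"]:
            print("      -", flag)
```

The cross-reference is the useful part: a file that is both a BHO (O2) and a Winlogon Notify handler (O20) survives browser-only cleanup because winlogon.exe loads it before the user's session starts, which is why the CFScript above removes the DLL, its BHO CLSID, its ShellExecuteHooks entry and its Winlogon\Notify key together.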

getitdone
2007-12-20, 20:21
Hello,
We chose to get a new HD and install a fresh OS, etc.

Is this pretty easily cleaned off? Can you tell if there are any bots?

Blade81
2007-12-20, 20:59
Don't see bots there. Cleaning should be highly possible :)

getitdone
2007-12-21, 04:55
For now I do not have access to the HD. He is functioning for now. Let's go ahead and close this, because I will be leaving it open longer than you would want. We will in a couple of weeks.
For now he is functioning.
I will PM you when/if needed?


I want to thank you for the effort and the time.
I want you to know I checked out some of the universities online. Do you have a recommendation of one over another?

thanks again,
getitdone

Blade81
2007-12-21, 21:04
No problem. We can leave the topic open so you can reply when you get back :)


I want you to know I checked out some of the universities online. Do you have a recommendation of one over another?
Basically those are all good. :)

tashi
2008-01-18, 07:27
Let's close this for now, getitdone please send Blade81 a PM when/if you need the topic re-opened.

Cheers.