PDA

View Full Version : Multiple malware need help, command service!



trezz1324
2008-03-13, 22:18
Hi, everyone, somehow i got a ton of malware on my computer. its so bad that its not letting me use task manager, and everytime i go on the internet the page freezes within minutes. Every now and then i get some popups too. spybot keepts finding command service but it cant delete because its in memory so it asks me to restart, when i do, it still cant delete it. I dowloaded hijack this and here is the logfile. any help would be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:28 PM, on 3/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\ss245sd.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\QdrModule\QdrModule13.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\System32\gebxyax.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8b17634e-1dd2-11b2-b56f-84f41bc99059} - C:\WINDOWS\fcvgnets.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {D65B4659-E583-4767-BAA3-53A7CC239EE2} - C:\WINDOWS\System32\ursst.dll (file missing)
O2 - BHO: (no name) - {DB4A879B-69E6-4F11-8F6C-9AA2AA4CD3FE} - C:\WINDOWS\System32\nnnnl.dll (file missing)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ss245sd] C:\WINDOWS\ss245sd.exe
O4 - HKLM\..\Run: [irulazip] regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\irulazip.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack13] "C:\Program Files\QdrPack\QdrPack13.exe"
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [3HJfb9LKRn] rundll32.exe "C:\WINDOWS\zwrubcpm.dll",DllCleanServer
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: gebxyax - C:\WINDOWS\SYSTEM32\gebxyax.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmVuIFRyZXp6YQ\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6342 bytes

someone please help!

[I]Edit: The Waiting Room: Post here if waiting for help four days (http://forums.spybot.info/forumdisplay.php?f=37)

ken545
2008-03-15, 19:24
Hello trezz1324

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Let me tell ya, you have one heavily infected computer :red: Your Operating System is also out of date and letting some of this garbage in, we need to fix that when were done.

Run these programs in the order that I am posting them and I need to see the log for each program and a New HJT log when your done with the last program.



Do this first.

Disable the TeaTimer, you can re enable it when were done if you wish

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect






Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.






Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.








Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

trezz1324
2008-03-15, 20:42
hope its not a problem, but ive been downloading these to a flash drive then transferring them to my infected computer, because the infected comp wont let you on the internet for more than a few minutes before freezing. Also I'm not sure if I can disable anything because normally i would go through task manager, however the malware disabled it and i cant get to it.

ken545
2008-03-15, 21:25
That fine trezz, at this point you have to do what you can do. I was not aware this was so severe so if you can run Combofix first and post the log and we can go from there

Ken

trezz1324
2008-03-16, 00:11
wow that might have fixed it, i have no probs anymore, or at least none i can actually see. task manager works again. Vundofix couldnt find anything when i scanned so there is no file, but here is from the other three: Its too long so this is just the anti-malware one, ill reply again with the combofix and hijackthis

Malwarebytes' Anti-Malware 1.08
Database version: 471

Scan type: Full Scan (A:\|C:\|G:\|)
Objects scanned: 127166
Time elapsed: 39 minute(s), 9 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 3
Registry Keys Infected: 41
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 75

Memory Processes Infected:
c:\WINDOWS\ss245sd.exe (Trojan.Downloader) -> Unloaded process successfully.
c:\program files\JavaCore\JavaCore.exe (Trojan.Insider) -> Unloaded process successfully.
C:\Program Files\QdrModule\QdrModule13.exe (Adware.ISM) -> Unloaded process successfully.
C:\Program Files\QdrPack\QdrPack14.exe (Adware.ISM) -> Unloaded process successfully.
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\hggef.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jekkqqyo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\gebxyax.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6ac04c5-497d-4dca-acb8-db8170bae864} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a6ac04c5-497d-4dca-acb8-db8170bae864} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{08a3084e-e8c8-4de1-9fb4-48179982c8de} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08a3084e-e8c8-4de1-9fb4-48179982c8de} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebxyax (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17996e72-ee06-4d59-943f-4c3ebba5a916} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{17996e72-ee06-4d59-943f-4c3ebba5a916} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8041e642-8cfc-4720-bc9d-d2db8904286f} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8041e642-8cfc-4720-bc9d-d2db8904286f} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\System\sysold (Adware.Tagasaurus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ss245sd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaCore (Trojan.Insider) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{08a3084e-e8c8-4de1-9fb4-48179982c8de} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QdrModule13 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QdrPack14 (Adware.ISM) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggef.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\mgmrwmrv.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\U3RldmVuIFRyZXp6YQ (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\ss245sd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\JavaCore\JavaCore.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hggef.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\feggh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\feggh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jekkqqyo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\oyqqkkej.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\\JavaCore\\JavaCore.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gebxyax.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Steve\Local Settings\Temp\ismtpa11.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\mrmoney.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\msiexec.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\Setup195.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\ISM\ism.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\Program Files\Temporary\InsiDERInst.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP16\A0000622.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP16\A0000629.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP16\A0000630.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP16\A0000633.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP16\A0000635.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP17\A0000651.exe (Adware.Mirar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP17\A0000652.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP17\A0000653.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP17\A0000654.dll (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP17\A0000657.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP17\A0000658.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP17\A0000659.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP22\A0000826.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP23\A0000828.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP24\A0000831.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP24\A0000837.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000857.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000858.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000869.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000879.exe (Trojan.TagASaurus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000880.exe (Trojan.TagASaurus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000882.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000928.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP25\A0000946.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP26\A0002939.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP27\A0006005.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP27\A0006007.exe (Trojan.TagASaurus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP27\A0006008.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP27\A0006009.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{27070F18-023E-4D08-8385-0FB1968C14F7}\RP27\A0006014.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\WINDOWS\U3RldmVuIFRyZXp6YQ\asappsrv.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\WINDOWS\PerfInfo\3HJfb9LKRnwp.exe (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive12.dll (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore\UnInstall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\dic.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\kwd.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule13.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack14.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pharma.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\other.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\finance.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adult.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lt.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32:lzx32.sys (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mgmrwmrv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

trezz1324
2008-03-16, 00:12
heres combofix:

ComboFix 08-03-14.4 - Steve 2008-03-15 16:47:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.754 [GMT -5:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data.\irulazip.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Steve\My Documents\ICROSO~1
C:\Program Files\sstem3~1
C:\Program Files\winupdates
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\fcvgnets.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\3HJfb9LKRnwp.exe.bak
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\aaadd.ini
C:\WINDOWS\system32\aaadd.ini2
C:\WINDOWS\system32\ewpnuhwu.ini
C:\WINDOWS\system32\gfafcfwg.dll
C:\WINDOWS\system32\lnnnn.ini
C:\WINDOWS\system32\lnnnn.ini2
C:\WINDOWS\system32\loxtpwcb.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\qieeysbe.dll
C:\WINDOWS\system32\ronwfwtm.dll
C:\WINDOWS\system32\tssru.ini
C:\WINDOWS\system32\tssru.ini2
C:\WINDOWS\system32\uwhunpwe.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-15 16:58 . 2008-03-15 16:58 <DIR> d-------- C:\WINDOWS\PerfInfo
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Malwarebytes
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-15 14:37 . 2008-03-15 14:37 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-15 14:37 . 2008-03-15 14:37 20,224 --a------ C:\WINDOWS\didduid.ini
2008-03-13 00:53 . 2008-03-13 00:53 <DIR> d-------- C:\Program Files\180search assistant
2008-03-12 23:20 . 2008-03-12 23:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-12 23:20 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-12 23:18 . 2008-03-15 15:37 <DIR> d-------- C:\VundoFix Backups
2008-03-12 23:18 . 2008-03-12 23:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 16:46 . 2008-03-15 14:40 483 --a------ C:\WINDOWS\wininit.ini
2008-03-08 15:28 . 2008-03-08 15:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-08 15:28 . 2008-03-08 15:28 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-08 15:27 . 2008-03-08 15:27 <DIR> d-------- C:\Program Files\stc
2008-03-08 15:26 . 2008-03-09 13:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-08 15:17 . 2008-03-08 15:17 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:16 . 2008-03-08 15:16 31,232 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-08 15:16 . 2008-03-08 15:16 30,464 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-08 15:16 . 2008-03-08 15:16 26,880 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 15:16 . 2008-03-08 15:16 25,600 --a------ C:\WINDOWS\athprxy32.dll
2008-03-08 15:16 . 2008-03-08 15:16 17,920 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-08 15:16 . 2008-03-08 15:16 17,408 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-08 15:16 . 2008-03-08 15:16 9,984 --a------ C:\WINDOWS\asferror32.dll
2008-03-08 15:12 . 2008-03-08 15:12 29 --a------ C:\WINDOWS\system32\gquetado.tmp
2008-03-08 15:00 . 2008-03-08 16:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rabio
2008-03-08 15:00 . 2008-03-08 15:00 3,805,830 --a------ C:\WINDOWS\3HJfb9LKRn.exe
2008-03-08 15:00 . 2008-03-08 15:01 295,819 --a------ C:\WINDOWS\system32\L3D18.tmp
2008-03-08 15:00 . 2008-03-08 15:00 229,532 --a------ C:\WINDOWS\system32\L2347.tmp
2008-03-08 14:59 . 2008-03-08 14:59 <DIR> d-------- C:\WINDOWS\kpdvkkqv
2008-03-08 14:59 . 2008-03-08 14:59 184,832 --a------ C:\WINDOWS\zwrubcpm.dll
2008-03-08 14:59 . 2008-03-08 14:59 88,593 --a------ C:\WINDOWS\dejwnkjw.exe
2008-03-08 14:59 . 2008-03-08 14:59 47,104 --a------ C:\WINDOWS\opavutkr.exe
2008-03-08 14:58 . 2008-03-08 14:58 295,819 --a------ C:\WINDOWS\system32\L25B7.tmp
2008-03-08 14:58 . 2008-03-08 14:58 229,532 --a------ C:\WINDOWS\system32\L1EFD.tmp
2008-03-08 14:28 . 2008-03-08 14:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-08 14:28 . 2008-03-08 14:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 12:56 . 2008-03-04 12:56 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Aim
2008-03-04 12:56 . 2008-03-04 12:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-03-04 12:56 . 2004-02-25 13:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-27 14:57 . 2008-02-27 14:57 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-27 14:57 . 2008-02-27 14:57 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-27 14:56 . 2008-02-27 14:57 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-24 15:31 . 2004-11-25 21:55 577,664 -ra------ C:\WINDOWS\system32\drivers\Envy24HF.sys
2008-02-24 15:31 . 2004-11-16 04:29 254,000 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-02-24 15:31 . 2004-11-16 04:29 254,000 -ra------ C:\WINDOWS\system32\A3D.dll
2008-02-24 15:30 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-02-24 15:30 . 2002-08-29 02:01 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-02-24 15:30 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-02-24 15:30 . 2002-08-29 01:32 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-02-24 15:21 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-17 15:35 . 2004-08-17 21:14 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 21:58 --------- d-----w C:\Documents and Settings\Steve\Application Data\LimeWire
2008-03-08 20:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 17:56 --------- d-----w C:\Program Files\AOD
2008-03-04 17:56 --------- d-----w C:\Program Files\AIM
2008-02-26 21:07 --------- d-----w C:\Program Files\Java
2008-02-24 23:29 --------- d-----w C:\Documents and Settings\Steve\Application Data\Apple Computer
2008-02-24 20:43 --------- d-----w C:\Program Files\EA GAMES
2008-02-13 22:18 --------- d-----w C:\Program Files\Google
2008-01-18 18:25 --------- d-----w C:\Program Files\LimeWire
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37F736FA-95AC-47D9-92FD-7ACAA53D6712}]
C:\WINDOWS\System32\ddaaa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D65B4659-E583-4767-BAA3-53A7CC239EE2}]
C:\WINDOWS\System32\ursst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB4A879B-69E6-4F11-8F6C-9AA2AA4CD3FE}]
C:\WINDOWS\System32\nnnnl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-13 17:19 171448]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-10 13:08:24 147456]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"3HJfb9LKRn"= rundll32.exe "C:\WINDOWS\zwrubcpm.dll",DllCleanServer

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\System32\DRIVERS\SI3112r.sys [2005-11-10 17:00]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\System32\drivers\Envy24HF.sys [2004-11-25 21:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 21:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 16:58:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-03-15 17:01:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 22:01:20
.
2008-01-26 19:05:46 --- E O F ---



And heres Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:14 PM, on 3/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {37F736FA-95AC-47D9-92FD-7ACAA53D6712} - C:\WINDOWS\System32\ddaaa.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D65B4659-E583-4767-BAA3-53A7CC239EE2} - C:\WINDOWS\System32\ursst.dll (file missing)
O2 - BHO: (no name) - {DB4A879B-69E6-4F11-8F6C-9AA2AA4CD3FE} - C:\WINDOWS\System32\nnnnl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\Policies\Explorer\Run: [3HJfb9LKRn] rundll32.exe "C:\WINDOWS\zwrubcpm.dll",DllCleanServer
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4388 bytes

ken545
2008-03-16, 02:16
Hello,

Things are looking so much better, a bit more to do.


Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::



File::
C:\WINDOWS\didduid.ini
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\system32\gquetado.tmp
C:\WINDOWS\system32\L3D18.tmp
C:\WINDOWS\system32\L2347.tmp
C:\WINDOWS\kpdvkkqv
C:\WINDOWS\zwrubcpm.dll
C:\WINDOWS\dejwnkjw.exe
C:\WINDOWS\opavutkr.exe
C:\WINDOWS\system32\L25B7.tmp
C:\WINDOWS\system32\L1EFD.tmp
C:\WINDOWS\zwrubcpm.dll
C:\WINDOWS\System32\ddaaa.dll
C:\WINDOWS\System32\ursst.dll
C:\WINDOWS\System32\nnnnl.dll

Folder::
C:\VundoFix Backups
C:\Program Files\180search assistant

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37F736FA-95AC-47D9-92FD-7ACAA53D6712}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D65B4659-E583-4767-BAA3-53A7CC239EE2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB4A879B-69E6-4F11-8F6C-9AA2AA4CD3FE}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"3HJfb9LKRn"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Then do this please
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

C:\WINDOWS\3HJfb9LKRn.exe

trezz1324
2008-03-16, 03:54
ok here is the combofix logfile:

ComboFix 08-03-14.4 - Steve 2008-03-15 20:35:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.668 [GMT -5:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\dejwnkjw.exe
C:\WINDOWS\didduid.ini
C:\WINDOWS\kpdvkkqv
C:\WINDOWS\opavutkr.exe
C:\WINDOWS\System32\ddaaa.dll
C:\WINDOWS\system32\gquetado.tmp
C:\WINDOWS\system32\L1EFD.tmp
C:\WINDOWS\system32\L2347.tmp
C:\WINDOWS\system32\L25B7.tmp
C:\WINDOWS\system32\L3D18.tmp
C:\WINDOWS\System32\nnnnl.dll
C:\WINDOWS\System32\ursst.dll
C:\WINDOWS\zwrubcpm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\VundoFix Backups
C:\VundoFix Backups\tustq.dll.bad
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\dejwnkjw.exe
C:\WINDOWS\didduid.ini
C:\WINDOWS\opavutkr.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\3HJfb9LKRnwp.exe.bak
C:\WINDOWS\system32\gquetado.tmp
C:\WINDOWS\system32\L1EFD.tmp
C:\WINDOWS\system32\L2347.tmp
C:\WINDOWS\system32\L25B7.tmp
C:\WINDOWS\system32\L3D18.tmp
C:\WINDOWS\zwrubcpm.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Malwarebytes
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-15 14:37 . 2008-03-15 14:37 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-12 23:20 . 2008-03-12 23:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-12 23:20 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-12 23:18 . 2008-03-12 23:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 16:46 . 2008-03-15 14:40 483 --a------ C:\WINDOWS\wininit.ini
2008-03-08 15:28 . 2008-03-08 15:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-08 15:28 . 2008-03-08 15:28 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-08 15:27 . 2008-03-08 15:27 <DIR> d-------- C:\Program Files\stc
2008-03-08 15:26 . 2008-03-09 13:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-08 15:17 . 2008-03-08 15:17 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:00 . 2008-03-08 16:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rabio
2008-03-08 15:00 . 2008-03-08 15:00 3,805,830 --a------ C:\WINDOWS\3HJfb9LKRn.exe
2008-03-08 14:59 . 2008-03-08 14:59 <DIR> d-------- C:\WINDOWS\kpdvkkqv
2008-03-08 14:28 . 2008-03-08 14:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-08 14:28 . 2008-03-08 14:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 12:56 . 2008-03-04 12:56 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Aim
2008-03-04 12:56 . 2008-03-04 12:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-03-04 12:56 . 2004-02-25 13:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-02-27 14:57 . 2008-02-27 14:57 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-27 14:57 . 2008-02-27 14:57 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-27 14:56 . 2008-02-27 14:57 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-24 15:31 . 2004-11-25 21:55 577,664 -ra------ C:\WINDOWS\system32\drivers\Envy24HF.sys
2008-02-24 15:31 . 2004-11-16 04:29 254,000 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-02-24 15:31 . 2004-11-16 04:29 254,000 -ra------ C:\WINDOWS\system32\A3D.dll
2008-02-24 15:30 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-02-24 15:30 . 2002-08-29 02:01 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-02-24 15:30 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-02-24 15:30 . 2002-08-29 01:32 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-02-24 15:21 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-17 15:35 . 2004-08-17 21:14 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 00:10 --------- d-----w C:\Documents and Settings\Steve\Application Data\LimeWire
2008-03-08 20:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 17:56 --------- d-----w C:\Program Files\AOD
2008-03-04 17:56 --------- d-----w C:\Program Files\AIM
2008-02-26 21:07 --------- d-----w C:\Program Files\Java
2008-02-24 23:29 --------- d-----w C:\Documents and Settings\Steve\Application Data\Apple Computer
2008-02-24 20:43 --------- d-----w C:\Program Files\EA GAMES
2008-02-13 22:18 --------- d-----w C:\Program Files\Google
2008-01-18 18:25 --------- d-----w C:\Program Files\LimeWire
.

((((((((((((((((((((((((((((( snapshot@2008-03-15_17.01.02.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-15 21:57:52 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-16 00:10:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-15 21:57:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-16 00:10:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-15 21:57:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-16 00:10:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-11 22:38:18 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-15 21:59:29 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-02-11 22:38:18 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-15 21:59:29 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-13 17:19 171448]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-10 13:08:24 147456]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\System32\DRIVERS\SI3112r.sys [2005-11-10 17:00]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\System32\drivers\Envy24HF.sys [2004-11-25 21:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 21:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 20:38:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-15 20:38:58
ComboFix-quarantined-files.txt 2008-03-16 01:38:49
ComboFix2.txt 2008-03-15 22:01:24
.
2008-01-26 19:05:46 --- E O F ---


Here is the Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:19 PM, on 3/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4015 bytes


Heres the results of that file:
Antivirus Version Last Update Result
AhnLab-V3 2008.3.15.0 2008.03.14 -
AntiVir 7.6.0.73 2008.03.14 -
Authentium 4.93.8 2008.03.14 -
Avast 4.7.1098.0 2008.03.15 -
AVG 7.5.0.516 2008.03.15 Adware Generic2.ABYE
BitDefender 7.2 2008.03.16 -
CAT-QuickHeal 9.50 2008.03.14 -
ClamAV 0.92.1 2008.03.15 -
DrWeb 4.44.0.09170 2008.03.15 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5616 2008.03.14 -
Ewido 4.0 2008.03.15 -
F-Prot 4.4.2.54 2008.03.15 -
F-Secure 6.70.13260.0 2008.03.14 -
FileAdvisor 1 2008.03.16 -
Fortinet 3.14.0.0 2008.03.15 -
Ikarus T3.1.1.20 2008.03.16 Trojan-Downloader.Win32.Adload.ma
Kaspersky 7.0.0.125 2008.03.16 not-a-virus:FraudTool.Win32.XPdefender
McAfee 5252 2008.03.14 -
Microsoft 1.3301 2008.03.15 -
NOD32v2 2949 2008.03.15 Win32/Adware.UltimateDefender
Norman 5.80.02 2008.03.14 -
Panda 9.0.0.4 2008.03.15 -
Prevx1 V2 2008.03.16 Heuristic: Suspicious File With Bad Parent Associations
Rising 20.35.51.00 2008.03.15 -
Sophos 4.27.0 2008.03.16 -
Sunbelt 3.0.963.0 2008.03.14 -
Symantec 10 2008.03.16 XPdefender
TheHacker 6.2.92.247 2008.03.15 -
VBA32 3.12.6.2 2008.03.13 Win32.Adware.UltimateDefender
VirusBuster 4.3.26:9 2008.03.15 -
Webwasher-Gateway 6.6.2 2008.03.14 -
Additional information
File size: 3805830 bytes
MD5: 7698a49bf6aeabc4dfe4df6c1d6281ee
SHA1: 27080047add734c15bd1dd62168c3857b0b7fefe
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3F2EDE2386D11F5412223A361B57EB00DF2426C4

(hope i copied and pasted that right)

ken545
2008-03-16, 12:07
Hello,

(hope i copied and pasted that right) :bigthumb: You have done very well and your log looks fine .

Lets delete this file
C:\WINDOWS\3HJfb9LKRn.exe


Let me tell you about programs like Limewire and all the other file and music sharing programs, the program themselves are safe but what comes with the downloads is anyones guess, I would never allow any programs like this on any of my own computers so its your call if you want to keep it or not.



Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
**Note** Go to Options> Cookies and any you want to keep move them to The Keep window





Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java Runtime Environment (JRE) 6 Update 5 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future

Let me know how your system is running now and if you where able to delete that file ??

trezz1324
2008-03-16, 18:57
Everything looks great, i was able to delete the file through search. CCleaner worked good. I uninstalled/installed java things look good!

ken545
2008-03-16, 23:59
Thats great Trezz, glad things are working well for you :bigthumb:

Ken:)