PDA

View Full Version : I got virtumonde


Setharoth
2008-05-26, 22:48
I have the virtumonde virus and need help to remove it.
(below i have my hijackthis report and in my next post i wwill have my kaspersky report)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:18 PM, on 5/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MICROS~2\WksWP.exe
C:\PROGRA~1\MICROS~2\WkDStore.exe
C:\PROGRA~1\MICROS~2\wkgdcach.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {4A2ACD7F-7FDB-430D-9665-B87F3EED35BA} - C:\WINDOWS\system32\ljJAqRkk.dll (file missing)
O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - C:\WINDOWS\system32\hgGxUMGy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5807] command /c del "C:\WINDOWS\system32\ljJAqRkk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3730] cmd /c del "C:\WINDOWS\system32\ljJAqRkk.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211499135312
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: hgGxUMGy - C:\WINDOWS\SYSTEM32\hgGxUMGy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8564 bytes
Setharoth
2008-05-26, 22:49
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 26, 2008 12:56:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/05/2008
Kaspersky Anti-Virus database records: 800955
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 104933
Number of viruses found: 7
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 00:47:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{05DEFD2E-4CF0-4F0E-B713-BA4D9AA55D6E}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR9.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05212008-224626.log Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Application Data\McAfee\MBK\ARBUSFILE.GDB Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Application Data\ApplicationHistory\McAfeeDataBackup.exe.e548c4c.ini.inuse Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Application Data\Last.fm\Client\Last.fm.log Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3AC077D4-07A3-4920-B939-A62F40C79EE8} Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Temp\fb_3640.lck Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Temp\Perflib_Perfdata_b44.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Temp\Perflib_Perfdata_d44.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Andres Diaz-Borda\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-1595141840-207639826-1413039416-1005\Dc1.exe Infected: Backdoor.Win32.Rbot.kcp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0006446.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trc skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0006583.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsa skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0006628.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trc skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP24\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcyaBqr.dll Infected: Trojan-Downloader.Win32.Agent.pys skipped
C:\WINDOWS\system32\ddcyYQIX.dll Infected: Trojan-Downloader.Win32.Agent.pys skipped
C:\WINDOWS\system32\gbwsdwig.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trl skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hgGxUMGy.dll Infected: Trojan-Downloader.Win32.Agent.pys skipped
C:\WINDOWS\system32\iifdabBq.dll Infected: Trojan-Downloader.Win32.Agent.pys skipped
C:\WINDOWS\system32\maerdyes.fxt Infected: not-a-virus:AdWare.Win32.Virtumonde.tsa skipped
C:\WINDOWS\system32\ougypbqv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trc skipped
C:\WINDOWS\system32\sbhfimsr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trv skipped
C:\WINDOWS\system32\urqNEUoM.dll Infected: Trojan-Downloader.Win32.Agent.pna skipped
C:\WINDOWS\system32\urqRIYPG.dll Infected: Trojan-Downloader.Win32.Agent.pys skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\fb_1748.lck Object is locked skipped
C:\WINDOWS\Temp\mcmsc_HhH4hnsdbNieghu Object is locked skipped
C:\WINDOWS\Temp\mcmsc_nsVPZa3TYZeOVUS Object is locked skipped
C:\WINDOWS\Temp\mcmsc_SdYdstxJXhjLn1R Object is locked skipped
C:\WINDOWS\Temp\sqlite_48tamm5NZ5wV6pT Object is locked skipped
C:\WINDOWS\Temp\sqlite_HyLWdtSt4r3QBIc Object is locked skipped
C:\WINDOWS\Temp\sqlite_vkO6SwVBfSdNybh Object is locked skipped

Scan process completed.
Rorschach112
2008-05-27, 03:17
Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\WINDOWS\system32\ddcyaBqr.dll
C:\WINDOWS\system32\ddcyYQIX.dll
C:\WINDOWS\system32\gbwsdwig.dll
C:\WINDOWS\system32\hgGxUMGy.dll
C:\WINDOWS\system32\iifdabBq.dll
C:\WINDOWS\system32\ougypbqv.dll
C:\WINDOWS\system32\sbhfimsr.dll
C:\WINDOWS\system32\urqNEUoM.dll
C:\WINDOWS\system32\urqRIYPG.dll
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Setharoth
2008-05-27, 03:32
I am not sure which log you want for move it so i will paste them both

Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ddcyaBqr.dll
C:\WINDOWS\system32\ddcyaBqr.dll NOT unregistered.
C:\WINDOWS\system32\ddcyaBqr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ddcyYQIX.dll
C:\WINDOWS\system32\ddcyYQIX.dll NOT unregistered.
C:\WINDOWS\system32\ddcyYQIX.dll moved successfully.
File/Folder C:\WINDOWS\system32\gbwsdwig.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGxUMGy.dll
C:\WINDOWS\system32\hgGxUMGy.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\hgGxUMGy.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifdabBq.dll
C:\WINDOWS\system32\iifdabBq.dll NOT unregistered.
C:\WINDOWS\system32\iifdabBq.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ougypbqv.dll
C:\WINDOWS\system32\ougypbqv.dll NOT unregistered.
C:\WINDOWS\system32\ougypbqv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sbhfimsr.dll
C:\WINDOWS\system32\sbhfimsr.dll NOT unregistered.
C:\WINDOWS\system32\sbhfimsr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\urqNEUoM.dll
C:\WINDOWS\system32\urqNEUoM.dll NOT unregistered.
C:\WINDOWS\system32\urqNEUoM.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\urqRIYPG.dll
C:\WINDOWS\system32\urqRIYPG.dll NOT unregistered.
C:\WINDOWS\system32\urqRIYPG.dll moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05262008_202409

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGxUMGy.dll
C:\WINDOWS\system32\hgGxUMGy.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\hgGxUMGy.dll scheduled to be moved on reboot.




--------------------------------------------------------------------------
(other log)
--------------------------------------------------------------------------


Explorer killed successfully
File/Folder C:\WINDOWS\system32\ddcyaBqr.dll not found.
File/Folder C:\WINDOWS\system32\ddcyYQIX.dll not found.
File/Folder C:\WINDOWS\system32\gbwsdwig.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGxUMGy.dll
C:\WINDOWS\system32\hgGxUMGy.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\hgGxUMGy.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\iifdabBq.dll not found.
File/Folder C:\WINDOWS\system32\ougypbqv.dll not found.
File/Folder C:\WINDOWS\system32\sbhfimsr.dll not found.
File/Folder C:\WINDOWS\system32\urqNEUoM.dll not found.
File/Folder C:\WINDOWS\system32\urqRIYPG.dll not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05262008_202503

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGxUMGy.dll
C:\WINDOWS\system32\hgGxUMGy.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\hgGxUMGy.dll scheduled to be moved on reboot.
Rorschach112
2008-05-27, 03:35
Ok go on with the ComboFix step
Rorschach112
2008-06-01, 02:16
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.