View Full Version : Virtumonde infection please help!!
Okay, I have been infected with Virtumonde and Virtumonde Spx? or something like that and some type of firewall bypass i frgot the name, anyways here is the HJT log please help get them out i cant us IE right and it makes my pc freeze alot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:16 PM, on 3/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1071114
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {ffaab799-0354-4a06-9bee-d3dce95e72e9} - C:\WINDOWS\system32\felazako.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [CPM4fb7f5df] Rundll32.exe "C:\WINDOWS\system32\sayawoha.dll",a
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\cssdll32.dll C:\WINDOWS\system32\nebazifi.dll lqhdwk.dll c:\windows\system32\sayawoha.dll
O20 - Winlogon Notify: pmnMCUmj - pmnMCUmj.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sayawoha.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7754 bytes
Hello ace305
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Do this first...Important
Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {ffaab799-0354-4a06-9bee-d3dce95e72e9} - C:\WINDOWS\system32\felazako.dll
O4 - HKLM\..\Run: [CPM4fb7f5df] Rundll32.exe "C:\WINDOWS\system32\sayawoha.dll",a
O20 - Winlogon Notify: pmnMCUmj - pmnMCUmj.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sayawoha.dll (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
Hello Ken545, Thanks for helping me out here. I have to mention how ever that I did the system scan just like you said but i couldn't find the on file you had mentioned which is the 02 BHO No name file. I was able to find the rest and fix checked on them. How ever, The thing about copying the qoute never showed up? Did I do something wrong? Or should I continue?
Heres the two logs you requested.
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3
3/20/2009 1:53:43 PM
mbam-log-2009-03-20 (13-53-43).txt
Scan type: Quick Scan
Objects scanned: 62182
Time elapsed: 9 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\rewuvafu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\nubobevu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\erqpou.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\liwoduki.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2042a4a8-4cd5-445a-9f02-606387c9e8d3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2042a4a8-4cd5-445a-9f02-606387c9e8d3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2042a4a8-4cd5-445a-9f02-606387c9e8d3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c84c643 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kazafolipi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm4fb7f5df (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nubobevu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nubobevu.dll -> Delete on reboot.
Folders Infected:
C:\Documents and Settings\Dave\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\erqpou.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\liwoduki.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ikudowil.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rewuvafu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\nubobevu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kamileva.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yireniye.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv241232809190.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv581232809034.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv681232845748.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv821232808964.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:59 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1071114
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\cssdll32.dll lqhdwk.dll c:\windows\system32\sayawoha.dll erqpou.dll c:\windows\system32\tugojogu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7454 bytes
Hi,
Your TeaTimer is Spybot is still enabled, disable it please as per my previous instructions.
Remove these with HJT
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\cssdll32.dll lqhdwk.dll c:\windows\system32\sayawoha.dll erqpou.dll c:\windows\system32\tugojogu.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
Open HJT > Misc Tools > Delete an NT Service
Type in npggsvc
Then click on OK, it will ask you to reboot, do so.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Ken, I did what you just said. I opened up HJT and tried to remove the files like you stated. How ever the second one wont get out like the others did and I tried to type in the npggsvc like you said and it said I cannot remove it because it is still in use. I also tried to download ComboFix from all three location's and it say's I do not have permission to use it? What do I do now? I already believe I disabled my anti virus and firewall?
Go to Start> Run and type in services.msc , when it opens look for nProtect GameGuard Service right click on it and change the startup type to Disabled. Ok your way out
Please download the OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe
:Services
npggsvc
:Files
C:\WINDOWS\system32\GameMon.des.exe
:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTMoveIt3 log and a new HJT log please
Service\Driver npggsvc deleted successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\GameMon.des.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Dave\LOCALS~1\Temp\etilqs_QnabMhKUqlQ4jgkebd1F scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_108.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Dave\Local Settings\Application Data\Mozilla\Firefox\Profiles\wqcz8nmo.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dave\Local Settings\Application Data\Mozilla\Firefox\Profiles\wqcz8nmo.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dave\Local Settings\Application Data\Mozilla\Firefox\Profiles\wqcz8nmo.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dave\Local Settings\Application Data\Mozilla\Firefox\Profiles\wqcz8nmo.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dave\Local Settings\Application Data\Mozilla\Firefox\Profiles\wqcz8nmo.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dave\Local Settings\Application Data\Mozilla\Firefox\Profiles\wqcz8nmo.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03212009_121104
Just to let you know, I didnt hit reboot when i had asked me because I didnt see that you said it, Plus I rebooted anyways because I know it wnated me to after saying so and the log popped up and I didnt copy it becuz i closed it off to fast sorry. But it said the files were moved? So her the HJT lo and the OTMOVEIT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:51 PM, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1071114
O2 - BHO: {2b4bf8bf-fee4-688a-cd04-a827ea19c820} - {028c91ae-728a-40dc-a886-4eeffb8fb4b2} - C:\WINDOWS\system32\tsuyaq.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {ffaab799-0354-4a06-9bee-d3dce95e72e9} - C:\WINDOWS\system32\totodele.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [kazafolipi] Rundll32.exe "C:\WINDOWS\system32\rewuvafu.dll",s
O4 - HKLM\..\Run: [CPM4fb7f5df] Rundll32.exe "c:\windows\system32\gekuhiri.dll",a
O4 - HKLM\..\Run: [4c84c643] rundll32.exe "C:\WINDOWS\system32\soremeno.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [kazafolipi] Rundll32.exe "C:\WINDOWS\system32\rewuvafu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kazafolipi] Rundll32.exe "C:\WINDOWS\system32\rewuvafu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sidikeyu.dll tsuyaq.dll c:\windows\system32\gekuhiri.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gekuhiri.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gekuhiri.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7942 bytes
Hi,
I'll tell ya, this garbage is getting harder to remove as each day goes by.
Remove these with HJT.
O2 - BHO: {2b4bf8bf-fee4-688a-cd04-a827ea19c820} - {028c91ae-728a-40dc-a886-4eeffb8fb4b2} - C:\WINDOWS\system32\tsuyaq.dll
O2 - BHO: (no name) - {ffaab799-0354-4a06-9bee-d3dce95e72e9} - C:\WINDOWS\system32\totodele.dll
O4 - HKLM\..\Run: [kazafolipi] Rundll32.exe "C:\WINDOWS\system32\rewuvafu.dll",s
O4 - HKLM\..\Run: [CPM4fb7f5df] Rundll32.exe "c:\windows\system32\gekuhiri.dll",a
O4 - HKLM\..\Run: [4c84c643] rundll32.exe "C:\WINDOWS\system32\soremeno.dll",b
O4 - HKUS\S-1-5-19\..\Run: [kazafolipi] Rundll32.exe "C:\WINDOWS\system32\rewuvafu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kazafolipi] Rundll32.exe "C:\WINDOWS\system32\rewuvafu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\sidikeyu.dll tsuyaq.dll c:\windows\system32\gekuhiri.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gekuhiri.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gekuhiri.dll (file missing)
Its important that you run Combofix, if it still wont run try running it in Safemode.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Delete any Combofixe that you downloaded and grab a fresh copy as its updated daily.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
ComboFix 09-03-19.02 - Dave 2009-03-22 0:31:12.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1652 [GMT -4:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Dave\LOCALS~1\Temp\tmp1.tmp
c:\windows\system32\lqhdwk.dll
c:\windows\system32\onemeros.ini
c:\windows\system32\pabewisa.dll
c:\windows\system32\popiwoba.dll
c:\windows\system32\qxepnl.dll
c:\windows\system32\sidikeyu.dll
c:\windows\system32\sirifiwi.dll
c:\windows\system32\sizugomu.dll
c:\windows\system32\suluyeba.dll
c:\windows\system32\tsuyaq.dll
c:\windows\system32\umoguzis.ini
c:\windows\system32\wogisewo.dll
.
((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.
2009-03-22 00:09 . 2009-03-22 00:12 <DIR> d-------- C:\32788R22FWJFW.5.tmp
2009-03-21 23:55 . 2009-03-21 23:57 <DIR> d-------- C:\32788R22FWJFW.4.tmp
2009-03-21 19:08 . 2008-04-13 20:12 82,432 ---h---t- c:\windows\system32\8d9c01.dll
2009-03-21 19:08 . 2008-04-13 20:12 82,432 ---h---t- c:\windows\system32\81835da.dll
2009-03-21 12:11 . 2009-03-21 12:11 <DIR> d-------- C:\_OTMoveIt
2009-03-20 20:08 . 2009-03-21 23:55 <DIR> d-------- C:\32788R22FWJFW.3.tmp
2009-03-20 20:07 . 2009-03-20 20:08 <DIR> d-------- C:\32788R22FWJFW.2.tmp
2009-03-20 20:07 . 2009-03-20 20:07 <DIR> d-------- C:\32788R22FWJFW.1.tmp
2009-03-20 20:06 . 2009-03-20 20:07 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-03-20 13:41 . 2009-03-20 13:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 13:41 . 2009-03-20 13:41 <DIR> d-------- c:\documents and settings\Dave\Application Data\Malwarebytes
2009-03-20 13:41 . 2009-03-20 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-20 13:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 13:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-19 12:48 . 2009-03-21 12:10 327 --a------ c:\windows\wininit.ini
2009-03-15 01:49 . 2009-03-15 01:49 268 --ah----- C:\sqmdata10.sqm
2009-03-15 01:49 . 2009-03-15 01:49 268 --ah----- C:\sqmdata09.sqm
2009-03-15 01:49 . 2009-03-15 01:49 244 --ah----- C:\sqmnoopt09.sqm
2009-03-15 01:49 . 2009-03-15 01:49 136 --ah----- C:\sqmnoopt10.sqm
2009-03-15 01:49 . 2009-03-15 01:49 136 --ah----- C:\sqmdata11.sqm
2009-03-15 01:23 . 2009-03-15 13:02 <DIR> d-------- c:\windows\PaltalkScene
2009-03-15 01:23 . 2009-03-15 14:33 <DIR> d-------- c:\program files\Paltalk Messenger
2009-03-14 14:51 . 2009-03-19 15:31 <DIR> d-------- c:\program files\LimeWire
2009-03-12 20:44 . 2009-03-12 21:10 <DIR> d-------- c:\program files\PhotoFiltre
2009-03-12 17:53 . 2009-03-12 17:53 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-03-12 17:48 . 2009-03-12 17:48 <DIR> d-------- c:\program files\Western Digital
2009-03-12 17:47 . 2009-03-12 17:47 <DIR> d-------- c:\program files\Western Digital Technologies
2009-03-12 17:47 . 2009-03-12 19:07 <DIR> d---s---- c:\documents and settings\All Users\Application Data\Memeo
2009-03-12 01:33 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2009-03-12 01:33 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys
2009-03-12 00:25 . 2009-03-12 00:25 419 --a------ c:\windows\BRWMARK.INI
2009-03-12 00:25 . 2009-03-12 00:25 27 --a------ c:\windows\BRPP2KA.INI
2009-03-10 22:34 . 2009-03-10 22:34 <DIR> d-------- c:\program files\RyTech Software
2009-03-10 22:25 . 2009-03-10 22:25 31 --a------ c:\windows\system32\Days5.ini
2009-03-10 21:52 . 2009-03-10 21:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-03-10 21:39 . 2009-03-10 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software
2009-03-10 21:37 . 2009-03-10 22:04 <DIR> d-------- c:\program files\NCH Swift Sound
2009-03-10 18:32 . 2009-03-10 18:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 15:08 . 2009-03-10 15:08 <DIR> d-------- c:\program files\DVDVideoSoft
2009-03-10 15:08 . 2009-03-10 15:09 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft
2009-03-10 03:02 . 2009-03-10 03:02 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-09 23:32 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-09 23:32 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-03-09 23:32 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-09 21:53 . 2009-02-16 20:39 2,736,890 --a------ c:\windows\system32\GameMon.des
2009-03-09 21:51 . 2003-07-17 05:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-03-09 21:51 . 2004-12-31 20:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-03-09 21:50 . 2009-03-09 21:50 <DIR> d-------- c:\program files\Common Files\INCA Shared
2009-03-09 21:24 . 2009-03-09 21:24 <DIR> d-------- c:\program files\Subagames
2009-03-09 19:26 . 2009-03-09 19:26 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-09 02:02 . 2009-03-09 02:02 72,758 --a------ c:\windows\system32\rn.tmp
2009-03-06 10:35 . 2009-03-06 10:35 <DIR> d-------- c:\program files\FaxTools
2009-03-06 10:35 . 2009-03-06 10:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-03-06 10:27 . 2009-03-06 10:50 251 --a------ c:\windows\lexstat.ini
2009-03-06 10:24 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-06 10:24 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-03-06 10:23 . 2009-03-06 10:24 <DIR> d-------- c:\program files\Lexmark X1100 Series
2009-03-06 10:23 . 2001-08-17 23:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2009-03-06 10:23 . 2001-08-17 23:36 87,040 --a------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-03-06 10:23 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-06 10:23 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2009-03-04 19:56 . 2009-03-04 19:56 <DIR> d-------- c:\program files\Avery Dennison
2009-03-04 19:56 . 2009-03-04 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avery
2009-03-01 22:47 . 2005-12-07 21:46 106,496 --a------ c:\windows\system32\jacob.dll
2009-03-01 22:46 . 2009-03-01 23:00 <DIR> d-------- c:\program files\Tune Tools 2
2009-03-01 22:35 . 2009-03-01 22:36 <DIR> d-------- C:\4e3b464d9b5ce38f1627d6db710891
2009-02-25 19:48 . 2009-02-28 01:17 <DIR> d-------- C:\Nexon
2009-02-25 19:44 . 2009-02-25 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\NexonUS
2009-02-25 18:54 . 2009-02-25 18:54 <DIR> d-------- c:\program files\Pando Networks
2009-02-25 18:54 . 2009-02-25 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2009-02-23 17:38 . 2009-02-23 17:38 268 --ah----- C:\sqmdata08.sqm
2009-02-23 17:38 . 2009-02-23 17:38 244 --ah----- C:\sqmnoopt08.sqm
2009-02-23 17:35 . 2009-02-23 17:35 244 --ah----- C:\sqmnoopt07.sqm
2009-02-23 17:35 . 2009-02-23 17:35 232 --ah----- C:\sqmdata07.sqm
2009-02-23 17:34 . 2009-02-23 17:34 244 --ah----- C:\sqmnoopt06.sqm
2009-02-23 17:34 . 2009-02-23 17:34 232 --ah----- C:\sqmdata06.sqm
2009-02-23 17:28 . 2009-02-23 17:28 244 --ah----- C:\sqmnoopt05.sqm
2009-02-23 17:28 . 2009-02-23 17:28 244 --ah----- C:\sqmnoopt04.sqm
2009-02-23 17:28 . 2009-02-23 17:28 232 --ah----- C:\sqmdata05.sqm
2009-02-23 17:28 . 2009-02-23 17:28 232 --ah----- C:\sqmdata04.sqm
2009-02-23 17:26 . 2009-02-23 17:26 244 --ah----- C:\sqmnoopt03.sqm
2009-02-23 17:26 . 2009-02-23 17:26 244 --ah----- C:\sqmnoopt02.sqm
2009-02-23 17:26 . 2009-02-23 17:26 244 --ah----- C:\sqmnoopt01.sqm
2009-02-23 17:26 . 2009-02-23 17:26 232 --ah----- C:\sqmdata03.sqm
2009-02-23 17:26 . 2009-02-23 17:26 232 --ah----- C:\sqmdata02.sqm
2009-02-23 17:26 . 2009-02-23 17:26 232 --ah----- C:\sqmdata01.sqm
2009-02-23 17:24 . 2009-02-23 17:24 244 --ah----- C:\sqmnoopt00.sqm
2009-02-23 17:24 . 2009-02-23 17:24 232 --ah----- C:\sqmdata00.sqm
2009-02-22 16:12 . 2001-08-17 23:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-02-22 16:12 . 2001-08-17 23:36 8,704 --a------ c:\windows\system32\dllcache\kbdjpn.dll
2009-02-22 16:12 . 2001-08-17 23:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-02-22 16:12 . 2001-08-17 23:36 8,192 --a------ c:\windows\system32\dllcache\kbdkor.dll
2009-02-22 16:12 . 2008-04-13 20:09 6,144 --a------ c:\windows\system32\kbd106.dll
2009-02-22 16:12 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-02-22 16:12 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-02-22 16:12 . 2008-04-13 20:09 6,144 --a------ c:\windows\system32\dllcache\kbd106.dll
2009-02-22 16:12 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\dllcache\kbd101c.dll
2009-02-22 16:12 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\dllcache\kbd101b.dll
2009-02-22 16:12 . 2001-08-17 15:55 5,632 --a------ c:\windows\system32\kbd103.dll
2009-02-22 16:12 . 2001-08-17 15:55 5,632 --a------ c:\windows\system32\dllcache\kbd103.dll
2009-02-22 03:44 . 2009-02-22 03:44 3,462 --a------ c:\windows\system32\spupdsvc.inf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 16:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-18 18:23 --------- d-----w c:\program files\Bodog Poker
2009-03-18 03:34 --------- d-----w c:\program files\PokerStars
2009-03-13 14:37 --------- d-----w c:\program files\Google
2009-03-12 22:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 07:01 --------- d-----w c:\program files\Microsoft Works
2009-03-01 13:33 --------- d-----w c:\documents and settings\Dave\Application Data\Apple Computer
2009-02-26 21:44 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-22 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-02-22 06:39 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-22 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\_comodo_
2009-02-19 19:34 --------- d-----w c:\documents and settings\Dave\Application Data\GarageGames
2009-02-19 04:36 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-19 00:47 --------- d-----w c:\program files\ValuSoft
2009-02-14 23:46 286,720 ----a-w c:\windows\iun506.exe
2009-02-14 23:46 --------- d-----w c:\program files\Millennium Gamepak Gold
2009-02-14 23:21 --------- d-----w c:\program files\directx
2009-02-14 23:09 --------- d-----w c:\program files\Motorsims
2009-02-09 06:04 --------- d-----w c:\program files\DellSupport
2009-02-06 00:17 --------- d-----w c:\documents and settings\Dave\Application Data\CyberLink
2009-02-02 18:04 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-02 18:02 --------- d-----w c:\program files\AVS4YOU
2009-01-31 23:55 --------- d-----w c:\program files\Common Files\logishrd
2009-01-29 14:29 --------- d-----w c:\program files\Apple Software Update
2009-01-25 23:28 --------- d-----w c:\program files\Trend Micro
2009-01-25 23:26 --------- d-----w c:\documents and settings\Dave\Application Data\LimeWire
2009-01-23 05:01 --------- d-----w c:\program files\MSN Messenger
2009-01-22 16:38 --------- d-----w c:\program files\QuickTime
2009-01-22 16:38 --------- d-----w c:\program files\iTunes
2009-01-22 16:38 --------- d-----w c:\program files\iPod
2009-01-22 16:38 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-22 16:36 --------- d-----w c:\program files\Common Files\Apple
2009-01-22 16:36 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-22 00:03 --------- d-----w c:\program files\MSXML 4.0
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-03-12 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-14 1862144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-14 24576]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57814:TCP"= 57814:TCP:Pando Media Booster
"57814:UDP"= 57814:UDP:Pando Media Booster
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-01-21 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-01-21 24336]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Subagames\CrossFire\GameGuard\dump_wmimmc.sys --> c:\program files\Subagames\CrossFire\GameGuard\dump_wmimmc.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{446325b8-0f4f-11de-9d44-001d09a48193}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{9a85b60a-7b1e-40e3-a100-78a697deaf97} - c:\windows\system32\qxepnl.dll
BHO-{ffaab799-0354-4a06-9bee-d3dce95e72e9} - c:\windows\system32\totodele.dll
HKLM-Run-kazafolipi - c:\windows\system32\rewuvafu.dll
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1071114
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\wqcz8nmo.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 00:37:39
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(904)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-22 0:39:48 - machine was rebooted [Dave]
ComboFix-quarantined-files.txt 2009-03-22 04:39:42
Pre-Run: 40,480,002,048 bytes free
Post-Run: 38,381,572,096 bytes free
274 --- E O F --- 2009-03-11 07:01:51
I disabled the anti virus as much as pssible but was diffucult to disable the firewall even tho i had it off. I couldnt enable the windows recovery machine because i dont have internet in safe mode and I tried running combo fix but wouldnt let me do in regular window. Anyways thats the ComboFix log and this is the new HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:34 AM, on 3/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1071114
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 6736 bytes
Good Morning,
Your doing just fine :bigthumb:
You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Delete these files
C:\32788R22FWJFW.5.tmp
C:\32788R22FWJFW.4.tmp
C:\32788R22FWJFW.3.tmp
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
c:\windows\system32\8d9c01.dll
The rest of your logs look fine, how are things running now???
Everything seems to be more stable. How ever, It won't let me delete the five files you mentioned to me to delete It says that the file is stil in use and make sure the dis is not full or copyrighted? How do I go about this?
Other than this now, Everything seems to be be quicker and more responding.
Please download the OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Files
C:\32788R22FWJFW.5.tmp
C:\32788R22FWJFW.4.tmp
C:\32788R22FWJFW.3.tmp
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
c:\windows\system32\8d9c01.dll <--Did you upload this file to VirusTotal, it may be bad????
This is the Virus Total Report.
MD5: 2ccc474eb85ceaa3e1fa1726580a3e5a
First received: -
Date: 03.18.2009 14:28:44 (CET) [>4D]
Results: 0/37
Permalink: analisis/5a0bcd34750912b4b8bb3d63c05009e2
This is the OTMoveIt report I just did like you had asked.
========== FILES ==========
C:\32788R22FWJFW.5.tmp moved successfully.
C:\32788R22FWJFW.4.tmp moved successfully.
C:\32788R22FWJFW.3.tmp moved successfully.
C:\32788R22FWJFW.2.tmp moved successfully.
C:\32788R22FWJFW.1.tmp moved successfully.
C:\32788R22FWJFW.0.tmp moved successfully.
OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03222009_172052
ACE, that can't be the entire VirusTotal log. I need to see the entire log
As soon as I send the file, That is all it showed. How ever, I did notice this and is this the log?
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.18 -
AhnLab-V3 5.0.0.2 2009.03.18 -
AntiVir 7.9.0.116 2009.03.18 -
Authentium 5.1.2.4 2009.03.18 -
Avast 4.8.1335.0 2009.03.17 -
AVG 8.0.0.237 2009.03.18 -
BitDefender 7.2 2009.03.18 -
CAT-QuickHeal 10.00 2009.03.18 -
ClamAV 0.94.1 2009.03.18 -
Comodo 1066 2009.03.18 -
DrWeb 4.44.0.09170 2009.03.18 -
eSafe 7.0.17.0 2009.03.18 -
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.17 -
Fortinet 3.117.0.0 2009.03.18 -
GData 19 2009.03.18 -
Ikarus T3.1.1.45.0 2009.03.18 -
K7AntiVirus 7.10.674 2009.03.17 -
Kaspersky 7.0.0.125 2009.03.18 -
McAfee 5556 2009.03.17 -
McAfee+Artemis 5556 2009.03.17 -
McAfee-GW-Edition 6.7.6 2009.03.18 -
Microsoft 1.4502 2009.03.18 -
NOD32 3944 2009.03.17 -
Norman 6.00.06 2009.03.18 -
nProtect 2009.1.8.0 2009.03.18 -
Panda 10.0.0.10 2009.03.18 -
PCTools 4.4.2.0 2009.03.18 -
Rising 21.21.22.00 2009.03.18 -
Sophos 4.39.0 2009.03.18 -
Sunbelt 3.2.1858.2 2009.03.18 -
Symantec 1.4.4.12 2009.03.18 -
TheHacker 6.3.3.0.283 2009.03.16 -
TrendMicro 8.700.0.1004 2009.03.18 -
VBA32 3.12.10.1 2009.03.17 -
ViRobot 2009.3.18.1654 2009.03.18 -
VirusBuster 4.6.5.0 2009.03.17 -
Additional information
File size: 82432 bytes
MD5...: 2ccc474eb85ceaa3e1fa1726580a3e5a
SHA1..: 7cf3366c68e402eb3678046fe97651a586044560
SHA256: 6e99d2fb4997e54e8b1b7d769cf2c0fae296a6441dc39984850ea26bfeb7e500
SHA512: 158cdba8cda0da68829f30fa8f5b7a0caca90d9a6ca7480a3de7a3a6c0f2f84d
68533d62c5f72c7f332e90a7a916f4b28c49c0841b3bfb0df5a8b63e4ba5426c
ssdeep: 1536:HRqRC/AJcBuyg2q1htxvSrqtkBx5sALnR4lxCyqnelG:HR0TJKBq1hrvSrM
kBx5swR41Mj
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1273
timedatestamp.....: 0x4802a163 (Mon Apr 14 00:12:19 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12153 0x12200 6.48 cb2c4ac799159013b18999c21e2df4f0
.data 0x14000 0x914 0xa00 4.88 704b5717fb2cf3f297691957debc5e92
.rsrc 0x15000 0x3f8 0x400 3.43 5ff68b649c14d167754073f671ef1ef1
.reloc 0x16000 0xdc8 0xe00 6.65 c085926e9053221b19c5e6bcc1c08384
( 5 imports )
> ADVAPI32.dll: RegNotifyChangeKeyValue, RegDeleteKeyA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegEnumKeyExA
> KERNEL32.dll: GetTickCount, QueryPerformanceCounter, lstrcmpA, HeapReAlloc, HeapFree, HeapAlloc, InterlockedCompareExchange, IsBadWritePtr, GetEnvironmentVariableA, GetComputerNameA, GetVersionExA, GetSystemDirectoryA, GetWindowsDirectoryA, WaitForMultipleObjectsEx, ResetEvent, IsBadReadPtr, TlsSetValue, GetHandleInformation, ExpandEnvironmentStringsA, InterlockedExchange, GetCurrentThreadId, TlsAlloc, GetSystemInfo, HeapCreate, GetProcessHeap, HeapDestroy, TlsFree, lstrlenA, lstrcpyA, IsBadCodePtr, GetProcAddress, CreateEventA, GetModuleFileNameA, LoadLibraryA, CreateThread, FreeLibrary, WaitForSingleObject, CloseHandle, FreeLibraryAndExitThread, EnterCriticalSection, SetEvent, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SwitchToThread, SetLastError, DelayLoadFailureHook, TlsGetValue, InterlockedDecrement, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, InterlockedIncrement, LeaveCriticalSection
> msvcrt.dll: __isascii, isspace, _except_handler3, sprintf, _adjust_fdiv, malloc, _initterm, free, _stricmp, fclose, fgets, atoi, strchr, fopen, wcscpy, strtoul, wcscmp, wcslen, wcschr
> ntdll.dll: RtlIpv4StringToAddressW, RtlIpv6StringToAddressExW, RtlIpv4StringToAddressA
> WS2HELP.dll: WahCompleteRequest, WahQueueUserApc, WahEnableNonIFSHandleSupport, WahDisableNonIFSHandleSupport, WahCreateSocketHandle, WahNotifyAllProcesses, WahCreateNotificationHandle, WahWaitForNotification, WahOpenCurrentThread, WahCloseThread, WahInsertHandleContext, WahRemoveHandleContext, WahDestroyHandleContextTable, WahCreateHandleContextTable, WahEnumerateHandleContexts, WahCloseApcHelper, WahCloseHandleHelper, WahCloseNotificationHandleHelper, WahOpenNotificationHandleHelper, WahOpenHandleHelper, WahOpenApcHelper, WahCloseSocketHandle, WahReferenceContextByHandle
( 117 exports )
FreeAddrInfoW, GetAddrInfoW, GetNameInfoW, WEP, WPUCompleteOverlappedRequest, WSAAccept, WSAAddressToStringA, WSAAddressToStringW, WSAAsyncGetHostByAddr, WSAAsyncGetHostByName, WSAAsyncGetProtoByName, WSAAsyncGetProtoByNumber, WSAAsyncGetServByName, WSAAsyncGetServByPort, WSAAsyncSelect, WSACancelAsyncRequest, WSACancelBlockingCall, WSACleanup, WSACloseEvent, WSAConnect, WSACreateEvent, WSADuplicateSocketA, WSADuplicateSocketW, WSAEnumNameSpaceProvidersA, WSAEnumNameSpaceProvidersW, WSAEnumNetworkEvents, WSAEnumProtocolsA, WSAEnumProtocolsW, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAGetQOSByName, WSAGetServiceClassInfoA, WSAGetServiceClassInfoW, WSAGetServiceClassNameByClassIdA, WSAGetServiceClassNameByClassIdW, WSAHtonl, WSAHtons, WSAInstallServiceClassA, WSAInstallServiceClassW, WSAIoctl, WSAIsBlocking, WSAJoinLeaf, WSALookupServiceBeginA, WSALookupServiceBeginW, WSALookupServiceEnd, WSALookupServiceNextA, WSALookupServiceNextW, WSANSPIoctl, WSANtohl, WSANtohs, WSAProviderConfigChange, WSARecv, WSARecvDisconnect, WSARecvFrom, WSARemoveServiceClass, WSAResetEvent, WSASend, WSASendDisconnect, WSASendTo, WSASetBlockingHook, WSASetEvent, WSASetLastError, WSASetServiceA, WSASetServiceW, WSASocketA, WSASocketW, WSAStartup, WSAStringToAddressA, WSAStringToAddressW, WSAUnhookBlockingHook, WSAWaitForMultipleEvents, WSApSetPostRoutine, WSCDeinstallProvider, WSCEnableNSProvider, WSCEnumProtocols, WSCGetProviderPath, WSCInstallNameSpace, WSCInstallProvider, WSCUnInstallNameSpace, WSCUpdateProvider, WSCWriteNameSpaceOrder, WSCWriteProviderOrder, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getprotobyname, getprotobynumber, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
Yep, that its and that file looks ok.:bigthumb:
Any problems please post back
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
Okay cool. Lol, I did get the wrong one after all. Anyway's, everything is quite with the system. I have to go into safemode to do the above procedure you mentioned.
I got Spybot and Comodo. So, Im gonna stick with them. Thanks for all the help Ken!
Your very welcome,
Take care,
Ken:)