
Thread: trying to clean a friend's PC

  1. #1
    Member FAUST's Avatar
    Join Date
    Jan 2007
    Posts
    53

    trying to clean a friend's PC

    A friend of mine got infected and I'm trying to help him get clean, but the HJT is making my head hurt.

    Any help would be greatly appreciated.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:53:55, on 16/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\BT Yahoo\BT Yahoo Help\bin\mpbtn.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Colin Wells\wn0004.exe
    C:\Documents and Settings\Colin Wells\us0004.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    F:\HiJackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pro...ersion=g_4.4.2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
    O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr221.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [funk] funk.exe
    O4 - HKLM\..\Run: [bqqzwvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bqqzwvm.dll,horasxe
    O4 - HKLM\..\Run: [yqexox.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yqexox.dll,gtlmqyd
    O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Colin Wells\Application Data\25965.exe
    O4 - HKLM\..\Run: [findfast] C:\Documents and Settings\Colin Wells\Application Data\findfast.exe
    O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\Colin Wells\Start Menu\Programs\Startup\svchost.exe
    O4 - HKLM\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [findfast] C:\Documents and Settings\Colin Wells\Application Data\findfast.exe
    O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Colin Wells\Start Menu\Programs\Startup\svchost.exe
    O4 - HKCU\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: .protected
    O4 - Startup: findfast.lnk = C:\Documents and Settings\Colin Wells\Local Settings\Temp\us9999.exe
    O4 - Startup: svchost.exe
    O4 - Startup: system.exe
    O4 - Global Startup: .protected
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: autorun.exe
    O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: BT - {184FA151-FC4D-4B73-84BE-290B1ABAB081} - http://www.bt.com (file missing) (HKCU)
    O9 - Extra button: Homepage - {19E5509B-2F28-4652-ABAA-2A8BCB20FF91} - http://bt.yahoo.com (file missing) (HKCU)
    O16 - DPF: {00000000-0000-0000-0000-000020000000} - http://www.68737075.com/connect/wla/x/ukgolwla2x.exe
    O16 - DPF: {06CB3152-EBD7-3A35-D81C-56A271B04106} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {06EED17F-6F7A-1753-F385-0E383BDEFDB8} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {0A91F218-E2BE-7B83-0495-49B702265F91} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {13E8554B-7C98-6219-62F3-307F502E7B06} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {150A548E-CAB1-6201-EC05-20CA17FDADEE} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {21099740-FFC6-3F8F-C111-0405493B26C8} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {269A596B-754C-54FD-9C30-73A15264DEDC} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {2C2D1DCA-6760-7970-C08E-0114367C736F} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {2CB3A224-80AB-6B75-3C06-60C4716C2690} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {2D1E128E-2361-5A24-90C3-4AFD27F04EE5} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20040728.dll
    O16 - DPF: {30DB2681-4168-3354-88F6-7A361C8A03C0} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {31E050BB-2596-64A4-75A7-27CC2B060D92} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {3EB69E85-DE0D-6E2B-4CC1-0A611997A6E4} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {533C8956-A746-24B9-F566-05E75E042B1F} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {57C10625-732C-6D69-5838-42A635462E64} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {614E8DAF-FAA6-2E6F-D9C8-31CF6BA62A81} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {6D4347A0-CAEA-50D8-472F-70B1470A686C} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {7376C0C7-CF57-5BDD-2AC4-1A417F86CDF4} - http://85.255.115.229/1/gdnFR1440.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/minidialler/mddl/NX/220100__.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.broadbandassist.com...ivePreQual.cab
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba1440.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B18570C9-E03F-4FCC-ADA1-C4C1DE2201A1}: NameServer = 194.74.65.69 62.6.40.178
    O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum221.txt
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
    O24 - Desktop Component 0: (no name) - http://sc.groups.msn.com/themes/R9c/pby/img/dlstar.gif
    --
    End of file - 13160 bytes
    What if love's intolerable pain never leaves us?
    Do we dash our bleeding hearts on the rocks of loneliness?
    And cry unto the lords above who turn away in haste?
    MY DYING BRIDE
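As an added example, not code from the thread, from HijackThis or from Trend Micro: a Python triage script that applies the kind of checks a helper makes by eye on the log above (a second program chained onto the shell in F2, O4 autoruns from user-writable paths or with look-alike names, the regedit policy in O7, ActiveX downloads of .exe files from bare IP addresses in O16, O17 nameservers inside the 85.255.112.200-85.255.127.255 range the reply quotes, and a non-DLL in AppInit_DLLs). The rules, the system-name list and the user-writable markers are my assumptions; the sample lines are copied from the log, plus one constructed O17 line so the DNS rule has a positive case.

```python
"""Triage a HijackThis log for the indicators this thread turns on.

Added example, not part of the thread or of HijackThis itself; the rules are
a reviewer's heuristics (assumptions), not an authoritative signature set.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted above, plus one
# constructed O17 line (marked) so the DNS-hijack rule has a positive case.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [funk] funk.exe",
    r"O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\Colin Wells\Start Menu\Programs\Startup\svchost.exe",
    r"O4 - HKLM\..\Run: [LaserJet] C:\WINDOWS\system32\spoolvs.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O16 - DPF: {06CB3152-EBD7-3A35-D81C-56A271B04106} - http://85.255.115.229/1/gdnFR1440.exe",
    r"O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B18570C9-E03F-4FCC-ADA1-C4C1DE2201A1}: NameServer = 194.74.65.69 62.6.40.178",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED}: NameServer = 85.255.115.229",  # constructed
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum221.txt",
]

# Names malware likes to imitate (assumption: a short starter list).
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "winlogon.exe",
                "csrss.exe", "services.exe", "explorer.exe", "smss.exe"}
# Directories any logged-on user can write to; no system service lives there.
USER_WRITABLE = ("\\documents and settings\\", "\\startup\\", "\\temp\\")
# The hijacker's DNS range exactly as the helper quotes it in this thread.
WAREOUT_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("85.255.112.200"),
    ipaddress.IPv4Address("85.255.127.255")))


def lookalike(base):
    """True if base is not a system binary name but is an anagram of one or
    one character away from one (spoolvs.exe next to the real spoolsv.exe)."""
    if base in SYSTEM_NAMES:
        return False
    return any(len(r) == len(base) and (sorted(r) == sorted(base) or
               sum(a != b for a, b in zip(r, base)) == 1)
               for r in SYSTEM_NAMES)


def check_line(line):
    """Return why a line deserves a second look, or None if it looks normal."""
    m = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line)
    if m:  # the shell value must be exactly Explorer.exe
        ok = m[1].strip().lower() == "explorer.exe"
        return None if ok else "extra program chained onto the Winlogon shell"
    m = re.match(r"O4 - .*\\Run: \[[^\]]*\] (?P<cmd>.*)", line)
    if m:  # registry autoruns: look at where the binary lives and its name
        p = re.match(r'"?(?P<path>.*?\.(?:exe|com|scr|bat))', m["cmd"], re.I)
        low = (p["path"] if p else m["cmd"]).lower()
        if "\\" not in low:
            return "autorun with no directory: resolved through PATH"
        if any(marker in low for marker in USER_WRITABLE):
            return "autorun from a user-writable location"
        if lookalike(low.rsplit("\\", 1)[-1]):
            return "file name imitates a system binary"
        return None
    if line.startswith("O7 - ") and "DisableRegedit=1" in line:
        return "registry editor disabled by policy"
    m = re.match(r"O16 - DPF: \{[^}]*\}(?: \([^)]*\))? - (?P<url>https?://.*)", line)
    if m:  # ActiveX downloads: a .cab from a vendor host is normal, this is not
        u = urlparse(m["url"])
        bare_ip = re.fullmatch(r"\d+\.\d+\.\d+\.\d+", u.hostname or "")
        if bare_ip or u.path.lower().endswith(".exe"):
            return "ActiveX download of an .exe or from a bare IP address"
        return None
    m = re.match(r"O17 - .*NameServer = (.*)", line)
    if m:  # DNS servers handed to the stack: compare against the known range
        for token in re.split(r"[ ,]+", m[1].strip()):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue
            if any(ip in net for net in WAREOUT_NETS):
                return "DNS server inside the hijacker's address range"
        return None
    m = re.match(r"O20 - AppInit_DLLs: (.*)", line)
    if m and m[1].strip() and not m[1].strip().lower().endswith(".dll"):
        return "AppInit_DLLs loads a file not even named as a DLL"
    return None


def triage(lines):
    """Return (reason, line) pairs for every log line that trips a rule."""
    hits = [(check_line(l.strip()), l.strip()) for l in lines]
    return [(r, l) for r, l in hits if r]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{line[:3]:<4}{reason}\n    {line}")
```

Everything flagged still needs a human look: a legitimate program in the Startup folder trips the user-writable rule just as readily, which is why the helper asks for the log rather than letting HijackThis fix things blind.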

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    FAUST,

    Welcome to Safer Networking.

    Please read Before You Post

    We need to have HJT in its own folder for backup purposes. I would prefer that you delete the older version and install the newer version by Trendmicro.


    Download and install Trendmicro's Hijackthis

    Download the Trendmicro Hijackthis Installer, follow defaults and it will install in C:\Program Files\Trendmicro\Hijackthis and this is exactly where we want it to be.

    • Open HJT Scan and Save a Log File, it will open in Notepad
    • Go to Format and make sure Wordwrap is Unchecked
    • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


    Your friend's computer is very heavily infected with all kinds of garbage.

    Let's do this first.

    Your computer has been hijacked by the lovely people in the Ukraine, you are infected with Wareout.

    85.255.112.200 - 85.255.127.255
    Inhoster hosting company
    OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    FixWareout Subratam
    FixWareout Lonny
    • Save it to your desktop and run it.
    • Click Next, then Install,
    • Then make sure "Run fixit" is checked and click Finish.
    • The fix will begin; follow the prompts.
    • You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • At the end of the fix, you may need to restart your computer again.

    Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply.

    Now let's check some settings on your system (for 2000/XP only).

    • Go to Start > control panel.
    • If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
    • Then right click on your default connection, usually local area connection for cable and dsl.
    • Left click on properties.
    • Click the Networking tab.
    • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
    • Press OK twice to get out of the properties screen and reboot if it asks.
      That option might not be available on some systems.

    • Next Go start> Run type cmd and hit OK
    • Type in ipconfig /flushdns then hit enter
      (that space between g and / is needed)
    • Type exit hit enter

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    I need to see:
    1. Wareout Report
    2. Combofix log
    3. New HJT log

  3. #3
    Member FAUST's Avatar
    Join Date
    Jan 2007
    Posts
    53

    Thanks for your help.
    I could see that it was heavily infected but didn't know where to begin, as HJT logs give me a headache.
    I'm working without direct access to this computer so it'll be Monday before I have the information.

    I've advised my friend to keep off the net as much as possible and am posting all reports from my own computer, but will pass all the information and relevant programs to my friend.

    New HJT? I only downloaded that version Tuesday, was running from a USB stick as my friend doesn't know much about computers and I'd written him a script to run HJT along with instructions on how to do it.

    PS had him run RogueRemover first but doesn't seem to have done much good.

    I will post back as soon as I have more info.

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Your HJT program from Trendmicro is current, I just need you to install it in its own folder. The changes we make to your system are related to the registry and we want to be able to access those changes and restore them if there is a problem. It would be easier for you to delete F:\HiJackThis.exe and the installer for the new download will install it in C:\Program Files\Trendmicro\Hijackthis. Another way around it is to go to Program Files and create a new folder and name it Hijackthis and Cut and Paste it into the new folder you just created. Either way, it's your call.

    See you Monday.

    Ken

  5. #5
    Member FAUST's Avatar
    Join Date
    Jan 2007
    Posts
    53

    Just to keep you in the picture. My friend seems to be having a run of bad luck at the minute, his ceiling collapsed over the weekend so that's his main priority at the minute.

    As soon as he's sorted that he'll give me the info and I'll pass it on.

    Sorry for the delay.

  6. #6
    Member FAUST's Avatar
    Join Date
    Jan 2007
    Posts
    53

    Quote Originally Posted by ken545
    Now let's check some settings on your system (for 2000/XP only).
    • Go to Start > control panel.
    • If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
    • Then right click on your default connection, usually local area connection for cable and dsl.
    • Left click on properties.
    • Click the Networking tab.
    • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
    • Press OK twice to get out of the properties screen and reboot if it asks.
      That option might not be available on some systems


    • Next Go start> Run type cmd and hit OK
    • Type in ipconfig /flushdns then hit enter
      (that space between g and / is needed)
    • Type exit hit enter
    My friend's PC won't let him do these things, it says he needs to contact his administrator even though he is the only user!

    He has no control panel on his start menu & I tried to get him to run it manually, "control netcpl.cpl", but it refuses. IPconfig also fails.

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Try this.

    It is quite possible that your DNS Service is not "running" (as in "Status" is not "started and running").

    • Go to Start> Run and type in services.msc then press Enter
    • Scroll down to DNS Client
    • Double-Click on DNS Client
    • Select to change the status to Start
    • OK your way out of the program.

    Now you can run your ipconfig /flushdns:

    • Next Go start> Run type cmd and hit OK
    • Type in ipconfig /flushdns then hit enter
      (that space between g and / is needed)
    • Type exit hit enter

    This computer sounds like it has some Windows issues as well; when your log is clean I will direct you to some Windows forums for Windows problems.

    Post a new HJT log, please.

  8. #8
    Member FAUST's Avatar
    Join Date
    Jan 2007
    Posts
    53

    I wondered if that was the case as it sounds like what my PC does, but I have disabled my DNS server on purpose. But I doubt if he would have, as I don't think he'd even know where to find the services (unless it and the control panel were already disabled when he bought the PC from DELL).

    I spent an hour on the phone with him tonight working through the problems with him, but as he couldn't get these 2 things working I told him to skip them and run the various programs anyway.

    I'll have the log files when I see him in the morning (at least these worked, except he now gets a runDLL error at startup; unfortunately he only gave me sketchy details about this but I assume it's something that has been removed that Windows is still looking for).

    OFFTOPIC: I hate not being able to edit these posts, my spelling sucks.

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Get the name of the file he is getting the error for and let me know what it is.

  10. #10
    Member FAUST's Avatar
    Join Date
    Jan 2007
    Posts
    53

    Here are the log files. Sorry I didn't post them yesterday, I was in bed all day sick. :(

    fixwareout:
    Username "Colin Wells" - 21/08/2007 20:59:34 [Fixwareout edited 2007/07/05]
    »»»»»Prerun check
    Could not flush the DNS Resolver Cache: Function failed during execution.

    System was rebooted successfully.

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    »»»»» Misc files.
    C:\Documents and Settings\Colin Wells\Application Data\Install.dat Deleted
    ....
    »»»»» Checking for older varients.
    ....
    »»»»» Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
    "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
    "IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
    "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
    "VirusScan"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
    "SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
    "VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
    "P2P Networking"="C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
    6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
    "YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
    "funk"="funk.exe"
    "bqqzwvm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\bqqzwvm.dll,horasxe"
    "yqexox.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\yqexox.dll,gtlmqyd"
    "gwiz"="C:\\Documents and Settings\\Colin Wells\\Application Data\\25965.exe"
    "findfast"="C:\\Documents and Settings\\Colin Wells\\Application Data\\findfast.exe"
    "svchost"="C:\\Documents and Settings\\Colin Wells\\Start Menu\\Programs\\Startup\\svchost.exe"
    "LaserJet"="C:\\WINDOWS\\system32\\spoolvs.exe"
    "WinAVX"="C:\\WINDOWS\\system32\\WinAvXX.exe"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
    "Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe -quiet"
    "findfast"="C:\\Documents and Settings\\Colin Wells\\Application Data\\findfast.exe"
    "svchost"="C:\\Documents and Settings\\Colin Wells\\Start Menu\\Programs\\Startup\\svchost.exe"
    "LaserJet"="C:\\WINDOWS\\system32\\spoolvs.exe"
    "WinAVX"="C:\\WINDOWS\\system32\\WinAvXX.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    Rustock pe386 is present
    »»»»» End report »»»»»

    combofix:
    ComboFix 07-08-14.4 - "Colin Wells" 2007-08-21 21:31:40.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.30 [GMT 1:00]
    * Created a new restore point
    Rootkit driver pe386 is present. ... attempting disinfection
    pe386 ...... driver unloaded successfully.
    ADS removed - system32: deleted 66600 bytes in 1 streams.
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\.protected
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\.protected
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
    C:\DOCUME~1\COLINW~1\APPLIC~1.\Ultimate Cleaner
    C:\DOCUME~1\COLINW~1\APPLIC~1\..\err.log
    C:\DOCUME~1\COLINW~1\APPLIC~1\..\ResErrors.log
    C:\DOCUME~1\COLINW~1\APPLIC~1\44360.exe
    C:\DOCUME~1\COLINW~1\APPLIC~1\winantiviruspro2006freeinstall[1].exe
    C:\DOCUME~1\COLINW~1\STARTM~1\Programs\Startup.\.protected
    C:\DOCUME~1\COLINW~1\STARTM~1\Programs\Startup.\system.exe
    C:\Documents and Settings\COLINW~1.\us0004.exe
    C:\Documents and Settings\COLINW~1.\wn0004.exe
    C:\Program Files\FunWebProducts
    C:\UWA7P
    C:\WINDOWS\.protected
    C:\WINDOWS\DOWNLO~1\WinAntiSpyware2007FreeInstall.exe
    C:\WINDOWS\system32\append.dll
    C:\WINDOWS\system32\drivers\etc\.protected
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\stera.log
    C:\WINDOWS\system32\WinAvXX.exe

    ((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))

    2007-08-21 21:26 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-21 20:59 7,162 --a------ C:\dnsbak.reg
    2007-08-16 21:29 <DIR> d-------- C:\Program Files\RogueRemover FREE
    2007-08-13 07:28 74,752 --a------ C:\WINDOWS\invoice.exe
    2007-08-12 14:54 8,192 --a------ C:\WINDOWS\SYSTEM32\arpl.exe
    2007-08-12 14:40 51,206 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\spoolsv.dll
    2007-08-12 01:25 37,376 --a------ C:\WINDOWS\SYSTEM32\vtr221.dll
    2007-08-11 10:03 122,648 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\drvcleaner.exe
    2007-08-10 22:29 6,144 --a------ C:\WINDOWS\SYSTEM32\spoolvs.exe
    2007-08-10 22:29 6,144 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\findfast.exe
    2007-08-10 07:35 95,696 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\sysdoctor.exe
    2007-08-08 07:30 87,760 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\errsafer.exe
    2007-08-07 01:10 92,880 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\errprotec.exe
    2007-08-05 15:23 14 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\update9999.exe
    2007-08-04 14:59 74,752 --a------ C:\WINDOWS\duekduac.exe
    2007-08-02 07:30 37,376 --a------ C:\WINDOWS\SYSTEM32\vtr135.dll

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2008-05-27 03:19 19456 --a------ C:\WINDOWS\system32\xlibgfl254.dll
    2007-08-16 21:28 --------- d-------- C:\Program Files\Winamp
    2007-08-12 14:01 87248 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\antivir.exe
    2007-08-02 07:30 --------- d-------- C:\DOCUME~1\COLINW~1\APPLIC~1\tiny
    2007-07-15 22:06 2 --a------ C:\DOCUME~1\COLINW~1\APPLIC~1\xxx.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{FE6BC4EF-5676-484B-88AE-883323913256}"= C:\PROGRA~1\Comet\Bin\csietb.dll [2003-04-16 10:54 60524]
    [HKEY_CLASSES_ROOT\CLSID\{FE6BC4EF-5676-484B-88AE-883323913256}]
    [HKEY_CLASSES_ROOT\CometIEToolbar.CometToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{878ACE1B-8DB0-4D75-9034-504756AD4215}]
    [HKEY_CLASSES_ROOT\CometIEToolbar.CometToolbar]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
    "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05]
    "VirusScan"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
    "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
    "P2P Networking"="C:\WINDOWS\System32\P2P Networking\P2P Networking.exe" [2004-08-21 19:21]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-11 20:34]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-09-02 15:00]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-22 14:37]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 13:02]
    "funk"="funk.exe" [2006-05-16 16:05 C:\WINDOWS\SYSTEM32\funk.exe]
    "bqqzwvm.dll"="C:\WINDOWS\system32\bqqzwvm.dll" []
    "yqexox.dll"="C:\WINDOWS\system32\yqexox.dll" []
    "findfast"="C:\Documents and Settings\Colin Wells\Application Data\findfast.exe" [2007-08-16 22:35]
    "svchost"="C:\Documents and Settings\Colin Wells\Start Menu\Programs\Startup\svchost.exe" [2007-08-16 22:35]
    "LaserJet"="C:\WINDOWS\system32\spoolvs.exe" [2007-08-10 22:29]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
    "AIM"="C:\PROGRA~1\AIM\aim.exe" [2004-06-15 16:36]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-03-18 13:06]
    "findfast"="C:\Documents and Settings\Colin Wells\Application Data\findfast.exe" [2007-08-16 22:35]
    "LaserJet"="C:\WINDOWS\system32\spoolvs.exe" [2007-08-10 22:29]
    "svchost"="C:\Documents and Settings\Colin Wells\Start Menu\Programs\Startup\svchost.exe" [2007-08-16 22:35]
    C:\Documents and Settings\Colin Wells\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\hrum221.txt
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 8.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 8.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\AOL 8.0 Tray Icon.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
    backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
    C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
    C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
    C:\Program Files\Common files\updmgr\updmgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe
    R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
    S3 Rapter2USBConexant;Generic 1.3 CMOS DSC;C:\WINDOWS\system32\DRIVERS\Rapvid.sys

    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-21 21:39:06
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Completion time: 2007-08-21 21:45:07 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-21 21:44
    --- E O F ---
    What if love's intolerable pain never leaves us?
    Do we dash our bleeding hearts on the rocks of loneliness?
    And cry unto the lords above who turn away in haste?
    MY DYING BRIDE
