
Thread: virtumondu again (different computer)

  1. #1
    Junior Member
    Join Date: Aug 2007
    Posts: 11

    virtumondu again (different computer)

    I have another nasty virus on another computer.
    I was not able to run the Kaspersky online scanner. I was able to go to the site and download the ActiveX control, but I believe it did not install all the way, and the definitions did not download. (ZoneAlarm is running on this machine; I tried to see what was possibly blocking it, but to no avail. I tried from IE 6.0.2 SP2. I put kaspersky.com in the trusted sites, still no luck.)

    I also ran Spybot 1.5 with all the updates in safe mode. It found 125 problems and fixed them. When I reran the scan it found 30, and fixed them. I did this three times. (I have not run it until it does not find anything yet.)

    On this computer all that was installed was the ZoneAlarm firewall. I went and bought the full (antivirus) package and installed it, because we were getting popups etc.

    I see WinFixer and SmitFraud-C.
    ZoneAlarm sees virtumude.azt and is trying to clean/delete/rename/quarantine it, and nothing works.

    This is the HJT logfile.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:19:19 PM, on 12/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\spoolcv.exe
    C:\WINDOWS\system32\lpcywinp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\146b8.exe
    C:\Program Files\QdrPack\QdrPack10.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmr...0&bm=bz_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...2.0&bm=bz_home
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Haca] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" -vt yazb
    O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
    O4 - Startup: Spruce - Auto Update.lnk.disabled
    O4 - Startup: TA_Start.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.kaspersky.com
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

    --
    End of file - 4731 bytes


    I would greatly appreciate any help you could give me. You guys were a great help one other time; please and thank you at the same time.

  2. #2
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi

    Navigate into the C:\Program Files\Trend Micro\HijackThis folder and rename the HijackThis.exe file -> getitdone.exe. Post a fresh HJT log after renaming is done.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date: Aug 2007
    Posts: 11

    repost of HJT

    Here is the requested log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:53 PM, on 12/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\spoolcv.exe
    C:\WINDOWS\system32\lpcywinp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QdrPack\QdrPack10.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBLPSWX.EXE
    C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBLJSWX.EXE
    C:\Program Files\Trend Micro\HijackThis\getitdone.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmr...0&bm=bz_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...2.0&bm=bz_home
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
    O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
    O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC} - C:\Program Files\Common Files\hokev4444.dll (file missing)
    O2 - BHO: (no name) - {2D4559CD-588E-42A4-88F6-DEEFADA4AB24} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {6b3eb38a-0c58-4d5f-a86b-70e17b2906b2} - C:\WINDOWS\system32\nqtlgbd.dll (file missing)
    O2 - BHO: (no name) - {7127E8FC-218B-4A82-A766-11F4BA791B64} - C:\Program Files\Common Files\hokev83122.dll (file missing)
    O2 - BHO: (no name) - {7F9EBA3D-84B9-43D0-8338-AB2D5F722497} - C:\WINDOWS\system32\jkklm.dll
    O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
    O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\jkkiffg.dll
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {B5ACAD68-438D-3B20-DA28-4FE604855EE5} - C:\WINDOWS\system32\ilrhvzhw.dll (file missing)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: 0 - {D7CBE96C-D706-4510-C8A4-450D5583C1DA} - C:\Program Files\Internet Explorer\lavupah.dll (file missing)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: (no name) - {F42D43E3-67A1-45C3-A642-2E48101514FC} - C:\Program Files\Common Files\hokev555077.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Haca] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" -vt yazb
    O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
    O4 - Startup: Spruce - Auto Update.lnk.disabled
    O4 - Startup: TA_Start.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.kaspersky.com
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

    --
    End of file - 8257 bytes
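
A small triage helper for HijackThis logs in the format posted above, added here as an example; it is not part of this thread and not a tool from it. It flags the persistence points the two logs expose (a modified UserInit, AppInit_DLLs, a Winlogon Notify DLL, a Policies\Explorer\Run autostart, BHOs with no name or missing file, services with no vendor, processes launched from a Temp directory); the sample log is constructed from entries in this thread, and the reason strings are this example's own wording.

```python
"""Triage a HijackThis (HJT v2) log for common malware persistence points.
Added example; the sample log below is constructed from entries in the thread."""

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in HJT format taken from the logs above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\146b8.exe
C:\WINDOWS\system32\lpcywinp.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {7F9EBA3D-84B9-43D0-8338-AB2D5F722497} - C:\WINDOWS\system32\jkklm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
"""


@dataclass
class Finding:
    item: str     # the process path or the full HJT entry line
    reason: str   # why it deserves a closer look


# Every HJT entry starts with a section code ("F2", "O2", "O20", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# The only value Winlogon's UserInit carries on a stock Windows XP install.
EXPECTED_USERINIT = [r"c:\windows\system32\userinit.exe"]


def flag_process(path: str):
    """Processes launched from a Temp directory are unusual for installed software."""
    if "\\temp\\" in path.lower():
        return "process running from a Temp directory"
    return None


def flag_entry(kind: str, body: str):
    """Return why an HJT entry deserves review, or None for an unremarkable one."""
    b = body.lower()
    if kind == "F2" and "userinit=" in b:
        # Anything prepended to userinit.exe runs at every interactive logon.
        value = b.split("userinit=", 1)[1]
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if parts != EXPECTED_USERINIT:
            return "UserInit altered: an extra executable runs at every logon"
    if kind == "O2" and ("(no name)" in b or "(file missing)" in b):
        return "BHO with no name or a missing file, loaded into Internet Explorer"
    if kind == "O4" and "policies\\explorer\\run" in b:
        return "autostart under Policies\\Explorer\\Run, a policy key malware abuses"
    if kind == "O20" and "appinit_dlls:" in b and b.split(":", 1)[1].strip():
        return "AppInit_DLLs set: the DLL is loaded into every process using user32"
    if kind == "O20" and "winlogon notify:" in b:
        return "Winlogon Notify DLL loaded by winlogon.exe at boot"
    if kind == "O23" and "unknown owner" in b:
        return "service with no vendor string"
    return None


def triage(log_text: str):
    """Walk an HJT log and collect findings from the process list and the entries."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:              # a blank line ends the process list
                in_processes = False
                continue
            reason = flag_process(line)
            if reason:
                findings.append(Finding(line, reason))
            continue
        m = ENTRY_RE.match(line)
        if m:
            reason = flag_entry(m.group("kind"), m.group("body"))
            if reason:
                findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.item}")
```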

  4. #4
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi

    1. Download this file - combofix.exe to your desktop.
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh HJT log.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

  5. #5
    Junior Member
    Join Date: Aug 2007
    Posts: 11

    combo fix log part 1

    ComboFix 07-12-17.1 - Owner 2007-12-17 12:27:54.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1493 [GMT -8:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\exglujov.dll
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Documents and Settings\Owner\Application Data\PPPATC~1
    C:\Documents and Settings\Owner\Application Data\PPPATC~1\?ppPatch\
    C:\Documents and Settings\Owner\Application Data\PPPATC~1\dvdplay.exe.vzr
    C:\Documents and Settings\Owner\Application Data\SMANTE~1
    C:\Documents and Settings\Owner\Application Data\SMANTE~1\r?gedit.exe
    C:\Documents and Settings\Owner\Desktop\searchus.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\3721
    C:\Program Files\3721\assist\asbar.dll
    C:\Program Files\3721\helper.dll
    C:\Program Files\Accoona
    C:\Program Files\Accoona\ASearchAssist.dll
    C:\Program Files\akl
    C:\Program Files\akl\akl.dll
    C:\Program Files\akl\akl.exe
    C:\Program Files\akl\curlog.htm
    C:\Program Files\akl\keylog.txt
    C:\Program Files\akl\readme.txt
    C:\Program Files\akl\uninstall.exe
    C:\Program Files\akl\unsetup.dat
    C:\Program Files\akl\unsetup.exe
    C:\Program Files\amsys
    C:\Program Files\amsys\awmsg.dat
    C:\Program Files\amsys\guid.dat
    C:\Program Files\amsys\ijl15.dll
    C:\Program Files\amsys\mfc42.dll
    C:\Program Files\amsys\msvcrt.dll
    C:\Program Files\amsys\unins000.dat
    C:\Program Files\amsys\unis000.exe
    C:\Program Files\amsys\winam.dat
    C:\Program Files\e-zshopper
    C:\Program Files\e-zshopper\BarLcher.dll
    C:\Program Files\ISM
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\p2pnetworks
    C:\Program Files\p2pnetworks\amp2pl.exe
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\dicts.gz
    C:\Program Files\QdrPack\QdrPack10.exe
    C:\Program Files\QdrPack\trgts.gz
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\bkR11
    C:\Temp\bkR11\ftCa.log
    C:\temp\tn3
    C:\WINDOWS\764.exe
    C:\WINDOWS\7search.dll
    C:\WINDOWS\absolute key logger.lnk
    C:\WINDOWS\aconti.exe
    C:\WINDOWS\aconti.ini
    C:\WINDOWS\aconti.log
    C:\WINDOWS\aconti.sdb
    C:\WINDOWS\acontidialer.txt
    C:\WINDOWS\adbar.dll
    C:\WINDOWS\cbinst$.exe
    C:\WINDOWS\daxtime.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\dp0.dll
    C:\WINDOWS\eventlowg.dll
    C:\WINDOWS\fhfmm-Uninstaller.exe
    C:\WINDOWS\fhfmm.exe
    C:\WINDOWS\flt.dll
    C:\WINDOWS\hcwprn.exe
    C:\WINDOWS\hotporn.exe
    C:\WINDOWS\IA
    C:\WINDOWS\IA\KE.vbs
    C:\WINDOWS\ie_32.exe
    C:\WINDOWS\iexplorr23.dll
    C:\WINDOWS\jd2002.dll
    C:\WINDOWS\kkcomp$.exe
    C:\WINDOWS\kkcomp.dll
    C:\WINDOWS\kkcomp.exe
    C:\WINDOWS\kvnab$.exe
    C:\WINDOWS\kvnab.dll
    C:\WINDOWS\kvnab.exe
    C:\WINDOWS\liqad$.exe
    C:\WINDOWS\liqad.dll
    C:\WINDOWS\liqad.exe
    C:\WINDOWS\liqui-Uninstaller.exe
    C:\WINDOWS\liqui.dll
    C:\WINDOWS\liqui.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\ngd.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\pbsysie.dll
    C:\WINDOWS\PerfInfo
    C:\WINDOWS\PerfInfo\7R37Gscq70.exe
    C:\WINDOWS\settn.dll
    C:\WINDOWS\spredirect.dll
    C:\WINDOWS\system32\ace16win.dll
    C:\WINDOWS\system32\acespy
    C:\WINDOWS\system32\acespy\__acelog.ndx
    C:\WINDOWS\system32\acespy\systune.exe
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\daSgo02
    C:\WINDOWS\system32\daSgo02\daSgo021099.exe
    C:\WINDOWS\system32\din.ip
    C:\WINDOWS\system32\dpqaqlqx.bin
    C:\WINDOWS\system32\drivers\blank.gif
    C:\WINDOWS\system32\drivers\box_2.gif
    C:\WINDOWS\system32\drivers\button_buynow.gif
    C:\WINDOWS\system32\drivers\button_freescan.gif
    C:\WINDOWS\system32\drivers\cell_bg.gif
    C:\WINDOWS\system32\drivers\cell_footer.gif
    C:\WINDOWS\system32\drivers\cell_header_block.gif
    C:\WINDOWS\system32\drivers\cell_header_remove.gif
    C:\WINDOWS\system32\drivers\cell_header_scan.gif
    C:\WINDOWS\system32\drivers\download_btn.jpg
    C:\WINDOWS\system32\drivers\download_now_btn.gif
    C:\WINDOWS\system32\drivers\footer_back.jpg
    C:\WINDOWS\system32\drivers\header_1.gif
    C:\WINDOWS\system32\drivers\header_2.gif
    C:\WINDOWS\system32\drivers\header_3.gif
    C:\WINDOWS\system32\drivers\header_4.gif
    C:\WINDOWS\system32\drivers\header_red_bg.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
    C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
    C:\WINDOWS\system32\drivers\infected.gif
    C:\WINDOWS\system32\drivers\main_back.gif
    C:\WINDOWS\system32\drivers\product_2_header.gif
    C:\WINDOWS\system32\drivers\product_2_name_small.gif
    C:\WINDOWS\system32\drivers\product_features.gif
    C:\WINDOWS\system32\drivers\rating.gif
    C:\WINDOWS\system32\drivers\screenshot.jpg
    C:\WINDOWS\system32\drivers\sep_hor.gif
    C:\WINDOWS\system32\drivers\sep_vert.gif
    C:\WINDOWS\system32\drivers\shadow.jpg
    C:\WINDOWS\system32\drivers\shadow_bg.gif
    C:\WINDOWS\system32\drivers\spacer.gif
    C:\WINDOWS\system32\drivers\star.gif
    C:\WINDOWS\system32\drivers\star_gray.gif
    C:\WINDOWS\system32\drivers\star_gray_small.gif
    C:\WINDOWS\system32\drivers\star_small.gif
    C:\WINDOWS\system32\drivers\style.css
    C:\WINDOWS\system32\drivers\symavc32.sys
    C:\WINDOWS\system32\drivers\warning_icon.gif
    C:\WINDOWS\system32\drivers\win_logo.gif
    C:\WINDOWS\system32\drivers\YET31.sys
    C:\WINDOWS\system32\ESHOPEE.exe
    C:\WINDOWS\system32\jkklm.dll
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\lpcywinp.exe
    C:\WINDOWS\system32\mlkkj.ini
    C:\WINDOWS\system32\mlkkj.ini2
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\sznf.ascii
    C:\WINDOWS\system32\vxddsk.exe
    C:\WINDOWS\system32\wcpicomsv32.exe
    C:\WINDOWS\system32\wml.exe
    C:\WINDOWS\system32\x64
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\wbeCheck.exe
    C:\WINDOWS\wbeInst$.exe
    C:\WINDOWS\wml.exe
    C:\WINDOWS\xadbrk.dll
    C:\WINDOWS\xadbrk.exe
    C:\WINDOWS\xadbrk_.exe
    C:\WINDOWS\xxxvideo.exe

    .

  6. #6
    Junior Member
    Join Date: Aug 2007
    Posts: 11

    combofix log part 2

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR
    -------\LEGACY_YET31
    -------\nm


    ((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
    .

    2007-12-17 12:48 . 2007-12-17 12:48 <DIR> d-------- C:\WINDOWS\PerfInfo
    2007-12-17 12:31 . 2007-12-17 12:31 37,376 --a------ C:\WINDOWS\system32\jkkiffg.dll.vir
    2007-12-14 15:17 . 2004-08-27 01:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-12-14 15:17 . 2004-11-15 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2007-12-14 15:17 . 2004-11-15 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
    2007-12-14 14:40 . 2007-12-14 16:12 1,109 --a------ C:\WINDOWS\wininit.ini
    2007-12-14 12:53 . 2007-12-14 12:53 <DIR> d-------- C:\WINDOWS\uuqdfudn
    2007-12-14 12:53 . 2007-12-14 12:53 <DIR> d-------- C:\WINDOWS\KBOpt
    2007-12-14 12:52 . 2007-12-14 12:52 <DIR> d-------- C:\WINDOWS\system32\ineWc13
    2007-12-14 12:52 . 2007-12-14 12:52 80,896 --a------ C:\WINDOWS\hchajghs.dll
    2007-12-14 12:52 . 2007-12-14 12:52 3,638 --a------ C:\winbhwb.exe
    2007-12-14 12:42 . 2007-12-14 12:42 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-14 12:41 . 2007-12-14 12:41 679,424 --a------ C:\WINDOWS\isRS-000.tmp
    2007-12-13 09:56 . 2007-12-14 16:28 1,122 --a------ C:\rollback.ini
    2007-12-12 19:13 . 2007-12-14 17:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MailFrontier
    2007-12-12 19:09 . 2007-12-17 12:47 2,369,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-12 19:09 . 2007-12-17 12:45 32,732 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-12 19:03 . 2007-12-13 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-12-12 14:42 . 2007-12-12 14:42 29 --a------ C:\WINDOWS\system32\typsghrw.tmp
    2007-12-12 14:41 . 2007-12-12 14:41 144,896 --a------ C:\winosmc.exe
    2007-12-12 14:21 . 2007-12-14 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2007-12-12 14:20 . 2007-12-12 14:20 <DIR> d-------- C:\WINDOWS\system32\ineWc06
    2007-12-12 14:20 . 2007-12-12 14:20 <DIR> d-------- C:\temp\tpBe12
    2007-12-12 14:20 . 2007-12-12 14:22 <DIR> d-------- C:\Program Files\Spruce
    2007-12-12 14:20 . 2007-12-12 14:20 97,280 -rahs---- C:\WINDOWS\system32\spoolcv.exe
    2007-12-12 14:20 . 2007-12-12 16:10 7,713 --a------ C:\WINDOWS\system32\ldcore.dll.vzr
    2007-12-12 14:20 . 2007-12-12 14:20 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
    2007-12-12 14:20 . 2007-12-12 14:20 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
    2007-12-12 14:19 . 2007-12-12 22:00 <DIR> d-------- C:\WINDOWS\system32\rex2
    2007-12-12 14:19 . 2007-12-13 13:52 <DIR> d-------- C:\WINDOWS\system32\doc4
    2007-12-12 14:19 . 2007-12-12 14:19 <DIR> d-------- C:\WINDOWS\system32\bbc5
    2007-12-12 14:19 . 2007-12-12 14:56 <DIR> d-------- C:\WINDOWS\system32\ashell3
    2007-12-12 14:19 . 2007-12-12 14:19 37,376 --a------ C:\WINDOWS\system32\jkkiffg.dll
    2007-12-05 10:32 . 2003-08-29 09:20 200,192 --a------ C:\WINDOWS\system32\lexlmpm.dll
    2007-11-27 14:57 . 2007-12-14 12:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-11-27 14:57 . 2007-11-27 14:57 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-14 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-05 21:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
    2007-11-15 00:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
    2007-11-09 17:50 --------- d-----w C:\Program Files\Intel
    2007-11-09 17:33 --------- d-----w C:\Program Files\Analog Devices
    2007-11-09 17:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-08 15:42 37,027 ----a-w C:\WINDOWS\atmoUn.exe
    2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
    2005-12-14 21:12 266 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2005-05-27 21:37 561,152 ----a-w C:\Documents and Settings\Owner\chatlnk.exe
    2005-04-04 23:55 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC}]
    C:\Program Files\Common Files\hokev4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
    2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6b3eb38a-0c58-4d5f-a86b-70e17b2906b2}]
    C:\WINDOWS\system32\nqtlgbd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7127E8FC-218B-4A82-A766-11F4BA791B64}]
    C:\Program Files\Common Files\hokev83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
    C:\Program Files\QdrDrive\QdrDrive8.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
    2007-12-12 14:19 37376 --a------ C:\WINDOWS\system32\jkkiffg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5ACAD68-438D-3B20-DA28-4FE604855EE5}]
    C:\WINDOWS\system32\ilrhvzhw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7CBE96C-D706-4510-C8A4-450D5583C1DA}]
    C:\Program Files\Internet Explorer\lavupah.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F42D43E3-67A1-45C3-A642-2E48101514FC}]
    C:\Program Files\Common Files\hokev555077.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Haca"="C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" []
    "QdrPack10"="C:\Program Files\QdrPack\QdrPack10.exe" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 05:34]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-13 22:39]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-08-13 22:41]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-08-13 22:38]
    "JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 04:44]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Spruce - Auto Update.lnk.disabled [2007-12-12 14:20:48]
    TA_Start.lnk.disabled [2007-12-12 16:49:09]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Internet Explorer\profsydyb.html
    FriendlyName=

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\jkkiffg.dll [2007-12-12 14:19 37376]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiffg]
    jkkiffg.dll 2007-12-12 14:19 37376 C:\WINDOWS\system32\jkkiffg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
    backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-08-13 22:41 114688 -ra------ C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-08-13 22:39 98304 -ra------ C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2006-06-14 15:24 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2003-12-10 04:21 380928 --a------ C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-08-13 22:38 94208 -ra------ C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-13 12:42 212992 --a------ C:\WINDOWS\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-10-31 19:42 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRFirstRun]
    rundll32 srclient.dll,CreateFirstRunRp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
    2004-10-18 14:05 135168 --a------ C:\Program Files\Digital Media Reader\shwiconem.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "vsmon"=2 (0x2)
    "PrismXL"=2 (0x2)
    "ose"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "WebBuying"=C:\Program Files\Web Buying\v1.8.6\webbuying.exe
    "Rquzm"="C:\Documents and Settings\Owner\Application Data\S?mantec\r?gedit.exe"
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "{37-7F-F7-71-ZN}"=C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001.exe CHD001
    "io43mvuiw4kj"=C:\WINDOWS\io43mvuiw4kj.exe
    "runner1"=C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
    "winshow"="C:\WINDOWS\winshow.exe"

    R2 Windows Hosts Plugin;Windows Hosts Plugin;"C:\WINDOWS\system32\spoolcv.exe" [2007-12-12 14:20]
    S3 AFW;AFW;C:\DOCUME~1\Owner\LOCALS~1\Temp\0007af1a.sys []
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 04:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \Shell\AutoRun\command - J:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25dd7503-8e96-11dc-ad10-806d6172696f}]
    \Shell\AutoRun\command - E:\Bin\Assetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51b58841-9aae-11db-bb80-001111a6cf2f}]
    \Shell\AutoRun\command - J:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e337a41-3759-11d9-96af-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2005-03-30 21:45:59 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2005-03-30 21:45:59 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-17 12:48:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\jkkiffg.dll

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
    -> C:\WINDOWS\KBOpt\kjezmxup.dll
    .
    Completion time: 2007-12-17 12:50:35 - machine was rebooted
    .
    2007-11-10 09:09:09 --- E O F ---

  7. #7
    Junior Member
    Join Date
    Aug 2007
    Posts
    11

    Default HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:34:36 PM, on 12/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\spoolcv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Trend Micro\HijackThis\getitdone.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...2.0&bm=bz_home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC} - C:\Program Files\Common Files\hokev4444.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
    O2 - BHO: (no name) - {6b3eb38a-0c58-4d5f-a86b-70e17b2906b2} - C:\WINDOWS\system32\nqtlgbd.dll (file missing)
    O2 - BHO: (no name) - {7127E8FC-218B-4A82-A766-11F4BA791B64} - C:\Program Files\Common Files\hokev83122.dll (file missing)
    O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
    O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\jkkiffg.dll
    O2 - BHO: (no name) - {B5ACAD68-438D-3B20-DA28-4FE604855EE5} - C:\WINDOWS\system32\ilrhvzhw.dll (file missing)
    O2 - BHO: 0 - {D7CBE96C-D706-4510-C8A4-450D5583C1DA} - C:\Program Files\Internet Explorer\lavupah.dll (file missing)
    O2 - BHO: (no name) - {F42D43E3-67A1-45C3-A642-2E48101514FC} - C:\Program Files\Common Files\hokev555077.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Haca] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\dvdplay.exe" -vt yazb
    O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [7R37Gscq70] rundll32.exe "C:\WINDOWS\KBOpt\kjezmxup.dll",DllCleanServer
    O4 - Startup: Spruce - Auto Update.lnk.disabled
    O4 - Startup: TA_Start.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.kaspersky.com
    O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

    --
    End of file - 5508 bytes

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    To make sure TeaTimer won't interfere with fixing, it's better to disable it until the system is clean.

    Disable Spybot's TeaTimer
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer

    Start hjt, click do a system scan only, check:
    O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html

    Close browsers and other windows. Click fix checked.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\jkkiffg.dll.vir
    C:\WINDOWS\hchajghs.dll
    C:\winbhwb.exe
    C:\WINDOWS\system32\typsghrw.tmp
    C:\winosmc.exe
    C:\WINDOWS\system32\spoolcv.exe
    C:\WINDOWS\system32\ldcore.dll.vzr
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\system32\jpewocmz.ini
    C:\WINDOWS\system32\jkkiffg.dll
    C:\Program Files\Common Files\hokev4444.dll
    C:\WINDOWS\system32\nqtlgbd.dll
    C:\Program Files\Common Files\hokev83122.dll
    C:\WINDOWS\system32\jkkiffg.dll
    C:\WINDOWS\system32\ilrhvzhw.dll
    C:\Program Files\Internet Explorer\lavupah.dll
    C:\Program Files\Common Files\hokev555077.dll
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Spruce - Auto Update.lnk.disabled
    C:\Program Files\Internet Explorer\profsydyb.html
    C:\WINDOWS\system32\jkkiffg.dll
    C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001.exe
    C:\WINDOWS\io43mvuiw4kj.exe
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\winshow.exe
    
    Driver::
    "Windows Hosts Plugin"
    AFW
    
    Folder::
    C:\WINDOWS\uuqdfudn
    C:\WINDOWS\KBOpt
    C:\WINDOWS\system32\ineWc13
    C:\WINDOWS\system32\ineWc06
    C:\temp
    C:\WINDOWS\system32\rex2
    C:\WINDOWS\system32\doc4
    C:\WINDOWS\system32\bbc5
    C:\WINDOWS\system32\ashell3
    C:\Program Files\Spruce
    C:\Program Files\Web Buying
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6b3eb38a-0c58-4d5f-a86b-70e17b2906b2}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7127E8FC-218B-4A82-A766-11F4BA791B64}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5ACAD68-438D-3B20-DA28-4FE604855EE5}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7CBE96C-D706-4510-C8A4-450D5583C1DA}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F42D43E3-67A1-45C3-A642-2E48101514FC}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Haca"=-
    "QdrPack10"=-
    
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiffg]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "WebBuying"=-
    "Rquzm"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "{37-7F-F7-71-ZN}"=-
    "io43mvuiw4kj"=-
    "runner1"=-
    "winshow"=-

    Save this as CFScript

    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & a fresh hjt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
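    The triage the fix above does by hand (picking out the BHOs marked "(file missing)" or "(no name)", the O20 Winlogon Notify DLL that is also registered as a BHO, the O23 service with an unknown owner and the O24 desktop component) can be written down as a small parser over HijackThis lines. This is an added Python example, not code from the thread or from HijackThis; its sample input is a handful of lines copied from the log posted above.

```python
import re
# Constructed sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2406DF9E-F84A-4F3D-8BE6-A0CABE8EF4CC} - C:\Program Files\Common Files\hokev4444.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\jkkiffg.dll
O20 - Winlogon Notify: jkkiffg - C:\WINDOWS\SYSTEM32\jkkiffg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsydyb.html
"""

# One regex per HijackThis section of interest; the path group is greedy because paths may contain " - ".
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
    "O24": re.compile(r"^O24 - Desktop Component \d+: (?P<name>.+?) - (?P<path>.+)$"),
}

def parse(text):
    # Turn HJT lines into dicts carrying the section id plus the regex groups.
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                entries.append({"section": section, **m.groupdict()})
                break
    return entries

def triage(text):
    """Return the entries a helper would look at first, each with a reason."""
    entries = parse(text)
    # A Winlogon Notify DLL is loaded into winlogon.exe; note when the same file is
    # also registered as a BHO (the jkkiffg.dll pattern seen in this thread).
    bho_files = {e["path"].lower() for e in entries if e["section"] == "O2"}
    flagged = []
    for e in entries:
        s, path, name = e["section"], e["path"], e["name"]
        reason = None
        if s == "O2" and ("(file missing)" in path or name == "(no name)"):
            reason = "orphaned or unnamed BHO"
        elif s == "O20":
            reason = "Winlogon Notify DLL"
            if path.lower() in bho_files:
                reason += ", also registered as a BHO"
        elif s == "O23" and e["owner"] == "Unknown owner":
            reason = "service with unknown owner"
        elif s == "O24":
            reason = "desktop component pointing at a local HTML file"
        if reason:
            flagged.append({"section": s, "path": path, "reason": reason})
    return flagged
```

    Running `triage(SAMPLE_HJT)` returns the five entries the fix script above removes, in log order, each tagged with the reason it was selected.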

  9. #9
    Junior Member
    Join Date
    Aug 2007
    Posts
    11

    Default on hold

    hello,
    We chose to get a new HD and install a fresh OS, etc.

    Is this pretty easily cleaned off? Can you tell if there are any bots?

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Don't see bots there. Cleaning should be highly possible.
