
Thread: New to these issues, I am trying to do this right.

  1. #1
    Junior Member (Join Date: May 2008, Location: Wisconsin, Posts: 16)

    New to these issues, I am trying to do this right.

    OK, yesterday I leaped into a post from someone else with similar problems, and tried the fix listed there.

    Today I read the sticky and am doing this again.

    I am not sure what I have. I get the occasional Explorer or Firefox window opening by itself to random websites. Every so often Spybot will start opening little windows advising me of a Web Helper Object being changed. This happens about every 2 seconds.

    Finally, whatever this is has reset my Windows Update utility to disabled and I cannot seem to re-enable it.

    From the sticky, I hit the link to the Kaspersky site, hit the accept button and nothing much happens, so I cannot at this time print a log from there.

    If there is a way to make this work please let me know.

    I went to the HiJackThis link and this is the log it gave me:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:18:21 PM, on 5/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Brian\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...N=PLHS&O=I&UT=
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\ramjbsgl.dll",s
    O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\swevdgiy.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165792850984
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 4910 bytes


    Now, I am including the files from the fix I visited too. Just in case it might help.

    First from fixware:

    Username "Brian" - 05/13/2008 11:34:10 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
    "UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
    "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "BM2741a295"="Rundll32.exe \"C:\\WINDOWS\\system32\\ysdqtawl.dll\",s"
    "24729109"="rundll32.exe \"C:\\WINDOWS\\system32\\swevdgiy.dll\",b"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~


    Next from ComboFix


    Thank you for any help here.

  2. #2
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I will take just a moment to tell you that sooner or later you are going to damage your computer running tools you are not sure you need. Just because it sounds like your problem, does not mean it is. We train for years to recognize the malware so we do not (hopefully) run a tool that will damage your system.

    I would still like the Kaspersky Online Scan, but wait until I give you more instructions a little later.

    You are infected; I suggest you keep this computer offline except when troubleshooting, since the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    This can be a tough infection to remove so do not expect fast or easy.

    1) C:\Documents and Settings\Brian\Desktop\HiJackThis.exe <<< return here and create a folder called HJT, then move the log and the HJT.exe into that folder.
    Now rename the HJT.exe, call it blikblik.exe, that will work. The hackers hide their junk from HJT and this may help us see it after a restart. Because two moves were required due to the location you placed HJT, this is what it will look like if you did it as instructed.
    C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

    2) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
    * Run Spybot-S&D in Advanced Mode.
    * If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
    * On the left hand side, Click on Tools
    * Then click on the Resident Icon in the List
    * Uncheck "Resident TeaTimer" and OK any prompts.
    * Restart your computer.
    (leave TT disabled until we finish)

    3) Remove any old copies of combofix before you proceed.

    Thanks to sUBs and anyone else who helped with this fix.

    It is important that it is saved directly to your Desktop

    Download ComboFix from Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the combofix log and a new HJT log.

    Tutorial if needed:
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member (Join Date: May 2008, Location: Wisconsin, Posts: 16)

    I am hung up on combofix.

    I followed your instructions. I have the HJT log on the other computer, and will get it to you.

    For now, I ran a new copy of combofix and it did fine, rebooted, and is now telling me that it is preparing a report, and not to do anything till it is finished.

    It seems to have hung up at this point.

  4. #4
    Junior Member (Join Date: May 2008, Location: Wisconsin, Posts: 16)

    Now it worked

    OK, it worked.

    Here are the logs.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:09:51 PM, on 5/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...N=PLHS&O=I&UT=
    O2 - BHO: (no name) - {2BD8E7E2-E68E-4C6C-AFDF-8FC9C43AAC4A} - C:\WINDOWS\system32\ssqPigee.dll
    O2 - BHO: {cad89d81-4bfa-4809-01a4-4fb654304fd6} - {6df40345-6bf4-4a10-9084-afb418d98dac} - C:\WINDOWS\system32\ujhjnjyb.dll
    O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
    O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
    O2 - BHO: (no name) - {C4C6D994-A81C-495A-B8EE-1D32A93D26EF} - C:\WINDOWS\system32\ljJARiiH.dll
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\xciomsir.dll",s
    O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\jljjwpuy.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165792850984
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5389 bytes

    And the combofix log:

    ComboFix 08-05-12.1 - Brian 2008-05-13 17:38:32.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.597 [GMT -5:00]
    Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\pskt.ini
    C:\WINDOWS\SYSTEM32\HiiRAJjl.ini
    C:\WINDOWS\SYSTEM32\HiiRAJjl.ini2
    C:\WINDOWS\SYSTEM32\shaimetk.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
    .

    2008-05-13 17:43 . 2008-05-13 17:43 294 ---hs---- C:\WINDOWS\SYSTEM32\shaimetk.ini
    2008-05-13 17:42 . 2008-05-13 17:42 22 --a------ C:\WINDOWS\pskt.ini
    2008-05-13 17:35 . 2008-05-13 17:35 93,248 --a------ C:\WINDOWS\SYSTEM32\ktemiahs.dll
    2008-05-13 17:33 . 2008-05-13 17:33 115,776 --a------ C:\WINDOWS\SYSTEM32\anvudxaq.dll
    2008-05-13 17:33 . 2008-05-13 17:33 109,632 --a------ C:\WINDOWS\SYSTEM32\liykayqu.dll
    2008-05-13 17:33 . 2008-05-13 17:33 2,112 --a------ C:\WINDOWS\SYSTEM32\vcoxmsck.exe
    2008-05-13 17:32 . 2008-05-13 17:32 347 --ahs---- C:\WINDOWS\SYSTEM32\eegiPqss.ini
    2008-05-13 17:30 . 2008-05-13 17:30 294 ---hs---- C:\WINDOWS\SYSTEM32\yupwjjlj.ini
    2008-05-13 17:28 . 2008-05-13 17:28 109,632 --a------ C:\WINDOWS\SYSTEM32\vholikur.dll
    2008-05-13 17:07 . 2008-05-13 17:07 115,776 --a------ C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
    2008-05-13 17:05 . 2008-05-13 17:05 109,632 --a------ C:\WINDOWS\SYSTEM32\xciomsir.dll
    2008-05-13 17:05 . 2008-05-13 17:05 2,112 --a------ C:\WINDOWS\SYSTEM32\hlgccqru.exe
    2008-05-13 16:50 . 2008-05-13 16:50 115,776 --a------ C:\WINDOWS\SYSTEM32\xwfkepuw.dll
    2008-05-13 16:48 . 2008-05-13 16:48 2,112 --a------ C:\WINDOWS\SYSTEM32\orssulxn.exe
    2008-05-13 13:40 . 2008-05-13 13:40 109,632 --a------ C:\WINDOWS\SYSTEM32\cuecvhsx.dll
    2008-05-13 12:53 . 2008-05-13 12:53 <DIR> d-------- C:\Deckard
    2008-05-13 12:06 . 2008-05-13 12:06 93,248 --a------ C:\WINDOWS\SYSTEM32\fisrxabs.dll
    2008-05-13 12:03 . 2008-05-13 12:03 115,776 --a------ C:\WINDOWS\SYSTEM32\vgvpndpp.dll
    2008-05-13 12:03 . 2008-05-13 12:03 2,112 --a------ C:\WINDOWS\SYSTEM32\xeppqalk.exe
    2008-05-13 12:01 . 2008-05-13 12:01 109,632 --a------ C:\WINDOWS\SYSTEM32\ramjbsgl.dll
    2008-05-13 11:59 . 2008-05-13 12:00 370,688 --a------ C:\WINDOWS\SYSTEM32\ljJARiiH.dll
    2008-05-13 11:55 . 2008-05-13 14:46 654 ---hs---- C:\WINDOWS\SYSTEM32\yigdvews.ini
    2008-05-13 10:00 . 2008-05-13 10:00 115,776 --a------ C:\WINDOWS\SYSTEM32\ugblvkjs.dll
    2008-05-13 10:00 . 2008-05-13 10:00 2,112 --a------ C:\WINDOWS\SYSTEM32\nkbetitq.exe
    2008-05-13 09:57 . 2008-05-13 17:43 109,803 --a------ C:\WINDOWS\BM2741a295.xml
    2008-05-13 09:57 . 2008-05-13 09:57 108,608 --a------ C:\WINDOWS\SYSTEM32\ysdqtawl.dll
    2008-05-12 21:52 . 2008-05-12 21:52 370,688 --a------ C:\WINDOWS\SYSTEM32\ssqPigee.dll
    2008-05-12 21:05 . 2008-05-13 11:41 <DIR> d-------- C:\fixwareout
    2008-05-12 20:32 . 2008-05-12 20:32 23,981 --a------ C:\WINDOWS\SYSTEM32\datmps.dll
    2008-05-12 20:32 . 2008-05-12 20:32 8,816 --a------ C:\WINDOWS\SYSTEM32\wlite.sys
    2008-05-12 18:33 . 2008-05-12 18:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2008-05-12 17:13 . 2008-05-12 21:11 525 --a------ C:\WINDOWS\wininit.ini
    2008-05-12 17:09 . 2008-05-12 17:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
    2008-05-12 17:09 . 2008-05-12 17:21 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\StumbleUpon
    2008-05-12 16:45 . 2008-05-12 16:45 <DIR> d-------- C:\My Video
    2008-05-12 14:40 . 2008-05-12 16:46 56 --a------ C:\WINDOWS\cryavitompeg.ini
    2008-05-12 14:39 . 2008-05-12 16:46 5 --a------ C:\WINDOWS\SYSTEM32\SySavitompeg.dat
    2008-05-12 14:38 . 2008-05-12 14:38 <DIR> d-------- C:\Program Files\Crystal Software
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\winRem
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\spoolX
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\MUI2
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\dFrnx05
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\1036a
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\Temp\tmpvc14
    2008-05-12 14:24 . 2008-05-12 14:25 <DIR> d-------- C:\Program Files\winvi
    2008-05-12 14:24 . 2008-05-12 14:24 493,862 --a------ C:\Temp\dUbc1002.exe
    2008-05-12 14:23 . 2008-05-12 14:23 28,672 --a------ C:\WINDOWS\SYSTEM32\byXPFwtR.dll
    2008-05-04 13:09 . 2008-05-04 13:10 <DIR> d-------- C:\Program Files\WordBiz
    2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
    2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSScanAppDataDir
    2008-05-02 17:15 . 2008-05-02 17:15 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Hewlett-Packard
    2008-05-02 17:14 . 2008-05-12 17:19 <DIR> d-------- C:\Documents and Settings\Admin
    2008-05-02 17:14 . 2008-05-13 17:42 1,024 --ah----- C:\Documents and Settings\Admin\NTUSER.dat.LOG
    2008-04-17 15:10 . 2008-04-17 15:10 107,888 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
    2008-04-17 13:53 . 2008-04-17 13:53 <DIR> d-------- C:\Program Files\Atari

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-13 16:29 --------- d-----w C:\Program Files\LimeWire
    2008-05-12 23:35 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-12 22:12 --------- d-----w C:\Program Files\4U Computing
    2008-05-12 22:11 --------- d-----w C:\Program Files\StumbleUpon
    2008-05-12 19:40 --------- d-----w C:\Program Files\Incomplete
    2008-05-12 19:09 --------- d-----w C:\Documents and Settings\Brian\Application Data\LimeWire
    2008-05-11 15:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2008-04-17 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-12 17:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-12 17:42 --------- d-----w C:\Program Files\Safer Networking
    2008-04-08 20:37 --------- d-----w C:\Program Files\Scholastic
    2008-04-04 22:11 --------- d-----w C:\Program Files\QuickTime
    2008-03-31 15:24 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-03-20 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-19 23:47 --------- d-----w C:\Documents and Settings\Brian\Application Data\Netscape
    2008-03-19 17:26 --------- d-----w C:\Program Files\Java
    2008-03-19 16:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
    2008-03-19 15:47 --------- d-----w C:\Program Files\MSBuild
    2008-03-19 15:45 --------- d-----w C:\Program Files\Reference Assemblies
    2007-01-30 23:38 194,376 -c--a-w C:\Documents and Settings\Brian\Application Data\shb.dat
    2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
    2005-04-20 00:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-12_21.55.18.89 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-13 02:46:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-13 22:41:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-13 22:42:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_584.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BD8E7E2-E68E-4C6C-AFDF-8FC9C43AAC4A}]
    2008-05-12 21:52 370688 --a------ C:\WINDOWS\system32\ssqPigee.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6ca7d47b-09a9-4ee1-a833-0cda564568b0}]
    2008-05-13 17:33 115776 --a------ C:\WINDOWS\system32\anvudxaq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7580F730-9EE7-45BF-9D0F-70C619FFD9E4}]
    C:\WINDOWS\system32\urqOIXQH.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
    2008-05-12 14:23 28672 --a------ C:\WINDOWS\system32\byXPFwtR.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9BDC073-C661-420E-804B-37DE47749842}]
    2008-05-13 12:00 370688 --a------ C:\WINDOWS\system32\ljJARiiH.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 04:01 135264]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 04:00 90112]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 12:14 185896]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-30 21:57 77824]
    "24729109"="C:\WINDOWS\system32\ktemiahs.dll" [2008-05-13 17:35 93248]
    "BM2741a295"="C:\WINDOWS\system32\liykayqu.dll" [2008-05-13 17:33 109632]

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18 147456]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\byXPFwtR.dll [2008-05-12 14:23 28672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPFwtR]
    byXPFwtR.dll 2008-05-12 14:23 28672 C:\WINDOWS\SYSTEM32\byXPFwtR.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wlite.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
    R1 wlite;WMV9 Codec;C:\WINDOWS\system32\wlite.sys [2008-05-12 20:32]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
    R2 HIDKbFlt;HIDKbFlt.SvcDesc%;C:\WINDOWS\system32\DRIVERS\HIDKbFlt.sys [2005-07-25 05:13]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-13 17:43:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\shaimetk.ini 294 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\byXPFwtR.dll

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\ktemiahs.dll
    -> C:\WINDOWS\system32\liykayqu.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\SYSTEM32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
    C:\WINDOWS\SYSTEM32\verclsid.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-13 17:50:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-13 22:50:19
    ComboFix2.txt 2008-05-13 22:30:16
    ComboFix3.txt 2008-05-13 17:03:30
    ComboFix4.txt 2008-05-13 02:56:05

    Pre-Run: 68,186,636,288 bytes free
    Post-Run: 68,177,149,952 bytes free

    194 --- E O F --- 2008-04-09 08:03:29


    Hope this helps, and thank you.

    I am shutting this computer down and will monitor responses on the laptop.

    Thank you again.

  5. #5
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Thanks for returning your logs. I have a problem, I believe. I need to see HJT after ComboFix so I can see what the tool did. If I am correct:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:09:51 PM, on 5/13/2008
    (17:09)

    ComboFix 08-05-12.1 - Brian 2008-05-13 17:38:32.4

    I will need a new HJT log, always run HJT after all the tools as it is our picture of what has been accomplished. Now having said that, I see a load of files I believe are Vundo files.
    Files Created from 2008-04-13 to 2008-05-13 <<< you can see them in this area of the combofix log. We can remove them manually with a script, but I would like to see if another Vundo removal tool will find and remove any of them first. Looks like the hackers have changed their junk again.

    I can see a lot of the junk in the log now, let's see if Vundofix will find any of it. I should mention that you can remove Fixwareout from your computer, there appears to have been no wareout infection.

    Thanks to Atribune and any others who helped with this fix.

    Download VundoFix to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Follow these directions starting at: Normal Usage for Removal
    http://vundofix.atribune.org/

    Post the Vundofix.txt and a new HJT log
    Vundofix.txt will be on the C:\

    Thanks...Phil

    (likely my last post tonight, I start early and shutdown about 8:00 PM EST)
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    Default OK new info.

    I made a HJT log just before I ran the VundoFix program.

    Here it is:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:58:51 PM, on 5/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfru07.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...N=PLHS&O=I&UT=
    O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll
    O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
    O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
    O2 - BHO: (no name) - {A2E572E9-B077-4BB6-B170-C505362615D2} - C:\WINDOWS\system32\ljJARiiH.dll
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
    O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165792850984
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5335 bytes


    Then I installed and ran VundoFix. It did not find or fix anything, but here is the log it created:

    VundoFix V7.0.3

    Scan started at 7:02:47 PM 5/13/2008

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...


    Then I ran a second HJT log just a few minutes ago and this is what we have:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:46:05 AM, on 5/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...N=PLHS&O=I&UT=
    O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll
    O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
    O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
    O2 - BHO: (no name) - {8CB49199-1BA8-43EF-A28C-E8DBA4195F79} - C:\WINDOWS\system32\ljJARiiH.dll
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
    O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165792850984
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5328 bytes


    I hope this helps.

    Thank you.

    Once again I am shutting down and monitoring this on another computer.

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Ok and thanks for trying, let's communicate a little.
    I do not need a HJT log prior to running a tool, only after. The more information posted that is not needed, the harder the topic is to work with. With Vundofix finding nothing I will need to Google each file that looks bad. Then I will ask you to scan a few at random prior to removing them all. It looks like the hackers are trying something new, so we may be the first to run into it, and combofix does not have the data yet, nor Vundofix. What you can do on your end is check each file in the "code box" for the CFScript, or check them randomly if you wish. I am fairly certain they were put there by the infection, but it does not hurt to check. Here are free online scanners you can use:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/

    Once you see enough to be satisfied, then go for it.

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.


    3) Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINDOWS\SYSTEM32\shaimetk.ini
    C:\WINDOWS\SYSTEM32\ktemiahs.dll
    C:\WINDOWS\SYSTEM32\anvudxaq.dll
    C:\WINDOWS\SYSTEM32\liykayqu.dll
    C:\WINDOWS\SYSTEM32\vcoxmsck.exe
    C:\WINDOWS\SYSTEM32\eegiPqss.ini
    C:\WINDOWS\SYSTEM32\yupwjjlj.ini
    C:\WINDOWS\SYSTEM32\vholikur.dll
    C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
    C:\WINDOWS\SYSTEM32\xciomsir.dll
    C:\WINDOWS\SYSTEM32\hlgccqru.exe
    C:\WINDOWS\SYSTEM32\xwfkepuw.dll
    C:\WINDOWS\SYSTEM32\orssulxn.exe
    C:\WINDOWS\SYSTEM32\cuecvhsx.dll
    C:\WINDOWS\SYSTEM32\fisrxabs.dll
    C:\WINDOWS\SYSTEM32\vgvpndpp.dll
    C:\WINDOWS\SYSTEM32\xeppqalk.exe
    C:\WINDOWS\SYSTEM32\ramjbsgl.dll
    C:\WINDOWS\SYSTEM32\ljJARiiH.dll
    C:\WINDOWS\SYSTEM32\yigdvews.ini
    C:\WINDOWS\SYSTEM32\ugblvkjs.dll
    C:\WINDOWS\SYSTEM32\nkbetitq.exe
    C:\WINDOWS\SYSTEM32\ysdqtawl.dll
    C:\WINDOWS\SYSTEM32\ssqPigee.dll
    C:\WINDOWS\system32\envchjra.dll
    C:\WINDOWS\system32\byXPFwtR.dll
    C:\WINDOWS\system32\yjhmtoyh.dll
    C:\WINDOWS\system32\rljsxsfr.dll
    
    
    Folder::
    C:\fixwareout

    Save this as CFScript



    Referring to the picture above, drag CFScript into ComboFix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll
    O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
    O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
    O2 - BHO: (no name) - {8CB49199-1BA8-43EF-A28C-E8DBA4195F79} - C:\WINDOWS\system32\ljJARiiH.dll
    O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
    O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
    O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post the combofix report, a new HJT log and some feedback from you. This one is tough and very, very time consuming.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
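As an added example, not code from this thread or from any of the tools it mentions (HijackThis, ComboFix, VundoFix): a small Python script that parses the HijackThis log format and the CFScript File:: section shown above, and flags the HJT lines a helper would ask to have checked, that is, entries whose file is named in the script, unnamed or missing BHOs, rundll32 Run entries that load a DLL from system32, and Winlogon Notify hooks. The sample lines are constructed from the logs quoted in this thread; the flagging rules are the example's own heuristics, not HJT's.

```python
import re

# Constructed sample input: a few lines in the HijackThis v2 log format,
# taken from the logs quoted in this thread (file names are the thread's own).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed sample CFScript: a shortened version of the one posted above.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\ktemiahs.dll
C:\WINDOWS\system32\byXPFwtR.dll
C:\WINDOWS\system32\yjhmtoyh.dll

Folder::
C:\fixwareout
"""

# A Windows path ending in .dll/.exe/.ini; non-greedy so it stops at the extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\n"]*?\.(?:dll|exe|ini)', re.IGNORECASE)
SECTION_RE = re.compile(r"^(?P<kind>\w+)::\s*$")
# O4 line that uses rundll32 to load a DLL from the system32 directory.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]*\\system32\\[^"]*\.dll"', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (None-safe)."""
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def parse_cfscript(text):
    """Split a CFScript into its 'Kind::' sections, e.g. {'File': [...], 'Folder': [...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("kind")
            sections.setdefault(current, [])
        elif line and current:
            sections[current].append(line)
    return sections


def parse_hjt(text):
    """One dict per 'Oxx - ...' / 'Rx - ...' HJT line: section, full line, referenced path."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+|R\d+) - ", line)
        if not m:
            continue
        path = PATH_RE.search(line)
        entries.append({"section": m.group(1), "line": line,
                        "path": path.group(0) if path else None})
    return entries


def triage(entries, cfscript):
    """Map each HJT line worth checking to the list of reasons it was flagged."""
    listed = {basename(p) for p in cfscript.get("File", [])}
    flagged = {}
    for e in entries:
        reasons = []
        if basename(e["path"]) in listed:
            reasons.append("file is in the CFScript File:: list")
        if e["section"] == "O2" and ("(no name)" in e["line"] or "(file missing)" in e["line"]):
            reasons.append("unnamed or missing BHO")
        if e["section"] == "O4" and RUNDLL_RE.search(e["line"]):
            reasons.append("rundll32 loads a system32 DLL at logon")
        if e["section"] == "O20":
            reasons.append("Winlogon Notify hook: runs inside winlogon.exe at logon")
        if reasons:
            flagged[e["line"]] = reasons
    return flagged


if __name__ == "__main__":
    for line, why in triage(parse_hjt(SAMPLE_HJT_LOG), parse_cfscript(SAMPLE_CFSCRIPT)).items():
        print(line, "\n    ->", "; ".join(why))
```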

  8. #8
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    Default Quick question.

    You wrote:

    What you can do on your end is check each file in the "code box" for the CFScript or check them randomly if you wish. I am fairly certain they were put there by the infection, but it does not hurt to check. Here are free online scanners you can use:

    I am sorry, but I am not an expert here. What is the code box for the CFScript?

    I currently have the Kaspersky lab check running.

    The virus total one seems to want me to send it individual files.

    And should I just go ahead and start with your step one and continue from there also?

  9. #9
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    Default Oops went too soon.

    I still cannot get Kaspersky to work.

    It goes to the page where I have an accept/decline option and when I hit accept it shows about 2-3 brief communications between my computer and Kaspersky and then says done without actually doing anything.

    Thank you again.

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Code:
    File::
    C:\WINDOWS\SYSTEM32\shaimetk.ini
    C:\WINDOWS\SYSTEM32\ktemiahs.dll
    C:\WINDOWS\SYSTEM32\anvudxaq.dll
    C:\WINDOWS\SYSTEM32\liykayqu.dll
    C:\WINDOWS\SYSTEM32\vcoxmsck.exe
    C:\WINDOWS\SYSTEM32\eegiPqss.ini
    C:\WINDOWS\SYSTEM32\yupwjjlj.ini
    C:\WINDOWS\SYSTEM32\vholikur.dll
    C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
    C:\WINDOWS\SYSTEM32\xciomsir.dll
    C:\WINDOWS\SYSTEM32\hlgccqru.exe
    C:\WINDOWS\SYSTEM32\xwfkepuw.dll
    C:\WINDOWS\SYSTEM32\orssulxn.exe
    C:\WINDOWS\SYSTEM32\cuecvhsx.dll
    C:\WINDOWS\SYSTEM32\fisrxabs.dll
    C:\WINDOWS\SYSTEM32\vgvpndpp.dll
    C:\WINDOWS\SYSTEM32\xeppqalk.exe
    C:\WINDOWS\SYSTEM32\ramjbsgl.dll
    C:\WINDOWS\SYSTEM32\ljJARiiH.dll
    C:\WINDOWS\SYSTEM32\yigdvews.ini
    C:\WINDOWS\SYSTEM32\ugblvkjs.dll
    C:\WINDOWS\SYSTEM32\nkbetitq.exe
    C:\WINDOWS\SYSTEM32\ysdqtawl.dll
    C:\WINDOWS\SYSTEM32\ssqPigee.dll
    C:\WINDOWS\system32\envchjra.dll
    C:\WINDOWS\system32\byXPFwtR.dll
    C:\WINDOWS\system32\yjhmtoyh.dll
    C:\WINDOWS\system32\rljsxsfr.dll

    I still cannot get Kaspersky to work.
    It goes to the page where I have an accept/decline option and when I hit accept it shows about 2-3 brief communications between my computer and Kaspersky and then says done without actually doing anything.
    All you do is open the link and browse to the files, then submit it. In a few minutes you should get a report. There is no way I can do this for you, the files are on your computer.

    If Kaspersky does not work, try one of the other two.

    This is fairly basic computing and far from needing expert knowledge.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
