
Thread: New to these issues, I am trying to do this right.

  1. #11
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    Update.

    OK, I ran all the files through http://virusscan.jotti.org/ and saved them as a text file. Do you want that posted? Most were infected, many did not have the note saying that these were previously viewed files, and would not be saved.

    I tried putting the CFSscript.txt into ComboFix, and pretty early on got a computer shutdown, and memory dump.

    I am trying that again.

    From that point should I continue with the other steps, or just post the HJT and ComboFix logs?

  2. #12
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    I was fairly sure those files were bad and I was also concerned about the reason combofix did not find them in the first scan. If you are having problems running CFScript, try deleting combofix completely and downloading it again, from the link I provided and starting from the first scan to see what happens. I think something unusual happened the first scan, and I don't believe it is combofix, since I use it all of the time.

    Once you have the new copy and try the CFScript again, if it does not work, continue until you finish. We are running out of tools to remove the Vundofix, but it can be done manually, one file at a time if need be.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #13
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    I'm back.

    Sorry about the delay.

    I ran the second ComboFix, and it made it to printing the log file; I saw it and then the system went down.

    While trying to do it again I lost internet. (the joys of satellite)

    Anyway, here is the ComboFix log (third time was the charm, and it went much faster too):

    ComboFix 08-05-12.1 - Brian 2008-05-14 15:33:27.9 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.697 [GMT -5:00]
    Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\SYSTEM32\anvudxaq.dll
    C:\WINDOWS\system32\byXPFwtR.dll
    C:\WINDOWS\SYSTEM32\cuecvhsx.dll
    C:\WINDOWS\SYSTEM32\eegiPqss.ini
    C:\WINDOWS\system32\envchjra.dll
    C:\WINDOWS\SYSTEM32\fisrxabs.dll
    C:\WINDOWS\SYSTEM32\hlgccqru.exe
    C:\WINDOWS\SYSTEM32\ktemiahs.dll
    C:\WINDOWS\SYSTEM32\liykayqu.dll
    C:\WINDOWS\SYSTEM32\ljJARiiH.dll
    C:\WINDOWS\SYSTEM32\nkbetitq.exe
    C:\WINDOWS\SYSTEM32\orssulxn.exe
    C:\WINDOWS\SYSTEM32\ramjbsgl.dll
    C:\WINDOWS\system32\rljsxsfr.dll
    C:\WINDOWS\SYSTEM32\shaimetk.ini
    C:\WINDOWS\SYSTEM32\ssqPigee.dll
    C:\WINDOWS\SYSTEM32\ugblvkjs.dll
    C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
    C:\WINDOWS\SYSTEM32\vcoxmsck.exe
    C:\WINDOWS\SYSTEM32\vgvpndpp.dll
    C:\WINDOWS\SYSTEM32\vholikur.dll
    C:\WINDOWS\SYSTEM32\xciomsir.dll
    C:\WINDOWS\SYSTEM32\xeppqalk.exe
    C:\WINDOWS\SYSTEM32\xwfkepuw.dll
    C:\WINDOWS\SYSTEM32\yigdvews.ini
    C:\WINDOWS\system32\yjhmtoyh.dll
    C:\WINDOWS\SYSTEM32\ysdqtawl.dll
    C:\WINDOWS\SYSTEM32\yupwjjlj.ini
    .

    ((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
    .

    2008-05-13 19:02 . 2008-05-13 19:02 <DIR> d-------- C:\VundoFix Backups
    2008-05-13 18:01 . 2008-05-13 18:01 2,112 --a------ C:\WINDOWS\SYSTEM32\rvomhbtw.exe
    2008-05-13 12:53 . 2008-05-13 12:53 <DIR> d-------- C:\Deckard
    2008-05-13 09:57 . 2008-05-14 11:48 109,849 --a------ C:\WINDOWS\BM2741a295.xml
    2008-05-12 20:32 . 2008-05-12 20:32 23,981 --a------ C:\WINDOWS\SYSTEM32\datmps.dll
    2008-05-12 20:32 . 2008-05-12 20:32 8,816 --a------ C:\WINDOWS\SYSTEM32\wlite.sys
    2008-05-12 18:33 . 2008-05-12 18:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2008-05-12 17:13 . 2008-05-12 21:11 525 --a------ C:\WINDOWS\wininit.ini
    2008-05-12 17:09 . 2008-05-12 17:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
    2008-05-12 17:09 . 2008-05-12 17:21 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\StumbleUpon
    2008-05-12 16:45 . 2008-05-12 16:45 <DIR> d-------- C:\My Video
    2008-05-12 14:40 . 2008-05-12 16:46 56 --a------ C:\WINDOWS\cryavitompeg.ini
    2008-05-12 14:39 . 2008-05-12 16:46 5 --a------ C:\WINDOWS\SYSTEM32\SySavitompeg.dat
    2008-05-12 14:38 . 2008-05-12 14:38 <DIR> d-------- C:\Program Files\Crystal Software
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\winRem
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\spoolX
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\MUI2
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\dFrnx05
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\1036a
    2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\Temp\tmpvc14
    2008-05-12 14:24 . 2008-05-12 14:25 <DIR> d-------- C:\Program Files\winvi
    2008-05-12 14:24 . 2008-05-12 14:24 493,862 --a------ C:\Temp\dUbc1002.exe
    2008-05-04 13:09 . 2008-05-04 13:10 <DIR> d-------- C:\Program Files\WordBiz
    2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
    2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSScanAppDataDir
    2008-05-02 17:15 . 2008-05-02 17:15 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Hewlett-Packard
    2008-05-02 17:14 . 2008-05-12 17:19 <DIR> d-------- C:\Documents and Settings\Admin
    2008-05-02 17:14 . 2008-05-14 15:30 1,024 --ah----- C:\Documents and Settings\Admin\NTUSER.dat.LOG
    2008-04-17 15:10 . 2008-04-17 15:10 107,888 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
    2008-04-17 13:53 . 2008-04-17 13:53 <DIR> d-------- C:\Program Files\Atari

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-13 16:29 --------- d-----w C:\Program Files\LimeWire
    2008-05-12 23:35 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-12 22:12 --------- d-----w C:\Program Files\4U Computing
    2008-05-12 22:11 --------- d-----w C:\Program Files\StumbleUpon
    2008-05-12 19:40 --------- d-----w C:\Program Files\Incomplete
    2008-05-12 19:09 --------- d-----w C:\Documents and Settings\Brian\Application Data\LimeWire
    2008-05-11 15:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2008-04-17 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-12 17:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-12 17:42 --------- d-----w C:\Program Files\Safer Networking
    2008-04-08 20:37 --------- d-----w C:\Program Files\Scholastic
    2008-04-04 22:11 --------- d-----w C:\Program Files\QuickTime
    2008-03-31 15:24 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-03-20 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-19 23:47 --------- d-----w C:\Documents and Settings\Brian\Application Data\Netscape
    2008-03-19 17:26 --------- d-----w C:\Program Files\Java
    2008-03-19 16:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
    2008-03-19 15:47 --------- d-----w C:\Program Files\MSBuild
    2008-03-19 15:45 --------- d-----w C:\Program Files\Reference Assemblies
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
    2007-01-30 23:38 194,376 -c--a-w C:\Documents and Settings\Brian\Application Data\shb.dat
    2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
    2005-04-20 00:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-12_21.55.18.89 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-13 02:46:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-14 20:30:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-14 20:30:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_548.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b90d1a5-1d99-4c96-9262-c79080d7879f}]
    C:\WINDOWS\system32\envchjra.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7580F730-9EE7-45BF-9D0F-70C619FFD9E4}]
    C:\WINDOWS\system32\urqOIXQH.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
    C:\WINDOWS\system32\byXPFwtR.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 04:01 135264]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 04:00 90112]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 12:14 185896]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-30 21:57 77824]
    "24729109"="C:\WINDOWS\system32\yjhmtoyh.dll" [ ]
    "BM2741a295"="C:\WINDOWS\system32\rljsxsfr.dll" [ ]

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18 147456]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\byXPFwtR.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPFwtR]
    byXPFwtR.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wlite.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
    R1 wlite;WMV9 Codec;C:\WINDOWS\system32\wlite.sys [2008-05-12 20:32]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
    R2 HIDKbFlt;HIDKbFlt.SvcDesc%;C:\WINDOWS\system32\DRIVERS\HIDKbFlt.sys [2005-07-25 05:13]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-14 15:38:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-05-14 15:43:24
    ComboFix-quarantined-files.txt 2008-05-14 20:43:22
    ComboFix2.txt 2008-05-14 17:32:42
    ComboFix3.txt 2008-05-13 22:50:27
    ComboFix4.txt 2008-05-13 22:30:16
    ComboFix5.txt 2008-05-13 17:03:30

    Pre-Run: 68,030,021,632 bytes free
    Post-Run: 68,017,913,856 bytes free

    168 --- E O F --- 2008-04-09 08:03:29

    And the resulting HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:45:50 PM, on 5/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...N=PLHS&O=I&UT=
    O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll (file missing)
    O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
    O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll (file missing)
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
    O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165792850984
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - Winlogon Notify: byXPFwtR - byXPFwtR.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5039 bytes

    I am proceeding to the next step and will get back to you soon.

    Thank you.

  4. #14
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    And the rest of it.

    I used HiJackThis to fix the boxes you asked for and ran the ATF cleaner that went really fast.

    Here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:54:32 PM, on 5/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...N=PLHS&O=I&UT=
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165792850984
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 4449 bytes

    I hope some of this is helping.

    As a side note, way back when, one of the first things I noticed was wrong was that the little red shield showed up saying auto-updates was off and I could not get it restarted. The shield is now gone, and auto-updates shows as being back on again.

    My first attempt to fix this was trying to go back to a system restore point, which failed in the sense that they were all gone.

    I have not checked to see if they are back.
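The two HJT logs above (posts #13 and #14) differ in exactly the entries the helper had the poster fix. As an added example that is not part of the thread or of HijackThis itself, the following Python script parses HJT entry lines, flags the three patterns visible in the first log (a loading point whose target file is missing, a BHO registered with no name, and a Run key that starts a DLL through rundll32.exe), and diffs the before and after logs. The sample lines are a constructed excerpt copied from the two logs in the thread; the flagging heuristics are this example's own triage rules, not anything HijackThis reports.

```python
"""Triage HijackThis (HJT) log entries and compare a before/after pair.

Added example, not part of the thread or of HijackThis. The sample lines are
a constructed excerpt of the two HJT logs posted in the thread; the heuristics
in reasons_for() are this example's own, not an official HJT rule set.
"""
import re

# Constructed excerpt of the first HJT log (before the fix).
BEFORE_FIX = r"""
O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll (file missing)
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: byXPFwtR - byXPFwtR.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed excerpt of the second HJT log (after the fix).
AFTER_FIX = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# An HJT entry line is '<section> - <body>', e.g. 'O4 - HKLM\..\Run: [name] cmd'.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")
RUNDLL32_RE = re.compile(r"^rundll32(?:\.exe)?\s", re.IGNORECASE)


def entries(log_text):
    """Yield (section, body) for every HJT entry line; skip headers and blanks."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def reasons_for(section, body):
    """Return the reasons an entry deserves a second look (empty list if none)."""
    reasons = []
    if body.endswith("(file missing)"):
        # A loading point whose target is not on disk is either a leftover from
        # a partial removal or a file hidden from the scanner; either way it
        # should be removed and cross-checked with a rootkit scan.
        reasons.append("loading point references a file that is not on disk")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a display name")
    if section == "O4":
        # O4 body layout: '<hive>\..\Run: [<value name>] <command line>'
        command = body.split("] ", 1)[-1]
        if RUNDLL32_RE.match(command):
            reasons.append("Run key starts a DLL through rundll32.exe")
    return reasons


def triage(log_text):
    """Map each flagged entry line (reassembled as written) to its reasons."""
    flagged = {}
    for section, body in entries(log_text):
        reasons = reasons_for(section, body)
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged


def removed_entries(before_text, after_text):
    """Entry lines present before the fix and absent afterwards."""
    before = {f"{s} - {b}" for s, b in entries(before_text)}
    after = {f"{s} - {b}" for s, b in entries(after_text)}
    return before - after


if __name__ == "__main__":
    for line, why in triage(BEFORE_FIX).items():
        print(line)
        for reason in why:
            print("   ->", reason)
    gone = removed_entries(BEFORE_FIX, AFTER_FIX)
    print(f"{len(gone)} entries removed by the fix; "
          f"{len(triage(AFTER_FIX))} still flagged afterwards")
```

Run against the two excerpts, the script flags six entries in the first log and none in the second, and the set of entries that disappeared between the logs is exactly the flagged set. The "(file missing)" rule is deliberately ambiguous about cause: the ComboFix log in the same post shows the catchme rootkit scan reporting zero hidden files, which is the cross-check that tells a helper these were remnants of the removal rather than files still being concealed.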

  5. #15
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for the feedback. Malware can sure mess up a computer, and many trojans corrupt your settings, turn off your antivirus and firewall, etc.
    Some of the damage can only be repaired by a reformat or, at the least, a repair or reinstallation of the operating system. We do what we can.

    Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:54:32 PM, on 5/14/2008

    This HJT log looks good, but HJT can only show so much, and the hackers do all they can to hide from HJT; they know our tools.
    I will know more when I get a look at a Kaspersky Online Scan, and in order to get to that point, we need to cross this bridge.

    I am sure you saw this:
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
    If you do not wish to install RC, let me know so I can continue with the cleanup.
    If you install RC, post the C:\CF-RC.txt.

    Since we do not need to scan with combofix, click NO

    Keep an eye on how the computer runs, record any error messages word for word and post them, once you install RC, we can remove the tools we used and run a scan to see what is left.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #16
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    Thank you

    OK, I would like to reinstall the recovery console. I have used it in the past and it is helpful.

    I do not have the rescue disks for the infected computer, but do have them for two different laptops. Can I use those to put the recovery console back?

    If not, is it possible to do it another way?

    Thank you.

    It may be a little bit before I can get back so no rush.

  7. #17
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    You need to slow a little and take the time to read the directions so you understand them:

    From the link I provided:
    If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:
    If you have more questions, ask them...
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #18
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    Console is in.

    I installed the recovery console. My fault that I did not read past the link in the site you sent.

    Here is the log from that:

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

  9. #19
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for the feedback, you may keep ATF-Cleaner if you wish, but delete combofix, C:\Qoobox\Quarantine\ folder, Vundofix and the C:\Vundofix Backups\ folder.

    Run this online scan using Internet Explorer:
    Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
    Next Click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #20
    Junior Member
    Join Date
    May 2008
    Location
    Wisconsin
    Posts
    16

    Kaspersky still doesn't like me.

    It now goes much farther. It asked about the ActiveX control and I allowed that. It initialized and performed an update. The update bar made it to 100% as it filled the dialog box listed below:

    Please wait to update the virus definitions...
    Downloading from url: ftp://downloads4.kaspersky-labs.com
    Downloading remote file: master.xml
    Downloading remote file: kernel.avc
    Downloading from url: http://downloads2.kaspersky-labs.com
    Downloading remote file: master.xml
    Downloading remote file: kernel.avc
    Downloading from url: ftp://downloads1.kaspersky-labs.com
    Downloading remote file: master.xml
    Downloading remote file: kernel.avc
    Downloading from url: ftp://downloads2.kaspersky-labs.com
    Downloading remote file: master.xml
    Downloading remote file: kernel.avc
    Downloading from url: http://downloads1.kaspersky-labs.com
    Downloading remote file: master.xml
    Downloading remote file: kernel.avc
    Downloading from url: http://downloads4.kaspersky-labs.com
    Downloading remote file: master.xml
    Downloading remote file: kernel.avc
    Downloading from url: ftp://downloads2.kaspersky-labs.com
    Downloading remote file: master.xml
    Downloading remote file: kernel.avc
    Update process FAILED. No further antivirus actions can be performed!

    Attention, you must be online to activate Kaspersky Online Scanner, since the latest Anti-Virus bases version must be downloaded prior to scan. Otherwise we cannot guarantee detection of latest viruses. [21]

    I do not know if I am missing something, I am definitely on-line.
