Pop-ups and reg-keys

Ozerium · Apr 11, 2007

Hello all.

I recently downloaded a file for a game that was full of spy ware, my anti-virus was able to stop the viruses but now I keep getting pop ups. spybot-sd can find and delete them, but they just come back next time in go online. they are as follows,

Bifrose.LA
ErrorSafe
Fake.Wget
MediaPlex
ReliableStats
Smithfraud-C.toolbar888
Winsoftwarw.WinAntiVirusPro2006

There all ether registry keys or tracking cookies, and theres more every few days. i ran both the scans your list said to run,
Panda Active Scan said this,

Incident Status Location

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sh3n1qua.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sh3n1qua.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sh3n1qua.default\cookies.txt[www.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sh3n1qua.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sh3n1qua.default\cookies.txt[.mediaplex.com/]

And HJT siad this,

Logfile of HijackThis v1.99.1
Scan saved at 3:08:50 PM, on 4/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINNT\system32\mljjjif.dll (file missing)
O2 - BHO: (no name) - {28780D21-58B8-B880-F730-017173EB4D37} - C:\WINNT\system32\pkjuoqn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F427AEF-8D6F-41DF-895C-BC38E346A96B} - (no file)
O2 - BHO: (no name) - {7616C79C-D148-4CC8-8337-F1FD656B1481} - (no file)
O2 - BHO: (no name) - {7E5E1EF1-1725-4EE3-98BF-32C832F05C40} - C:\WINNT\system32\xsunyqgj.dll
O2 - BHO: (no name) - {84215CC8-A7F1-4CCC-A148-B9381C18781C} - (no file)
O2 - BHO: (no name) - {AB612876-9C86-4A4D-AE80-C6FC4526E75E} - C:\WINNT\system32\mlljh.dll
O2 - BHO: (no name) - {E9326449-7E34-4FDE-A203-CB69DDC4FAE2} - (no file)
O2 - BHO: (no name) - {FC1DAF89-B65E-400A-87E1-990B9262FF3E} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] f:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{767E957E-6BEB-49CE-88AB-090C116104E1}: NameServer = 85.255.115.35,85.255.112.73
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: mljjjif - mljjjif.dll (file missing)
O20 - Winlogon Notify: mlljh - C:\WINNT\system32\mlljh.dll
O20 - Winlogon Notify: winmfu32 - C:\WINNT\SYSTEM32\winmfu32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

I hope thats enough for you to help me with, if theres anything i missed please tell me, Thanks.

Mr_JAk3 · Apr 16, 2007

Hello Ozerium and welcome to the Forums

Sorry for the delay....

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.

Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log (take the log in normal mode) and C:\fixwareout\report.txt

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Ozerium · Apr 18, 2007

I thank you greatly for your help.

heres the VundoFix log,

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:00:32 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\bvyuoqtw.dll
C:\WINNT\system32\glbagjom.dll
C:\WINNT\system32\gountcxv.dll
C:\WINNT\system32\hjllm.bak1
C:\WINNT\system32\hjllm.bak2
C:\WINNT\system32\hjllm.ini
C:\WINNT\system32\hswattlv.dll
C:\WINNT\system32\ilbmdldm.dll
C:\WINNT\system32\jxrjnvrw.dll
C:\WINNT\system32\larxghlf.dll
C:\WINNT\system32\ljxrgelu.dll
C:\WINNT\system32\mbfsyllh.dll
C:\WINNT\system32\mljjjif.dll
C:\WINNT\system32\mljkhhf.dll
C:\WINNT\system32\mlljh.dll
C:\WINNT\system32\niklyrav.dll
C:\WINNT\system32\qniepniq.dll
C:\WINNT\system32\qwriadcq.dll
C:\WINNT\system32\scexlyjl.dll
C:\WINNT\system32\wyksunla.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\bvyuoqtw.dll
C:\WINNT\system32\bvyuoqtw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\glbagjom.dll
C:\WINNT\system32\glbagjom.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gountcxv.dll
C:\WINNT\system32\gountcxv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.bak1
C:\WINNT\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.bak2
C:\WINNT\system32\hjllm.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.ini
C:\WINNT\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ilbmdldm.dll
C:\WINNT\system32\ilbmdldm.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jxrjnvrw.dll
C:\WINNT\system32\jxrjnvrw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\larxghlf.dll
C:\WINNT\system32\larxghlf.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ljxrgelu.dll
C:\WINNT\system32\ljxrgelu.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mbfsyllh.dll
C:\WINNT\system32\mbfsyllh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mljkhhf.dll
C:\WINNT\system32\mljkhhf.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mlljh.dll
C:\WINNT\system32\mlljh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\niklyrav.dll
C:\WINNT\system32\niklyrav.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qniepniq.dll
C:\WINNT\system32\qniepniq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qwriadcq.dll
C:\WINNT\system32\qwriadcq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\scexlyjl.dll
C:\WINNT\system32\scexlyjl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wyksunla.dll
C:\WINNT\system32\wyksunla.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:12:05 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\awvtr.dll
C:\WINNT\system32\rtvwa.bak1
C:\WINNT\system32\rtvwa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\awvtr.dll
C:\WINNT\system32\awvtr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rtvwa.bak1
C:\WINNT\system32\rtvwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\rtvwa.ini
C:\WINNT\system32\rtvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:22:57 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\cxpqwksl.dll
C:\WINNT\system32\igawnkxj.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\WINNT\system32\cxpqwksl.dll
C:\WINNT\system32\cxpqwksl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\igawnkxj.dll
C:\WINNT\system32\igawnkxj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:39:24 PM 4/18/2007

Listing files found while scanning....

No infected files were found.

I had to run it three times, and i got this error, "Cannot import C:\VundoFix.reg: Error opening the file. There may be a disk or file system error." but it says it got them all so.

Heres the HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 8:50:41 PM, on 4/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\TEMP\win147E.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\vwsrv.exe
C:\WINNT\svchost.exe
C:\Program Files\Common Files\{3070289F-0A65-1033-0203-051111040001}\Update.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\CURITY~1\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\webHancer\Programs\whagent.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10B3AF35-3C87-3F5C-A74D-66E34B95F999} - C:\WINNT\system32\qatbnspe.dll
O2 - BHO: (no name) - {18061373-868D-DA8C-A7BD-03D34C1693CC} - C:\WINNT\system32\xgyyxlf.dll
O2 - BHO: (no name) - {1A57388A-E9D4-A0C2-992C-054C68EAD915} - C:\WINNT\system32\wivppec.dll
O2 - BHO: (no name) - {28780D21-58B8-B880-F730-017173EB4D37} - C:\WINNT\system32\pkjuoqn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\cxpqwksl.dll (file missing)
O2 - BHO: (no name) - {6F427AEF-8D6F-41DF-895C-BC38E346A96B} - (no file)
O2 - BHO: (no name) - {715067CF-DCCC-414F-AF76-AB13256D2301} - C:\WINNT\system32\yntpdssf.dll
O2 - BHO: (no name) - {7616C79C-D148-4CC8-8337-F1FD656B1481} - (no file)
O2 - BHO: (no name) - {7E5E1EF1-1725-4EE3-98BF-32C832F05C40} - C:\WINNT\system32\yntpdssf.dll
O2 - BHO: (no name) - {84215CC8-A7F1-4CCC-A148-B9381C18781C} - (no file)
O2 - BHO: (no name) - {B670073F-6174-488C-B5B5-3A471C6240E8} - C:\WINNT\system32\rqrrron.dll
O2 - BHO: (no name) - {C004AE5B-F2FF-4DD3-9EE5-93924C5978D9} - C:\WINNT\system32\mlljh.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {D50F2A23-6FE1-4EB1-86EB-0C14BFB13C1F} - C:\WINNT\system32\awvtr.dll (file missing)
O2 - BHO: (no name) - {E9326449-7E34-4FDE-A203-CB69DDC4FAE2} - (no file)
O2 - BHO: (no name) - {FC1DAF89-B65E-400A-87E1-990B9262FF3E} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [wivppec.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\wivppec.dll,cetqhce
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\system32\drvpem.dll,startup
O4 - HKLM\..\Run: [{3070289F-0A65-1033-0203-051111040001}] "C:\Program Files\Common Files\{3070289F-0A65-1033-0203-051111040001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [Ntht] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\CURITY~1\iexplore.exe" -vt yazb
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{767E957E-6BEB-49CE-88AB-090C116104E1}: NameServer = 85.255.115.35,85.255.112.73
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: mljjjif - mljjjif.dll (file missing)
O20 - Winlogon Notify: rqrrron - C:\WINNT\SYSTEM32\rqrrron.dll
O20 - Winlogon Notify: winmfu32 - C:\WINNT\SYSTEM32\winmfu32.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: vwservice - Unknown owner - C:\WINNT\system32\vwsrv.exe

and the fixwareout report

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSnD"="\"F:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"Synchronization Manager"="mobsync.exe /logon"
"msvb32"="C:\\WINNT\\system32\\msvb.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msvb32"="C:\\WINNT\\system32\\msvb.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

I must say i greatly appreciate what you guys are doing here, God bless you all.:bigthumb:

Mr_JAk3 · Apr 18, 2007

Hello

Some new infections have found a way to your computer

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.

You don't seem to have a third-party firewall installed. You must install one firewall.

These are good (free) firewalls:

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Please post an uninstall list to here.

Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.

:bigthumb:

Ozerium · Apr 19, 2007

SDFix report,

SDFix: Version 1.79

Run by Administrator - Thu 04/19/2007 - 21:40:40.00

Microsoft Windows 2000 [Version 5.00.2195]

Running From: F:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 11:03:56 PM, on 4/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\vwsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{767E957E-6BEB-49CE-88AB-090C116104E1}: NameServer = 85.255.115.35,85.255.112.73
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: vwservice - Unknown owner - C:\WINNT\system32\vwsrv.exe

And when ever i try to save a uninstall list HJT just crashes.:sad:

Mr_JAk3 · Apr 19, 2007

Ok let's forget the uninstall list for now...

Rename HijackThis.exe to Scanner.exe

Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:

J2SE Runtime Environment 5.0 Update 3

and any other programs you didn't install or don't recognize - if your not sure please ask first

We'll install the latest version later.

Run VundoFix again and then post a fresh HijackThis (scanner.exe) log along with the C:\vundofix.txt

:bigthumb:

Ozerium · Apr 19, 2007

Found and uninstalled java as well as two others i didn't trust and i'm not sure about this one "IpWins"

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:33:53 PM, on 4/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchosts.exe
C:\WINNT\system32\svchost.exe
F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\vwsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\WINNT\system32\v7.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\{3070289F-0A64-1033-0203-051111040001}\Update.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINNT\svchost.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10B3AF35-3C87-3F5C-A74D-66E34B95F999} - C:\WINNT\system32\qatbnspe.dll (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\exwjbbup.dll
O2 - BHO: (no name) - {18061373-868D-DA8C-A7BD-03D34C1693CC} - C:\WINNT\system32\xgyyxlf.dll
O2 - BHO: (no name) - {1A57388A-E9D4-A0C2-992C-054C68EAD915} - C:\WINNT\system32\wivppec.dll
O2 - BHO: (no name) - {28780D21-58B8-B880-F730-017173EB4D37} - C:\WINNT\system32\pkjuoqn.dll
O2 - BHO: (no name) - {3CBE951E-539D-4C53-B669-DD0A192B7A0B} - C:\WINNT\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {3F7A881B-3770-4142-80AA-FB9F14C0C791} - C:\WINNT\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {4DD1BA92-B6FF-A3A8-2F71-03C659DB3B9F} - C:\WINNT\system32\zlvkybb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F427AEF-8D6F-41DF-895C-BC38E346A96B} - (no file)
O2 - BHO: (no name) - {715067CF-DCCC-414F-AF76-AB13256D2301} - C:\WINNT\system32\oxtghdjm.dll
O2 - BHO: (no name) - {7616C79C-D148-4CC8-8337-F1FD656B1481} - (no file)
O2 - BHO: (no name) - {7E5E1EF1-1725-4EE3-98BF-32C832F05C40} - C:\WINNT\system32\oxtghdjm.dll
O2 - BHO: (no name) - {84215CC8-A7F1-4CCC-A148-B9381C18781C} - (no file)
O2 - BHO: (no name) - {B06930FE-CD1A-457F-892A-E439ED5219FE} - (no file)
O2 - BHO: (no name) - {B670073F-6174-488C-B5B5-3A471C6240E8} - C:\WINNT\system32\rqrrron.dll
O2 - BHO: (no name) - {C004AE5B-F2FF-4DD3-9EE5-93924C5978D9} - C:\WINNT\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {D50F2A23-6FE1-4EB1-86EB-0C14BFB13C1F} - C:\WINNT\system32\awvtr.dll (file missing)
O2 - BHO: (no name) - {E9326449-7E34-4FDE-A203-CB69DDC4FAE2} - (no file)
O2 - BHO: (no name) - {FC1DAF89-B65E-400A-87E1-990B9262FF3E} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Outpost Firewall] F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [kntwwdl.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\kntwwdl.dll,ujqqarc
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\system32\drvtak.dll,startup
O4 - HKLM\..\Run: [{3070289F-0A64-1033-0203-051111040001}] "C:\Program Files\Common Files\{3070289F-0A64-1033-0203-051111040001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{3070289F-0A65-1033-0203-051111040001}] "C:\Program Files\Common Files\{3070289F-0A65-1033-0203-051111040001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [OutpostFeedBack] F:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump

s_startup
O4 - HKCU\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{767E957E-6BEB-49CE-88AB-090C116104E1}: NameServer = 85.255.115.35,85.255.112.73
O20 - AppInit_DLLs: F:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: mljjjif - mljjjif.dll (file missing)
O20 - Winlogon Notify: mlljh - C:\WINNT\
O20 - Winlogon Notify: rqrrron - C:\WINNT\SYSTEM32\rqrrron.dll
O20 - Winlogon Notify: winmfu32 - C:\WINNT\SYSTEM32\winmfu32.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: vwservice - Unknown owner - C:\WINNT\system32\vwsrv.exe

VundoFix log

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:00:32 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\bvyuoqtw.dll
C:\WINNT\system32\glbagjom.dll
C:\WINNT\system32\gountcxv.dll
C:\WINNT\system32\hjllm.bak1
C:\WINNT\system32\hjllm.bak2
C:\WINNT\system32\hjllm.ini
C:\WINNT\system32\hswattlv.dll
C:\WINNT\system32\ilbmdldm.dll
C:\WINNT\system32\jxrjnvrw.dll
C:\WINNT\system32\larxghlf.dll
C:\WINNT\system32\ljxrgelu.dll
C:\WINNT\system32\mbfsyllh.dll
C:\WINNT\system32\mljjjif.dll
C:\WINNT\system32\mljkhhf.dll
C:\WINNT\system32\mlljh.dll
C:\WINNT\system32\niklyrav.dll
C:\WINNT\system32\qniepniq.dll
C:\WINNT\system32\qwriadcq.dll
C:\WINNT\system32\scexlyjl.dll
C:\WINNT\system32\wyksunla.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\bvyuoqtw.dll
C:\WINNT\system32\bvyuoqtw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\glbagjom.dll
C:\WINNT\system32\glbagjom.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gountcxv.dll
C:\WINNT\system32\gountcxv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.bak1
C:\WINNT\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.bak2
C:\WINNT\system32\hjllm.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.ini
C:\WINNT\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ilbmdldm.dll
C:\WINNT\system32\ilbmdldm.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jxrjnvrw.dll
C:\WINNT\system32\jxrjnvrw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\larxghlf.dll
C:\WINNT\system32\larxghlf.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ljxrgelu.dll
C:\WINNT\system32\ljxrgelu.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mbfsyllh.dll
C:\WINNT\system32\mbfsyllh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mljkhhf.dll
C:\WINNT\system32\mljkhhf.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mlljh.dll
C:\WINNT\system32\mlljh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\niklyrav.dll
C:\WINNT\system32\niklyrav.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qniepniq.dll
C:\WINNT\system32\qniepniq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qwriadcq.dll
C:\WINNT\system32\qwriadcq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\scexlyjl.dll
C:\WINNT\system32\scexlyjl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wyksunla.dll
C:\WINNT\system32\wyksunla.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:12:05 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\awvtr.dll
C:\WINNT\system32\rtvwa.bak1
C:\WINNT\system32\rtvwa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\awvtr.dll
C:\WINNT\system32\awvtr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rtvwa.bak1
C:\WINNT\system32\rtvwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\rtvwa.ini
C:\WINNT\system32\rtvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:22:57 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\cxpqwksl.dll
C:\WINNT\system32\igawnkxj.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\WINNT\system32\cxpqwksl.dll
C:\WINNT\system32\cxpqwksl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\igawnkxj.dll
C:\WINNT\system32\igawnkxj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:39:24 PM 4/18/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 10:06:17 PM 4/18/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:20:34 PM 4/19/2007

Listing files found while scanning....

C:\WINNT\system32\accdd.bak1
C:\WINNT\system32\accdd.bak2
C:\WINNT\system32\accdd.ini
C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\hmdushhp.dll
C:\WINNT\system32\jujmlnoe.dll
C:\WINNT\system32\ohavugkr.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\accdd.bak1
C:\WINNT\system32\accdd.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\accdd.bak2
C:\WINNT\system32\accdd.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\accdd.ini
C:\WINNT\system32\accdd.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\ddcca.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\hmdushhp.dll
C:\WINNT\system32\hmdushhp.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jujmlnoe.dll
C:\WINNT\system32\jujmlnoe.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ohavugkr.dll
C:\WINNT\system32\ohavugkr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\accdd.ini
C:\WINNT\system32\accdd.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\ddcca.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:43:24 PM 4/19/2007

Listing files found while scanning....

C:\WINNT\system32\accdd.ini
C:\WINNT\system32\ddcca.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\accdd.ini
C:\WINNT\system32\accdd.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\ddcca.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:56:11 PM 4/19/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 1:14:58 PM 4/20/2007

Listing files found while scanning....

C:\WINNT\system32\ihkmp.bak1
C:\WINNT\system32\ihkmp.ini
C:\WINNT\system32\jcbqhvku.dll
C:\WINNT\system32\pmkhi.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\ihkmp.bak1
C:\WINNT\system32\ihkmp.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\ihkmp.ini
C:\WINNT\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jcbqhvku.dll
C:\WINNT\system32\jcbqhvku.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmkhi.dll
C:\WINNT\system32\pmkhi.dll Has been deleted!

Performing Repairs to the registry.
Done!

Mr_JAk3 · Apr 21, 2007

Hi again and sorry for the huge delay

Loads of infections there...

Before we'll continue I would like you to do something for me...
I need you too upload few malware files for further inspection.

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINNT\system32\exwjbbup.dll
C:\WINNT\system32\xgyyxlf.dll
C:\WINNT\system32\wivppec.dll
C:\WINNT\system32\pkjuoqn.dll
C:\WINNT\system32\zlvkybb.dll
C:\WINNT\system32\oxtghdjm.dll
C:\WINNT\system32\rqrrron.dll
C:\WINNT\SYSTEM32\winmfu32.dll

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go here to upload a suspicious file for analysis.

Enter your username from this forum
Copy and paste the link to this thread
- Click "Browse" on the 1. field.
  Browse to the cab file on your desktop and click the file with your mouse, press "Open"
In the comments, please mention that I asked you to upload this file
Click on Send File

Thank you :waytogo:

We'll run VundoFix again

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINNT\SYSTEM32\rqrrron.dll
C:\WINNT\system32\norrrqr.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Ozerium · Apr 22, 2007

"Administrator" - Mon 04/23/2007 1:50:23 Service Pack 4 [SAFE MODE]
ComboFix 07-04-21.2V - Running from: F:\

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\exwjbbup.dll
C:\WINNT\system32\plbborqs.dll
C:\WINNT\system32\mljgfgd.dll
C:\WINNT\system32\nnnopqn.dll
C:\WINNT\system32\opnklig.dll
C:\WINNT\system32\nrysnwro.dll
C:\WINNT\system32\oxtghdjm.dll
C:\WINNT\system32\ppjfownr.dll
C:\WINNT\system32\yntpdssf.dll
C:\WINNT\system32\winmfu32.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\{30702~1\system.dll
C:\Program Files\Common Files\{30702~2\system.dll
C:\WINNT\system32\unsvchosts.lzma
C:\WINNT\system32\v7.exe
C:\WINNT\system32\wapisvcc.exe
C:\WINNT\svchost.exe
C:\Program Files\ipwindows
C:\Program Files\Common Files\{30702~1
C:\Program Files\Common Files\{30702~2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\WINNT\PPATCH~1

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_NETWORK_MONITOR

((((((((((((((((((((((((((((((( Files Created from 2002-01-07 to 20/23/2007 ))))))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2012/30/03 09:14p 68736 -ra------ C:\WINNT\system32\drivers\Rtlnic5.sys
2012/14/05 03:51p 3580480 --a------ C:\WINNT\system32\drivers\nv4_mini.sys
2012/12/02 01:14a 7424 --a------ C:\WINNT\system32\drivers\mskssrv.sys
2012/12/02 01:14a 5504 --a------ C:\WINNT\system32\drivers\mstee.sys
2012/12/02 01:14a 5248 --a------ C:\WINNT\system32\drivers\mspclock.sys
2012/12/02 01:14a 4096 --a------ C:\WINNT\system32\drivers\swenum.sys
2012/12/02 01:14a 130304 --a------ C:\WINNT\system32\drivers\ks.sys
2012/02/04 06:07a 89328 --a------ C:\WINNT\system32\drivers\mup.sys
2012/02/04 06:07a 63280 --a------ C:\WINNT\system32\drivers\udfs.sys
2012/02/04 06:00a 116400 --a------ C:\WINNT\system32\drivers\ftdisk.sys
2010/28/99 04:24p 51152 --a------ C:\WINNT\system32\drivers\DMusic.sys
2010/23/99 06:01a 413712 --a------ C:\WINNT\system32\drivers\ltmdmnt.sys
2009/25/99 11:36a 4816 --a------ C:\WINNT\system32\drivers\MSPQM.sys
2009/25/99 03:35a 2896 --a------ C:\WINNT\system32\drivers\audstub.sys
2009/24/99 12:17p 18704 --a------ C:\WINNT\system32\drivers\RTL8139.sys
2009/20/03 03:02a 71888 --a------ C:\WINNT\system32\drivers\ksecdd.sys
2008/31/06 09:57p 161520 --a------ C:\WINNT\system32\drivers\nwrdr.sys
2008/24/06 08:47p 36528 --------- C:\WINNT\system32\drivers\PxHelp20.sys
2008/24/06 08:47p 2560 --------- C:\WINNT\system32\drivers\cdralw2k.sys
2008/24/06 08:47p 2432 --------- C:\WINNT\system32\drivers\cdr4_2k.sys
2008/22/06 01:48p 136912 --a------ C:\WINNT\system32\drivers\fltmgr.sys
2008/16/05 01:40a 30160 --a------ C:\WINNT\system32\drivers\mountmgr.sys
2008/11/06 07:17a 239280 --a------ C:\WINNT\system32\drivers\SRV.SYS
2008/11/04 03:42p 67344 --a------ C:\WINNT\system32\drivers\ipnat.sys
2007/19/05 03:44a 142288 --a------ C:\WINNT\system32\drivers\fastfat.sys
2007/18/05 10:42p 170800 --a------ C:\WINNT\system32\drivers\rdbss.sys
2007/16/04 03:20p 69632 --a------ C:\WINNT\system32\drivers\Rtlnic.sys
2007/14/05 05:24a 74384 --a------ C:\WINNT\system32\drivers\SCSIPORT.SYS
2007/14/03 05:00a 9680 --a------ C:\WINNT\system32\drivers\netdtect.sys
2007/14/03 05:00a 93360 --a------ C:\WINNT\system32\drivers\ndiswan.sys
2007/14/03 05:00a 9200 --a------ C:\WINNT\system32\drivers\ndistapi.sys
2007/14/03 05:00a 91408 --a------ C:\WINNT\system32\drivers\nwlnkipx.sys
2007/14/03 05:00a 88816 --a------ C:\WINNT\system32\drivers\lvcam.sys
2007/14/03 05:00a 8016 --a------ C:\WINNT\system32\drivers\rasacd.sys
2007/14/03 05:00a 79120 --a------ C:\WINNT\system32\drivers\lvcodek.sys
2007/14/03 05:00a 7728 --a------ C:\WINNT\system32\drivers\diskperf.sys
2007/14/03 05:00a 7600 --a------ C:\WINNT\system32\drivers\fs_rec.sys
2007/14/03 05:00a 7312 --a------ C:\WINNT\system32\drivers\dmload.sys
2007/14/03 05:00a 65520 --a------ C:\WINNT\system32\drivers\nwlnknb.sys
2007/14/03 05:00a 6512 --a------ C:\WINNT\system32\drivers\parvdm.sys
2007/14/03 05:00a 62736 --a------ C:\WINNT\system32\drivers\serial.sys
2007/14/03 05:00a 60496 --a------ C:\WINNT\system32\drivers\psched.sys
2007/14/03 05:00a 6032 --a------ C:\WINNT\system32\drivers\rootmdm.sys
2007/14/03 05:00a 60208 --a------ C:\WINNT\system32\drivers\parallel.sys
2007/14/03 05:00a 59280 --a------ C:\WINNT\system32\drivers\vdmindvd.sys
2007/14/03 05:00a 58480 --a------ C:\WINNT\system32\drivers\nwlnkspx.sys
2007/14/03 05:00a 57904 --a------ C:\WINNT\system32\drivers\atmarpc.sys
2007/14/03 05:00a 57296 --a------ C:\WINNT\system32\drivers\irda.sys
2007/14/03 05:00a 57264 --a------ C:\WINNT\system32\drivers\mf.sys
2007/14/03 05:00a 56112 --a------ C:\WINNT\system32\drivers\dlc.sys
2007/14/03 05:00a 52112 --a------ C:\WINNT\system32\drivers\rasl2tp.sys
2007/14/03 05:00a 52048 --a------ C:\WINNT\system32\drivers\tosdvd.sys
2007/14/03 05:00a 50640 --a------ C:\WINNT\system32\drivers\videoprt.sys
2007/14/03 05:00a 48496 --a------ C:\WINNT\system32\drivers\atmlane.sys
2007/14/03 05:00a 48464 --a------ C:\WINNT\system32\drivers\raspptp.sys
2007/14/03 05:00a 46992 --a------ C:\WINNT\system32\drivers\i8042prt.sys
2007/14/03 05:00a 4240 --a------ C:\WINNT\system32\drivers\wmilib.sys
2007/14/03 05:00a 4240 --a------ C:\WINNT\system32\drivers\mnmdd.sys
2007/14/03 05:00a 4080 --a------ C:\WINNT\system32\drivers\beep.sys
2007/14/03 05:00a 40432 --a------ C:\WINNT\system32\drivers\ndproxy.sys
2007/14/03 05:00a 37552 --a------ C:\WINNT\system32\drivers\nmnt.sys
2007/14/03 05:00a 37040 --a------ C:\WINNT\system32\drivers\npfs.sys
2007/14/03 05:00a 369104 --a------ C:\WINNT\system32\drivers\dmboot.sys
2007/14/03 05:00a 35344 --a------ C:\WINNT\system32\drivers\nwlnkfwd.sys
2007/14/03 05:00a 35024 --a------ C:\WINNT\system32\drivers\rawwan.sys
2007/14/03 05:00a 34832 --a------ C:\WINNT\system32\drivers\classpnp.sys
2007/14/03 05:00a 34704 --a------ C:\WINNT\system32\drivers\msgpc.sys
2007/14/03 05:00a 34416 --a------ C:\WINNT\system32\drivers\ipfltdrv.sys
2007/14/03 05:00a 33616 --a------ C:\WINNT\system32\drivers\fips.sys
2007/14/03 05:00a 33456 --a------ C:\WINNT\system32\drivers\netbios.sys
2007/14/03 05:00a 331088 --a------ C:\WINNT\system32\drivers\atmuni.sys
2007/14/03 05:00a 32272 --a------ C:\WINNT\system32\drivers\wanarp.sys
2007/14/03 05:00a 30768 --a------ C:\WINNT\system32\drivers\disk.sys
2007/14/03 05:00a 29168 --a------ C:\WINNT\system32\drivers\modem.sys
2007/14/03 05:00a 2800 --a------ C:\WINNT\system32\drivers\null.sys
2007/14/03 05:00a 27984 --a------ C:\WINNT\system32\drivers\cdrom.sys
2007/14/03 05:00a 27440 --a------ C:\WINNT\system32\drivers\efs.sys
2007/14/03 05:00a 272496 --a------ C:\WINNT\system32\drivers\cinemst2.sys
2007/14/03 05:00a 26256 --a------ C:\WINNT\system32\drivers\fdc.sys
2007/14/03 05:00a 25104 --a------ C:\WINNT\system32\drivers\parport.sys
2007/14/03 05:00a 24752 --a------ C:\WINNT\system32\drivers\hidclass.sys
2007/14/03 05:00a 24528 --a------ C:\WINNT\system32\drivers\kbdclass.sys
2007/14/03 05:00a 23888 --a------ C:\WINNT\system32\drivers\usbcamd.sys
2007/14/03 05:00a 23056 --a------ C:\WINNT\system32\drivers\hidparse.sys
2007/14/03 05:00a 22064 --a------ C:\WINNT\system32\drivers\sonydcam.sys
2007/14/03 05:00a 22000 --a------ C:\WINNT\system32\drivers\tsbvcap.sys
2007/14/03 05:00a 21776 --a------ C:\WINNT\system32\drivers\mouclass.sys
2007/14/03 05:00a 21712 --a------ C:\WINNT\system32\drivers\rca.sys
2007/14/03 05:00a 21328 --a------ C:\WINNT\system32\drivers\msfs.sys
2007/14/03 05:00a 20208 --a------ C:\WINNT\system32\drivers\msircomm.sys
2007/14/03 05:00a 19984 --a------ C:\WINNT\system32\drivers\ipinip.sys
2007/14/03 05:00a 19952 --a------ C:\WINNT\system32\drivers\irsir.sys
2007/14/03 05:00a 19920 --a------ C:\WINNT\system32\drivers\rasirda.sys
2007/14/03 05:00a 19312 --a------ C:\WINNT\system32\drivers\flpydisk.sys
2007/14/03 05:00a 19088 --a------ C:\WINNT\system32\drivers\cdaudio.sys
2007/14/03 05:00a 17840 --a------ C:\WINNT\system32\drivers\asyncmac.sys
2007/14/03 05:00a 17680 --a------ C:\WINNT\system32\drivers\ptilink.sys
2007/14/03 05:00a 17424 --a------ C:\WINNT\system32\drivers\lvsound.sys
2007/14/03 05:00a 173232 --a------ C:\WINNT\system32\drivers\update.sys
2007/14/03 05:00a 170928 --a------ C:\WINNT\system32\drivers\ndis.sys
2007/14/03 05:00a 16880 --a------ C:\WINNT\system32\drivers\raspti.sys
2007/14/03 05:00a 163120 --a------ C:\WINNT\system32\drivers\acpi.sys
2007/14/03 05:00a 16240 --a------ C:\WINNT\system32\drivers\tdi.sys
2007/14/03 05:00a 15120 --a------ C:\WINNT\system32\drivers\usbintel.sys
2007/14/03 05:00a 148400 --a------ C:\WINNT\system32\drivers\sfmatalk.sys
2007/14/03 05:00a 14832 --a------ C:\WINNT\system32\drivers\smclib.sys
2007/14/03 05:00a 14288 --a------ C:\WINNT\system32\drivers\diskdump.sys
2007/14/03 05:00a 14160 --a------ C:\WINNT\system32\drivers\serenum.sys
2007/14/03 05:00a 13968 --a------ C:\WINNT\system32\drivers\vga.sys
2007/14/03 05:00a 137936 --a------ C:\WINNT\system32\drivers\dmio.sys
2007/14/03 05:00a 12880 --a------ C:\WINNT\system32\drivers\class2.sys
2007/14/03 05:00a 12560 --a------ C:\WINNT\system32\drivers\nwlnkflt.sys
2007/14/03 05:00a 12368 --a------ C:\WINNT\system32\drivers\fsvga.sys
2007/14/03 05:00a 12016 --a------ C:\WINNT\system32\drivers\ws2ifsl.sys
2007/14/03 05:00a 11984 --a------ C:\WINNT\system32\drivers\ndisuio.sys
2007/14/03 05:00a 11792 --a------ C:\WINNT\system32\drivers\partmgr.sys
2007/14/03 05:00a 11536 --a------ C:\WINNT\system32\drivers\acpiec.sys
2007/14/03 05:00a 109584 --a------ C:\WINNT\system32\drivers\pcmcia.sys
2007/14/03 05:00a 10928 --a------ C:\WINNT\system32\drivers\tape.sys
2007/14/03 05:00a 105840 --a------ C:\WINNT\system32\drivers\streams.sys
2007/14/03 05:00a 10384 --a------ C:\WINNT\system32\drivers\sfloppy.sys
2007/14/03 05:00a 10288 --a------ C:\WINNT\system32\drivers\irenum.sys
2007/14/03 05:00a 102160 --a------ C:\WINNT\system32\drivers\nbf.sys
2007/14/03 05:00a 10064 --a------ C:\WINNT\system32\drivers\dxapi.sys
2007/09/04 05:27a 48512 --a------ C:\WINNT\system32\drivers\stream.sys
2007/09/04 03:58a 83968 --a------ C:\WINNT\system32\drivers\nabtsfec.sys
2007/09/04 03:58a 56832 --a------ C:\WINNT\system32\drivers\msdv.sys
2007/09/04 03:58a 18688 --a------ C:\WINNT\system32\drivers\wstcodec.sys
2007/09/04 03:58a 16384 --a------ C:\WINNT\system32\drivers\ccdecode.sys
2007/09/04 03:58a 15104 --a------ C:\WINNT\system32\drivers\mpe.sys
2007/09/04 03:58a 14976 --a------ C:\WINNT\system32\drivers\streamip.sys
2007/09/04 03:58a 11392 --a------ C:\WINNT\system32\drivers\bdasup.sys
2007/09/04 03:58a 10880 --a------ C:\WINNT\system32\drivers\slip.sys
2007/09/04 03:58a 10112 --a------ C:\WINNT\system32\drivers\ndisip.sys
2006/19/03 05:05a 4624 --a------ C:\WINNT\system32\drivers\intelide.sys
2006/19/03 05:05a 35344 --a------ C:\WINNT\system32\drivers\redbook.sys
2006/19/03 01:05p 86672 --a------ C:\WINNT\system32\drivers\atapi.sys
2006/19/03 01:05p 73872 --a------ C:\WINNT\system32\drivers\wdmaud.sys
2006/19/03 01:05p 59312 --a------ C:\WINNT\system32\drivers\pci.sys
2006/19/03 01:05p 53552 --a------ C:\WINNT\system32\drivers\swmidi.sys
2006/19/03 01:05p 49776 --a------ C:\WINNT\system32\drivers\usbhub20.sys
2006/19/03 01:05p 47568 --a------ C:\WINNT\system32\drivers\sysaudio.sys
2006/19/03 01:05p 46992 --a------ C:\WINNT\system32\drivers\isapnp.sys
2006/19/03 01:05p 40176 --a------ C:\WINNT\system32\drivers\usbhub.sys
2006/19/03 01:05p 32848 --a------ C:\WINNT\system32\drivers\uhcd.sys
2006/19/03 01:05p 3088 --a------ C:\WINNT\system32\drivers\pciide.sys
2006/19/03 01:05p 22064 --a------ C:\WINNT\system32\drivers\pciidex.sys
2006/19/03 01:05p 21872 --a------ C:\WINNT\system32\drivers\usbprint.sys
2006/19/03 01:05p 21008 --a------ C:\WINNT\system32\drivers\AGP440.SYS
2006/19/03 01:05p 20688 --a------ C:\WINNT\system32\drivers\usbd.sys
2006/19/03 01:05p 19728 --a------ C:\WINNT\system32\drivers\usbehci.sys
2006/19/03 01:05p 148304 --a------ C:\WINNT\system32\drivers\kmixer.sys
2006/19/03 01:05p 148208 --a------ C:\WINNT\system32\drivers\portcls.sys
2006/19/03 01:05p 138288 --a------ C:\WINNT\system32\drivers\usbport.sys
2006/09/06 11:58p 1373120 --a------ C:\WINNT\system32\drivers\cmuda.sys
2005/31/06 12:14a 415536 --a------ C:\WINNT\system32\drivers\mrxsmb.sys
2005/10/05 02:20a 513424 --a------ C:\WINNT\system32\drivers\ntfs.sys
2004/25/06 06:38a 320336 --a------ C:\WINNT\system32\drivers\tcpip.sys
2004/21/05 01:03a 127568 --a------ C:\WINNT\system32\drivers\AFD.SYS
2004/21/03 12:19p 80848 --a------ C:\WINNT\system32\drivers\ipsec.sys
2004/13/04 08:20p 15781 -ra------ C:\WINNT\system32\drivers\mdc8021x.sys
2004/09/99 04:17p 21840 --a------ C:\WINNT\system32\drivers\cxlpt.sys
2004/08/05 04:51a 63248 --a------ C:\WINNT\system32\drivers\cdfs.sys
2004/08/05 04:51a 175632 --a------ C:\WINNT\system32\drivers\netbt.sys
2003/25/05 12:04a 2314560 --a------ C:\WINNT\system32\drivers\ALCXWDM.SYS
2003/16/04 07:53p 72024 --a------ C:\WINNT\system32\drivers\toywdm.sys
2002/24/07 08:39p 639224 --a------ C:\WINNT\system32\drivers\sptd.sys
2002/22/06 10:50a 70656 --a------ C:\WINNT\system32\drivers\PAVDRV50.SYS

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{10B3AF35-3C87-3F5C-A74D-66E34B95F999} C:\WINNT\system32\qatbnspe.dll [x]
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINNT\system32\exwjbbup.dll [x]
{18061373-868D-DA8C-A7BD-03D34C1693CC} C:\WINNT\system32\xgyyxlf.dll
{1A57388A-E9D4-A0C2-992C-054C68EAD915} C:\WINNT\system32\wivppec.dll
{28780D21-58B8-B880-F730-017173EB4D37} C:\WINNT\system32\pkjuoqn.dll
{3CBE951E-539D-4C53-B669-DD0A192B7A0B} C:\WINNT\system32\pmkhi.dll [x]
{3F7A881B-3770-4142-80AA-FB9F14C0C791} C:\WINNT\system32\ddcca.dll [x]
{4DD1BA92-B6FF-A3A8-2F71-03C659DB3B9F} C:\WINNT\system32\zlvkybb.dll
{715067CF-DCCC-414F-AF76-AB13256D2301} C:\WINNT\system32\oxtghdjm.dll [x]
{7E5E1EF1-1725-4EE3-98BF-32C832F05C40} C:\WINNT\system32\oxtghdjm.dll [x]
{B670073F-6174-488C-B5B5-3A471C6240E8} C:\WINNT\system32\rqrrron.dll [x]
{C004AE5B-F2FF-4DD3-9EE5-93924C5978D9} C:\WINNT\system32\mlljh.dll [x]
{D50F2A23-6FE1-4EB1-86EB-0C14BFB13C1F} C:\WINNT\system32\awvtr.dll [x]

Ozerium · Apr 22, 2007

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"Synchronization Manager"="mobsync.exe /logon"
"msvb32"="C:\\WINNT\\system32\\msvb.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"Outpost Firewall"="F:\\PROGRA~1\\Agnitum\\OUTPOS~1.0\\outpost.exe /waitservice"
"OutpostFeedBack"="F:\\PROGRA~1\\Agnitum\\OUTPOS~1.0\\feedback.exe /dump

s_startup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msvb32"="C:\\WINNT\\system32\\msvb.exe"
"SpybotSD TeaTimer"="F:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/Documents%20and%20Settings/Administrator/Desktop/disco_ball_lg_nwm.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/disco_ball_lg_nwm.gif

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B670073F-6174-488C-B5B5-3A471C6240E8}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjjif
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljh

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="F:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msvb32"="C:\\WINNT\\system32\\msvb.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"msvb32"="C:\\WINNT\\system32\\msvb.exe"
"{3070289F-0A65-1033-0203-051111040001}"="\"C:\\Program Files\\Common Files\\{3070289F-0A65-1033-0203-051111040001}\\Update.exe\" mc-110-12-0000272"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="APVXDWIN"
"hkey"="HKLM"
"command"="\"f:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvb32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msvb"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\msvb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pccguide"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PRISMSVR"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\system32\\PRISMSVR.EXE\" /APPLY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mobsync"
"hkey"="HKLM"
"command"="mobsync.exe /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xcplipc.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xcplipc"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\rundll32.exe C:\\WINNT\\system32\\xcplipc.dll,lnxbnyf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=dword:00000002
"dmadmin"=dword:00000003
"PSIMSVC"=dword:00000002
"PAVSRV"=dword:00000002
"IDriverT"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Disk Cleanup.job
C:\WINNT\tasks\Spybot - Search & Destroy - Scheduled Task.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 01:52:49
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Mon 04/23/2007 1:52:50
C:\ComboFix-quarantined-files.txt ... 04/23/07 01:52a

It was to long i had to cut it in half

Ozerium · Apr 22, 2007

And HJT,

Logfile of HijackThis v1.99.1
Scan saved at 2:02:01 AM, on 4/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\vwsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10B3AF35-3C87-3F5C-A74D-66E34B95F999} - C:\WINNT\system32\qatbnspe.dll (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\exwjbbup.dll (file missing)
O2 - BHO: (no name) - {18061373-868D-DA8C-A7BD-03D34C1693CC} - C:\WINNT\system32\xgyyxlf.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - (no file)
O2 - BHO: (no name) - {1A57388A-E9D4-A0C2-992C-054C68EAD915} - C:\WINNT\system32\wivppec.dll
O2 - BHO: (no name) - {28780D21-58B8-B880-F730-017173EB4D37} - C:\WINNT\system32\pkjuoqn.dll
O2 - BHO: (no name) - {3CBE951E-539D-4C53-B669-DD0A192B7A0B} - C:\WINNT\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {3F7A881B-3770-4142-80AA-FB9F14C0C791} - C:\WINNT\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {4DD1BA92-B6FF-A3A8-2F71-03C659DB3B9F} - C:\WINNT\system32\zlvkybb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {6F427AEF-8D6F-41DF-895C-BC38E346A96B} - (no file)
O2 - BHO: (no name) - {715067CF-DCCC-414F-AF76-AB13256D2301} - C:\WINNT\system32\oxtghdjm.dll (file missing)
O2 - BHO: (no name) - {7616C79C-D148-4CC8-8337-F1FD656B1481} - (no file)
O2 - BHO: (no name) - {7E5E1EF1-1725-4EE3-98BF-32C832F05C40} - C:\WINNT\system32\oxtghdjm.dll (file missing)
O2 - BHO: (no name) - {84215CC8-A7F1-4CCC-A148-B9381C18781C} - (no file)
O2 - BHO: (no name) - {8F8C42A4-4B4B-4AD2-96D2-906456752D21} - (no file)
O2 - BHO: (no name) - {B06930FE-CD1A-457F-892A-E439ED5219FE} - (no file)
O2 - BHO: (no name) - {B670073F-6174-488C-B5B5-3A471C6240E8} - C:\WINNT\system32\rqrrron.dll (file missing)
O2 - BHO: (no name) - {C004AE5B-F2FF-4DD3-9EE5-93924C5978D9} - C:\WINNT\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {D50F2A23-6FE1-4EB1-86EB-0C14BFB13C1F} - C:\WINNT\system32\awvtr.dll (file missing)
O2 - BHO: (no name) - {E9326449-7E34-4FDE-A203-CB69DDC4FAE2} - (no file)
O2 - BHO: (no name) - {FC1DAF89-B65E-400A-87E1-990B9262FF3E} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Outpost Firewall] F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] F:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump

s_startup
O4 - HKCU\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{767E957E-6BEB-49CE-88AB-090C116104E1}: NameServer = 85.255.115.35,85.255.112.73
O20 - AppInit_DLLs: F:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: ddcca - C:\WINNT\
O20 - Winlogon Notify: mljjjif - mljjjif.dll (file missing)
O20 - Winlogon Notify: mlljh - C:\WINNT\
O20 - Winlogon Notify: rqrrron - C:\WINNT\
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: vwservice - Unknown owner - C:\WINNT\system32\vwsrv.exe

And Vundofix

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:00:32 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\bvyuoqtw.dll
C:\WINNT\system32\glbagjom.dll
C:\WINNT\system32\gountcxv.dll
C:\WINNT\system32\hjllm.bak1
C:\WINNT\system32\hjllm.bak2
C:\WINNT\system32\hjllm.ini
C:\WINNT\system32\hswattlv.dll
C:\WINNT\system32\ilbmdldm.dll
C:\WINNT\system32\jxrjnvrw.dll
C:\WINNT\system32\larxghlf.dll
C:\WINNT\system32\ljxrgelu.dll
C:\WINNT\system32\mbfsyllh.dll
C:\WINNT\system32\mljjjif.dll
C:\WINNT\system32\mljkhhf.dll
C:\WINNT\system32\mlljh.dll
C:\WINNT\system32\niklyrav.dll
C:\WINNT\system32\qniepniq.dll
C:\WINNT\system32\qwriadcq.dll
C:\WINNT\system32\scexlyjl.dll
C:\WINNT\system32\wyksunla.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\bvyuoqtw.dll
C:\WINNT\system32\bvyuoqtw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\glbagjom.dll
C:\WINNT\system32\glbagjom.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gountcxv.dll
C:\WINNT\system32\gountcxv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.bak1
C:\WINNT\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.bak2
C:\WINNT\system32\hjllm.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\hjllm.ini
C:\WINNT\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ilbmdldm.dll
C:\WINNT\system32\ilbmdldm.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jxrjnvrw.dll
C:\WINNT\system32\jxrjnvrw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\larxghlf.dll
C:\WINNT\system32\larxghlf.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ljxrgelu.dll
C:\WINNT\system32\ljxrgelu.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mbfsyllh.dll
C:\WINNT\system32\mbfsyllh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mljkhhf.dll
C:\WINNT\system32\mljkhhf.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mlljh.dll
C:\WINNT\system32\mlljh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\niklyrav.dll
C:\WINNT\system32\niklyrav.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qniepniq.dll
C:\WINNT\system32\qniepniq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qwriadcq.dll
C:\WINNT\system32\qwriadcq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\scexlyjl.dll
C:\WINNT\system32\scexlyjl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wyksunla.dll
C:\WINNT\system32\wyksunla.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:12:05 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\awvtr.dll
C:\WINNT\system32\rtvwa.bak1
C:\WINNT\system32\rtvwa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\awvtr.dll
C:\WINNT\system32\awvtr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rtvwa.bak1
C:\WINNT\system32\rtvwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\rtvwa.ini
C:\WINNT\system32\rtvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:22:57 PM 4/18/2007

Listing files found while scanning....

C:\WINNT\system32\cxpqwksl.dll
C:\WINNT\system32\igawnkxj.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\WINNT\system32\cxpqwksl.dll
C:\WINNT\system32\cxpqwksl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\igawnkxj.dll
C:\WINNT\system32\igawnkxj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:39:24 PM 4/18/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 10:06:17 PM 4/18/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:20:34 PM 4/19/2007

Listing files found while scanning....

C:\WINNT\system32\accdd.bak1
C:\WINNT\system32\accdd.bak2
C:\WINNT\system32\accdd.ini
C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\hmdushhp.dll
C:\WINNT\system32\jujmlnoe.dll
C:\WINNT\system32\ohavugkr.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\accdd.bak1
C:\WINNT\system32\accdd.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\accdd.bak2
C:\WINNT\system32\accdd.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\accdd.ini
C:\WINNT\system32\accdd.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\ddcca.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\hmdushhp.dll
C:\WINNT\system32\hmdushhp.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jujmlnoe.dll
C:\WINNT\system32\jujmlnoe.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ohavugkr.dll
C:\WINNT\system32\ohavugkr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\accdd.ini
C:\WINNT\system32\accdd.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\ddcca.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:43:24 PM 4/19/2007

Listing files found while scanning....

C:\WINNT\system32\accdd.ini
C:\WINNT\system32\ddcca.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\accdd.ini
C:\WINNT\system32\accdd.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ddcca.dll
C:\WINNT\system32\ddcca.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:56:11 PM 4/19/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 1:14:58 PM 4/20/2007

Listing files found while scanning....

C:\WINNT\system32\ihkmp.bak1
C:\WINNT\system32\ihkmp.ini
C:\WINNT\system32\jcbqhvku.dll
C:\WINNT\system32\pmkhi.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\ihkmp.bak1
C:\WINNT\system32\ihkmp.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\ihkmp.ini
C:\WINNT\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jcbqhvku.dll
C:\WINNT\system32\jcbqhvku.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmkhi.dll
C:\WINNT\system32\pmkhi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 1:35:42 AM 4/23/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

Attempting to delete C:\WINNT\SYSTEM32\rqrrron.dll
C:\WINNT\SYSTEM32\rqrrron.dll Has been deleted!

Performing Repairs to the registry.
Done!

Mr_JAk3 · Apr 22, 2007

Hi again, we'll continue

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.

Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

vwsrv.exe

Disable the bad service

Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to vwservice
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.

Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; vwservice
Answer Yes
Close HIjackThis

Backup your registry:

Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B670073F-6174-488C-B5B5-3A471C6240E8}"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msvb32"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"msvb32"=-
"{3070289F-0A65-1033-0203-051111040001}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvb32]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xcplipc.dll]

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 too if you haven't locked Internet Explorer settings on purpose.

O2 - BHO: (no name) - {10B3AF35-3C87-3F5C-A74D-66E34B95F999} - C:\WINNT\system32\qatbnspe.dll (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\exwjbbup.dll (file missing)
O2 - BHO: (no name) - {18061373-868D-DA8C-A7BD-03D34C1693CC} - C:\WINNT\system32\xgyyxlf.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - (no file)
O2 - BHO: (no name) - {1A57388A-E9D4-A0C2-992C-054C68EAD915} - C:\WINNT\system32\wivppec.dll
O2 - BHO: (no name) - {28780D21-58B8-B880-F730-017173EB4D37} - C:\WINNT\system32\pkjuoqn.dll
O2 - BHO: (no name) - {3CBE951E-539D-4C53-B669-DD0A192B7A0B} - C:\WINNT\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {3F7A881B-3770-4142-80AA-FB9F14C0C791} - C:\WINNT\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {4DD1BA92-B6FF-A3A8-2F71-03C659DB3B9F} - C:\WINNT\system32\zlvkybb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {6F427AEF-8D6F-41DF-895C-BC38E346A96B} - (no file)
O2 - BHO: (no name) - {715067CF-DCCC-414F-AF76-AB13256D2301} - C:\WINNT\system32\oxtghdjm.dll (file missing)
O2 - BHO: (no name) - {7616C79C-D148-4CC8-8337-F1FD656B1481} - (no file)
O2 - BHO: (no name) - {7E5E1EF1-1725-4EE3-98BF-32C832F05C40} - C:\WINNT\system32\oxtghdjm.dll (file missing)
O2 - BHO: (no name) - {84215CC8-A7F1-4CCC-A148-B9381C18781C} - (no file)
O2 - BHO: (no name) - {8F8C42A4-4B4B-4AD2-96D2-906456752D21} - (no file)
O2 - BHO: (no name) - {B06930FE-CD1A-457F-892A-E439ED5219FE} - (no file)
O2 - BHO: (no name) - {B670073F-6174-488C-B5B5-3A471C6240E8} - C:\WINNT\system32\rqrrron.dll (file missing)
O2 - BHO: (no name) - {C004AE5B-F2FF-4DD3-9EE5-93924C5978D9} - C:\WINNT\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {D50F2A23-6FE1-4EB1-86EB-0C14BFB13C1F} - C:\WINNT\system32\awvtr.dll (file missing)
O2 - BHO: (no name) - {E9326449-7E34-4FDE-A203-CB69DDC4FAE2} - (no file)
O2 - BHO: (no name) - {FC1DAF89-B65E-400A-87E1-990B9262FF3E} - (no file)
O4 - HKLM\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O4 - HKCU\..\Run: [msvb32] C:\WINNT\system32\msvb.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{767E957E-6BEB-49CE-88AB-090C116104E1}: NameServer = 85.255.115.35,85.255.112.73
O20 - Winlogon Notify: ddcca - C:\WINNT\
O20 - Winlogon Notify: mljjjif - mljjjif.dll (file missing)
O20 - Winlogon Notify: mlljh - C:\WINNT\
O20 - Winlogon Notify: rqrrron - C:\WINNT\
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Restart your computer to the safe mode:

Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINNT\system32\vwsrv.exe
C:\WINNT\system32\pkjuoqn.dll
C:\WINNT\system32\xgyyxlf.dll
C:\WINNT\system32\wivppec.dll
C:\WINNT\system32\zlvkybb.dll
C:\WINNT\system32\msvb.exe
C:\WINNT\system32\xcplipc.dll

Run ATF Cleaner

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

Ozerium · Apr 24, 2007

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:34:03 PM 4/25/2007

+ Scan result:

F:\SDFix\backups_old1\win1489.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winDED.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE3C.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE8A.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF25.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF50.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF77.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winFAA.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winFF7.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\win148B.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winDEF.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE3E.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE8C.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF27.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF52.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF79.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winFAC.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winFF9.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\v7.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINNT\system32\v7.exe.vir -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winDE1.tmp.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE29.tmp.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE7A.tmp.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF19.tmp.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF9F.tmp.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winFEB.tmp.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINNT\svchost.exe.vir -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\win1487.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winDEA.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE39.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winE87.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF22.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF4E.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winF75.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winFA8.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\SDFix\backups_old1\winFF5.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\WINNT\system32\drvjib.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvmob.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvmom.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvsac.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvsuc.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvtak.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvtup.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvzop.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINNT\system32\drvzox.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINNT\system32\wapisvcc.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINNT\TWF0dGhldyBKYXJyZXR0\nqIXx315xV14srLVtrlX.vbs -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

And HJT

Logfile of HijackThis v1.99.1
Scan saved at 1:44:05 PM, on 4/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Outpost Firewall] F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] F:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump

s_startup
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: F:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - c:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

Mr_JAk3 · Apr 26, 2007

Hello

Looks much better now. How is the computer running?
Is Panda Antivirus running ok?

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

:bigthumb:

Ozerium · Apr 26, 2007

My computer is running much better, thanks.

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-27 11:27:22
Windows 5.0.2195 Service Pack 4

---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \??\c:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\F:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS ZwTerminateProcess
SSDT \??\F:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINNT\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload BF9C19FA 5 Bytes JMP 81F9F1B8

---- User code sections - GMER 1.0.12 ----

.text F:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe[636] SHELL32.dll!ShellExecuteExW 7CF5205D 5 Bytes JMP 016C4D10 F:\PROGRA~1\Agnitum\OUTPOS~1.0\engine.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 820B41D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 820B41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 820B71D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 820B71D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 820B71D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 820B71D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 820B71D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CREATE 81F9E1D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CLOSE 81F9E1D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_DEVICE_CONTROL 81F9E1D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F9E1D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_POWER 81F9E1D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_SYSTEM_CONTROL 81F9E1D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_PNP 81F9E1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 820631D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 820631D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81F89918

Ozerium · Apr 26, 2007

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81F89918
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 81F89918
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 81F89918
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 IRP_MJ_CREATE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 IRP_MJ_CLOSE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 IRP_MJ_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 IRP_MJ_POWER 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 IRP_MJ_SYSTEM_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 IRP_MJ_PNP 820B61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 820B61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 820B61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 820B61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 820B61D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 820B61D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 820B61D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 820B61D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-a IRP_MJ_CREATE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-a IRP_MJ_CLOSE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-a IRP_MJ_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-a IRP_MJ_INTERNAL_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-a IRP_MJ_POWER 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-a IRP_MJ_SYSTEM_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-a IRP_MJ_PNP 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1c IRP_MJ_CREATE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1c IRP_MJ_CLOSE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1c IRP_MJ_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1c IRP_MJ_INTERNAL_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1c IRP_MJ_POWER 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1c IRP_MJ_SYSTEM_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1c IRP_MJ_PNP 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-14 IRP_MJ_CREATE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-14 IRP_MJ_CLOSE 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-14 IRP_MJ_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-14 IRP_MJ_INTERNAL_DEVICE_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-14 IRP_MJ_POWER 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-14 IRP_MJ_SYSTEM_CONTROL 820B61D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-14 IRP_MJ_PNP 820B61D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 81CC3838
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 81CC3838
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 81CC3838
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_SYSTEM_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 81CC3838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 81CC3838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 81CC3838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 81CC3838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_SYSTEM_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 81CC3838
Device \Driver\NetBT \Device\NetBT_Tcpip_{A9B5F642-F112-4FEF-B162-AC19EFEFE1AB} IRP_MJ_CREATE 81CC3838
Device \Driver\NetBT \Device\NetBT_Tcpip_{A9B5F642-F112-4FEF-B162-AC19EFEFE1AB} IRP_MJ_CLOSE 81CC3838
Device \Driver\NetBT \Device\NetBT_Tcpip_{A9B5F642-F112-4FEF-B162-AC19EFEFE1AB} IRP_MJ_DEVICE_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetBT_Tcpip_{A9B5F642-F112-4FEF-B162-AC19EFEFE1AB} IRP_MJ_INTERNAL_DEVICE_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetBT_Tcpip_{A9B5F642-F112-4FEF-B162-AC19EFEFE1AB} IRP_MJ_CLEANUP 81CC3838
Device \Driver\NetBT \Device\NetBT_Tcpip_{A9B5F642-F112-4FEF-B162-AC19EFEFE1AB} IRP_MJ_SYSTEM_CONTROL 81CC3838
Device \Driver\NetBT \Device\NetBT_Tcpip_{A9B5F642-F112-4FEF-B162-AC19EFEFE1AB} IRP_MJ_PNP 81CC3838
Device \Driver\usbehci \Device\USBFDO-0 IRP_MJ_CREATE 81F9E1D8
Device \Driver\usbehci \Device\USBFDO-0 IRP_MJ_CLOSE 81F9E1D8
Device \Driver\usbehci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 81F9E1D8
Device \Driver\usbehci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F9E1D8
Device \Driver\usbehci \Device\USBFDO-0 IRP_MJ_POWER 81F9E1D8
Device \Driver\usbehci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 81F9E1D8
Device \Driver\usbehci \Device\USBFDO-0 IRP_MJ_PNP 81F9E1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL

Ozerium · Apr 26, 2007

81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 81C7F798
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 81C7F798
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 820631D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 820631D8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 81A835F8
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 81A835F8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 81C581D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 81C581D8

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-1390067357-57989841-839522115-500\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xC2 0xAA 0x08 0x2F ...
Reg \Registry\USER\S-1-5-21-1390067357-57989841-839522115-500\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xE5 0x9D 0xCF 0x59 ...

---- EOF - GMER 1.0.12 ----

Sorry about the it being in pieces, i hope you can still read it:lip:

Mr_JAk3 · Apr 27, 2007

Ok looking good now

Delete this folder if found:
C:\WINNT\TWF0dGhldyBKYXJyZXR0

You should do a repair installation to Panda antivirus.

Now you can clean AVG's Quarantine:

Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program

You can remove the tools we used.

Now you can make your hidden files hidden again.

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

Use ATF Cleaner
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file
This prevents your computer from connecting to harmful sites.
Use Firefox browser
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date
Visit Windows Update regularly. How to enable Automatic Updates?
Keep your antivirus and firewall up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein
So how did I get infected in the first place?
Stand Up and Be Counted !
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe

Ozerium · Apr 28, 2007

Well thank you for all your help, Farwell and i hope i never need to come back.

thanks again and god bless

Mr_JAk3 · Apr 29, 2007

You're very welcome

:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb:

Pop-ups and reg-keys

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

New member

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

New member

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus