Random pop-ups. Any help greatly appreciated!

Status
Not open for further replies.
J

JL1985

New member
I get random pop-ups every couple of minutes or so. This has been going on for the past few days and I'm not sure what to do. If anyone has any advice on how to fix this I would be very thankful!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:01 PM, on 9/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Owner\MYDOCU~1\PPPATC~1\msconfig.exe
C:\Documents and Settings\Owner\Application Data\?racle\l?ass.exe
C:\Program Files\VnrBlock\VnrBlock21.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BM33ee24e9] Rundll32.exe "C:\WINDOWS\System32\jlabiocl.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\PPPATC~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Onxcek] "C:\Documents and Settings\Owner\Application Data\?racle\l?ass.exe"
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: RtlWake.lnk = C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220073932656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222049814656
O20 - AppInit_DLLs: zazlzh.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

You have several infections including Vundo, let's see what combofix can do with it.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
 
Thank you for your help!

Here are the logs:

ComboFix 08-09-30.03 - Owner 2008-09-30 19:21:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.456 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix3.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\nsv
C:\Documents and Settings\All Users\Application Data\nsv\cache\538.dfn
C:\Documents and Settings\All Users\Application Data\nsv\cache\545.dfn
C:\Documents and Settings\All Users\Application Data\nsv\keys.dat
C:\Documents and Settings\All Users\Application Data\nsv\wmv0104.dbd
C:\Documents and Settings\All Users\Application Data\nsv\wmv0106.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0204.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0315.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0412.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0504.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0904.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1125.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1204.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1215.dbd
C:\Documents and Settings\All Users\Application Data\nsv\wmv1909.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1920.dbd
C:\Documents and Settings\All Users\Application Data\nsv\wmv2007.dbd
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\Owner\Application Data\RACLE~1
C:\Documents and Settings\Owner\Application Data\RACLE~1\l?ass.exe
C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\Owner\My Documents\CURITY~1
C:\Documents and Settings\Owner\My Documents\PPPATC~1
C:\Documents and Settings\Owner\My Documents\PPPATC~1\?ppPatch\
C:\Documents and Settings\Owner\My Documents\PPPATC~1\msconfig.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\lswmv.ini
C:\Program Files\Common Files\uninstall information
C:\Program Files\Common Files\uninstall information\RemoveDisplayUtility.exe
C:\Program Files\Common Files\Yazzle1554OinAdmin.exe
C:\Program Files\Common Files\Yazzle1554OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\VnrBlock
C:\Program Files\VnrBlock\VnrBlock21.exe
C:\Program Files\VnrBlock\xoffdic.gz
C:\Program Files\VnrBlock\xtarga.gz
C:\WINDOWS\BM33ee24e9.txt
C:\WINDOWS\BM33ee24e9.xml
C:\WINDOWS\faceback.exe
C:\WINDOWS\jestertb.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\cbXpnNef.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Ssk.log
C:\WINDOWS\system32\dfadyntb.ini
C:\WINDOWS\system32\ffxgbdni.ini
C:\WINDOWS\system32\geBrpoPi.dll
C:\WINDOWS\system32\jkkJbxuR.dll
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\nsvsvc\License.txt
C:\WINDOWS\system32\nsvsvc\nsv.ocx
C:\WINDOWS\system32\nsvsvc\nsvs.dll
C:\WINDOWS\system32\sAIknqss.ini
C:\WINDOWS\system32\sAIknqss.ini2
C:\WINDOWS\System32\ssqnkIAs.dll
C:\WINDOWS\system32\urqOIbAq.dll
C:\WINDOWS\system32\usttrbyj.ini
C:\WINDOWS\system32\vidctrl
C:\WINDOWS\system32\vtmijapb.ini
C:\WINDOWS\system32\wiwd.dll
C:\WINDOWS\system32\wnstssv.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-30 19:08 . 2008-09-30 19:08 67,072 --a------ C:\WINDOWS\system32\jybrttsu.dll
2008-09-30 19:05 . 2008-09-30 19:05 123,904 --a------ C:\WINDOWS\system32\twwweh.dll
2008-09-30 19:05 . 2008-09-30 19:05 123,904 --a------ C:\WINDOWS\system32\ouhngafv.dll
2008-09-30 19:03 . 2008-09-30 19:03 101,888 --a------ C:\WINDOWS\system32\atdgsigj.dll
2008-09-29 19:00 . 2008-09-29 19:01 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-O0KWKW9JWC
2008-09-29 18:49 . 2008-09-29 18:49 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-09-29 02:11 . 2008-09-29 02:11 71,168 --a------ C:\WINDOWS\system32\btnydafd.dll
2008-09-29 02:09 . 2008-09-29 02:09 128,000 --a------ C:\WINDOWS\system32\zazlzh.dll
2008-09-29 02:09 . 2008-09-29 02:09 128,000 --a------ C:\WINDOWS\system32\iwjgxeep.dll
2008-09-29 02:09 . 2008-09-29 02:09 105,984 --a------ C:\WINDOWS\system32\jlabiocl.dll
2008-09-28 00:05 . 2008-09-28 00:05 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-27 21:20 . 2008-09-27 21:20 <DIR> d-------- C:\WINDOWS\5DF3D1BB894E4DCD8275159AC9829B43.TMP
2008-09-27 17:06 . 2008-09-27 17:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-27 16:59 . 2008-09-27 16:59 128,000 --a------ C:\WINDOWS\system32\svmscwmt.dll
2008-09-27 16:59 . 2008-09-27 16:59 128,000 --a------ C:\WINDOWS\system32\riuumk.dll
2008-09-27 16:59 . 2008-09-27 16:59 105,984 --a------ C:\WINDOWS\system32\sgflsxsi.dll
2008-09-23 20:47 . 2004-08-20 15:50 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-23 19:28 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-09-23 19:28 . 2002-08-29 02:01 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-09-23 19:28 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-09-23 19:28 . 2002-08-29 01:32 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-09-22 00:02 . 2005-10-20 18:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-09-21 22:21 . 2004-07-01 18:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-09-21 22:21 . 2004-07-01 18:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-21 22:21 . 2004-07-01 18:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-09-21 22:21 . 2004-07-01 18:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-21 22:21 . 2004-07-01 18:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-09-21 22:21 . 2004-07-01 18:08 7,680 --a--c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-09-21 22:21 . 2004-07-01 18:08 7,168 --a--c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-09-21 22:19 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-21 22:19 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-21 22:03 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-14 11:52 . 2008-09-14 11:52 <DIR> d-------- C:\Program Files\Real Alternative
2008-08-30 15:53 . 2008-08-30 16:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-08-30 15:53 . 2007-03-07 19:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-08-30 15:53 . 2007-03-07 19:51 9,464 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-30 15:53 . 2007-03-07 19:51 9,336 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-27 23:38 . 2008-08-27 23:38 3,958 -rahs---- C:\WINDOWS\system32\drivers\HP_DK390A-ABA 526X_YC_Pavi_QMXK332_E33NAheBLU4_4_IP4G533LA_SASUSTeK Computer INC._VREV 1.xx_B3.16_T030805_WXH1_L409_M760_J60_7Intel_8Celeron_92.39_1_N10EC8139_P_Z_K_A808624C5_U808624C2_G80862562.MRK
2008-08-27 22:40 . 2006-06-19 11:22 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\OngameNetwork
2008-08-27 22:40 . 2006-01-22 16:58 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Incomplete
2008-08-27 22:40 . 2006-01-20 16:28 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\.limewire
2008-08-27 22:39 . 2002-08-29 02:06 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-08-27 22:39 . 2002-08-29 01:27 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2008-08-27 21:02 . 2006-06-19 11:22 <DIR> d-------- C:\Documents and Settings\Default User\OngameNetwork
2008-08-27 21:02 . 2006-01-22 16:58 <DIR> d-------- C:\Documents and Settings\Default User\Incomplete
2008-08-27 21:02 . 2006-01-20 16:28 <DIR> d-------- C:\Documents and Settings\Default User\.limewire
2008-08-27 20:53 . 2002-08-29 05:01 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-08-27 20:53 . 2001-08-17 16:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-08-27 20:53 . 2002-08-29 04:32 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-08-26 22:28 . 2008-08-26 22:28 115,712 --a------ C:\WINDOWS\system32\ychhyg.dll
2008-08-26 22:28 . 2008-08-26 22:28 115,712 --a------ C:\WINDOWS\system32\uwjystmw.dll
2008-08-26 22:26 . 2008-08-26 22:26 82,944 --a------ C:\WINDOWS\system32\bpajimtv.dll
2008-08-26 20:18 . 2008-08-26 20:18 312,832 --a------ C:\WINDOWS\system32\mlJYpOed.dll
2008-08-26 20:18 . 2008-08-26 22:54 35,431 --ahs---- C:\WINDOWS\system32\deOpYJlm.ini
2008-08-26 20:18 . 2008-08-26 22:52 33,212 --ahs---- C:\WINDOWS\system32\deOpYJlm.ini2
2008-08-26 19:22 . 2008-08-26 20:05 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-21 19:43 . 2008-08-21 19:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-21 19:43 . 2008-08-21 19:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 23:11 . 2008-08-13 23:12 <DIR> d-------- C:\Program Files\The Weather Channel FW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 01:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-28 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-28 01:18 --------- d-----w C:\Program Files\Symantec
2008-09-28 00:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\Winff
2008-09-08 01:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-31 20:56 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-31 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-31 20:47 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-30 19:55 --------- d-----w C:\Program Files\Winamp
2008-08-27 03:15 98,304 ----a-w C:\WINDOWS\DUMP50fe.tmp
2008-08-27 03:14 98,304 ----a-w C:\WINDOWS\DUMPb3ee.tmp
2008-08-27 03:12 98,304 ----a-w C:\WINDOWS\DUMPb277.tmp
2008-08-27 03:11 98,304 ----a-w C:\WINDOWS\DUMP736a.tmp
2008-08-19 03:53 --------- d-----w C:\Program Files\PeerGuardian2
2005-06-01 23:06 145,672,169 -c--a-w C:\Program Files\WC_GIS_400_back.exe
2004-07-19 19:11 67 -c--a-w C:\WINDOWS\system32\config\systemprofile\x.bat
2004-07-19 19:11 67 -c--a-w C:\Documents and Settings\Owner\x.bat
2004-07-19 19:11 67 -c--a-w C:\Documents and Settings\Default User\x.bat
2001-02-21 19:44 1,963,518 -c--a-w C:\Program Files\traktor.idf
2005-08-21 23:41 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-08-14 03:55 272,580 -csha-r C:\WINDOWS\system32\oe8o305.exe
2005-08-08 13:25 401,408 -csha-r C:\WINDOWS\system32\w?auboot.exe
2005-08-08 13:28 401,408 -csha-r C:\WINDOWS\system32\??chost.exe
.

------- Sigcheck -------

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fbb92d6a-8b55-405e-99ab-2b7ed7e8f10b}]
2008-09-30 19:05 123904 --a------ C:\WINDOWS\System32\twwweh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Onxcek"="C:\Documents and Settings\Owner\Application Data\?racle\l?ass.exe" [?]
"AIM"="C:\Program Files\AIM\aim.exe" [2003-08-01 61440]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2003-01-22 835584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2003-02-22 212992]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 7618560]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 81920]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2002-11-23 733184]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-06-01 86016]
"30dd1775"="C:\WINDOWS\System32\jybrttsu.dll" [2008-09-30 67072]
"BM33ee24e9"="C:\WINDOWS\System32\atdgsigj.dll" [2008-09-30 101888]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-28 113664]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 53248]
RtlWake.lnk - C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe [2008-08-28 774144]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=twwweh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 19:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2002-11-22 8849]
R3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;C:\WINDOWS\System32\DRIVERS\Bel6001.sys [2003-07-10 168448]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 13532]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{1FA4CD1C-04A9-572D-8A3F-2BC00A5387BC} - C:\WINDOWS\System32\wiwd.dll
BHO-{47C3E1DA-B843-499A-9A4B-00B238F0D642} - C:\WINDOWS\System32\ssqnkIAs.dll
HKCU-Run-Notn - C:\DOCUME~1\Owner\MYDOCU~1\PPPATC~1\msconfig.exe
HKCU-Run-VnrBlock21 - C:\Program Files\VnrBlock\VnrBlock21.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k2timvck.Default User\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint_03050024.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 19:45:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\BM33ee24e9.txt 1558 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Panicware\Pop-Up Stopper\DPHOOK32.DLL
-> C:\WINDOWS\PANICNT.dll
-> C:\WINDOWS\System32\jybrttsu.dll
-> C:\WINDOWS\System32\atdgsigj.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-09-30 20:07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 00:07:48

Pre-Run: 2,245,836,800 bytes free
Post-Run: 2,627,649,536 bytes free

290 --- E O F --- 2008-10-01 00:03:40



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:43 PM, on 9/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {b01f8e7d-e7b2-ba99-e504-55b8a6d29bbf} - {fbb92d6a-8b55-405e-99ab-2b7ed7e8f10b} - C:\WINDOWS\System32\twwweh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [30dd1775] rundll32.exe "C:\WINDOWS\System32\jybrttsu.dll",b
O4 - HKLM\..\Run: [BM33ee24e9] Rundll32.exe "C:\WINDOWS\System32\atdgsigj.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Onxcek] "C:\Documents and Settings\Owner\Application Data\?racle\l?ass.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: RtlWake.lnk = C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220073932656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222049814656
O20 - AppInit_DLLs: twwweh.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

--
End of file - 5435 bytes


Please let me know if there are any other things I have to do.
 
Thanks for returning your information, my first questions is why are you still running Service Pack One (1) when Service Pack three (3) is released and you cannot get critical updates without being updated to at least SP2? Do not attempt to update until we finish cleaning the computer but at that point you need to visit Windows Updates then download and install all critical updates for your system! If you have problems with Service Pack Three (3) you can get that free help: Microsoft Windows XP Service Pack 3 (All Languages)
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131

Please read and follow all directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\System32\twwweh.dll
C:\WINDOWS\System32\jybrttsu.dll
C:\WINDOWS\System32\atdgsigj.dll
C:\WINDOWS\system32\ouhngafv.dll
C:\WINDOWS\system32\btnydafd.dll
C:\WINDOWS\system32\zazlzh.dll
C:\WINDOWS\system32\iwjgxeep.dll
C:\WINDOWS\system32\jlabiocl.dll
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\svmscwmt.dll
C:\WINDOWS\system32\riuumk.dll
C:\WINDOWS\system32\sgflsxsi.dll
C:\WINDOWS\system32\igfxres.dll
C:\WINDOWS\system32\ychhyg.dll
C:\WINDOWS\system32\uwjystmw.dll
C:\WINDOWS\system32\bpajimtv.dll
C:\WINDOWS\system32\mlJYpOed.dll
C:\WINDOWS\system32\deOpYJlm.ini
C:\WINDOWS\system32\deOpYJlm.ini2
C:\WINDOWS\DUMP50fe.tmp
C:\WINDOWS\DUMPb3ee.tmp
C:\WINDOWS\DUMPb277.tmp
C:\WINDOWS\DUMP736a.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fbb92d6a-8b55-405e-99ab-2b7ed7e8f10b}]

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone, removed by CFScript)

O2 - BHO: {b01f8e7d-e7b2-ba99-e504-55b8a6d29bbf} - {fbb92d6a-8b55-405e-99ab-2b7ed7e8f10b} - C:\WINDOWS\System32\twwweh.dll
O4 - HKLM\..\Run: [30dd1775] rundll32.exe "C:\WINDOWS\System32\jybrttsu.dll",b
O4 - HKLM\..\Run: [BM33ee24e9] Rundll32.exe "C:\WINDOWS\System32\atdgsigj.dll",s
O4 - HKCU\..\Run: [Onxcek] "C:\Documents and Settings\Owner\Application Data\?racle\l?ass.exe"
(the next two are resource waster related to Alexa, unless you use Alexa, remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: twwweh.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running?

Thanks...Phil
 
Last edited:
Hi Phil,

Thanks for all of your help. My computer seems to be back to normal now. No more pop-ups or slowness. Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:06 PM, on 10/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: RtlWake.lnk = C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220073932656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222049814656
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

--
End of file - 4622 bytes



ComboFix 08-09-30.03 - Owner 2008-10-01 18:20:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.456 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix3.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\DUMP50fe.tmp
C:\WINDOWS\DUMP736a.tmp
C:\WINDOWS\DUMPb277.tmp
C:\WINDOWS\DUMPb3ee.tmp
C:\WINDOWS\System32\atdgsigj.dll
C:\WINDOWS\system32\bpajimtv.dll
C:\WINDOWS\system32\btnydafd.dll
C:\WINDOWS\system32\deOpYJlm.ini
C:\WINDOWS\system32\deOpYJlm.ini2
C:\WINDOWS\system32\igfxres.dll
C:\WINDOWS\system32\iwjgxeep.dll
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jlabiocl.dll
C:\WINDOWS\System32\jybrttsu.dll
C:\WINDOWS\system32\mlJYpOed.dll
C:\WINDOWS\system32\ouhngafv.dll
C:\WINDOWS\system32\riuumk.dll
C:\WINDOWS\system32\sgflsxsi.dll
C:\WINDOWS\system32\svmscwmt.dll
C:\WINDOWS\System32\twwweh.dll
C:\WINDOWS\system32\uwjystmw.dll
C:\WINDOWS\system32\ychhyg.dll
C:\WINDOWS\system32\zazlzh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM33ee24e9.txt
C:\WINDOWS\BM33ee24e9.xml
C:\WINDOWS\DUMP50fe.tmp
C:\WINDOWS\DUMP736a.tmp
C:\WINDOWS\DUMPb277.tmp
C:\WINDOWS\DUMPb3ee.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\System32\atdgsigj.dll
C:\WINDOWS\system32\bpajimtv.dll
C:\WINDOWS\system32\btnydafd.dll
C:\WINDOWS\system32\deOpYJlm.ini
C:\WINDOWS\system32\deOpYJlm.ini2
C:\WINDOWS\system32\igfxres.dll
C:\WINDOWS\system32\iwjgxeep.dll
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jlabiocl.dll
C:\WINDOWS\System32\jybrttsu.dll
C:\WINDOWS\system32\mlJYpOed.dll
C:\WINDOWS\system32\ouhngafv.dll
C:\WINDOWS\system32\riuumk.dll
C:\WINDOWS\system32\sgflsxsi.dll
C:\WINDOWS\system32\svmscwmt.dll
C:\WINDOWS\System32\twwweh.dll
C:\WINDOWS\system32\uwjystmw.dll
C:\WINDOWS\system32\ychhyg.dll
C:\WINDOWS\system32\zazlzh.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-10-01 18:28 . 2008-10-01 18:28 <DIR> d----c--- C:\Intel
2008-10-01 18:28 . 2004-08-20 15:50 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-30 20:07 . 2008-09-30 20:07 121 ---hs---- C:\WINDOWS\system32\usttrbyj.ini
2008-09-29 19:00 . 2008-09-29 19:01 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-O0KWKW9JWC
2008-09-29 18:49 . 2008-09-29 18:49 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-09-27 21:20 . 2008-09-27 21:20 <DIR> d-------- C:\WINDOWS\5DF3D1BB894E4DCD8275159AC9829B43.TMP
2008-09-27 17:06 . 2008-09-27 17:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-23 19:28 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-09-23 19:28 . 2002-08-29 02:01 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-09-23 19:28 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-09-23 19:28 . 2002-08-29 01:32 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-09-22 00:02 . 2005-10-20 18:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-09-21 22:21 . 2004-07-01 18:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-09-21 22:21 . 2004-07-01 18:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-21 22:21 . 2004-07-01 18:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-09-21 22:21 . 2004-07-01 18:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-21 22:21 . 2004-07-01 18:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-09-21 22:21 . 2004-07-01 18:08 7,680 --a--c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-09-21 22:21 . 2004-07-01 18:08 7,168 --a--c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-09-21 22:19 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-21 22:19 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-21 22:03 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-14 11:52 . 2008-09-14 11:52 <DIR> d-------- C:\Program Files\Real Alternative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 01:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-28 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-28 01:18 --------- d-----w C:\Program Files\Symantec
2008-09-28 00:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\Winff
2008-09-08 01:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-31 20:56 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-31 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-31 20:47 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-30 20:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Winamp
2008-08-30 19:55 --------- d-----w C:\Program Files\Winamp
2008-08-28 03:38 3,958 --sha-r C:\WINDOWS\system32\drivers\HP_DK390A-ABA 526X_YC_Pavi_QMXK332_E33NAheBLU4_4_IP4G533LA_SASUSTeK Computer INC._VREV 1.xx_B3.16_T030805_WXH1_L409_M760_J60_7Intel_8Celeron_92.39_1_N10EC8139_P_Z_K_A808624C5_U808624C2_G80862562.MRK
2008-08-19 03:53 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-14 03:12 --------- d-----w C:\Program Files\The Weather Channel FW
2005-06-01 23:06 145,672,169 -c--a-w C:\Program Files\WC_GIS_400_back.exe
2004-07-19 19:11 67 -c--a-w C:\WINDOWS\system32\config\systemprofile\x.bat
2004-07-19 19:11 67 -c--a-w C:\Documents and Settings\Owner\x.bat
2004-07-19 19:11 67 -c--a-w C:\Documents and Settings\Default User\x.bat
2001-02-21 19:44 1,963,518 -c--a-w C:\Program Files\traktor.idf
2005-08-21 23:41 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-08-14 03:55 272,580 -csha-r C:\WINDOWS\system32\oe8o305.exe
2005-08-08 13:25 401,408 -csha-r C:\WINDOWS\system32\w?auboot.exe
2005-08-08 13:28 401,408 -csha-r C:\WINDOWS\system32\??chost.exe
.

------- Sigcheck -------

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2008-04-13 14:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-30_20.07.17.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-30 23:44:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-01 22:27:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-30 23:44:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-01 22:27:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-30 23:44:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-01 22:27:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Onxcek"="C:\Documents and Settings\Owner\Application Data\?racle\l?ass.exe" [?]
"AIM"="C:\Program Files\AIM\aim.exe" [2003-08-01 61440]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2003-01-22 835584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2003-02-22 212992]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 7618560]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 81920]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2002-11-23 733184]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-06-01 86016]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-28 113664]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 53248]
RtlWake.lnk - C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe [2008-08-28 774144]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 19:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2002-11-22 8849]
R3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;C:\WINDOWS\System32\DRIVERS\Bel6001.sys [2003-07-10 168448]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 13532]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-30dd1775 - C:\WINDOWS\System32\jybrttsu.dll
HKLM-Run-BM33ee24e9 - C:\WINDOWS\System32\atdgsigj.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 18:28:34
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-10-01 18:47:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 22:47:29
ComboFix2.txt 2008-10-01 00:07:59

Pre-Run: 3,018,502,144 bytes free
Post-Run: 3,031,343,104 bytes free

202 --- E O F --- 2008-10-01 22:18:53



Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 1

10/2/2008 9:10:24 PM
mbam-log-2008-10-02 (21-10-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 186557
Time elapsed: 2 hour(s), 34 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\faceback.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\geBrpoPi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\btnydafd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqnkIAs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\svmscwmt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\twwweh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqOIbAq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\zazlzh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iwjgxeep.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jybrttsu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ouhngafv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\riuumk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP186\A0006040.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP187\A0006130.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP187\A0006133.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP188\A0006349.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP188\A0006547.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP188\A0006636.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP189\A0006751.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP190\A0006764.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP190\A0006782.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP190\A0006784.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP190\A0006785.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006969.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006958.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006961.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006964.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006966.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006967.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006970.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0006973.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\00ce3a40.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Real Music Ringtones.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Internet Security Suite.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Application Data\Sskknwrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Thanks again, let me know if there is anything else.
 
Sounds good, thanks for returning your information and the feedback. Let's wind down like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, no need to post a clean scan result.

I am not seeing an antivirus program? Going online without one anymore is cyber-suicide. If you need a free on here are three to choose from.

http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

http://www.avast.com/eng/avast_4_home.html

http://www.free-av.com/

Download and install ONLY one, update and scan your system. If all is well at this point, let mw know and I will close your topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Status
Not open for further replies.
Back
Top