Requesting help

B

breakerr

New member
Hi, I'm very very sorry if I'm not posting the way i have to because i can't.

Every time i try to run hijackthis, the program or installer closes,
every time i type hijackthis in google, or go to a section of a webpage that has "hijackthis" my internet closes (firefox, not I.E.). My internet is forced to close.

Please I really need help... once again I'm sorry if the way i posted is wrong
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Tell us a little about your problems, what symptoms are you receiving, any error messages. We need to get a HJT log at least posted, so try this:

Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
(select Download HijackThis Executable)
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThislog.
Copy and paste the contents of the log in your next reply

Thanks
 
i had to do everything in less then 3 sec to get this or else it would close, i went through hell lol.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:50:48 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Documents and Settings\All Users\Application Data\dilqxing.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=219.136.239.51:80
O2 - BHO: (no name) - {11D19478-67B5-4E13-93BB-F7C00D64D07B} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: (no name) - {696F13FF-D13B-8EC8-4B16-888DCD26D79B} - C:\WINDOWS\system32\rrblbqeb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {89817E61-C155-423A-93B7-4DC9B4435E80} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {C78D8BCB-6F16-43AB-8AFE-77D9F2293BE2} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {D0D1A8BD-8239-4E17-B27F-9A5142C51845} - C:\WINDOWS\system32\awtsp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dilqxing.exe] C:\Documents and Settings\All Users\Application Data\dilqxing.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ibddouvc.dll",forkonce
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146350447\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\11857203.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aotr] "C:\DOCUME~1\user\MYDOCU~1\YSTEM~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Aenwe] "C:\Documents and Settings\user\Application Data\??sembly\n?lookup.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble.jp/_common/cab/NMStarterJP6.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarble.jp/Control/NMJTransX.cab
O20 - Winlogon Notify: awtsqom - awtsqom.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

--
End of file - 5897 bytes
 
Oh, and i forgot to mention i downloaded the .zip file because the install file would close on me since it took longer to download
 
Thanks for returning your information and you are well infected. This one worries me:
http://research.sunbelt-software.co...ojan-Downloader.Win32.Delf.aeo&threatid=45953
It's running from a new place where I personally have not removed it before, so it could be a challenge. You appear to have partially removed a Vundo infection, so I will start by giving you information about that junk:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter.../getting_the_fix_on_winfixer_aol_network_now/

You are also infected by PurityScan/OIN adware. Let's start like this, and I can not tell you how important it is to read and follow the directions!

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) C:\Program Files\Java\jre1.5.0_06\ <<< out of date, download the newest version and uninstall all old versions in Add Remove programs.

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

(hold the logs until you finish. combofix may remove some of the nexxt items, not to be concern just try not to miss any)

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if you have the start/search set on purpose to blank, you can leave the first four)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll
(Prevx item is damaged)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: (no name) - {696F13FF-D13B-8EC8-4B16-888DCD26D79B} - C:\WINDOWS\system32\rrblbqeb.dll
O2 - BHO: (no name) - {89817E61-C155-423A-93B7-4DC9B4435E80} - C:\WINDOWS\system32\ddccc.dll (file missing)
(Google item is damaged)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {C78D8BCB-6F16-43AB-8AFE-77D9F2293BE2} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {D0D1A8BD-8239-4E17-B27F-9A5142C51845} - C:\WINDOWS\system32\awtsp.dll (file missing)
(same > reinstall the Google Toolbar when we are done if you use it)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [dilqxing.exe] C:\Documents and Settings\All Users\Application Data\dilqxing.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ibddouvc.dll",forkonce
O4 - HKCU\..\Run: [Aotr] "C:\DOCUME~1\user\MYDOCU~1\YSTEM~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Aenwe] "C:\Documents and Settings\user\Application Data\??sembly\n?lookup.exe"
O20 - Winlogon Notify: awtsqom - awtsqom.dll (file missing)
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\DOCUMENTS AND SETTINGS~1\user\MYDOCUMENTS~1\YSTEM~1\ <<< delete that folder

C:\Documents and Settings\user\Application Data\??sembly\ <<< delete that folder

C:\Documents and Settings\All Users\Application Data\dilqxing.exe <<< delete that file

C:\WINDOWS\system32\ibddouvc.dll <<< delete that file

(if any of those files gives your problems, use this tool and instructions)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the uninstall list, combofix log and a new HJT log, add any comments you think will help.

Thanks
 
If you read my first post or second, i told you i couldn't run hijackthis for more than 3 seconds, so i couldn't do step 6.
If you read my first post or second, i told you i couldn't run hijackthis for more than 3 seconds, so i couldn't do step 6.

Uninstall List:
Adobe Shockwave Player
ASUS Probe V2.24.03
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
ÅÜÅÜ¿¨¶¡³µ
BitTorrent 5.0.7
DivX Web Player
DJMAX
Google Toolbar for Internet Explorer
GTK+ Runtime 2.10.11 rev b (remove only)
HijackThis 2.0.0
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office XP Professional with FrontPage
mIRC
Mozilla Firefox (2.0.0.3)
Mozilla Firefox (2.0.0.4)
Nero OEM
Pidgin
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)

SiS VGA Utilities
Spybot - Search & Destroy 1.4

Ventrilo Client
VideoLAN VLC media player 0.8.6b
WC3Banlist
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10

WinPcap 3.1
WinRAR archiver
XoftSpySE

"user" - 2007-06-30 11:39:35 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-29 21:50 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\BitTorrent
2007-06-29 19:07 93,696 --a------ C:\WINDOWS\system32\drvsab.dll
2007-06-29 19:07 60,928 --a------ C:\WINDOWS\system32\rrblbqeb.dll
2007-06-29 19:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 18:53 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\KillProcess
2007-06-29 17:12 93,696 --a------ C:\WINDOWS\system32\drvmuw.dll
2007-06-29 17:12 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\dilqxing.exe
2007-06-29 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-27 10:50 66,112 --a------ C:\WINDOWS\system32\wghjbhpb.dll
2007-06-26 15:00 93,696 --a------ C:\WINDOWS\system32\drvtut.dll
2007-06-25 22:07 796,672 --a------ C:\WINDOWS\GPInstall.exe
2007-06-22 22:24 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\WinRAR
2007-06-22 16:00 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\gtk-2.0
2007-06-22 15:25 <DIR> d-------- C:\Program Files\Pidgin
2007-06-22 15:25 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\.purple
2007-06-22 15:24 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-06-22 13:21 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-21 21:47 <DIR> d-------- C:\Program Files\TianCity
2007-06-21 17:53 996,872 --a------ C:\WINDOWS\system\CP3240MT.DLL
2007-06-21 17:53 6,656 --a------ C:\WINDOWS\system32\drivers\AsProbe.sys
2007-06-21 17:53 6,272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2007-06-21 17:53 458,752 --a------ C:\WINDOWS\system\COMCTL32.DLL
2007-06-21 17:53 299,008 --a------ C:\WINDOWS\uninst.exe
2007-06-21 17:53 29,952 --a------ C:\WINDOWS\system\BORLNDMM.DLL
2007-06-21 17:40 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-06-21 17:38 516,096 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-06-21 17:38 294,912 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-21 17:38 151,552 -ra------ C:\WINDOWS\system32\ATIDEMGR.dll
2007-06-21 15:43 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-21 14:22 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-21 14:09 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-21 14:09 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-21 13:18 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-21 13:15 69,632 --a------ C:\WINDOWS\system32\a2doKclv.dll
2007-06-21 13:15 10,752 --a------ C:\WINDOWS\system32\dujireri.exe
2007-06-21 13:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-30 16:57 <DIR> d-------- C:\Program Files\BitTorrent
2007-05-27 13:31 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-05-12 23:34 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\vlc
2007-05-12 20:45 28,372 --ah-c--- C:\WINDOWS\system32\mlfcache.dat
2007-05-12 19:54 <DIR> d-------- C:\Program Files\mIRC
2007-05-07 16:18 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-05-06 14:10 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\ATI
2007-05-06 14:07 <DIR> d-------- C:\WINDOWS\pss
2007-05-06 13:49 <DIR> d-------- C:\Program Files\ATI Technologies
2007-05-06 13:48 <DIR> d-------- C:\ATI


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 15:23:14 -------- d-----w C:\DOCUME~1\user\APPLIC~1\.purple
2007-06-29 19:16:01 -------- d-----w C:\Program Files\Warcraft III
2007-06-25 23:42:44 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 16:25:42 -------- d-----w C:\Program Files\AvRack
2007-06-21 17:54:10 77,312 -c--a-w C:\WINDOWS\ua2.dll
2007-06-20 03:50:00 -------- d-----w C:\Program Files\Jap Stuff
2007-06-04 04:04:22 -------- d-----w C:\DOCUME~1\user\APPLIC~1\Viewpoint
2007-05-13 15:43:51 3,742 -c--a-w C:\WINDOWS\mozver.dat
2007-05-13 15:43:49 -------- d-----w C:\Program Files\DivX
2007-05-13 03:33:34 -------- d-----w C:\Program Files\VideoLAN
2007-05-13 03:06:15 -------- d-----w C:\Program Files\Common Files\Real
2007-05-13 03:05:59 -------- d-----w C:\DOCUME~1\user\APPLIC~1\Real
2007-05-07 20:15:12 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-05-03 02:12:34 -------- d-----w C:\DOCUME~1\user\APPLIC~1\uTorrent
2007-03-28 22:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 22:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{11D19478-67B5-4E13-93BB-F7C00D64D07B}=C:\WINDOWS\system32\geede.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{53B5F2B1-94DD-43E5-8187-EB4E31F00701}=C:\WINDOWS\system32\a2doKclv.dll [2007-06-21 13:15]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll []
{696F13FF-D13B-8EC8-4B16-888DCD26D79B}=C:\WINDOWS\system32\rrblbqeb.dll [2007-06-20 10:49]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{89817E61-C155-423A-93B7-4DC9B4435E80}=C:\WINDOWS\system32\ddccc.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll []
{C78D8BCB-6F16-43AB-8AFE-77D9F2293BE2}=C:\WINDOWS\system32\sstqq.dll []
{D0D1A8BD-8239-4E17-B27F-9A5142C51845}=C:\WINDOWS\system32\awtsp.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-04 04:54 C:\WINDOWS\system32\SiSPower.dll]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 06:20 C:\WINDOWS\soundman.exe]
"dilqxing.exe"="C:\Documents and Settings\All Users\Application Data\dilqxing.exe" [2007-06-29 19:07]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" []
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1146350447\ee\AOLSoftware.exe" []
"ASUS Probe"="C:\Program Files\ASUS\Asus Probe\AsusProb.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Aotr"="C:\DOCUME~1\user\MYDOCU~1\YSTEM~1\mmc.exe" []
"Aenwe"="C:\Documents and Settings\user\Application Data\??sembly\n?lookup.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINDOWS\system32\a2doKclv.dll" [2007-06-21 13:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsqom]
awtsqom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d18e2bdc-33a5-11db-99a2-0013d442e202}]
AutoRun\command- E:\wd_windows_tools\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-30 01:49:37 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-30 07:00:00 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 11:41:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-30 11:41:46

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:02:30 PM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=219.136.239.51:80
O2 - BHO: (no name) - {11D19478-67B5-4E13-93BB-F7C00D64D07B} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: (no name) - {696F13FF-D13B-8EC8-4B16-888DCD26D79B} - C:\WINDOWS\system32\rrblbqeb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {89817E61-C155-423A-93B7-4DC9B4435E80} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {C78D8BCB-6F16-43AB-8AFE-77D9F2293BE2} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {D0D1A8BD-8239-4E17-B27F-9A5142C51845} - C:\WINDOWS\system32\awtsp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dilqxing.exe] C:\Documents and Settings\All Users\Application Data\dilqxing.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146350447\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aotr] "C:\DOCUME~1\user\MYDOCU~1\YSTEM~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Aenwe] "C:\Documents and Settings\user\Application Data\??sembly\n?lookup.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble.jp/_common/cab/NMStarterJP6.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarble.jp/Control/NMJTransX.cab
O20 - Winlogon Notify: awtsqom - awtsqom.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

--
End of file - 5738 bytes
 
I apologize that you can not run the tools I need to use, you may want to take that up with the hackers. I will do what I can, if that does not work, you should be looking for the Windows CD because a reformat will be in order.

Uninstall list:

I have no idea what this is:
ÅÜÅÜ¿¨¶¡³µ <<< looking for what might be causing the HJT problem.

J2SE Runtime Environment 5.0 Update 6 <<< this needs an update, once you have the chance to do it, uninstall the old version.

Mozilla Firefox (2.0.0.3)
Mozilla Firefox (2.0.0.4)
IF you have an old version still installed, I suggest you uninstall it, it is unsafe and wasting space.

Combofix did not help, appears you removed Purity Scan, all I can do at this point is post what I see.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {11D19478-67B5-4E13-93BB-F7C00D64D07B} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: (no name) - {696F13FF-D13B-8EC8-4B16-888DCD26D79B} - C:\WINDOWS\system32\rrblbqeb.dll
O2 - BHO: (no name) - {89817E61-C155-423A-93B7-4DC9B4435E80} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {C78D8BCB-6F16-43AB-8AFE-77D9F2293BE2} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {D0D1A8BD-8239-4E17-B27F-9A5142C51845} - C:\WINDOWS\system32\awtsp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [dilqxing.exe] C:\Documents and Settings\All Users\Application Data\dilqxing.exe
O4 - HKCU\..\Run: [Aotr] "C:\DOCUME~1\user\MYDOCU~1\YSTEM~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Aenwe] "C:\Documents and Settings\user\Application Data\??sembly\n?lookup.exe"
O20 - Winlogon Notify: awtsqom - awtsqom.dll (file missing)
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\a2doKclv.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

HJT is a Process Manager, the action of checking and removing the files stops the process so they can be deleted. Since you can not use HJT, you might try booting to safe mode and deleting these files there.
Make sure all files and folders are unhidden:

C:\WINDOWS\system32\a2doKclv.dll <<< delete that file

C:\WINDOWS\system32\rrblbqeb.dll <<< delete that file

C:\Documents and Settings\All Users\Application Data\dilqxing.exe <<< delete that file

C:\Documents and Settings\user\Application Data\??sembly\ <<< delete that folder

C:\DOCUMENTS AND SETTINGS~1\user\MYDOCU~1\YSTEM~1\ <<< delete that folder

Since we also can not use the "Delete on Reboot" tool in HJT, you may need to us this tool:

http://forum.malwareremoval.com/viewtopic.php?t=320

For your information: http://www.bleepingcomputer.com/tutorials/tutorial42.html#O22Diag
Hijackthis will delete the SharedTaskScheduler value associated with this entry, but will not delete the CLSID that it points to and the file that the CSLID's Inprocserver32 points to. Therefore you should always have the user reboot into safe mode and manually delete this file.

Thanks
 
This topic has been moved to archives to prevent others with similar issues posting to it.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.
 
You must log in or register to reply here.
Back
Top