Rogue scanner has me locked out of Spybot

[mestora]

As far as I can tell, I have atmtd.dll/uoyzsydz.exe. It has hijacked my browsing, blocked Spybot from running, blocks the spybot installer from running, and redirects attempts to get to Spybot online to a fake "Search and Destroy" program that is not Spybot Search and Destroy.

It gives me virus warnings, virus warning popups, and has enabled active desktop with a virus warning and embedded links on the desktop.

It disables the task manager in the registry on every reboot and it has disabled tskill. Manually de-registering and deleting is not enough without killing the process. It is also deleting my hosts file on every reboot. All of these dirty tricks seem to effect both safe mode and safe mode with networking.

Thanks in advance, Mike

 

[mestora]

It looks like it is also blocking HJTInstaller.exe from running as well.

Mike

 

[mestora]

Renaming Spybot and HJT helped

But spybot can't perminantly fix.

But now I can generate a log to give you. Please forgive the dealy, I'm running between and upstairs and infected downstairs computer with a flash drive in hand.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:50:01, on 7/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\444.470
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\System32\uoyzsydz.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\mcntptdm.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\joe.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\uoyzsydz.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{AF-FA-A8-82-DW}] C:\WINDOWS\system32\rrwnw64p.exe DWram02
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\mcntptdm.exe DWram02
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntptdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

--
End of file - 4067 bytes


Thanks--Mike

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I hope that flash drive is not infected. For some reason folks seem to not know they can carry infections from computer to computer and they stick them anywhere.

C:\Program Files\Spybot - Search & Destroy\joe.exe <<< did you rename this or is this the false program? If you are not sure, uninstall all Spybot programs and you will not have to do the first step to disable TeaTimer. You can install it again before we finish and I will provide a link to the correct program and version.


1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log

(wait until you finish to post logs and reports)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Report from SDFix, the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

 

[mestora]

Thank you for your reply pskelley. I will follow your instructions and post the after logs here.

The internet access on my infected machine is so messed up that I'm pretty much forced to bring in any software or export any logs for posting on a flash drive. I have autorun disabled on my Windows based laptop and my other desktop is a Linux box.

"Joe" is simply the renamed Spybot which I renamed to fool the rouge scanner. As I mentioned above I had to rename the HiJackThis installer as well.

In the meanwhile, I discovered that uoyzsydz.exe seems to be the program that is misdirecting the internet and blocking Spybot, HJT, and tskill but it not smart enough to block alternative task managers like ProcessExplorer. Killng it may allow me unfettered internet access to follow your instrucitons directly without needing to use the flash drive as an intermediary between machines.

Mike

 

[pskelley]

Yo Mike, to respond, I can tell you that you have a very badly infected computer or I would not be running the tools I am running to kill it.
This file >>> uoyzsydz.exe there is no doubt it is bad, see the google:
http://www.google.com/search?hl=en&q=uoyzsydz.exe&btnG=Google+Search
But I can't really say what is causing what. You can try to remove that file, it will go during the process anyway. My advice would be to get the two tools on there and they should clear up most of the infection.
If you are using a flash drive, make sure it is big enough for those downloads and make sure it is clean. A lot of folks have been getting infected by using an infected flash drive, for some reason they think it can't happen so they stick them anywhere.

Thanks...Phil

 

[mestora]

Report of what happened and logs

Phil, thanks for your help. I'm not sure I understand your last post. I am not questioning the fact that my machine is badly infected, only pointing out that it is (or was) so badly infected that I might have trouble following your procedure exactly but that I would try.

I ran into some complications and had to modify your procedures a bit to get around them. Prior to combo fix, my machine would bluescreen shortly after drawing the desktop and icons. So I was forced to run in safe more and forced to bring in the required downloads on a flash drive.

First Complication: turning off TeaTimer: Spybot would not run wihtout being renamed. The renamned version has the resident Tea timer box unchecked but I still checked and unchecked it to be sure. I later found out that tea timer was running but I told to to accept everything ComboFix was doing. It appears it cannot be enabled by Spybot running under one name and disabled by the application running under another name.

Second Complication: I had to rename SDFix to run it. SDFix's first reboot booted into normal mode and the blue screen happened. I ran it a second time and made sure the reboot directed by SDFix ended up in safe mode. After a considerable delay, SDFix finally ran after the reboot.

Third Complication: I had to rename ComboFix. The next reboot I allowed to go to normal mode and the computer did not bluescreen. The computer shows no sign of infection except . . .

Fourth Complication: The desktop generated by the infection was still in place but I manually chnged it to the default desktop.

So right now my machine appears stable, My internet access is normal, nothing is popping up on either my taskbar or in my browser. So . . . on to the log files:

SDFix Log:

SDFix: Version 1.206
Run by Administrator on Fri 07/18/2008 at 19:33

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
clbdriver
MsSecurity1.209.4
clbdriver

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys

clbdriver - Deleted
MsSecurity1.209.4 - Deleted
clbdriver - Deleted

Killing PID 748 'uoyzsydz.exe'


Restoring Default Security Values
Restoring Default Hosts File


ComboFix Log:

ComboFix 08-07-17.4 - Administrator 2008-07-18 19:41:32.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1812 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\FixCombo.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Heather\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Heather\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\444.470
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1\?icrosoft\
C:\WINDOWS\icroso~1\svchost.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\ayyfpbod.dll
C:\WINDOWS\system32\byXNeBqR.dll
C:\WINDOWS\system32\cbXNFyxv.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dobpfyya.ini
C:\WINDOWS\system32\drivers\ati2mtaaa.sys
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\efcATjKe.dll
C:\WINDOWS\system32\eKjTAcfe.ini
C:\WINDOWS\system32\eKjTAcfe.ini2
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\?vchost.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hgGVPIXN.dll
C:\WINDOWS\system32\mcntptdm.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\sjtque.dll
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI2MTAAA
-------\Legacy_CLBDRIVER
-------\Legacy_CMDSERVICE
-------\Service_ati2mtaaa
-------\Legacy_PlugPlayRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-18 19:24 . 2008-07-18 19:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-18 19:20 . 2008-07-18 19:42 <DIR> d-------- C:\SDFix
2008-07-12 18:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-12 18:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-12 18:23 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-12 18:23 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-12 18:23 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-12 18:23 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-12 18:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-12 18:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-12 18:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-12 17:58 . 2008-07-12 18:29 1,380 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-12 16:45 . 2008-07-12 17:24 335 --a------ C:\WINDOWS\wininit.ini
2008-07-12 16:26 . 2008-07-12 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 16:09 . 2008-07-12 16:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-12 14:20 . 2008-07-12 14:20 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-12 13:48 . 2008-07-18 19:28 <DIR> d-------- C:\WINDOWS\system32\7927
2008-07-12 13:18 . 2008-07-12 13:18 4,716 --a------ C:\WINDOWS\gdrv.sys
2008-07-12 12:58 . 2008-07-12 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-07-12 12:58 . 2008-07-12 12:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-07-12 12:57 . 2008-07-12 12:57 <DIR> d-------- C:\WINDOWS\Search And Destroy
2008-07-12 12:50 . 2008-07-12 12:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-12 12:37 . 2008-07-18 19:14 1,862 --a------ C:\WINDOWS\system32\default.htm
2008-07-12 12:35 . 2008-07-12 12:35 152,175 --a------ C:\WINDOWS\system32\g37.exe
2008-07-12 12:35 . 2008-07-12 12:35 49,188 --a------ C:\WINDOWS\system32\rrwnw64p.exe
2008-07-12 12:33 . 2008-07-12 12:33 <DIR> d--hs---- C:\WINDOWS\TnVueWEgQnVzaW5lc3M
2008-07-12 12:33 . 2001-08-18 10:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-12 12:32 . 2008-07-12 12:32 <DIR> d-------- C:\WINDOWS\system32\sfig
2008-07-12 12:32 . 2008-07-12 12:32 <DIR> d-------- C:\WINDOWS\system32\provdll
2008-07-12 12:32 . 2008-07-12 12:32 <DIR> d-------- C:\WINDOWS\system32\olixds01
2008-07-12 12:32 . 2008-07-12 12:32 <DIR> d-------- C:\WINDOWS\system32\OBDE
2008-07-12 12:32 . 2008-07-12 12:32 <DIR> d-------- C:\WINDOWS\system32\imp32
2008-07-12 12:32 . 2008-07-12 12:32 <DIR> d-------- C:\Temp\stmpv4
2008-07-12 12:32 . 2008-07-18 19:41 <DIR> d-------- C:\Temp
2008-07-04 22:05 . 2008-07-04 22:05 32,768 --a------ C:\WINDOWS\system32\olixds01\olixds011065.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 23:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-15 01:01 --------- d-----w C:\Documents and Settings\Mike\Application Data\GARMIN
2008-06-15 01:00 --------- d-----w C:\Program Files\Garmin GPS Plugin
2004-06-18 06:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 20:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 20:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2005-08-02 23:46 187,904 --sha-r C:\WINDOWS\TnVueWEgQnVzaW5lc3M\asappsrv.dll
2005-08-02 23:58 293,888 --sha-r C:\WINDOWS\TnVueWEgQnVzaW5lc3M\command.exe
2005-07-29 23:24 472 --sha-r C:\WINDOWS\TnVueWEgQnVzaW5lc3M\nBpRyqH0kBpWuqc5wag.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 03:41 1511453]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2006-07-12 17:58 356352]
"EasyTuneV"="C:\Program Files\Gigabyte\ET5\GUI.exe" [2004-06-14 11:54 200704]
"Name of App"="C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2008-01-04 17:33 684118]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 01:07 8491008]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 01:07 81920]
"{AF-FA-A8-82-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-07-18 19:45 49208]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 01:56 16261632 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-07-18 19:45:06 49208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2006-11-20 01:59:11 102455]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BC0ACA58-6A6F-51DA-9EFE-9D20F4F621BA}"= "C:\WINDOWS\system32\hkb0122a001.dll" [2007-06-07 00:57 13060]

R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\System32\drivers\HCWBT8XX.sys [2006-01-25 16:14]
.
- - - - ORPHANS REMOVED - - - -

BHO-{00110011-4b0b-44d5-9718-90c88817369b} - (no file)
BHO-{06492663-42ce-2b57-dea7-bfe7f4ed0eb4} - (no file)
BHO-{086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
BHO-{092836FC-C426-4532-8931-7FDAC143E393} - (no file)
BHO-{150fa160-130d-451f-b863-b655061432ba} - (no file)
BHO-{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
BHO-{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
BHO-{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
BHO-{247C5C8D-CCFC-4C55-8ACE-59D4EAD21B13} - (no file)
BHO-{2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
BHO-{2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
BHO-{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
BHO-{5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
BHO-{587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
BHO-{5e363ce5-c72e-c561-8aa9-1041fca9940b} - (no file)
BHO-{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
BHO-{79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
BHO-{799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
BHO-{82336A8D-6CD0-4647-B791-75FCA8CF2B39} - (no file)
BHO-{98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
BHO-{a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
BHO-{b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
BHO-{bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
BHO-{cf021f40-3e14-23a5-cba2-717765721306} - (no file)
BHO-{DD679F4F-5FFA-2928-AC34-7FA291EE4FC8} - (no file)
BHO-{e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
BHO-{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
BHO-{e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
BHO-{fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
BHO-{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
Notify-xxyaxXPF - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 19:44:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP.NEW 2900 bytes
C:\WINDOWS\system32\rwwnw64d.exe 49208 bytes executable
C:\WINDOWS\system32\msnav32.ax 36 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-18 19:47:10 - machine was rebooted [Mike]
ComboFix-quarantined-files.txt 2008-07-19 02:47:08

Pre-Run: 54,488,911,872 bytes free
Post-Run: 54,439,178,240 bytes free

190

Brand new HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50, on 2008-07-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\windows\system32\rwwnw64d.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{AF-FA-A8-82-DW}] C:\windows\system32\rwwnw64d.exe DWram02
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3878 bytes


Mike

 

[pskelley]

I have to apologize Mike:sad: I did not get the notification I am supposed to receive when you post. If you post and I do not respond within 24 hours, please PM to let me know: http://forums.spybot.info/member.php?u=233

Sounds like you had some complications getting this done, let's hope when we finish they are all gone, malware does a job on your computer!
You can remove SDFix from the computer if you have not already.

Do you know what this item is?
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
adxbnet.net/ << >> http://www.who-is-who-in-gpt.com/forum/index.php?showtopic=8073
I suggest removing it, looks like adware.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O4 - HKLM\..\Run: [{AF-FA-A8-82-DW}] C:\windows\system32\rwwnw64d.exe DWram02
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe

(next two are resource waters associated with Alexa. If you don't use Alexa, remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\windows\system32\rwwnw64d.exe <<< delete that file

C:\WINDOWS\system32\msnav32.ax <<< delete that file


5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

How is the computer running now?

Thanks...Phil

 

[mestora]

Yep, I was not fully clean. Went camping for the weekend and there were a bunch of windows open and download prompts when I came back.

Don't worry about the delay getting back to me, I'd been away. I also work 12-hour shifts 4 days per week so I'm only dealing with this on weekends.

My system was not so cripled this time that I was able to do things exactly as you requested.

Here is my MAlwarebytes log:

Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 1

19:59:33 2008-07-25
mbam-log-7-25-2008 (19-59-33).txt

Scan type: Full Scan (A:\|C:\|E:\|)
Objects scanned: 66102
Time elapsed: 10 minute(s), 56 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 3
Registry Keys Infected: 39
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 97

Memory Processes Infected:
C:\WINDOWS\TnVueWEgQnVzaW5lc3M\command.exe (Adware.CommAd) -> Failed to unload process.
C:\Documents and Settings\Mike\Local Settings\Temp\!update.exe (Adware.PurityScan) -> Unloaded process successfully.
C:\Documents and Settings\Mike\Application Data\?ppPatch\rundll.exe (Adware.PurityScan) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\awtqrqoN.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\TnVueWEgQnVzaW5lc3M\asappsrv.dll (Adware.CommAd) -> Delete on reboot.
C:\WINDOWS\system32\xwbdhfuh.dll (Adware.ClickSpring) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b65714b-beca-4302-a250-f07e7b768a3e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1b65714b-beca-4302-a250-f07e7b768a3e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdservice (Adware.CommAd) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice (Adware.CommAd) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{df669e1b-56af-782f-aa34-7fa291ee1acf} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{df669e1b-56af-782f-aa34-7fa291ee1acf} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MySidesearch (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/xpreload.ocx (Heuristics.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06492663-42ce-2b57-dea7-bfe7f4ed0eb4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06492663-42ce-2b57-dea7-bfe7f4ed0eb4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e363ce5-c72e-c561-8aa9-1041fca9940b} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e363ce5-c72e-c561-8aa9-1041fca9940b} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\xpreload.ocx (Heuristics.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqrqon -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqrqon -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Sakora (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\mjc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\awtqrqoN.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\Noqrqtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Noqrqtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmvvdopp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppodvvmc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nlibyrqc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqrybiln.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tcwwcqni.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inqcwwct.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\TnVueWEgQnVzaW5lc3M\asappsrv.dll (Adware.CommAd) -> Delete on reboot.
C:\WINDOWS\TnVueWEgQnVzaW5lc3M\command.exe (Adware.CommAd) -> Delete on reboot.
C:\WINDOWS\system32\xwbdhfuh.dll (Adware.ClickSpring) -> Delete on reboot.
C:\Documents and Settings\Mike\Local Settings\Temp\!update.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\?ppPatch\rundll.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Microsoft\Windows\gqqft.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\SpeedRunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\NDR11.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\4PEROXI3\!update-4495[1].0000 (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\mfru\mfrua.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\mfru\mfrul.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\mfru\mfrum.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\mfru\mfrup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\mfru\mfrud\mfruc.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\Program Files\mjc\mjc.exe (Adware.MJC) -> Quarantined and deleted successfully.
C:\Program Files\Sakora\Sakora.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\444.470.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\ICROSO~1\svchost.exe.vir (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe.vir (Adware.BHO) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sjtque.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ati2mtaaa.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\SDFix\backups_old\mrofinu1000106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\SDFix\backups_old\mrofinu572.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\SDFix\backups_old\mrofinu572.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\SDFix\backups_old\rwwnw64d.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP109\A0097454.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0097465.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0098480.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0098512.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0105568.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0105569.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0106692.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0106698.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0106759.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0106779.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0108877.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0108878.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0108920.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0109977.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0109978.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0109979.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0109981.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0110025.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP110\A0110024.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP111\A0110178.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP112\A0110183.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110193.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110197.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110198.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110208.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110209.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110222.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110223.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP113\A0110224.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP114\A0110259.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB5BD683-819D-47F8-B55F-E7C131C638D7}\RP115\A0110305.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes572.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b152.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b155.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b156.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu572.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu572.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cklemxbmnvqnq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rrwnw64p.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olixds01\olixds011065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imp32\keysrve.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\provdll\globsetup.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\OBDE\idexpnd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfig\mcirev2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gside.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM2f49c9b1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM2f49c9b1.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\default.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\xpreload.ocx (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oibshohfaev.dll (Adware.BHO) -> Delete on reboot.
C:\WINDOWS\system32\qnfiieqswhhcn.dll (Adware.BHO) -> Delete on reboot.

Here is my most recent HIT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07, on 2008-07-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\Mike\APPLIC~1\PPPATC~1\rundll.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {092836FC-C426-4532-8931-7FDAC143E393} - (no file)
O2 - BHO: (no name) - {1B65714B-BECA-4302-A250-F07E7B768A3E} - (no file)
O2 - BHO: (no name) - {247C5C8D-CCFC-4C55-8ACE-59D4EAD21B13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DBA5A11-DA13-4E08-9B6D-E2FDE408CF8C} - (no file)
O2 - BHO: (no name) - {DD679F4F-5FFA-2928-AC34-7FA291EE4FC8} - (no file)
O2 - BHO: (no name) - {EFF70636-DB72-418E-A823-1E5F54D0759B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Oraa] "C:\DOCUME~1\Mike\APPLIC~1\PPPATC~1\rundll.exe" -vt yazb
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: xxyaxXPF - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4126 bytes

Mike

 

[pskelley]

Let's communicate a moment these are instructions I posted in my first post:

disable TeaTimer/(leave TT disabled until we finish)

TeaTimer is running in the latest HJT log?

You must keep the computer offline until we get it clean, if there is a downloader on board we have not killed, it will keep downloading more junk when you are online.

Let's proceed like this:

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) Make sure all files and folders are still visible.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {092836FC-C426-4532-8931-7FDAC143E393} - (no file)
O2 - BHO: (no name) - {1B65714B-BECA-4302-A250-F07E7B768A3E} - (no file)
O2 - BHO: (no name) - {247C5C8D-CCFC-4C55-8ACE-59D4EAD21B13} - (no file)
O2 - BHO: (no name) - {6DBA5A11-DA13-4E08-9B6D-E2FDE408CF8C} - (no file)
O2 - BHO: (no name) - {DD679F4F-5FFA-2928-AC34-7FA291EE4FC8} - (no file)
O2 - BHO: (no name) - {EFF70636-DB72-418E-A823-1E5F54D0759B} - (no file)
O4 - HKCU\..\Run: [Oraa] "C:\DOCUME~1\Mike\APPLIC~1\PPPATC~1\rundll.exe" -vt yazb
O15 - Trusted Zone: *.sxload.net (HKLM) <<< if you are absolutely positive this is safe, you may leave it.
O20 - Winlogon Notify: xxyaxXPF - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\DOCUMENTS&SETTIBGS~1\Mike\APPLICATION DATA~1\PPPATC~1\ <<< delete that folder and contents

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

Run MBAM again and post the results. Provide feedback about performance.

Thanks

 

[pskelley]

Run MBAM again and post the results. Provide feedback about performance.

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.