Virtumonde,Smithfraud, Zlob...Please help

[lawnguy]

Hi

Following is my HJT log, then my Kaspersky scan log,,,any help would be much appreciated!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:16 PM, on 5/19/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OW3B7DIL\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.safewebnavigate2008.com/index.php?sid=0&pn=0&aid=725&said=7&pid=0
O2 - BHO: BurstWriting module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\BurstWriting\BurstWriting.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BB90EAF5-B809-4C3C-A5B5-51550128F647} - C:\WINNT\system32\ddcArQkL.dll
O2 - BHO: (no name) - {CFC19E37-2C37-42BF-9DA6-71116F1A6E2C} - C:\WINNT\system32\awttutQh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA9360] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3095] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4782] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3739] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6880] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9338] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1226] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9122] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1771] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9811] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8311] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2920] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1235] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2401] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4659] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9395] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4982] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2537] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9575] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2252] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3019] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8879] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8554] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7217] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA478] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2097] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1675] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC975] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\Run: [e©ùýùñûïèóÎ×øøÕøôþÊýÛñûëÞó] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ms1210301710.exe work
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5492] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4371] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB459] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6469] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3884] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6547] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9930] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD443] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8417] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD226] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7226] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7088] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB412] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1603] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6411] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD710] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1993] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7288] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3450] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6035] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7293] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD314] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8023] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2841] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7969] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1787] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9827] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9387] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9901] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7516] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4943] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9678] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {3BA4271E-5C1E-48E2-B432-D8BF420DD31D} - http://antivirus-scanner.com/AntvrsInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O20 - Winlogon Notify: awttutQh - C:\WINNT\SYSTEM32\awttutQh.dll
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 9513 bytes

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Saturday, May 17, 2008 3:59:50 PM

Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 17/05/2008

Kaspersky Anti-Virus database records: 779981

-------------------------------------------------------------------------------



Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true



Scan Target - My Computer:

A:\

C:\

D:\



Scan Statistics:

Total number of scanned objects: 12925

Number of viruses found: 9

Number of infected objects: 14

Number of suspicious objects: 0

Duration of the scan process: 01:07:24



Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\AntvrsInstall.exe Infected: not-a-virusownloader.Win32.FraudLoad.ar skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\ms1210301710.exe Infected: Trojan-Dropper.Win32.Agent.rky skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\printsrv32.exe Infected: Trojan.Win32.Agent.lsr skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\setup_526_1_.exe Infected: Trojan-Downloader.Win32.FraudLoad.ym skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\vifmykoc.exe Infected: Trojan.Win32.Agent.gmn skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\RECYCLER\S-1-5-21-1454471165-1563985344-1060284298-500\Dc49\Antvrs.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.w skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\Downloaded Program Files\antvrs.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.w skipped

C:\WINNT\Downloaded Program Files\AntvrsInstall.exe Infected: not-a-virusownloader.Win32.FraudLoad.ar skipped

C:\WINNT\Downloaded Program Files\CONFLICT.1\AntvrsInstall.exe Infected: not-a-virusownloader.Win32.FraudLoad.ar skipped

C:\WINNT\knxsrgte.exe Infected: Trojan.Win32.Vapsup.eyk skipped

C:\WINNT\ModemLog_Lucent Win Modem.txt Object is locked skipped

C:\WINNT\qvlbodmnqse.dll Infected: Trojan.Win32.Vapsup.eyk skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\Download\c3e13424b5ca403dd00c8550d4b5fddd\BITC.tmp Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\system32\awttutQh.dll Infected: Trojan.Win32.Monder.gen skipped

C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\system32\ddcArQkL.dll Infected: Trojan.Win32.Zapchast.gr skipped

C:\WINNT\system32\ias\dnary.ldb Object is locked skipped

C:\WINNT\system32\ias\ias.ldb Object is locked skipped

C:\WINNT\system32\ias\ias.mdb Object is locked skipped

C:\WINNT\tdomgafw.dll Infected: Trojan.Win32.Vapsup.eyk skipped

C:\WINNT\Temp\JET6DEA.tmp Object is locked skipped

C:\WINNT\Temp\JETA816.tmp Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped



Scan process completed.

 

[Shaba]

Hi lawnguy

You are running HijackThis from temp folder so that is the first thing to correct:

Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
• Doubleclick on the HJTInstall.exe icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

[lawnguy]

Tried To Save Hjtinstall To Desktop....

and I am getting a pop-up error message that reads "Program error" at the top, then" HijackThis.exe has generated errors and will be closed by Windows. You will need to restat the program." Below that it reads, "An error log is being created."
My only option then is to click, "OK". I was able to just run it successfully from the temp folder. Below is new scan I just ran...Any suggestions?

 

[lawnguy]

follow up

here is the hjt log I ran todayLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:02 PM, on 5/20/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OW3B7DIL\HiJackThis[1].exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\MSIMN.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.safewebnavigate2008.com/index.php?sid=0&pn=0&aid=725&said=7&pid=0
O2 - BHO: BurstWriting module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\BurstWriting\BurstWriting.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BB90EAF5-B809-4C3C-A5B5-51550128F647} - C:\WINNT\system32\ddcArQkL.dll
O2 - BHO: (no name) - {CFC19E37-2C37-42BF-9DA6-71116F1A6E2C} - C:\WINNT\system32\awttutQh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA9360] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3095] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4782] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3739] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6880] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9338] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1226] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9122] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1771] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9811] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8311] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2920] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1235] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2401] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4659] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9395] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4982] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2537] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9575] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2252] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3019] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8879] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8554] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7217] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA478] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2097] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1675] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC975] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\Run: [e©ùýùñûïèóÎ×øøÕøôþÊýÛñûëÞó] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ms1210301710.exe work
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5492] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4371] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB459] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6469] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3884] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6547] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9930] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD443] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8417] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD226] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7226] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7088] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB412] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1603] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6411] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD710] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1993] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7288] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3450] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6035] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7293] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD314] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8023] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2841] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7969] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1787] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9827] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9387] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9901] command /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7516] cmd /c del "C:\WINNT\system32\awttutQh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4943] command /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9678] cmd /c del "C:\WINNT\system32\ddcArQkL.dll"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {3BA4271E-5C1E-48E2-B432-D8BF420DD31D} - http://antivirus-scanner.com/AntvrsInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O20 - Winlogon Notify: awttutQh - C:\WINNT\SYSTEM32\awttutQh.dll
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 9588 bytes

 

[Shaba]

Hi

Just follow my previous instructions exactly and tell me if it was now successful

Desktop is not the only place, you can install it to any folder as long as it's not a temp folder.

 

[lawnguy]

uh-oh

Thanks so much for all of your help. I followed the instructions to the letter, and restarted in safe mode. I do have the HJTinstall.exe icon on my desktop, but it will not run from there-I keep getting the error message I mentioned previously.

 

[lawnguy]

further info

I also cannot install it anywhere else. I get the same error message.

 

[Shaba]

Hi

Thanks for the info.

Then we use this instead:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

 

[lawnguy]

scan logs

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-21 13:07:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 94% (more than 75%).
Total Physical Memory: 128 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:57 PM, on 5/21/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ms1210301710.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINNT\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
C:\PROGRA~1\TRENDM~1\Administrator.exe
C:\WINNT\system32\wuauclt.exe

O2 - BHO: DVA First - {1D33427A-2A9F-48DA-B4CC-819902B6A2C2} - C:\WINNT\qvlbodmnqse.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CFC19E37-2C37-42BF-9DA6-71116F1A6E2C} - C:\WINNT\system32\awttutQh.dll
O2 - BHO: (no name) - {E10F13D1-3BE7-490E-A864-5FFFBA2C6CB0} - C:\WINNT\system32\ddcArQkL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ms1210301710.exe work
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O20 - Winlogon Notify: awttutQh - C:\WINNT\SYSTEM32\awttutQh.dll
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 3409 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-04 11:46:02 268 --a------ C:\WINNT\Tasks\Disk Cleanup.job


-- Files created between 2008-04-21 and 2008-05-21 -----------------------------

2008-05-21 11:17:17 396288 --a------ C:\WINNT\HijackThis.exe <HIJACK~1.EXE> <Not Verified; Trend Micro Inc.; HijackThis>
2008-05-19 16:27:19 0 d-------- C:\Program Files\Trend Micro
2008-05-19 16:12:33 614672 --a------ C:\WINNT\system32\mswstr10.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet>
2008-05-15 20:30:32 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_290.dat
2008-05-15 15:11:53 0 d--h----- C:\WINNT\PIF
2008-05-13 21:45:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 18:01:46 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2d8.dat
2008-05-10 14:02:57 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2e4.dat
2008-05-10 14:01:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Antivirus
2008-05-10 09:53:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-05-10 09:13:38 804498 --ahs---- C:\WINNT\system32\LkQrAcdd.ini2
2008-05-10 09:10:05 277504 -----n--- C:\WINNT\system32\ddcArQkL.dll
2008-05-08 21:55:18 1 --a------ C:\WINNT\system32\kr_done1de
2008-05-08 21:54:58 44032 -----n--- C:\WINNT\system32\awttutQh.dll
2008-05-08 21:54:55 196608 --a------ C:\WINNT\tdomgafw.dll
2008-05-08 21:54:55 274432 --a------ C:\WINNT\qvlbodmnqse.dll
2008-05-08 21:54:55 90112 --a------ C:\WINNT\knxsrgte.exe
2008-04-24 21:41:40 0 d-------- C:\windows


-- Find3M Report ---------------------------------------------------------------

2008-05-21 09:58:00 0 d-------- C:\Program Files\Accessories
2008-05-10 13:09:16 6892 --a------ C:\Documents and Settings\Administrator\Application Data\update.log


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D33427A-2A9F-48DA-B4CC-819902B6A2C2}]
05/08/08 02:21p 274432 --a------ C:\WINNT\qvlbodmnqse.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFC19E37-2C37-42BF-9DA6-71116F1A6E2C}]
05/08/08 09:54p 44032 --------- C:\WINNT\system32\awttutQh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E10F13D1-3BE7-490E-A864-5FFFBA2C6CB0}]
05/10/08 09:10a 277504 --------- C:\WINNT\system32\ddcArQkL.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [11/30/99 06:40p C:\WINNT\system32\tp4mon.exe]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"6ce633bc"="C:\WINNT\system32\whnbucpy.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InetChk"="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ms1210301710.exe" []
"MalWarrior"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CFC19E37-2C37-42BF-9DA6-71116F1A6E2C}"= C:\WINNT\system32\awttutQh.dll [05/08/08 09:54p 44032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wetkadmr"= {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll [ ]
"tdomgafw"= {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll [05/08/08 02:20p 196608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttutQh]
awttutQh.dll 05/08/08 09:54p 44032 C:\WINNT\system32\awttutQh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\ddcArQkL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-05-21 13:15:15 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 88%
Physical Memory (total/avail): 127.48 MiB / 14.6 MiB
Pagefile Memory (total/avail): 207.11 MiB / 51.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.21 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 6.04 GiB total, 4.7 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IBM-DADA-26480 - 6.04 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 6.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-0CEMP1TJ0U
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\USER-0CEMP1TJ0U
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=USER-0CEMP1TJ0U
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Adobe Flash Player ActiveX --> C:\WINNT\System32\Macromed\Flash\uninstall_activeX.exe
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Windows Media Player 7.1 --> C:\Program Files\Windows Media Player\setup_wm.exe /Uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type311 / Error
Event Submitted/Written: 05/21/2008 00:39:55 PM
Event ID/Source: 2001 / rasctrs
Event Description:


Event Record #/Type310 / Error
Event Submitted/Written: 05/21/2008 00:39:51 PM
Event ID/Source: 1000 / PerfDisk
Event Description:
Unable to open the Disk performance object. Status code returned is
data DWORD 0.

Event Record #/Type309 / Error
Event Submitted/Written: 05/21/2008 00:16:18 PM
Event ID/Source: 2001 / rasctrs
Event Description:


Event Record #/Type308 / Error
Event Submitted/Written: 05/21/2008 00:16:13 PM
Event ID/Source: 1000 / PerfDisk
Event Description:
Unable to open the Disk performance object. Status code returned is
data DWORD 0.

Event Record #/Type307 / Error
Event Submitted/Written: 05/21/2008 11:59:10 AM
Event ID/Source: 2001 / rasctrs
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1283 / Warning
Event Submitted/Written: 05/21/2008 01:06:27 PM
Event ID/Source: 20192 / RemoteAccess
Event Description:
A certificate could not be found. Connections that use the L2TP protocol over IPSec
require the installation of a machine certificate, also known as a computer
certificate. No L2TP calls will be accepted.

Event Record #/Type1282 / Warning
Event Submitted/Written: 05/21/2008 01:06:20 PM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.16.95 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type1281 / Warning
Event Submitted/Written: 05/21/2008 01:06:20 PM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.48.199 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type1276 / Error
Event Submitted/Written: 05/21/2008 01:02:50 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Event Record #/Type1272 / Error
Event Submitted/Written: 05/21/2008 00:59:06 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1077



-- End of Deckard's System Scanner: finished at 2008-05-21 13:15:15 ------------

 

[Shaba]

Hi

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log (use HijackThis located here: C:\PROGRA~1\TRENDM~1\)
- combofix report

 

[lawnguy]

Logs

Hi

Below is a new HJT log. I ran Combofix twice, and neither time produced a log. The first error message read, " temp07, Combofix cannot find the specified file, Access is denied." The second error message just read, "access is denied." The window closed on its own both times without directing me to a log. I will try one more time--any suggestions?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:26, on 2008-05-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: DVA First - {1D33427A-2A9F-48DA-B4CC-819902B6A2C2} - C:\WINNT\qvlbodmnqse.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 3239 bytes

 

[lawnguy]

Combofix 3rd time

It appears to run fine, gets to the end, says "preparing log report. do not run any programs until combofix has finished." Then it reads, "Access is denied ," and the window closes. I will re-install and try one more time...it is saved to my desktop, and I followed all instructions.

Thanks again!

 

[lawnguy]

More info after 3rd Combofix attempt

The system has rebooted each time. Last pop-up error message I get before combofix window closes reads, "RUNDLL/Eror loading c:\WINNT\system32\whnbucpy.dll. The specified module could not be found." After I click ok on this, the access denied message appears, and the window closes.

 

[Shaba]

Hi

TeaTimer is still enabled. Please disable it as instructed next or it will make combofix run more difficult.

Check after that if this file exists: C:\ComboFix.txt.

If not, please run combofix next in safe mode

 

[lawnguy]

HI
I disabled tea timer, c:/combofix.txt is on my system but I still can not produce a combofix log, even in safe mode. I get the same "access denied" message. Following is latest HJT log. ANy ideas?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09, on 2008-05-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: DVA First - {1D33427A-2A9F-48DA-B4CC-819902B6A2C2} - C:\WINNT\qvlbodmnqse.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 3064 bytes

 

[Shaba]

Hi

Let's try this way:

Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

 

[lawnguy]

I can't uninstall it. When I type Combofix /u, it pulls up the applcation and all associated files, with no uninstall option.

 

[Shaba]

Hi

OK, then just skip that step and move on, please

 

[lawnguy]

I can't re-install Combofix. I am not getting an option to rename it; it appears o save it to my desktop, but it's just an icon and nothing more :sad:

 

[Shaba]

Hi

OK, then we remove malware by other means.

For that I need a fresh dss log so please re-run dss and post back a fresh dss log