0

I've tried AVG, Ad-Aware, VUNDOFIX, HijackThis, RegRun, and Spy Sweeper but I just can't get rid of pmkjh.dll and it's driving me NUTS! How do I get rid of this stubborn .dll?

This is my HJT log
Logfile of HijackThis v1.99.1
Scan saved at 4:34:45 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjh.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

Thanks in advance

4
Contributors
26
Replies
27
Views
9 Years
Discussion Span
Last Post by Bartman299
Featured Replies
  • killall stops all non-essential processes to prevent any hiccups whilst it is running. Can be used from the 'Run' box using the killall switch. I would say that if your pc is still ok, you will be fine :). Read More

0

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

0

Malwarebytes' Anti-Malware 1.11
Database version: 672

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 219393
Time elapsed: 1 hour(s), 28 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 44
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 27
Files Infected: 58

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pmkjh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\__c0087267.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5cfd4d3d-6f51-4c69-a916-3aa777a515a5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5cfd4d3d-6f51-4c69-a916-3aa777a515a5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\bndblock4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1fe2ebe5-42ff-4586-a144-ca420c84ff6a} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1fe2ebe5-42ff-4586-a144-ca420c84ff6a} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0087267 (Trojan.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\BndBlock4.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{03f445f6-bff5-429e-bef2-7ca599d4ca2b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM63f23048 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmkjh -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmkjh -> Delete on reboot.

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pmkjh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hjkmp.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hjkmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\TMP1C.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\xpre.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\xrun.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2T8RWB6N\rasesnet[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\17PHolmes[1].cmt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ENUJCVOD\17PHolmes[2].cmt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FPAY5JN8\glas[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\mevo4444.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\mevo83122.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\ISM\ism.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP183\A0035266.dll (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP189\A0035338.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP189\A0035398.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000050.exe (Adware.Purityscan) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\Terms.rtf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0087267.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

I did restart the computer but pmkjh.dll is still on my computer.

Logfile of HijackThis v1.99.1
Scan saved at 7:58:45 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjh.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BM63f23048] Rundll32.exe "C:\WINDOWS\system32\badmuvma.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\rfyvewsq.dll",b
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

0

Can you please do the following.


===============

Download the newest version of HiJackThis; version 2.0.2. Place it in a permanent folder before scanning. Repost your log after following the steps below. This version has features that might be more helpful in 'cleaning' up your system.

===============

Scan with HijackThis and then place a check next to all the following, if present:


F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjh.exe

O4 - HKLM\..\Run: [BM63f23048] Rundll32.exe "C:\WINDOWS\system32\badmuvma.dll",s
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\rfyvewsq.dll",b


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\pmkjh.exe
C:\WINDOWS\system32\badmuvma.dll
C:\WINDOWS\system32\rfyvewsq.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

Do I HAVE to use ComboFix? I heard that it can mess up your computer pretty bad and I have a lot of stuff on here so I'm not sure if I should risk using CF.

This is my new HJT log but pmkjh.dll is still in the system32 folder and I can't delete it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:13 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant .exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 4378 bytes

0

Do I HAVE to use ComboFix? I heard that it can mess up your computer pretty bad and I have a lot of stuff on here so I'm not sure if I should risk using CF.

Entirely up to you. I have seen nothing personally.

==

Try this;

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator priviledges.


[*]Open the Avenger folder and double click Avenger.exe to launch the programme.
[*]Copy the text in the code box below and Paste it into the Input script here: box.

Files to delete:
C:\WINDOWS\system32\pmkjh.exe
  • Note: the above code was created specifically for this user. If you are not this user, do

NOT follow these directions as they could damage the workings of your system.


[*]Ensure the following:

  • Scan for Rootkits is checked.
  • Automatically disable any rootkits found is Unchecked.

[*]Press the Execute key.
[*]Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
[*]Post the log back here please. (it can also be found at C:\avenger.txt)

0

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\pmkjh.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


pmkjh.dll and __c00B50D2.DAT are still on my system =(

0

Avenger says it deleted it. Tell me the exact file path to those files and we can get them with the Avenger.

0

Avenger did delete it but pmkjh.dll regenerated itself a minute later.

I think it's something in the registry that's causing to to regenerate itself because whenever I used Avenger to delete pmkjh.dll I got this message at startup:

Could not load or run 'C:\WINDOWS\system32\pmkjh.exe' specified in the registry. Make sure the file exists on the computer or remove the reference to it in the registry.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\pmkjh.dll" deleted successfully.
File "C:\WINDOWS\system32\__c00BC67B.DAT" deleted successfully.
File "C:\WINDOWS\system32\ykexvuxu.dll" deleted successfully.
File "C:\WINDOWS\system32\kutnqfrq.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

I used Avenger at about 5:33pm. After my computer was rebooted pmkjh.dll regenerated itself at 5:36 pm because when I looked at file properties of pmkj.dll it says Date Created: 4/27/2008 5:46pm

0

Want to use combofix yet?
Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

0

Not sure how much you trust anyone on this website, but crunchie is a moderator on this site. That means he knows his stuff! I have also used ComboFix, and it worked for me. I have actually used it on six computers. They all work fine now! In my opinion it is a great tool. Good luck.

0

I have tried VundoFix numerous times in all versions but pmkjh.dll still regenerates itself.

I will use ComboFix when I get home tonight.

0

Ok, well good luck, I am sure this has been frustrating for you. If I can help in any way I will try. So let us know how it goes!!

0

ComboFix 08-04-26.3 - Owner 2008-04-30 17:01:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Owner\Application Data\PPPATC~1
C:\lswmv.ini
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\uninstall information
C:\Program Files\fnts~1
C:\Program Files\SoftwareOnline
C:\Program Files\SoftwareOnline\soproc.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\winupdate
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\s?curity\
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bxtyhjns.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ggfvmakq.ini
C:\WINDOWS\system32\gokekyww.ini
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.exe
C:\WINDOWS\system32\snjhytxb.ini
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\sstem~1\s?stem\
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-28 19:49 . 2008-04-28 19:49 294 ---hs---- C:\WINDOWS\system32\chuibbgy.ini
2008-04-27 12:50 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 12:50 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-04-27 12:50 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-04-27 12:50 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 12:50 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-27 12:50 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-04-27 12:50 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-04-26 14:29 . 2008-04-30 14:23 109,793 --a------ C:\WINDOWS\BM63f23048.xml
2008-04-26 12:15 . 2008-04-26 12:15 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-26 08:37 . 2008-04-26 08:37 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Webroot
2008-04-24 06:05 . 2008-04-24 06:05 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 09:52 . 2008-04-23 09:52 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 08:58 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 08:58 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 08:58 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 08:10 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-23 08:05 . 2006-06-14 00:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-23 08:05 . 2006-06-14 01:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-23 08:05 . 2006-06-14 00:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-22 20:25 . 2008-04-22 20:25 0 --a------ C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\regsvr32
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-26 12:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-22 06:44 . 2008-04-22 06:44 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-21 16:20 . 2008-04-21 16:20 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-21 12:35 . 2008-04-21 12:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-20 18:10 . 2008-04-22 19:41 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Desktopicon
2008-04-18 09:25 . 2008-04-21 09:11 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-04-14 09:35 . 2008-04-14 09:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 01:27 --------- d-----w C:\Program Files\Unlocker
2008-04-21 20:35 --------- d-----w C:\Program Files\RecordNow!
2008-04-21 20:35 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-21 00:41 --------- d-----w C:\Program Files\AIM
2008-04-20 21:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 21:45 --------- d-----w C:\Program Files\Starcraft
2008-04-14 16:52 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-13 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-04-05 18:53 --------- d-----w C:\Program Files\ImgBurn
2008-04-01 01:31 --------- d-----w C:\Documents and Settings\Christine.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 17:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 17:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-21 18:31 13,195 ----a-w C:\Documents and Settings\Owner\zguicfgw.dat
2006-03-10 02:54 272 ----a-w C:\Documents and Settings\Owner\sfa2dat.dat
.

<pre>
----a-w           307,200 2008-04-26 16:34:34  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager  .exe
----a-w           748,032 2008-04-29 01:37:49  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w            67,160 2008-04-21 00:41:18  C:\Program Files\AIM\aim .exe
----a-w           110,592 2008-04-30 23:39:14  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w            57,344 2008-01-08 22:40:20  C:\Program Files\Lexmark X6100 Series\lxbfbmgr .exe
----a-w         1,175,160 2008-04-26 20:25:20  C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe
----a-w         1,694,208 2008-04-29 01:37:50  C:\Program Files\Messenger\msmsgs .exe
----a-w           365,568 2008-04-30 21:46:49  C:\Program Files\Unlocker\UnlockerAssistant                                                    .exe
----a-w           365,568 2008-04-30 04:03:59  C:\Program Files\Unlocker\UnlockerAssistant                                                   .exe
----a-w           365,568 2008-04-30 01:07:36  C:\Program Files\Unlocker\UnlockerAssistant                                                  .exe
----a-w           365,568 2008-04-29 22:44:18  C:\Program Files\Unlocker\UnlockerAssistant                                                 .exe
----a-w           365,568 2008-04-29 17:37:37  C:\Program Files\Unlocker\UnlockerAssistant                                                .exe
----a-w           365,568 2008-04-29 03:49:18  C:\Program Files\Unlocker\UnlockerAssistant                                               .exe
----a-w           365,568 2008-04-28 17:21:26  C:\Program Files\Unlocker\UnlockerAssistant                                              .exe
----a-w           365,568 2008-04-28 04:56:43  C:\Program Files\Unlocker\UnlockerAssistant                                             .exe
----a-w           365,568 2008-04-28 01:30:23  C:\Program Files\Unlocker\UnlockerAssistant                                            .exe
----a-w           365,568 2008-04-27 23:41:28  C:\Program Files\Unlocker\UnlockerAssistant                                           .exe
----a-w           365,568 2008-04-27 23:18:11  C:\Program Files\Unlocker\UnlockerAssistant                                          .exe
----a-w           365,568 2008-04-27 20:30:10  C:\Program Files\Unlocker\UnlockerAssistant                                         .exe
----a-w           365,568 2008-04-27 18:02:08  C:\Program Files\Unlocker\UnlockerAssistant                                        .exe
----a-w           365,568 2008-04-27 16:22:16  C:\Program Files\Unlocker\UnlockerAssistant                                       .exe
----a-w           365,568 2008-04-27 15:25:26  C:\Program Files\Unlocker\UnlockerAssistant                                      .exe
----a-w           365,568 2008-04-26 22:29:14  C:\Program Files\Unlocker\UnlockerAssistant                                     .exe
----a-w           365,568 2008-04-26 20:37:05  C:\Program Files\Unlocker\UnlockerAssistant                                    .exe
----a-w           365,568 2008-04-26 20:24:36  C:\Program Files\Unlocker\UnlockerAssistant                                   .exe
----a-w           365,568 2008-04-26 20:09:38  C:\Program Files\Unlocker\UnlockerAssistant                                  .exe
----a-w           365,568 2008-04-26 19:44:03  C:\Program Files\Unlocker\UnlockerAssistant                                 .exe
----a-w           365,568 2008-04-26 15:50:29  C:\Program Files\Unlocker\UnlockerAssistant                                .exe
----a-w           365,568 2008-04-26 06:00:54  C:\Program Files\Unlocker\UnlockerAssistant                               .exe
----a-w           365,568 2008-04-26 05:55:10  C:\Program Files\Unlocker\UnlockerAssistant                              .exe
----a-w           365,568 2008-04-26 05:45:07  C:\Program Files\Unlocker\UnlockerAssistant                             .exe
----a-w           365,568 2008-04-26 05:40:12  C:\Program Files\Unlocker\UnlockerAssistant                            .exe
----a-w           365,568 2008-04-26 05:02:27  C:\Program Files\Unlocker\UnlockerAssistant                           .exe
----a-w           365,568 2008-04-26 04:52:52  C:\Program Files\Unlocker\UnlockerAssistant                          .exe
----a-w           365,568 2008-04-26 04:38:32  C:\Program Files\Unlocker\UnlockerAssistant                         .exe
----a-w           365,568 2008-04-26 03:54:43  C:\Program Files\Unlocker\UnlockerAssistant                        .exe
----a-w           365,568 2008-04-25 17:49:35  C:\Program Files\Unlocker\UnlockerAssistant                       .exe
----a-w           365,568 2008-04-25 14:48:13  C:\Program Files\Unlocker\UnlockerAssistant                      .exe
----a-w           365,568 2008-04-25 05:53:12  C:\Program Files\Unlocker\UnlockerAssistant                     .exe
----a-w           365,568 2008-04-25 03:54:47  C:\Program Files\Unlocker\UnlockerAssistant                    .exe
----a-w           365,568 2008-04-25 03:30:37  C:\Program Files\Unlocker\UnlockerAssistant                   .exe
----a-w           365,568 2008-04-25 01:50:07  C:\Program Files\Unlocker\UnlockerAssistant                  .exe
----a-w           365,568 2008-04-24 17:48:37  C:\Program Files\Unlocker\UnlockerAssistant                 .exe
----a-w           365,568 2008-04-24 01:20:20  C:\Program Files\Unlocker\UnlockerAssistant                .exe
----a-w           365,568 2008-04-23 23:29:26  C:\Program Files\Unlocker\UnlockerAssistant               .exe
----a-w           365,568 2008-04-23 17:44:41  C:\Program Files\Unlocker\UnlockerAssistant              .exe
----a-w           365,568 2008-04-23 05:54:50  C:\Program Files\Unlocker\UnlockerAssistant             .exe
----a-w           365,568 2008-04-23 04:29:58  C:\Program Files\Unlocker\UnlockerAssistant            .exe
----a-w           365,568 2008-04-23 03:54:31  C:\Program Files\Unlocker\UnlockerAssistant           .exe
----a-w           365,568 2008-04-23 03:43:27  C:\Program Files\Unlocker\UnlockerAssistant          .exe
----a-w           365,568 2008-04-22 16:59:53  C:\Program Files\Unlocker\UnlockerAssistant         .exe
----a-w           365,568 2008-04-22 14:44:27  C:\Program Files\Unlocker\UnlockerAssistant        .exe
----a-w           365,568 2008-04-22 03:36:22  C:\Program Files\Unlocker\UnlockerAssistant       .exe
----a-w           365,568 2008-04-22 01:07:02  C:\Program Files\Unlocker\UnlockerAssistant      .exe
----a-w           365,568 2008-04-21 23:56:39  C:\Program Files\Unlocker\UnlockerAssistant     .exe
----a-w           365,568 2008-04-21 22:49:52  C:\Program Files\Unlocker\UnlockerAssistant    .exe
----a-w           365,568 2008-04-21 18:09:14  C:\Program Files\Unlocker\UnlockerAssistant   .exe
----a-w           365,568 2008-04-21 03:01:58  C:\Program Files\Unlocker\UnlockerAssistant  .exe
----a-w           365,568 2008-04-21 02:52:53  C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w         3,096,576 2008-04-29 22:44:28  C:\Program Files\Webroot\Spy Sweeper\SpySweeper             .exe
----a-w         3,479,552 2008-04-29 22:44:16  C:\Program Files\Webroot\Spy Sweeper\SpySweeper            .exe
----a-w         3,479,552 2008-04-29 17:37:35  C:\Program Files\Webroot\Spy Sweeper\SpySweeper           .exe
----a-w         3,479,552 2008-04-28 17:21:25  C:\Program Files\Webroot\Spy Sweeper\SpySweeper          .exe
----a-w         3,479,552 2008-04-27 16:22:13  C:\Program Files\Webroot\Spy Sweeper\SpySweeper         .exe
----a-w         3,479,552 2008-04-26 15:50:26  C:\Program Files\Webroot\Spy Sweeper\SpySweeper        .exe
----a-w         3,479,552 2008-04-25 20:25:34  C:\Program Files\Webroot\Spy Sweeper\SpySweeper       .exe
----a-w         3,479,552 2008-04-24 17:48:37  C:\Program Files\Webroot\Spy Sweeper\SpySweeper      .exe
----a-w         3,479,552 2008-04-23 17:44:39  C:\Program Files\Webroot\Spy Sweeper\SpySweeper     .exe
----a-w         3,479,552 2008-04-23 05:54:49  C:\Program Files\Webroot\Spy Sweeper\SpySweeper    .exe
----a-w         3,479,552 2008-04-22 16:59:52  C:\Program Files\Webroot\Spy Sweeper\SpySweeper   .exe
----a-w         3,479,552 2008-04-21 18:09:13  C:\Program Files\Webroot\Spy Sweeper\SpySweeper  .exe
----a-w         3,096,576 2008-04-26 16:37:28  C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w           158,208 2008-01-10 23:12:31  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w            15,360 2008-01-21 06:55:28  C:\WINDOWS\system32\ctfmon .exe
----a-w           174,592 2008-01-21 06:55:21  C:\WINDOWS\system32\lexpps .exe
</pre>

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f69bbef-119f-41ca-a2e3-860f206c8df0}]
C:\WINDOWS\system32\vjpmdedr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [ ]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"BM63f23048"="C:\WINDOWS\system32\iyxjcluf.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0086076]
C:\WINDOWS\system32\__c0086076.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B7BEF]
C:\WINDOWS\system32\__c00B7BEF.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BC67B]
C:\WINDOWS\system32\__c00BC67B.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60c103d4]
C:\WINDOWS\system32\nhtnvkly.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 19:34 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-01-08 14:40 441856 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brxv]
C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-08-15 00:59 70816 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-01-16 19:16 229376 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 19:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
--a------ 2008-01-08 14:40 417280 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-02-12 13:12 59392 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2003-08-15 18:24 124096 c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\WINDOWS\system32\SSTEM~1\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 19:13 98304 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-13 20:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-17 23:31 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 00:49 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-02 01:43 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tndzcg]
C:\Program Files\Common Files\?racle\?canregw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-21 16:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 02:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 16:52:24 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2004-04-03 08:05:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 17:45:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 32

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-30 18:16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 02:15:17

Pre-Run: 78,093,807,616 bytes free
Post-Run: 78,672,683,008 bytes free

329 --- E O F --- 2008-04-24 21:41:33


HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:23 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe


My system seems clear so far, pmkjh.dll has not regenerated itself :)
But on my laptop I have the same problem but instead of pmkjh.dll its jkkii.dll and even with ComboFix, jkkii.dll regenerated itself. But my desktop computer is much more important and it appears to function properly! Thanks for the help guys =)

I will post another HJT log tomorrow and I will also check if the stubborn .dll managed to regenerate itself. *crosses fingers*

0

You need to understand that your system is still severely compromised. Combofix has revealed one heck of a lot of nasties on your pc. There is no guarantee that even once they are removed, your pc will be 'back to normal.'

==

Go to Start | Run and type in msconfig and hit ok. Go to the Startup Tab and enable all startups. Apply the settings and ok out. Do NOT reboot!
Do a scan with hijackthis and save the log.
Go back into msconfig and change the startups back again to how they were.

==

1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:



KillAll::

File::
C:\WINDOWS\system32\vjpmdedr.dll
C:\WINDOWS\system32\__c0086076.dat
C:\WINDOWS\system32\__c00B7BEF.dat
C:\WINDOWS\system32\__c00BC67B.dat
C:\WINDOWS\system32\nhtnvkly.dll

RENV::
----a-w 307,200 2008-04-26 16:34:34 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 748,032 2008-04-29 01:37:49 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 67,160 2008-04-21 00:41:18 C:\Program Files\AIM\aim .exe
----a-w 110,592 2008-04-30 23:39:14 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 57,344 2008-01-08 22:40:20 C:\Program Files\Lexmark X6100 Series\lxbfbmgr .exe
----a-w 1,175,160 2008-04-26 20:25:20 C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe
----a-w 1,694,208 2008-04-29 01:37:50 C:\Program Files\Messenger\msmsgs .exe
----a-w 365,568 2008-04-30 21:46:49 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-30 04:03:59 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-30 01:07:36 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-29 22:44:18 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-29 17:37:37 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-29 03:49:18 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-28 17:21:26 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-28 04:56:43 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-28 01:30:23 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 23:41:28 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 23:18:11 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 20:30:10 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 18:02:08 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 16:22:16 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 15:25:26 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 22:29:14 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 20:37:05 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 20:24:36 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 20:09:38 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 19:44:03 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 15:50:29 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 06:00:54 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:55:10 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:45:07 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:40:12 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:02:27 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 04:52:52 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 04:38:32 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 03:54:43 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 17:49:35 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 14:48:13 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 05:53:12 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 03:54:47 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 03:30:37 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 01:50:07 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-24 17:48:37 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-24 01:20:20 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 23:29:26 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 17:44:41 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 05:54:50 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 04:29:58 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 03:54:31 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 03:43:27 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 16:59:53 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 14:44:27 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 03:36:22 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 01:07:02 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 23:56:39 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 22:49:52 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 18:09:14 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 03:01:58 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 02:52:53 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 3,096,576 2008-04-29 22:44:28 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-29 22:44:16 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-29 17:37:35 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-28 17:21:25 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-27 16:22:13 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-26 15:50:26 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-25 20:25:34 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-24 17:48:37 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-23 17:44:39 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-23 05:54:49 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-22 16:59:52 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-21 18:09:13 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,096,576 2008-04-26 16:37:28 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 158,208 2008-01-10 23:12:31 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 15,360 2008-01-21 06:55:28 C:\WINDOWS\system32\ctfmon .exe
----a-w 174,592 2008-01-21 06:55:21 C:\WINDOWS\system32\lexpps .exe

Folders::
C:\Documents and Settings\Owner\My Documents\W?nSxS
C:\WINDOWS\system32\SSTEM~1
C:\Program Files\Common Files\?racle

Registry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f69bbef-119f-41ca-a2e3-860f206c8df0}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0086076]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B7BEF]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BC67B]


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter youre-enable all the programs that were disabled during the running of ComboFix:Combofix.txt
A new HijackThis log that have previously run.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments th_CFScript.gif 27.09 KB
0

Crunchie,

I have a question for you. Is the killall: command something you should always do after combofix is ran? Providing that you can see where the bad files are, does the killall completely wipe them out. I am asking cause I have used combofix, but I have never ran a killall after. I just did this about a month ago on a few machines. Should I anticipate further problems with these?? I have had no issues with them since CF.

1

killall stops all non-essential processes to prevent any hiccups whilst it is running. Can be used from the 'Run' box using the killall switch.
I would say that if your pc is still ok, you will be fine :).

Votes + Comments
Your posts are thourough, and informative. Thanks for sharing your expertise!
0

ComboFix 08-04-26.3 - Owner 2008-05-01 15:57:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\__c0086076.dat
C:\WINDOWS\system32\__c00B7BEF.dat
C:\WINDOWS\system32\__c00BC67B.dat
C:\WINDOWS\system32\nhtnvkly.dll
C:\WINDOWS\system32\vjpmdedr.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-28 19:49 . 2008-04-28 19:49 294 ---hs---- C:\WINDOWS\system32\chuibbgy.ini
2008-04-27 12:50 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 12:50 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-04-27 12:50 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-04-27 12:50 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 12:50 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-27 12:50 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-04-27 12:50 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-04-26 14:29 . 2008-04-30 14:23 109,793 --a------ C:\WINDOWS\BM63f23048.xml
2008-04-26 12:15 . 2008-04-26 12:15 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-26 08:37 . 2008-04-26 08:37 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Webroot
2008-04-24 06:05 . 2008-04-24 06:05 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 09:52 . 2008-04-23 09:52 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 08:58 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 08:58 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 08:58 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 08:10 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-23 08:05 . 2006-06-14 00:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-23 08:05 . 2006-06-14 01:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-23 08:05 . 2006-06-14 00:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-22 20:25 . 2008-04-22 20:25 0 --a------ C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\regsvr32
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-05-01 15:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-22 06:44 . 2008-04-22 06:44 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-21 16:20 . 2008-04-21 16:20 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-21 12:35 . 2008-04-21 12:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-20 18:10 . 2008-04-22 19:41 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Desktopicon
2008-04-18 09:25 . 2008-04-21 09:11 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-04-14 09:35 . 2008-04-14 09:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 23:55 --------- d-----w C:\Program Files\Unlocker
2008-05-01 23:55 --------- d-----w C:\Program Files\Lexmark X6100 Series
2008-05-01 23:55 --------- d-----w C:\Program Files\AIM
2008-04-21 20:35 --------- d-----w C:\Program Files\RecordNow!
2008-04-21 20:35 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-20 21:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 21:45 --------- d-----w C:\Program Files\Starcraft
2008-04-14 16:52 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-13 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-04-05 18:53 --------- d-----w C:\Program Files\ImgBurn
2008-04-01 01:31 --------- d-----w C:\Documents and Settings\Christine.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 17:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 17:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-21 18:31 13,195 ----a-w C:\Documents and Settings\Owner\zguicfgw.dat
2006-03-10 02:54 272 ----a-w C:\Documents and Settings\Owner\sfa2dat.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-20 22:55 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60c103d4]
C:\WINDOWS\system32\nhtnvkly.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 19:34 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-04-20 16:41 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brxv]
C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-08-15 00:59 70816 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-20 22:55 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-01-16 19:16 229376 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 19:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
--a------ 2008-01-08 14:40 57344 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-02-12 13:12 59392 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2003-08-15 18:24 124096 c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\WINDOWS\system32\SSTEM~1\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 19:13 98304 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-13 20:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-17 23:31 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 00:49 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-02 01:43 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tndzcg]
C:\Program Files\Common Files\?racle\?canregw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2008-04-30 15:39 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-21 16:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 02:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 16:52:24 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2004-04-03 08:05:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 16:38:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 32

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-01 17:12:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 01:11:32
ComboFix2.txt 2008-05-01 02:17:02

Pre-Run: 79,145,226,240 bytes free
Post-Run: 79,133,798,400 bytes free

207 --- E O F --- 2008-04-24 21:41:33


Hijackthis log when enabled all startups:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:10 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\nhtnvkly.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tndzcg] "C:\Program Files\Common Files\?racle\?canregw.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\system32\SSTEM~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Brxv] "C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 7070 bytes

0

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\nhtnvkly.dll",b
O4 - HKCU\..\Run: [Tndzcg] "C:\Program Files\Common Files\?racle\?canregw.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\system32\SSTEM~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Brxv] "C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe"
O4 - Startup: Compaq Organize.lnk = ?

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\WINDOWS\system32\SSTEM~1
C:\Program Files\AIM

files...

C:\WINDOWS\system32\nhtnvkly.dll

Search for...

ALCXMNTR.EXE

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:33 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 4060 bytes


My PC seems to be a little slow while browsing the internet

0
My PC seems to be a little slow while browsing the internet


Like I said;You need to understand that your system is still severely compromised. Combofix has revealed one heck of a lot of nasties on your pc. There is no guarantee that even once they are removed, your pc will be 'back to normal.'Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

==

Let's get rid of Combofix now that we are (hopefully) finished with it. Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.






When shown the disclaimer, Select "2"


The above procedure will: Delete the following: ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

==

See if that improves things.

Attachments th_CF_Cleanup.png 9.98 KB
0

Uh oh, pmkjh.dll regenerated itself and a number of new .dlls appeared..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:35 AM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: {8a768a4e-360e-feba-7014-67b2cceb3c87} - {78c3becc-2b76-4107-abef-e063e4a867a8} - C:\WINDOWS\system32\ynxrajno.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\xhncagsl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 4279 bytes

0

Actually I think that the .dll seems to regenerate only when someone uses another account to sign on the computer. (after combofix)

0

After I used ATFCleaner everything on my browser is messed up, like I can't see images, etc.

0

Do a system restore and then download combofix again and run it on every user account on the pc.

0

Dude, I had the same problem. Here's what I did, I downloaded a version of avast4.8 home edition (free with registration) from www.avast.com. At the time I had McAfee VirusScan Enterprise 8.0i (thats another story though) and it obviously missed the virus too. Avast kind of took over the anti-virus services for my computer but it got rid of the virus and rootkits that I had. For you, download it from a different computer, also download the current virus library and put them on a external usb drive. I will tell you now, it will seriously mess up Norton and may conflict if you have them running simultaneously. But in your case it may not be a good idea to remove Norton just yet. If you want after the virus is gone, uninstall Avast and re-install Norton.

Install Avast! 4.8 and the virus library. It will ask you to put in the registration key but if you don't you still have 60 days of free service. It will also ask you if you wish to do a boot scan after installing, say yes. Avast has an anti-rootkit built into it and will protect itself from being overwritten, while remaining easy to uninstall. After installing you will be prompted to restart, and after doing so the boot scan shall start. This is the main reason why I love this product its the lowest price, everything in one (virus, malware, ad ware, rootkit) killer, and it has this great boot scan that does everything and more than the desktop version does. I use this program to kill all the nasties when I'm working (helpDesk Tech) or making a house call to a clients.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.